I’ve been in network security for over ten years now, and I can still count on one hand the number of security incidents that could not be traced back to a missing patch or insecure configuration. On the admin side of things, it seems like no matter how hard you try to keep up, there is always a system out there missing patches, or a new vulnerability in some third party application that has to be addressed immediately. Sound familiar?
With the ratio of hosts to admins growing larger every day, every admin needs tools that will simplify his or her work load, and automate as much of the effort as possible. GFI LANguardhas become my go to tool, and the first place I look for anything I need. It’s like an admin’s Swiss Army Knife. It is full of features an overworked system admin is going to love.
LANGuard is meant to run on a Windows domain member, but don’t think it only does Windows systems. While patch management and deployment are only available for Windows systems, vulnerability scanning can check out Mac OS and Linux systems as well, and auditing can use an SSH connection to assess those non-MS hosts. The install is fairly straight-forward, requiring from 1 to 4 GB of RAM depending on the number of scan targets, and being able to run on any current 32 or 64bit Windows platform, workstation or server, making this a very flexible product that will be easy to add to your network. The install will ask for an administrative account under which to run the patching and auditing, but can do vulnerability scans over the network without administrative privileges.
In my environment, we use GFI LANguard to monitor and manage our mostly Windows based network. While there are many more features to the program that I can fit in this review, here’s a summary of the top four that I rely on every week.
1. Patch Management
LANguard manages patches and upgrades for both Microsoft software and non-MS software including Quicktime, Acrobat, Flash, Firefox, JRE, etc. It seems that every other week some new zero-day is out there for one of the media programs, and being able to update Flash as easily as I do Office saves hours of manual deployments to users.
Notice that in addition to MS patches, we’re covering WinZip, Flash, Chrome, and more. Let’s see WSUS do that!
2. Licensing Compliance
LANguard can scan all your domain members for installed software to assist with licensing and policy enforcement. If you choose, it can even uninstall automatically any software found that is unauthorised. This comes in very handy during true-ups and renewals. We use it to keep an eye on developers who have local admin rights to their machines.
3. Vulnerability Scanning
Network based scanning of your network enables LANguard to scan Windows, Mac OS, and Linux hosts, including virtual machines. With 15,000+ checks, the ability to schedule or trigger scans, and great reporting capabilities, LANguard can help you stay a step ahead of attackers. The scheduled scans can alert you to new services on the network, or new vulnerabilities as LANguard updates its vulnerability database regularly.Here’s an example of the configuration for the “High Security Vulnerabilities” scan.
While I have used OpenVAS, SAINT, and others, having all of this in one package that I can delegate to others, and that can easily generate reports, is a win. Have you ever shown your manager the output of OpenVAS without cleaning it up first? I did once. Once. Wait until you see the “Executive Management” reports. I foresee a promotion in your future.
LANguard can perform both hardware and software auditing of Windows hosts, allowing you to determine not only what software is installed, but what hardware you have. Its reports can be filtered to give you exactly the information you need to plan your next upgrade, answer the boss’ questions, or respond to an audit request. Where I work we do two different audit cycles a year, so I don’t go more than a week without being asked to provide proof of this, or confirmation of that. LANguard includes a reporting pack that proves dead useful when the auditors call. Here’s an example of the Software Audit report.
You can save that as an HTML report, or just print it to PDF and send it to the auditor.
LANguard also comes with some hidden gems, including network tools like NetBIOS and SNMP enumeration, remote desktop connection and remote shutdown capabilities too.
For the small business (or ubergeek running a network at home,) GFI even offers a fully functional version of LANGuard for free. The only restriction is that it is limited to five ip.addrs. While many of us may have more than that running on the home lab, this is still a great way to keep the most critical systems covered. You owe it to yourself to download LANguard and take it for a spin. You’re going to love it.