Network Detective. Security Assessment Module Using the New Network Detective User Interface Quick Start Guide


© 2016 RapidFire Tools, Inc. All rights reserved. V20160111 – Ver 3M

Network Detective

Security Assessment Module

Overview

The Network Detective Security Assessment Module is composed of the Network Detective application, the Network Detective Data Collector used to perform the network scan as well as local computer scans, and the Push Deploy Tool used to set up and execute local computer scans from a centralized location on the network.

Network Detective is quick and easy to use; there are just four basic steps:

1. Run the Network Detective Desktop Software to Create Site Files to Manage Your Assessments - Site files can be created to manage assessments for specific customer accounts, remote office locations, data centers, departments, organizational units, or any structure that is applicable to the environment on which you are performing a network assessment.

2. Start a New Security Assessment – Once the Site is created, you start a New Assessment and perform the security assessment’s data collection process as detailed in the assessment process Checklist that you can view in the Assessment Window. After each scan type is complete, run the Network Detective Desktop Software tool, go to your Active Assessment, and import the scan files generated in step 3 into the assessment.

3. Perform Data Collection - Run scans as required for the Security Assessment process. If possible, run the Network Scan from the Primary Domain Controller on the network. The output of the scan will be a .zip file containing module specific scan files (.ndf, .cdf, .sdf). Be sure that you document the name of the folder used to store scan data results files for later importing into your assessment. When the optional External Vulnerability Scan is performed, the scan data will be stored in a .vul file.

4. Run Security Assessment Reports - Customize the report by setting up your company’s branding

Step 1 - Security Assessment Project Initial Set-up

A. Go to www.rapidfiretools.com/nd to download and install the Network Detective application. Then run Network Detective and login with your credentials.

B. Create a “Site” in Network Detective.

Step 2 – Start an Active Security Assessment

A. From within the Site Window, select the Start button that is located on the far right side of the window to start the Assessment. Next, select one of the Security Assessment options presented.

Select either the Domain or Workgroup option depending on the type of network you are assessing.

Then follow the prompts presented in the Network Detective Wizard to start the new

B. Once the new Security Assessment is started, a “Checklist” is displayed in the Assessment Window presenting the “Required” and “Optional” steps that are to be performed during the assessment process. Below is the Checklist for a Security Assessment.

C. Complete the required Checklist Items and use the Refresh Checklist feature to guide you through the assessment process at each step until completion.

You may also print a copy of the Checklist for reference purposes by using the Printed Checklist feature.

Step 3 – Data Collection

A. Using Network Detective installed on your own computer, initiate the External Vulnerability Scan in the Scans section of the Network Detective Assessment Window. (Optional)

B. To start the network scans on the target network, login to the Domain Controller with Administrator privileges.

C. Download the Network Detective Data Collector program from www.rapidfiretools.com/nd and save to either your client’s Domain Controller or a USB drive.

Note: You may extract the Data Collector files to a folder on either the Domain Controller or the USB drive. Then you can run "RunNetworkDetective.exe" to launch the GUI. Before using a USB drive in the data collection process, please refer to Appendix I – Using a USB Drive found on page 9.

Best Practices: The Data Collector makes use of multiple technologies/approaches for collecting information on the client network, including Remote Registry and Remote WMI to gather system information (CPU, Memory, Disk space, etc.) and installed applications.

Enable Windows Firewall: Allow remote administration exception in Group Policy.

Add/Define Windows Firewall: Define Port Exceptions – enabled: Remote Registry for IP range in Group Policy.

(While enabling remote protocols is optional and not always possible, this will provide network access to each of the machines so that the data collector can gather data from the individual systems. Even without this, Network Detective can provide useful information on the systems from Active Directory and the port scans.)

E. Next, after starting the Data Collector, select the Network Data Collector and Security Data Collector options and follow the wizard-driven prompts.

F. After the Data Collector Network Scan is complete, either save the scan results file to a USB drive for later importing of the results into the assessment or email the file for later access. Make sure the USB has sufficient free space to extract and save the Data Collector files and to store the scan results data files.

G. Importing the Network Scan file into your Assessment – From within the Scans section of the Assessment Window, select the Import Scan File button.

H. Then, browse the folder storing the Network Scan results data file generated by the Network Data Collector either stored on a USB drive or in another location on your computer. Select the file, and then Open the file to import the scan results into your assessment.

Upon completing the Import of the Network Scan data, review the Checklist in the Assessment Window

I. Next, to perform the Security Data Collection Scans of computers and wireless networks within the network, download and install the Push Deploy Tool on your USB drive from www.rapidfiretools.com/nd. Information about surrounding wireless networks is collected if the Collector scans a computer that has a wireless Network Interface Card (NIC) installed.

J. Then initiate the Security Data Scan using the Push Deploy Tool with the Security Data .SDF scan option selected, and then run the scan. Next, import the scan results into your assessment.

Note: For the Push Deploy Tool to push the local security scans to computers throughout the network to perform local computer security scans, you need to ensure that the Windows Management Instrumentation (WMI) service is running and able to be managed remotely on the computers that you wish to scan.

Sometimes Windows Firewall blocks Remote Management of WMI, so this service may need to be allowed to operate through the Firewall.

Push/Deploy also relies on using the Admin$ share to copy and run the data collector locally. Admin$ must be present on the computers you wish to scan, and be accessible with the login credentials you provide for the scan.

For Workgroup based networks, the Administrator credentials for all workstations and servers that are to be scanned are recommended to be the same. If the Workgroup based network does not have a consistent set of Administrator credentials for all machines to be scanned, then proceed to the next step of using the Computer Data Collector to perform local computer scans on each computer, one at a time. Or, you can also run the Push Deploy Tool on the Workgroup network multiple times using each set of Administrator credentials.
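
One way to verify the Push Deploy prerequisites named in the note above (remote WMI and the Admin$ share) before running a scan. This is an added example, not RapidFire Tools code; the host names are hypothetical, and probing TCP 135 and 445 assumes WMI over DCOM and SMB on their default ports.

```powershell
# Added example (not part of the vendor guide): pre-flight check of the
# Push Deploy prerequisites on each machine in scope.
param(
    [string[]]$Computers = @('WS01', 'WS02'),      # hypothetical host names
    [pscredential]$Credential = (Get-Credential)   # the credentials you will give the scan
)

foreach ($c in $Computers) {
    $r = [ordered]@{ Computer = $c; Rpc135 = $false; Smb445 = $false
                     WmiService = 'not checked'; AdminShare = $false }

    # Reachability of the RPC endpoint mapper (remote WMI) and SMB (Admin$).
    $r.Rpc135 = Test-NetConnection -ComputerName $c -Port 135 `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
    $r.Smb445 = Test-NetConnection -ComputerName $c -Port 445 `
                    -InformationLevel Quiet -WarningAction SilentlyContinue

    if ($r.Rpc135) {
        try {
            # Query the WMI service state over DCOM with the scan credentials.
            $opt = New-CimSessionOption -Protocol Dcom
            $s   = New-CimSession -ComputerName $c -Credential $Credential `
                       -SessionOption $opt -ErrorAction Stop
            $svc = Get-CimInstance -CimSession $s -ClassName Win32_Service `
                       -Filter "Name='Winmgmt'" -ErrorAction Stop
            $r.WmiService = $svc.State
            Remove-CimSession $s
        } catch {
            # Typical causes: firewall blocking remote WMI, or access denied.
            $r.WmiService = "failed: $($_.Exception.Message)"
        }
    }

    if ($r.Smb445) {
        try {
            # Map Admin$ temporarily to prove it exists and the login works.
            New-PSDrive -Name NdChk -PSProvider FileSystem -Root "\\$c\Admin`$" `
                -Credential $Credential -ErrorAction Stop | Out-Null
            $r.AdminShare = Test-Path 'NdChk:\'
        } catch {
            $r.AdminShare = $false
        } finally {
            Remove-PSDrive -Name NdChk -ErrorAction SilentlyContinue
        }
    }

    [pscustomobject]$r   # one row per machine; pipe to Format-Table or Export-Csv
}
```

Machines that report `WmiService` other than `Running` or `AdminShare` as `False` are candidates for the local Computer Data Collector scan instead of Push Deploy.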

Tip!: Create a shared network folder to centralize and store all Local Computer Security Scan results data files created by the scans performed by the Push Deploy Tool. Then reference this folder in the Storage Folder field to enable the local computer security scan data files to be stored in this central location.

self-extracting .zip file. Once this file is downloaded and extracted into a folder, right click on the file named RunNetworkDetective.exe and run the Data Collector file as an Administrator. Then, select the Local Computer Data Collector and Security Data Collector options, select the Next button, and complete the set-up of the local computer scans by following the prompts.

In this instance, the Data Collector is being used to perform Local Scans on individual computers (workstations or servers) to collect information for each system. Use this if/when WMI and other network protocols are blocked from working over the network from the Network Data Collector scan, or when scanning non-Domain networks.

When you run the Data Collector to perform local scans you will see a scan progress window present on the computer you are scanning.

Once a computer scan is performed, the scan results files will be placed within a .zip file (that contains .CDF, .SDF, and .WDF files) stored in the folder where the Data Collector was executed from or specified during the scan set-up process. Copy and save the scan results file to a USB drive for later importing of the results of each computer scan performed into your security assessment.

L. Once all of the scan data is imported into the Assessment, the assessment’s Checklist will

Step 4 – Generating Reports

NOTE: This step is NOT performed at the client site or network. Network Detective should be installed on your workstation or laptop. Install Network Detective from www.rapidfiretools.com/download if you have not already done so.

A. Run Network Detective and login with your credentials.

B. Then select the Site, go to the Active Assessment, and then select the Reports link to the center of the Assessment Window in order to select the reports you want to generate. Then select which of the Network Assessment reports you want to generate.

C. Select the Create Reports button and follow the prompts to generate the reports you selected.

D. At the end of the report generation process, the generated reports will be made available for you to open and review.

The Security Assessment module can generate the following reports:

Network Security Risk Review - This report includes a proprietary Security Risk Score and chart showing the relative health (on a scale of 1 to 10) of the network security, along with a summary of the number of computers with issues. This powerful lead generation and sales development tool also reports on outbound protocols, System Control protocols, User Access Controls, as well as an external vulnerabilities summary list.

Network Security Management Plan - This report will help prioritize issues based on the issue's risk score. A listing of all security-related risks is provided along with recommended actions.

Network Security PowerPoint - Use our generated PowerPoint presentation as a basis for conducting a meeting presenting your findings from the Network Detective. General summary information along with the risk and issue score are presented along with specific issue recommendations and next steps.

Outbound Security Report - Highlights deviation from industry standards compared to outbound port and protocol accessibility, lists available wireless networks as part of a wireless security survey, and provides information on Internet content accessibility.

Security Policy Assessment Report - A detailed overview of the security policies which are in place on both a domain wide and local machine basis.

Share Permission Report - Comprehensive lists of all network “shares” by computer, detailing which users and groups have access to which devices and files, and what level of access they have.

User Permissions Report - Organizes permissions by user, showing all shared computers and files to which they have access.

User Behavior Analysis Report - Shows all logins, successful and failed, by user. The report allows you to find service accounts which are not properly configured (and thus failing to login) as well as users who may be attempting (and possibly succeeding) in accessing resources (computers) which they should not be.

Login History by Computer Report - Same data as User Behavior but inverted to show you by computer. Quite useful, in particular, for looking at commonly accessed machines (file server, domain controller, etc.) – or a particularly sensitive machine for failed login attempts. An example would be the CEO’s laptop – or the accounting computer where you want to be extra diligent in checking for users trying to get in.

Appendix I – Using a USB Drive

It is often handy to use a USB drive so that you are not downloading anything onto the client or prospect machine. And it is extremely useful when using the Local Data Collector.

To set up the USB drive, simply download and run NetworkDetectiveDataCollector.exe, and unzip it directly to the USB drive (uncheck “When done unzipping…”).

To run a scan from the USB, run any of:

RunNetworkDetective.exe – runs the interactive Data Collector. This is the same as downloading and unzipping/running the Data Collector from the download site.

runLocalSecurity.bat – runs the Data Collector to perform a local Security data collection. The Data
