Network Detective. User Guide. Copyright 2015 RapidFire Tools, inc. All Rights Reserved


Network Detective


Contents

Purpose of this Guide

About Network Detective

Network Detective Overview

Installing and Running Network Detective

Network Detective Sites

Creating a Site

Using a Site

Starting an Assessment

Using the Checklist

Collecting Data

Importing a Scan

Generating Reports

Report Preferences

Adding a Connector to a Site

Downloading Scans with Client Connector

Initiating an External Scan

Adding an InForm Sheet

Finishing/Archiving Assessments

Changing the Type of an Assessment

Enabling/Disabling Sites

Removing Sites

Network Detective Data Explorer

Requirements

Creating a Site

Opening the Data Explorer

The Data Explorer Dashboard

Using Filters

Step 5 - IP Ranges

Step 6 - SNMP Information

Step 7 - Microsoft Baseline Security Analyzer

Step 8 - User Control Tests

Step 9 - Verify and Run

Protocol Availability Scan

Step 10 - Collection Progress

Step 11 - Finish

Exchange Assessment Data Collector

Exchange Assessment Data Collector Wizard

Step 1 – Select Your Exchange Version

Step 2 – Verify Required Files

Microsoft Exchange Online for Office 365

Microsoft Exchange 2010

Microsoft Exchange 2007

Step 3 – Input Credentials

Step 4 – Verify and Run

Step 5 – Collection Progress

Step 6 – Finish

SQL Server Assessment

SQL Server Assessment Data Collector Wizard

Step 1 - Input Credentials

Step 2 - Verify and Run

Step 3 - Collection Progress

Step 4 – Finish

Running Network Detective – Network Detective Wizard

Network Detective Application

Scans

Recent Scans

All Scans

External Scans

Reports

Generating Reports

Report Customization

Preview a Report

Assessment Modules

Network Assessments

Standard Reports

Client Risk Report

Full Detail Report

Excel Report

Specialty Reports

Full Detail Change Report

Site Diagram*

Site Diagrams Export to Microsoft Visio*

Asset Detail Report

Security Assessments

Standard Reports

Security Risk Report

Internal Vulnerabilities Report

Security Policy Assessment

Specialty Reports

Share Permission Report

Share Permission Report by User

Vulnerability Scan Detail Report

Exchange Assessments

Standard Reports

Exchange Risk Report

Exchange Mailbox Detail Report

Exchange Traffic and Use Report

SQL Server Assessment Reports

Standard Reports

Routine Health Report

SQL Server Detail Report

Database Detail Report

SQL Server Agent Jobs Report

Maintenance Plan Report

InForm

Overview

Templates

Creating a New Template

Modifying an Existing Template

Cloning an Existing Template

Site Interviews

Creating a Site Interview

Inputting Interview Data

Creating InForm Reports

Reports Available in InForm

Client Interview Form

Interview Response Report

IT SWOT Analysis

Initiate External Vulnerability Scan

Exporting Configuration Items

Export fields for Autotask

Export fields for ConnectWise

Manage Users

Billing Information

Preferences

Appendices

Appendix I – Using a USB drive

Appendix II – ConnectWise Configuration Items

ConnectWise Connection Manager

Appendix III – Group Policy Reference

Forward and Introduction

Policies for Windows Firewall

Policies for Windows Services

3rd party Firewalls – and Group Policy Considerations

Appendix IV – Mac Data Collector

Running As .cmd

Scripting

Troubleshooting

Appendix V – Push-Deploy Tool

Step 1 – Download and Run

Step 2 – Complete Settings and Configuration

Step 3 – Input Computers and/or IP Range

Step 4 – Start Collection

Purpose of this Guide

This document is intended for users of Network Detective. It will guide you through the initial use of the software as well as the more advanced features. Additional guides are available for various modules. This guide is designed to be used in conjunction with other supplementary guides.

About Network Detective

Network Detective performs automated assessments to uncover and document network assets, problems and security risks. Service Providers and MSPs save countless hours when proposing or on-boarding new clients and performing periodic network documentation of existing customers, while IT departments benefit from periodic reports to assist in network documentation and compliance projects. For “On Demand” users who pay per report, running the data collection and viewing the “Preview Report” is free, and there is a charge to run the “Full Report.” Certain “Premium Reports” are at an additional charge, while some reports are only available to annual subscribers.

Annual subscribers enjoy the benefit of running an unlimited number of scans and reports, including the Premium reports, for a fixed annual cost. They also have access to reports that are not available in the “On Demand” model and the Export feature, which integrates with other services, like Autotask and ConnectWise, to automatically populate configuration items.


Network Detective Overview

Network Detective is composed of the Network Detective application, the Network Detective Data Collectors (for Network and Security modules), various other Data Collectors, and the optional External Vulnerability scanner (for subscription accounts only).

Network Detective is quick and easy to use; there are just three basic steps:

1. Create Sites to organize your assessments. Sites can be customers, remote offices, data centers, departments, organizational units, or any structure that is applicable for your environment.

2. Run scans as required for the individual module. If possible, run the Network Scan from the Primary Domain Controller on the network. The output of the scan will either be a .zip or module specific scan files (.ndf, .cdf, .sdf, .hdf) used to generate reports via Network Detective.

3. Run the Network Detective tool. Import the files generated in step 1 into an assessment. Customize the report by branding with your logos and client information, and run the reports. The Wizard will walk you through your first time!

You can initiate an external Vulnerability scan from the Network Detective console BEFORE or AFTER performing the network scan. (Only available to “Subscribers.”)

Installing and Running Network Detective

Install the Network Detective Application on your system from www.rapidfiretools.com/nd. This is not installed on a client network – only the Data Collector is run on the client network. It is a click-once application and you should always accept the update to have the latest version.

When you run Network Detective the first time, it will launch the Network Detective Wizard. You can dismiss the dialog and simply use the Site Model. If you use the wizard to do ad-hoc reporting, you have three options:

1. Generate Report from a New Scan – This is the fastest way to import the data from a scan and run a report; it combines the two actions:

a. Import a Scan where you will:

• Browse to the ZIP/NDF file from the Network Data Collection

• If you have CDF and/or SDF files, put them in a folder with the NDF file to simplify this step

• Create a new NDZ “Archive” file

b. Generate a Report where you will:

• Select the Reports that you want to run

Note 1: Do NOT select the “Full Detail Change Report” unless you have a second NDZ file (network scan) that you are comparing against.

Note 2: The “Premium Reports” are an extra charge for non-subscriber accounts

• Choose the Vulnerability Scan for this network (or click Cancel if there is not one)

• Customize the report with your logo and company information, and the client information

• Generate the set of reports

NOTE: The recommended best practice is to use Sites and always organize your scans. See the following chapter for information on how to use Sites properly.


Network Detective Sites

The Site Model for Network Detective is a framework which enables users to intuitively organize client information. A Site is a collection of scans, reports, and associated data. An advantage of this abstraction is that you can choose what a Site represents to fit your business model. For example, if your client’s organization has multiple physical locations, you may choose to create one Site for the entire organization, or you can represent each one as an individual Site.

Creating a Site

To create a new site, select “New Site” from the menu bar.

You will be prompted to name the Site.

Since a Site represents a logical grouping, such as a physical location (i.e. an office or data center) or a customer, we recommend choosing a descriptive name. “Customer A (Denver)” and “Customer A (all


After creating and naming a new Site, the Network Detective application will display the Site’s Dashboard. From here, you can change the Site’s name, make it Active or Inactive, add Connectors, edit the Site-specific report preferences, or start an Assessment.

Starting an Assessment

From the Site’s Dashboard, click the “Start” button on the “Active Assessment” bar to start an Assessment.

This will open the Assessment setup wizard.


After selecting Assessment Types, click “Next.” The wizard will ask you to enter a label and comment for your Assessment. Please note that while the comment section is optional, the label is required and each label must be unique.


The final window of the setup wizard summarizes the new Assessment and provides a link to the Checklist, which you can use to track the progress of your Assessment.

After starting a new Assessment, the Network Detective application will display the Assessment’s Dashboard. From there, you can edit the Assessment label and type, associate a previous Assessment, collect data, generate Reports, and finish the Assessment. You can also view the updated Checklist.

Using the Checklist

The Checklist is a helpful outline of the information you will need to collect to complete the Assessment. It is continuously updated to reflect completed items and changes to your Assessment. By using the Checklist, you can make sure that your tasks are complete on schedule and that all relevant data you collect is integrated into your reports.


Required items must be completed in order to complete the Assessment and generate reports. Note that Reports will not be available until required data has been added to the Assessment.

As you work, the document will be updated to reflect completed Checklist items. Note that the Checklist must be accessed from the application in order for it to be up to date.

The Status Bar is a useful visual indicator of the progress of your Assessment. To view an Assessment’s status bar, navigate to the Assessment’s Dashboard by double-clicking on the Site you are working on and clicking “Go to Active Assessment."


From the Assessment Dashboard, you can track the progress of your Assessment by viewing the Checklist and the Checklist status bar.

The Checklist status bar displays the number of items to complete and their required (in red) and optional (in yellow) prerequisites.

As you complete Checklist items, the status bar will be updated to reflect your progress. Click the “View” link to view the current Checklist and find the information you need in order to begin collecting data.

Collecting Data

In order to generate Reports, data from InForm and Network Detective scans must be associated with the Assessment. The checklist (which can be found under the “Status and Check List” bar in the Assessment’s Dashboard) will provide you with up-to-date information about the items you need in order to complete your Assessment.


Some of these items, such as running the Computer Data Collector or the Network Detective Data Collector, must be done either onsite or remotely.

For more information, please see the Scans section about conducting Network Scans.

The resulting files can then be imported into Network Detective via the “Import File” or “Download Scans” buttons located in the “Import Scans” bar on the Assessment Dashboard.

Additionally, you may initiate an External Vulnerability Scan by clicking the “Initiate External Scan” button.

Note that you can only use the “Download Scans” feature if you have set up Client Connector for your Site.

InForm data can be entered directly or compiled from a questionnaire completed by a customer or onsite tech.

For more information, please see the InForm section.

Importing a Scan

Scans are associated with individual Assessments and Sites. This means that they must be imported into each Assessment in order to use the Scan data in Assessment Reports.


From the Site Dashboard, you can either click on the “Go to Active Assessment” button or the “Active Assessment” folder icon under the “SITES” sidebar on the left.

This will bring you to the Dashboard of the Site’s current Assessment.


This will open a file selection wizard. Browse to the NDFs and (if necessary) CDFs.

For more information on NDFs and CDFs and how importing Scans works in the Network Detective Application, please see Import Scan.

Once the file is imported it will be listed under the “Imported Scans” bar in the Assessment Dashboard.

If you have imported all of the Scans and completed the other requirements listed by the checklist, you may now generate reports.

Generating Reports

Network Detective Reports are associated with a specific Assessment in the Site Model. You can generate Reports for your client based on the information you have added to the Site Assessment. Additionally, you can set Site-specific defaults to customize your Reports.


To generate Network Detective Reports, navigate to the desired Site from the Home screen by double-clicking on its icon.

This will open the Site’s Dashboard.

From the Site’s Dashboard, you can either click on the “Go to Active Assessment” button or the “Active Assessment” folder icon under the “SITES” sidebar on the left.

This will open the Assessment’s Dashboard.

From the Assessment’s Dashboard, you can view the Reports you are able to generate under the “Reports” bar.

Note that only the Reports listed in black may be generated. Greyed out reports are either unavailable with your subscription or the Assessment is lacking the necessary data.


Click the “Generate” button on the “Reports” bar. This will open the Report Generation wizard. Only available Reports will be listed in the wizard. Choose the Reports you would like to generate and proceed with the instructions.

If you are unfamiliar with the Report Generator, please see Report Customization for more information.

After your reports have been generated, you can access them from the “Generated Reports” folder on the “Sites” sidebar.

Report Preferences

In Network Detective Sites, you can specify defaults on a Site-by-Site basis to create a consistent custom “look and feel” for each client. The defaults you set from within a Site’s Dashboard will persist over all Reports generated for that Site.

First, navigate to the desired Site from the Home screen by double-clicking on its icon. This will open the Site’s Dashboard.

From the Site’s Dashboard, click the “Edit” button on the “Report Preferences” bar.

This will open the Report Customization wizard.

Follow the instructions in the Customization wizard.

If desired, navigate to the “My Logo” and “Cover Images” tabs to upload images, or the “Themes” tab to specify a theme. When you are finished, exit the wizard and generate Reports.


Adding a Connector to a Site

As an alternative to importing Scans from a local source, Scans can be downloaded remotely via the Network Detective Client Connector service.

Preferences for Client Connectors are configured on a Site-by-Site basis and can be customized for each individual site.

To add a Connector to a Site, first navigate to the desired Site from the Home screen by double-clicking on its icon.

This will open the Site’s Dashboard.


If you wish, the label can be identical to the Site name.

Note that the Connector ID is randomly generated and will be used to configure the Connector.

Next, configure your Connector.

You can now use your Connector to download Scans and associate them with your Assessments.

Downloading Scans with Client Connector

Downloading Scans using the Site Model is done on a Site-by-Site basis. In order to download Scans, you must first set up a Connector to associate with your Site (see “Adding a Connector to a Site”).

First, navigate to the desired Site from the Home screen by double-clicking on its icon. This will open the Site’s Dashboard.


From the Site’s Dashboard, you can view the Site’s associated Connectors under the “Connectors” bar. Here you can also view whether or not your Connectors have downloads available.

If you have downloads available that you would like to add to the Site’s Assessment, click on “Go to Active Assessment.”


This will open a dialog box which will allow you to browse the Scans available from the Connector. You can select specific scans or use the “Download All” option.

After your Scans have finished downloading, they will be listed under the “Imported Scans” bar and you can use them to generate Reports.

Initiating an External Scan

Some Reports either require or have the option of using External Vulnerability Scans. These can either be imported or downloaded from an outside source or initiated from within the Assessment.

First, navigate to the desired Site from the Home screen by double-clicking on its icon.

This will open the Site’s Dashboard.


This will open the Assessment Dashboard. Select “Initiate External Scan” from the “Imported Scans” bar.

This will bring up the External Scan wizard. Follow the instructions provided. For more information about External Vulnerability Scans, please see External Scans.

Adding an InForm Sheet

InForm surveys can be a valuable addition to Site Assessments. Information collected by a tech onsite or entered manually into a template can be compiled into Network Detective Reports.

For more information, please see the InForm section.


To add an InForm sheet to your Assessment, first navigate to the desired Site from the Home screen by double-clicking on its icon.

This will open the Site’s Dashboard.

When the Site opens, click on the “Go to Active Assessment” button in the “Active Assessment” bar.


Using the Start InForm Assessment dialog box, select your template, type in the name of your customer and click “Ok.”

The new template will be listed under the InForm bar. Click the “visit” link to configure your template.

Finishing/Archiving Assessments

Once you have completed all of the items on the checklist(s) you can click the “Finish” button to archive the Assessment.

This changes the status of the Assessment from “Active” to “Archived”. After you archive an Assessment, you can create a new Assessment for the same Site. This new Assessment will be the Site’s currently active Assessment. The archived Assessment will remain accessible for your records.

You may also switch between active Assessments by re-activating an archived Assessment.

Archived Assessments are accessible from a Site’s Dashboard. To view a Site’s archived Assessments, click the “Archived Assessment” folder located in the “SITES” sidebar.

Changing the Type of an Assessment

Checklists are based on the type of the Assessment you are conducting. If you decide to collect additional information for your customer after starting an Assessment, you do not need to create a new Assessment. Instead, change the Assessment Type.

You can change the type of an Assessment from its Dashboard. Click the “Edit” link next to Assessment Type in the “Status and Check List” section of the Site Dashboard.


This will update the Checklist to include any additional items.

Enabling/Disabling Sites

Sites can have either an active (enabled) or archived (disabled) status. An archived site is one that you are no longer currently working on but may re-initialize at a later date.

This option is preferable to removing a Site in many cases, such as when you need to save all of the settings and associated data for a particular Site for your records, or when you wish to re-start work at a later date.

The Sites home screen has two views: “Active Sites” and “All Sites”. The “Active Sites” view will display only enabled Sites and the

To disable a Site from the home screen, right click on the Site and select “Disable Site”. Once disabled, the Site will move under “All Sites” and will not be visible from the “Active Sites” screen.


click on the Site you need to enable and choose Enable Site from the context menu.

Note that a disabled Site is greyed out and has a red indicator when viewed under “All Sites” and is not


Removing Sites

Removing a Site removes all of its associated Assessments and their information. We recommend archiving Sites instead of removing them whenever possible.

To remove a Site, right-click on the Site from the home screen and select “Remove” from the context menu.

Network Detective Data Explorer

This section describes how to use the Network Detective Data Explorer. The Data Explorer is a tool available to Network Detective subscribers. It enables the user to preview report data and continuously monitor customer metrics. Used with the Site Module, this is a powerful way to ensure that you get the most from Network Detective.

Requirements

• Network Detective Application

• Network Detective Subscription

Creating a Site

In order to use the Data Explorer, you must have a Network Detective Site associated with your customer.

Creating a Site is simple: click New Site and follow the prompts to name your Site and start an Assessment. If you have already collected data, the NDF/NDZ and InForm data can be easily imported into a Site Assessment.

Note that you must have data in order to use the Data Explorer.


Opening the Data Explorer

After you have created a Site for your customer, initialized an Assessment, and added Scan data, you can use the Data Explorer tool to preview graphs and charts that may be included in your Reports.

In the Network Detective application, navigate to Sites > Your Site > Go To Active Assessment.

From the Active Assessment, click the Explore Data button.

The Data Explorer Dashboard

When you open the Data Explorer the default view is the Dashboard, which summarizes all of the Scan data you have imported into the current Assessment.

This screen is a condensed overview of the Network Assessment. All of the metrics in the Dashboard are current. As you import new data and continue with your Assessment, the figures will be updated. The Dashboard can help you monitor a Site and track the progress of your Assessment. It is faster and more convenient than generating a report. In many cases, a small change, such as a customer adding a Windows XP machine to the network, may not necessitate a full report.


Using Filters

After you have created a Site for your customer, initialized an Assessment, and added Scan data, you can use the Data Explorer tool to view information about your customer’s Network.

In the Network Detective application, navigate to Sites > Your Site > Go To Active Assessment.

From the Active Assessment, click the Explore Data button. This will bring up the Data Explorer. Click on a Filter such as Computers to switch to a more specific view of your Customer’s data.

From here, you can also filter using the search box in the upper right-hand corner or the Filters menu on the left hand side.

Filter by criteria such as computers running Windows XP, inactive computers, or computers on different domains.


The Network Data Collector is a self-extracting zip file that executes an “.EXE” and is completely non-invasive – it is not “installed” on the domain controller or any other machine on the client’s network, and does not make any changes to the system.

The Data Collector makes use of multiple technologies/approaches for collecting information on the client network, including:

• Active Directory Access and APIs

• Network API calls*

• DNS and DHCP lookups

• Microsoft APIs and Event Logs*

• Remote WMI, RPC and Remote Registry (over the network)

• “whois” and network lookups*

• Microsoft Baseline Security Analyzer (MBSA)*

* Network Data Collector Only

When using the Network Data Collector for the Network Assessment module, to get the most information from the systems on the network, you will want to make sure that WMI and Remote Registry calls are available:

• Enable “Windows Firewall: Allow remote administration exception” in Group Policy.

• Add/Define “Windows Firewall: Define Port Exceptions” – “enabled:Remote Registry” for IP range in Group Policy.

(While enabling remote protocols is optional and not always possible, this will provide network access to each of the machines so that the data collector can gather data from the individual systems. Even without this, Network Detective can provide useful information on the systems from Active Directory and the port scans.)

For information on modifying Group Policies, see Appendix III – Group Policy Reference.


Network Detective Data Collector Wizard

After downloading the Network Detective (ND) and the Network Detective Data Collector (NDDC), run the NDDC with administrator privileges to generate the files necessary to create reports in ND. On non-domain networks, you still must run a “Network Data Collection.” Choose one of the systems on the peer-to-peer network, and enable both the Network Data Collector and the Local Computer Data Collector.

Step 1 - Select Scan Types

Run the NDDC via its portable executable and choose the types of scans you wish to perform. Your first scan should include the Network Data Collector to produce the required .ndf file, so that option is checked by default.

Running the “Local Computer Collector” alone? Click “Next” and skip to Step 9 - Verify and Run.

Running the “Security Data Collector” alone? Click “Next” and skip to Step 8 - User Control Tests.


The NDDC requires access to the Domain Controller and Active Directory in order to provide you with all the data necessary to produce accurate reports. If your current login has those administrator rights, simply click next to continue. Otherwise specify a user with elevated permissions.


Step 3 - Specify Domains

(If you selected, “This network does not have a Domain Controller” in Step 2, this step will be grayed out and the wizard will skip to Step 4.)

The NDDC will query your Active Directory for domains to scan through and list them on this window. By default, all domains will be scanned for data. Alternatively, you may individually Ctrl+Click domains.


External Domain names allow others to visit your site and facilitate services, such as email. To gather information regarding external domains, input them into this wizard page and they will be added to the data collection.

Examples of external domains include: mycompany.com


Step 5 - IP Ranges

The Wizard will auto-detect IP ranges from the NIC card(s) installed on this system to include in the scan. You may include additional subnets.

Step 6 - SNMP Information

By default, the NDDC will retrieve data from devices with the community string “public.” If you wish to define an additional community string (such as “private”), enter it here.


Step 7 - Microsoft Baseline Security Analyzer

If you have the Microsoft Baseline Security Analyzer (MBSA) installed, the NDDC can use it as part of the detection process to perform vulnerability assessment checks. If you do not have the MBSA installed, a link has been provided.

Use “Run MBSA” to perform a weak password check. Enable “Patch Analysis” to gather information on missing patches (this second option will increase the time required to perform the scan).

Step 8 - User Control Tests

(Not running the Security Data Collector? Skip this step.)

The User Control Test tests outbound access to a variety of sites from the computer. This can be useful for checking the functionality of your existing content control system. You can also specify known URLs that violate your content control policies to test the ability of users to connect to those sites.


Step 9 - Verify and Run

This page asks you to specify a destination for the output files of your chosen scans. You have the option of outputting to a folder, or the NDDC can also output to a compressed .zip file.

Protocol Availability Scan

Some machines may be blocked by a firewall or have security restrictions that prevent your centralized scan from collecting information from them. The Protocol Availability Scan will “pre-scan” the network to detect which machines are unavailable; if you want data from those machines, they must be scanned separately.

You can save the results of this scan as a .txt file, which will allow you to scan those restricted machines while your main scan runs.
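The pre-scan idea described above, as an added example that is not part of this guide or of Network Detective: for each host it checks whether the ports behind the remote protocols the guide relies on (WMI/RPC and Remote Registry) accept connections, and lists the hosts that would need a separate scan. The port numbers, function names and host list are assumptions made for the example.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption (not from the guide): TCP ports used as reachability indicators.
# WMI and RPC calls begin at the RPC endpoint mapper (135); Remote Registry is
# reached through SMB named pipes (445).
PROTOCOL_PORTS = {"WMI/RPC": 135, "Remote Registry": 445}


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timed out), unreachable or unresolvable
        return False


def classify(result):
    """Map {protocol: reachable} to (status, sorted list of blocked protocols)."""
    blocked = sorted(name for name, ok in result.items() if not ok)
    if not blocked:
        return "remote", blocked        # central scan can use every protocol
    if len(blocked) == len(result):
        return "unavailable", blocked   # nothing reachable over the network
    return "partial", blocked           # some data will be missing


def pre_scan(hosts, protocol_ports=None, timeout=1.0, workers=16):
    """Probe every host in parallel and return {host: {"status", "blocked"}}."""
    ports = PROTOCOL_PORTS if protocol_ports is None else protocol_ports

    def probe(host):
        result = {name: tcp_open(host, port, timeout) for name, port in ports.items()}
        status, blocked = classify(result)
        return host, {"status": status, "blocked": blocked}

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, hosts))


def needs_separate_scan(report):
    """Hosts where at least one protocol is blocked, sorted for a stable list."""
    return sorted(h for h, r in report.items() if r["status"] != "remote")


def format_report(report):
    """Render the report as tab-separated text lines, suitable for a .txt file."""
    lines = []
    for host in sorted(report):
        entry = report[host]
        blocked = ", ".join(entry["blocked"]) or "-"
        lines.append(f"{host}\t{entry['status']}\t{blocked}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed host list for the demo; use the machines in your own scan scope.
    sample_hosts = ["127.0.0.1"]
    report = pre_scan(sample_hosts)
    print(format_report(report))
    print("Scan separately:", needs_separate_scan(report))
```

A host reported as "partial" or "unavailable" here is a candidate for the firewall exceptions described earlier or for a separate scan on the machine itself.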


Step 10 - Collection Progress

This page charts the progress of your scan. You can cancel the data collection entirely (no data will be saved), or you can choose to “Wrap It Up.” This will end the scan prematurely, leaving some machines not scanned but still providing you with partial results.

Step 11 - Finish

This final page confirms that the scan has completed. The wizard shows the output destination, allows you to open that folder, and also review the results of your completed scan.


Exchange Assessment Data Collector

The Exchange Assessment Data Collector is a self-extracting zip file that executes an “.EXE” and is completely non-invasive – it is not “installed” on the Exchange server or any other machine on the client’s network, and does not make any changes to the system.

The Data Collector makes use of multiple technologies/approaches for collecting information on the Microsoft Exchange environment depending on the version of Exchange. Remote protocols are used to access Office 365 environments, while local PowerShell CmdLets specific to Microsoft Exchange are used for local scans.

In most cases, the server running Microsoft Exchange will already have PowerShell and the proper CmdLets installed. The Exchange Assessment Data Collector will check for pre-requisites before performing its scan.

For local Exchange 2007 and 2010, the Exchange Assessment Data Collector must be run on the server running Exchange.

Exchange Assessment Data Collector Wizard

Step 1 – Select Your Exchange Version

The scan for Microsoft Exchange Online for Office 365 can be done from any Internet connected PC; however, the scans for Microsoft Exchange 2010 and Microsoft Exchange 2007 must be run on the actual server Microsoft Exchange is running on, from an account with administrative credentials.


Step 2 – Verify Required Files

Microsoft Exchange Online for Office 365

Office 365 requires: Microsoft.Online.Administration.Automation.PSModule.dll. If the wizard cannot find this file, this error message will display:

Exchange 2010 requires: RemoteExchange.ps1. If the wizard cannot find this file, this error message will display:

Microsoft Exchange 2007

Exchange 2007 requires: Exchange.ps1. If the wizard cannot find this file, this error message will display:

(If you selected Microsoft Exchange 2010 or Microsoft Exchange 2007 in Step 1, this step will be grayed out and the wizard will skip to Step 4.)

Input your credentials for Office 365 and click “Next.” The Wizard will test your credentials and will ask you to try again upon failure to connect.

Step 4 – Verify and Run

This page asks you to specify a destination for the output files of your scan. You have the option of outputting to a folder, or you can output to a compressed .zip file.

This page charts the progress of your scan. You can cancel the data collection entirely - no data will be saved. Doing so will show the following screen:

Step 6 – Finish

This final page confirms that the scan has completed. The wizard reminds you of where it outputted the results and allows you to open that folder.

The SQL Server Assessment Data Collector is a self-extracting zip file that executes an “.EXE” and is completely non-invasive – it is not “installed” on the SQL Server or any other machine on the client’s network, and does not make any changes to the system.

The Data Collector makes use of multiple protocols to scan a SQL Server instance, and the scan can be done remotely.

The SQL Server Assessment Data Collector can be used to inspect any SQL Server on the LAN or hosted at a remote location so long as it can be accessed using SQL Server

SQL Server Assessment Data Collector Wizard

Step 1 - Input Credentials

The SQL Server Assessment Data Collector requires a SQL Server Authenticated account with sufficient administrative privileges to collect data (i.e., ‘sa’).

Step 2 - Verify and Run

This page charts the progress of your scan. You can cancel the data collection entirely - no data will be saved.

Step 4 – Finish

This final page confirms that the scan has completed successfully. The wizard shows the output destination, and allows you to open that folder and review the results of your completed scan. Once you’re finished, click “Done” and the wizard will close.

Running Network Detective – Network Detective Wizard

Install the Network Detective Application on your system from www.rapidfiretools.com/download. This is not installed on a client network – only the Data Collector is run on the client network. It is a click-once application and you should always accept the update to have the latest version.

When you run Network Detective the first time, it will launch the Network Detective Wizard. You have three options:

2. Generate Report from a New Scan – This is the fastest way to import the data from a scan and run a report; it combines the two actions:

a. Import a Scan where you will:

- Browse to the ZIP/NDF file from the Network Data Collection
- If you have CDF and/or SDF files, put them in a folder with the NDF file to simplify this step
- Create a new NDZ “Archive” file

b. Generate a Report where you will:

- Select the Reports that you want to run

Note 1: Do NOT select the “Full Detail Change Report” unless you have a second NDZ file (network scan) that you are comparing against.

Note 2: The “Premium Reports” are an extra charge for non-subscriber accounts

- Choose the Vulnerability Scan for this network (or click Cancel if there is not one)
- Customize the report with your logo and company information, and the client information
- Generate the set of reports

See the sections below with more detail on both of these Actions.

3. Download the Data Collector – Takes you to the Download page where you can download the Network Data Collector, Computer Data Collector, and other resources.

4. Initiate an External Vulnerability Scan – Allows you to initiate an External Vulnerability scan. You can do this prior to going on-site to run the Network Data Collection, or after you have run the Data Collection.

The Main screen of Network Detective allows you to quickly import and generate reports, organize your Scans and Reports, Add or Manage access for other users in your company, edit billing information and set preferences.

Scans

Click the Scans icon on the top bar to view and manage the scans you have already imported into Network Detective Libraries (archives), stored as “.NDZ” files. These files contain the scans from the Data Collector. (Each NDZ file must include a valid Network Scan (ZIP/NDF).)

Recent Scans

Select Recent Scans, above, which will provide a list of all the scans, from all the directories, sorted by date (most recent first). Select a scan and click “Generate Report” (or double-click) to run reports from this scan. You can select and rename the scans, delete scans, etc.

The All Scans view provides you with a list of all of your Folders and Scans. You can drill down into folders, rename scans, delete scans, etc., as well as double-click to generate reports.

External Scans

Click Import Scan to import one NDF/ZIP file from a Network Data Collection and optionally, multiple CDF/SDF files from Local/Computer Data Collections and Security Scans into a Network Detective archive file (NDZ file). Each NDZ file must include a valid Network Scan (ZIP/NDF).

There are two steps:

1. Select the Scan Results. Browse to the NDF and optionally the CDF files. It is helpful if you have them all in a single directory. If necessary, you can add CDF files to an existing NDZ at a later time.

2. Import into a Scan Library/Archive. Browse to select an existing NDZ archive file, or create a new one.

a. If the NDZ does not already exist it will be created.

b. If the NDZ does exist, and you are importing an NDF, the NDF will be replaced.

c. If the NDZ does exist and you are adding CDF files, the CDF files will be merged into the NDF file inside the NDZ archive (the CDF files are not retained as separate files). When the CDFs are merged, you can determine which Domain each is merged into: a Custom Domain that you can name (e.g., WORKGROUP) or the Domain from the Network Scan (shown in green). Alternatively, you can choose to exclude it from the merge.

Click “Merge Now” to perform the Merge. Clicking Close will skip the merge entirely.

d. You MUST create the NDZ or new folder within the Network Detective “Scans” Folder in

Reports

Generating Reports

From the Scans screen, select an archive file (NDZ) and click Generate a Report (or double-click) to start the Generate Report Wizard. You may include any combination of reports from multiple assessment modules in one report set.

1. The first step is to select the reports that you wish to run. This is done from each Assessment Module tab inside the Report Generation Wizard, detailed later in this section.

2. The next step is to select an External Vulnerability Scan. If you do not have one for this site, click Cancel to continue.

After you’ve selected your reports, a customization dialogue will appear. There are a few fields on this first page that you can fill to customize the text portion of your reports:

- Report Prepared For: Who are you ultimately delivering this report to?
- Report Prepared By*: This is you, your company, your DBA.
- Footer*: This is the footer of the document, and appears on all pages. By default it reads, “PROPRIETARY & CONFIDENTIAL”
- Cover Page Disclaimer*: By default this is a confidentiality disclaimer, but could also serve well for Copyright.

On the next tab, you can upload your company logo as a custom image in your reports. If set in Preferences, this will automatically appear in future reports you generate.

Each report generated follows a pre-built theme and is color-coded based on the Assessment Module it comes from. On this page, select your desired theme and pre-defined color palette, or specify your own colors. (Note: Some Color Palettes and Themes are available only to Subscribers.)

Each report generated has a unique Cover Image for each of the Network Detective Assessment Modules. Alternatively, you can specify your own cover image* in this Customization dialogue, or set a default in Preferences.

After you have finished customizing your reports, click Generate to begin.

- Client Risk Report (Executive Summary) (.docx)
- Full Detail Report (.docx)
- Excel details (.xlsx)
- Full Detail Change Report (.docx) – only select this report when you are creating a comparison to a previous scan on the same network.

Note that these reports are delivered to you as Microsoft® Word and/or Excel documents so that you are able to add information to the report, extract information to be included in your own documentation, sort and analyze in Excel, etc.

For Trial Edition users, please remember that generating any of these reports is a billable event (or decrements your pre-paid report quota). If needed, you may re-run or regenerate reports from the same .NDF (NDZ) file without additional charge should you later want the .XLSX, for instance, or simply need to change your logo. However, the step of merging CDF files creates a new NDF file inside the NDZ, and would be considered a new, billable, report.

(Note: Please keep in mind that each .NDF file has its own unique ID. You can re-run reports for the SAME NDF file at no charge. Running a new data collection on the same network as a previous scan and then running reports is a separate chargeable event.)

Preview a Report

Sometimes you may wish to “preview” a report. Right-click and select Generate Preview Report. This will generate a redacted version of the Full Detail Report so that you can judge whether you have a “good” scan. This is particularly useful for Trial Edition users to decide if they should run the full reports, or perform a new scan.

Assessment Modules

Network Assessments

Standard Reports

| Report Name | Description |
|---|---|
| Client Risk Report | Summary report which presents detailed findings with charts and graphs. |
| Full Detail Report | Comprehensive report containing device and network information. |
| Excel Report | Detailed report with each reporting category separated by worksheet. |

Specialty Reports

| Report Name | Description |
|---|---|
| Full Detail Change Report | Compares current scan against a previous scan, creating a differencing report. |
| Site Diagram* | A visual breakdown of assets broken down by function and OS (Static). |
| Site Diagrams Export to Microsoft Visio* | Microsoft Visio format which is used as framework for custom projects. |
| Asset Detail Report | Comprehensive report with information separated on a per-asset basis. |

Standard Reports

| Report Name | Description |
|---|---|
| Security Risk Report | Summary report which presents overall security position. |
| Internal Vulnerabilities Report | Summary report outlining internal vulnerabilities. |
| Security Policy Assessment | Detail report of security policies on the domain and individual computers. |

Specialty Reports

| Report Name | Description |
|---|---|
| Share Permission Report | Breakdown of share permissions by computer. |
| Share Permission Report by User | Breakdown of share permissions by user. |
| Vulnerability Scan Detail Report | Full detailed results from the External |

Exchange Assessments

Standard Reports

| Report Name | Description |
|---|---|
| Exchange Risk Report | Summary report presenting an assessment and summary of the Exchange Server. |
| Exchange Mailbox Detail Report | Detailed report for each mailbox on the Exchange Server. |
| Exchange Traffic and Use Report | Report showing traffic analysis and mailbox usage on the Exchange Server. |
| Exchange Distribution Lists Report | Detailed report showing all distribution lists. |

Specialty Reports

| Report Name | Description |
|---|---|
| Exchange Mobile Device Report | Detailed report of mobile device users. |
| Exchange Mailbox Permission Report by Mailbox | Detailed report showing mailbox permissions by mailbox. |
| Exchange Mailbox Permissions by User | Detailed report showing mailbox permissions by |

Standard Reports

| Report Name | Description |
|---|---|
| Routine Health Report | This report is designed to be run on a regular basis to assess the general health of an SQL server. |
| SQL Server Detail Report | This report is designed to show specific, technical details for an entire SQL server. |
| Database Detail Report | This report is designed to show specific, technical details for a single Database |
| SQL Server Agent Jobs Report | This report is designed to show the status and history of scheduled jobs on the Database |
| Maintenance Plan Report | This report is designed to show the status of |

InForm

Overview

InForm allows you to create custom forms to gather information about a client and their site and generate reports. Your Interviews could focus on anything from purely technical information – server room security, cable management, etc. – to policies like BYOD.

Templates

Templates represent a re-usable form design. Templates contain the list of Categories and Topics. You can have multiple templates for different types of clients (e.g. – Managed Services, Prospect, IT Site Survey etc.) or services (e.g. – Security Audit).

Creating a New Template

From the InForm screen within Network Detective, click “Site Interview Templates.”

Change the name of the form. This will also change the filename for the template description file.

Right-click on the Form header or any other node to bring up the context menu. From this menu, you can Add New Categories. Categories are used to group various topics together.

Use the category editor to change the label of the category and add instructions for the category as a whole.

Use the topic editor to select the type of response, change the label for the topic, and add instructions for the topic.

Response Types

InForm supports three types of responses:

| Response Type | Description | Example Use |
|---|---|---|
| Text Response | Free-form text response | Describe the condition of the data center. |
| Multiple Choice | Multiple fixed responses | Does the firewall have IPS? - Yes - No - Cannot Determine |
| Checklist Item | An item that is marked off if done | Check the security of the door locks |

Follow-ups

Follow-ups are Topics that will appear if a particular response to a question is chosen. You can add multiple follow-ups for a particular response by using the Add Follow-up Question link next to a particular response.

Issues

The selection of any response can be marked as an Issue. Issues must have the Issue Description, Issue Score, and Issue Recommendation completed. If a response is selected that is marked as an issue, the issue will be added to the Risk Analysis, Management Plan, and Power Point issue section. In this way, you can create forms that affect the risk and issue scores.

Response forms can be added to any assessment from the InForm section.

Creating a Response Form

From the InForm section, press the ‘Add’ button to add an InForm response form to the assessment.

Click on the visit link to open up the response form.

Entering Responses

Use the response column to enter your answers for the various topics. Notes are used to augment or supplement the information in the responses. Files and SWOT are used to attach pictures and other files, as well as specify strength, weakness, opportunities, and threat entries.

Initiate External Vulnerability Scan

You can initiate an External Vulnerability Scan from the Wizard or by clicking the link on the right-hand side.

This feature is ONLY available to subscribers. Enter a Scan Label (Name for this scan), and an IP address or address range.

You can also supply an email address to be notified when the scan is completed.

Click OK, and then Next to send the request to our servers that will perform the scan.

Click the External Scans Folder Icon to view the status of the scan. Once the Scan has been completed you can then run your reports to include the External Vulnerability scan.

Note: You can, and should, initiate the External Vulnerability Scan before visiting the client site to perform the data collection. This way the External Scan data should be available when you are ready to

You can use Network Detective to export data to configuration items within PSA/CRM or Ticketing Systems such as Autotask and ConnectWise. Select the archive (NDZ file) and click “Export Configuration Items to Autotask” or “Export Configuration Items to ConnectWise.” Network Detective will Create and/or Update Configuration items.

1. Enter your PSA Connection information so that Network Detective can login to your PSA database to populate the drop-down items. If you have not setup a Connection, click the Manage Connection link to enter the login/connection information.

a. For Autotask, this will be a user’s login to Autotask (preferably an administrative user).

b. For ConnectWise, you must first set up an Integrator login. Please see Appendix II.

2. Select the Company/Account where you want the items to be mapped.

3. You then select the Items to Export (right hand column)

4. Map the known Network Detective elements (Computers, Servers, Printers, SQL Servers, etc.) to the configuration item in your PSA system.

5. Choose whether to Create New configuration items

6. Select Update Existing Records with Same Reference Title if you want to update existing configuration items with information from Network Detective.

Note that you can perform this operation multiple times with different “Selected Items” to map each group to different Product types. For example, if different sets of “Non-A/D” devices need to get mapped to different elements (e.g., some to Switches, others to Printers), select the appropriate items, set the mapping, and repeat with different settings as necessary.

Export fields for Autotask

When exporting to Autotask, Network Detective will set the following fields in each Configuration item:

- Product (mapped as per step 4 above)
- Reference Title (from the machine name)
- Notes (information on the device, including O/S, CPU, RAM, IP, etc. – as available from scan)

Export fields for ConnectWise

When exporting to ConnectWise, you can use any existing Configuration Types that you have setup. In this case, Network Detective will populate the standard fields, and the Notes field will be set with the information for that system (CPU, Memory, etc.). If there was information in the Notes field, it will be overwritten by Network Detective.

Configuration Questions relevant to the Configuration type. For example, for Computers (ND), the Configuration Questions include: Computer Name, Operating System, CPU, etc. The full list of information will also be entered into the Configuration Question: Misc.

Manage Users

You can add users to the account so that they can run reports. Set them to Standard User to prevent them from accessing the Manage Users, Billing and Preferences screens.

Preferences

Appendix I – Using a USB drive

It is often handy to use a USB drive so that you are not downloading anything onto the client or prospect machine. And it is extremely useful when using the Local Data Collector.

To set up the USB drive, simply download and run NetworkDetectiveDataCollector.exe, and unzip it directly to the USB drive (uncheck “When done unzipping…”).

To run a scan from the USB, run any of:

RunNetworkDetective.exe – runs the interactive Data Collector. This is the same as downloading and unzipping/running the Data Collector from the download site.

runLocal.bat – runs the Data Collector to perform a Local Data Collection, and will pop up a dialog with the folder containing the CDF file once complete. Note that the CDF file output is stored on the root of USB and in the “CDF” folder that will be created. This way all CDFs from multiple machines are in one folder.

runLocalSilent.bat – runs the Data Collector to perform a Local Data Collection, but does not pop open a dialog box. Note that the CDF file output is stored on the root of USB and in the “CDF” folder that will be created. This way all CDFs from multiple machines are in one folder.

Appendix II – ConnectWise Configuration Items

Before configuration items can be imported into the ConnectWise PSA, the appropriate permissions must be setup in your ConnectWise system and you must configure a “ConnectWise Connection” in Network Detective.

Setting up an “Integrator Login” in ConnectWise

- Navigate to Setup -> Setup Tables
- Type “Integrator” into the Table lookup and hit Enter
- Click the Integrator Login link

Click the “New” Icon to bring up the New Integrator login screen as shown on the right.

Enter and record Username and Password values which you will need later on when configuring a “ConnectWise Connection” in the Network Detective tool (see below).

Set the Access Level to “All Records.”

Enable both Company API and Configuration API. Click the Save icon to save this Integrator Login. (Note, if you already have an Integrator Login configured, you may use it as long as the Company and Configuration APIs are enabled.)

From the Export to ConnectWise screen, click Manage Connections to provide the login credentials so Network Detective can connect to your ConnectWise database.

(If you have already done this, select a “Connection” from the drop down box and skip this step.)

From the ConnectWise Connections Manager screen, click “New” to create a new Connection. Enter the Username and Password that you set up in the Integrator Login step, above. Enter your Company ID that is specified when you log into the ConnectWise PSA client.

Enter the hostname of the ConnectWise site that you connect to into the PSA URL. For instance: If your Site is http://test.connectwise.com, enter “test.connectwise.com.” (without the quotes).

Appendix III – Group Policy Reference

Foreword and Introduction

Some networks are more restrictive than others, and in some cases the Network Detective Data Collector may query a device and have the request blocked or return less information than is required. To obtain more information, Group Policies can be modified, or a Local Data Collection to fill-in-the-blanks can be performed.

This document is a reference for modifying Group Policies, and will indicate which Group Policies are needed to ensure a full data collection. This document is for reference only; RapidFire Tools is in no way responsible for, or able to assist with, any modifications to Group Policies made via this document. If you choose to make changes, perform a backup first, only make changes once you’ve assessed the overall impact, and of course, exercise caution.

Policies for Windows Firewall

Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

Windows Firewall: Allow ICMP exceptions
- Enabled
- Allow inbound echo request

Windows Firewall: Allow file and printer sharing exception
- Enabled
- Allow unsolicited incoming messages from local subnet

Windows Firewall: Allow remote administration exception
- Enabled
- Allow unsolicited incoming messages from local subnet

Windows Firewall: Allow local port exceptions
- Enabled

Windows Firewall: Define inbound port exceptions
- TCP: 135, 139, 445
- UDP: 137, 138

Windows Firewall: Allow Remote Desktop exception
- Enabled
- Allow unsolicited incoming messages from local subnet

Policies for Windows Services

Computer Configuration > Windows Settings > Security Settings > System Services

Windows Management Instrumentation (WMI)
- Startup Type: Automatic

Remote Registry
- Startup Type: Automatic

Remote Procedure Call (RPC)
- Startup Type: Automatic

3rd party Firewalls – and Group Policy Considerations

The Mac Data Collector may be run via a .cmd (command), or through Terminal (Macintosh’s Command Prompt).

Running As .cmd

After downloading the .zip file containing the Mac Data Collector, double click to extract it to a directory (jump drive, desktop, etc.).

This outputs a file called NetworkDetectiveMacCollector.cmd.

Double click the .cmd, and the collection will run. When complete, a .cdf is produced in the directory the scan was initiated from.

Scripting

If scripting, download and extract as above. You may then add the following optional arguments to change the output directory or filename:

| Argument | Result |
|---|---|
| -f | Specifies filename for .cdf |
| -d | Specifies output directory for .cdf |

Troubleshooting

If double-clicking the .cmd does not produce a .cdf, try deliberately running the .cmd from Terminal. Right click the .cmd and select Open With, then navigate to Terminal.

Appendix V – Push-Deploy Tool

The Network Detective Push-Deploy Tool pushes the local data collector to machines in a specified range and saves the scan files to a specified directory (which can also be a network share). The benefit of the tool is that a local scan can be run simultaneously on each computer from a centralized location. The output CDFs from the local scans can then be automatically uploaded using the Client Connector Network Detective add-on and downloaded to the Network Detective application for use in report generation.

The Push-Deploy Tool can be run from any machine on the network.

Step 1 – Download and Run

First, download the ZIP file and extract the contents either to a USB drive or directly to any machine on the target network. Then run NetworkDetectivePushDeployTool.exe

Step 2 – Complete Settings and Configuration

the machine. If the user is not an Administrator, supply a different set of credentials for an account with Admin privileges.

3. Input Network Detective Connector ID (optional). This feature requires the Client Connector, a Network Detective add-on that must be purchased separately.

Step 3 – Input Computers and/or IP Range

On the tab labeled Computers and Collection status, set the target computers. This can be done in one of several ways:

1. Add a single computer;

2. Add computers via text file (.txt);

3. Enter an IP range.

Step 4 – Start Collection

Click Start Collection in the bottom right corner to begin the scan.

A series of checks will be made to ensure that the user account entered has admin access to the machines, the remote PC has .NET 3.5 installed, and WMI is accessible.

If the tests pass for each machine (3 check marks), the PID will be created under status and a question mark (?) under the Collected CDF column. A completed scan will have a check mark.
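The Step 4 checks, together with the firewall exceptions and service settings listed in Appendix III, can be confirmed from the technician's machine before a push and re-run afterwards to confirm that any temporary policy changes were reverted. The following PowerShell is an added example, not RapidFire Tools code; the function name Test-CollectorPrereq and the sample host names are hypothetical, and the function only reads state.

```powershell
# Added example: read-only pre-flight check for one target machine.
# Test-CollectorPrereq is a hypothetical name, not a Network Detective command.
function Test-CollectorPrereq {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential   # optional; used for the WMI session only
    )

    $result = [ordered]@{ ComputerName = $ComputerName }

    # ICMP echo (the "Allow inbound echo request" policy).
    $result.Ping = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    # TCP ports from "Define inbound port exceptions". UDP 137/138 are
    # connectionless and cannot be confirmed with a simple connect test.
    foreach ($port in 135, 139, 445) {
        $result["Tcp$port"] = Test-NetConnection -ComputerName $ComputerName `
            -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    # WMI over DCOM (RPC on TCP 135 plus dynamic ports) rather than WinRM,
    # because DCOM is what the remote administration exception opens.
    $result.Wmi = $false
    $session = $null
    try {
        $cimArgs = @{
            ComputerName  = $ComputerName
            SessionOption = New-CimSessionOption -Protocol Dcom
            ErrorAction   = 'Stop'
        }
        if ($Credential) { $cimArgs.Credential = $Credential }
        $session = New-CimSession @cimArgs
        $result.Wmi = $true

        # Start mode and state of the three services in the System Services
        # policy. Win32_Service reports "Auto" for Startup Type: Automatic.
        foreach ($name in 'Winmgmt', 'RemoteRegistry', 'RpcSs') {
            $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                -Filter "Name='$name'"
            $result["Svc_$name"] = if ($svc) { "$($svc.StartMode)/$($svc.State)" } else { 'NotFound' }
        }
    }
    catch { $result.WmiError = $_.Exception.Message }
    finally { if ($session) { Remove-CimSession $session } }

    # Administrative share access, using the current logon token.
    $result.AdminShare = Test-Path -Path "\\$ComputerName\ADMIN`$"

    # .NET 3.5 install flag, read through the Remote Registry service.
    $result.DotNet35 = $false
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5')
        if ($key) { $result.DotNet35 = ($key.GetValue('Install') -eq 1) }
        $hklm.Close()
    }
    catch { $result.RegistryError = $_.Exception.Message }

    [pscustomobject]$result
}

# Usage with constructed host names:
# 'PC-01', 'PC-02' | ForEach-Object { Test-CollectorPrereq -ComputerName $_ } | Format-Table
```

A row that shows Tcp135 as True but Wmi as False usually points at the account or the DCOM dynamic port range rather than at the firewall exceptions themselves.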

Step 5 – Scan Output

On the tab labeled Collected Data Files there is a list of all output files and the output directory. To use this output to generate reports, these files must be imported into the Network Detective desktop application. For more information, please see the sections in this document on the Client Connector, Creating a Site, and Generating Reports.
