STAT




STAT is a suite of commercial products from Harris Corporation (http://www.statonline.harris.com/) that includes STAT Neutralizer, STAT Analyzer, and STAT Scanner. STAT Neutralizer sits on individual Windows boxes and performs tasks such as forcing policy compliance, watching for virus infection, and proactively combating intrusion attempts. STAT Analyzer attempts to integrate several other commercial vulnerability scanners (including its own STAT Scanner) to give you a more complete, accurate, and nonredundant picture of the vulnerabilities on your network.

STAT Scanner is the actual auditing product in the STAT suite, so it gets the focus in this section. However, STAT Analyzer’s ability to integrate with other system auditing tools mentioned in this chapter (such as Nessus and ISS Internet Scanner) makes it worth checking out as well.

STAT Scanner (referred to as STAT for the remainder of this section) uses the same general setup used by other vulnerability scanners. STAT runs on a Windows NT/2000/XP Professional platform but can scan other operating systems, such as Windows 9x, Red Hat Linux, HP-UX, and Solaris. It performs best against Windows machines, because if you are logged in as a domain administrator while performing your scan, you’ll be able to assess machines for local vulnerabilities as well as remote vulnerabilities.

STAT doesn’t use a client/server model for its scanner architecture. The STAT Scanner must reside on each host that wants to perform scans. Another product called STAT Scanner Console can be used to combine, centralize, and correlate reports from multiple STAT Scanners. STAT releases new vulnerability checks on a monthly basis and has a secure web site from which you can download the latest checks (http://premier.harris.com/stat/).

Double-clicking each vulnerability found during a scan will provide a fountain of information about the problem, its severity, where to read more about it, and how to fix it. STAT also has the ability to “AutoFix” certain vulnerabilities, such as corrections that can be made in the Windows registry. If STAT can fix it by itself, an AutoFix button will be available.

Implementation

After you first install STAT, you’ll immediately be asked for your registration key. If you do not have one, you can at least run the application in Discovery Edition, which gives you a 30-day trial of the scanner but lets you run only a limited set of vulnerability checks (from the QuickScan.dat configuration file).

Figure 12-9: Stat’s interface

STAT has a command-line interface (detailed in Chapter 9 of its documentation), but STAT’s GUI is much more powerful. The interface is nicely organized, as shown in Figure 12-9. Below the menu and toolbar, the status of the currently selected machine and the configuration file (that is, policy or list of vulnerability checks to run) are displayed. The discovered vulnerabilities are listed in the main window. If you’re scanning multiple systems, you can choose to view those discovered vulnerabilities by individual machine or all machines at once. Each column can be sorted. At the bottom of the window, icons indicate how many vulnerabilities were found and of what level. You can also monitor the progress of the scan from here as the display updates itself regularly while it scans.

Configuring STAT

As with Nessus, you need to configure the security checks you wish to perform. STAT comes with several preconfigured DAT files, which contain categories of vulnerabilities for which you might like to scan. You can use these DAT files to scan for certain risk-level vulnerabilities, certain OS vulnerabilities, certain application vulnerabilities, or only the latest vulnerabilities. You can select a configuration file to scan against by choosing Configurations | Load Configuration From File from STAT’s main menu. You’ll see the window shown next.


The QuickScan.dat file is the best selection for beginners. It includes all of the available vulnerability checks with the exception of port scanning and file location checks. If you’re interested in checking only system policies (accounts, password expiration, and so on), use Policy.dat. Each DAT file has a descriptive name to help you make a choice that is best suited for your purposes.

If you prefer, you can make your own configuration using one of the preconfigured DATs as a template. Choose Configurations | Edit Configuration From File. Select one of the preconfigured DAT files to use as a basis, and you should see the window shown in Figure 12-10.

Figure 12-10: You can manually edit a configuration from this window.

In the Editing window, you can review each available check and decide which ones you want to perform. You can sort available vulnerabilities by ID, risk, name, or category. You’ll notice that a vulnerability check’s ID number begins with a single letter. This letter corresponds to the operating system for which that check is used (H for HP-UX, L for Linux, S for Solaris, and W for Windows). Highlighting a check will display information about the check at the bottom of the screen. Checks can be moved from the Available list to the Selected list (and vice versa) by using the arrow buttons. When you’re done making your selections, you can save your configuration as a custom DAT file to be used again for future scans by clicking the Save button.

You can also control several other scan options, such as logon and password policy thresholds, Windows audit policy standards, scan timeouts and concurrency, and report format defaults. All of these settings are available by choosing Edit | Options to open the Options dialog box shown in Figure 12-11.

Figure 12-11: Choose other scan options from the Options dialog box.

Note 

In the Options dialog box shown in Figure 12-11, you’ll see the option to Skip A Machine After [an indicated number of] Failed Vulnerabilities. This doesn’t mean the machine will be skipped if it fails 20 vulnerability checks (that is, if it has more than 20 vulnerabilities). Failure in this case means that the vulnerability check itself fails to return a value (either pass or fail) for that particular check. Some possible reasons for this kind of failure can be a lack of appropriate authorization or a broken network connection.
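The distinction the note draws (a "failed vulnerability" is a check that could not return a result, not a check that found a hole) is modelled in this added example; it is not STAT's code, and the check IDs and outcomes are constructed.

```python
# Added example (not STAT's code): models the "Skip A Machine After N Failed
# Vulnerabilities" option. A check that completes (host vulnerable or not)
# never counts toward the skip threshold; only checks that could not return
# a value at all (access denied, broken connection, ...) do.
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    PASS = "pass"      # check completed, host is not vulnerable
    FAIL = "fail"      # check completed, host IS vulnerable
    ERROR = "error"    # check could not return a value at all


@dataclass
class CheckResult:
    check_id: str      # e.g. "W0123"; the letter prefix names the target OS
    outcome: Outcome
    detail: str = ""


def run_checks(results, max_failed_checks=20):
    """Walk one host's check results in order and apply the skip rule.

    Returns (vulnerabilities, errors, skipped): IDs of checks that found a
    vulnerability, IDs of checks that could not complete, and whether the
    host was abandoned because too many checks could not complete. The
    default of 20 matches the dialog default mentioned in the text.
    """
    vulnerabilities, errors = [], []
    for r in results:
        if r.outcome is Outcome.FAIL:
            vulnerabilities.append(r.check_id)
        elif r.outcome is Outcome.ERROR:
            errors.append(r.check_id)
            if len(errors) >= max_failed_checks:
                return vulnerabilities, errors, True
    return vulnerabilities, errors, False


# Constructed sample: 25 real findings plus 3 checks that could not run.
# With the default threshold the host is NOT skipped despite 25 findings.
SAMPLE = ([CheckResult(f"W{n:04d}", Outcome.FAIL) for n in range(1, 26)]
          + [CheckResult(f"W{n:04d}", Outcome.ERROR, "access denied")
             for n in range(26, 29)])

if __name__ == "__main__":
    vulns, errs, skipped = run_checks(SAMPLE)
    print(len(vulns), "vulnerabilities,", len(errs),
          "checks failed to run, host skipped:", skipped)
```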

Our last task before starting the scan is to select our targets. From the main STAT menu, choose Machines | Select Machines. When you click the Find Machines To Scan button, you’ll be given three possible methods for selecting your machines. You can import a list of machines from a file, automatically discover machines on the network, or search a range of IP addresses. The automatic discovery works best on a Windows domain, where it can find all of the computers using NetBIOS over TCP (NBT). If you’re scanning in a mixed environment, you’re better off selecting an IP range. The NBT method will automatically detect the OS and domain name of the hosts it finds in Network Neighborhood. The IP range method uses nmap (see Chapter 4) to guess the operating systems of the hosts that respond to Pings.

Tip 

You may have better success combining the Network Neighborhood and IP range discovery techniques. We found that when using only the IP range technique, STAT (using nmap’s OS identification technique) missed important domain/workgroup information about some of the Windows hosts on the network. It also wasn’t as accurate in determining the operating systems of the Windows hosts, misidentifying an XP Home box as Windows 2000 Workstation and a Windows 2000 Workstation as “Unknown.” When we used the Network Neighborhood technique, it identified the Windows boxes correctly, but missed any non-Windows boxes. Using the Network Neighborhood technique followed by the IP range technique gave us an accurate list of machines for scanning.

STAT will start looking for systems on the network, using either Ping or NBT to discover them. After STAT has finished discovering machines on your network, you can choose to search for more using a different technique, or you can select which of the discovered machines you want to scan. Any hosts that are discovered will show up in the Machine Selection Wizard dialog shown in Figure 12-12. To select individual hosts, check the box next to the hostname, and then click the Next button; or click the Select All and Check Selection buttons to choose all discovered hosts. Click Next and Finish to continue.

Figure 12-12: Selecting targets to scan

After you’ve selected your machines, click Save and Close on the Machine List dialog. By default, STAT will automatically try to determine its administrative rights on your selected targets. If the user running STAT does not have administrative rights on each of the target machines, you will need to specify administrative login credentials for each machine or group of machines. In the following illustration, we’ve chosen to scan a Windows XP, Windows 98, Windows 2000, and a Linux system. We can provide authentication information and test logons using the Establish Administrative Rights dialog, shown next.


Many Windows 9x/XP boxes are set up without any concept of “users.” Because STAT requires certain privileges and remote capabilities to conduct its scan, you’ll have trouble scanning these kinds of boxes unless the machines are a member of a Windows domain. For XP Professional boxes without an Administrator login, you can work around a lack of domain by performing the following steps:

  1. Enable Remote Desktop (from the Remote tab in your System Properties in Control Panel).

  2. Click Select Remote Users to create an account that STAT can use to assess the machine remotely.

  3. To allow STAT to use this account remotely, make sure that the Client for Microsoft Networks and file sharing is installed in Network Properties and that Internet Connection Firewall (in the Advanced tab of Network Properties) is turned off.

  4. Finally, you’ll need to disable Simple File Sharing in the Advanced Settings of the Folder Options View tab.

  5. On the STAT side, you’ll need to make sure you authenticate to this machine using the new account. You may also want to consider tweaking the option that skips a host after a certain number of failed vulnerabilities (from Figure 12-11). Because you may still have some privilege limitations with this method, you may want to increase the value from the default of 20.

    Remember that for Windows boxes, you won’t have to perform the authentication step (step 5) if you’re scanning boxes for which you’re logged in as a domain administrator. STAT connects to Windows systems using net use (discussed in Chapter 6). If it’s a Unix system, STAT needs a valid user account on the box, preferably root. STAT will attempt a Secure Shell (SSH) connection to the box to conduct its scan.

    Note 

    STAT requires accounts on the systems it scans because many of the vulnerabilities it looks for are local vulnerabilities that can’t be assessed from a remote network location.

  6. After you’ve set up your targets and authentication, click OK. You can save your machine list for future use by choosing Machines | Save Machines To File.

Starting the Scan

For this scan, we’ve set up the default options using the QuickScan.dat configuration DAT file and are scanning four systems.

  1. After selecting the machines you want to scan, you’ll be returned to the main STAT Scanner window (shown in Figure 12-9). The machines you selected during the discovery process will now be shown in the left pane. If you still need to configure authentication or test access on any machines in the list, you can do so by right-clicking a machine and choosing either Authenticate or Test Access. It’s a good idea to do this with each host to make sure you have the access you need. When you’re ready to go, highlight (select) all the systems you want to scan by holding down SHIFT and clicking on the desired systems.

  2. Choose Analysis | Perform An Analysis to start the scan.

  3. When the scan is complete, STAT will generate two reports: a scan summary and a ports and services report. These reports give you information about the scan as well as the ports and services found running on the machines.

  4. In the STAT Scanner window, shown in Figure 12-13, you can see the results of the scan. The vulnerabilities are sorted by risk factor by default. You can also quickly see which vulnerabilities have AutoFixes available for them.

    Figure 12-13: Results of the scan

  5. Double-click a particular vulnerability, and you’ll get more information about it, as shown in Figure 12-14. This screen provides information that can help you decide whether you need to act. Remember that even though many of the items in the STAT reports are problems that need to be fixed, many of the lower risk warnings that STAT provides are simply configuration and policy suggestions. Sometimes they may even be false alarms, depending on how the check is performed.

    Figure 12-14: Vulnerability information

  6. Before you attempt to fix every vulnerability that STAT finds, make sure that doing so won’t break any of your applications in the process. For example, STAT may warn you that IIS is running and should be disabled if you don’t need it. But if you do need a web server running on that box, obviously you want to ignore this warning. However, if STAT tells you that IIS is vulnerable to a buffer overflow and should be patched immediately, that’s the kind of warning you’ll want to heed rather swiftly. Be careful with STAT warnings regarding the Windows registry as well. Some registry changes could cause undesirable side effects, so fix it only if you’re fairly certain it won’t affect any of your applications. The Vulnerability information window contains links to online advisories and articles so you can learn more about the consequences of ignoring or repairing each vulnerability. Once you’ve determined that you need to fix a vulnerability, click the AutoFix button (if it’s available), or you can follow the Solution instructions in the Vulnerability information window (see Figure 12-14) to fix it yourself.

  7. Click the Retest button after you’ve fixed the vulnerability to make sure you have actually fixed it.

Note 

No vulnerability scanner is perfect. Sometimes STAT will report false positives. Occasionally you may fix a vulnerability, but STAT still claims it’s vulnerable, even though you know the patch has been installed. STAT is meant as a guide, not a step-by-step “how to secure the network” manual. As with any tool, use common sense while operating it.

As you conduct scans, STAT keeps a history of each scan (as well as a history of each AutoFix). This lets you track what you’ve done and when you did it, and it also lets you compare scan results (discussed in the next section) to determine when a certain vulnerability might have been fixed.

Using Reports

STAT has many reporting formats and options available on the Reports menu. Choose a format, choose a scan, and STAT generates the report. An example Executive Summary report is shown in Figure 12-15.

Figure 12-15: STAT Executive Summary report

You can print the report or export it into any number of file formats, including Excel files, comma-separated value (CSV) files, Crystal Reports, HTML, MS Access, Word, or even plain text.

If you choose Reports | Compare Scan Results in the STAT Scanner window, you’ll see a list of your previous scans. From this dialog, you can select a number of scans and create a report comparing the results of those scans. This lets you see what has changed from one scan to another.
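As an added example (not the book's or STAT's own code), the following script works through the scan-history comparison described here and in the earlier note on scan history: given a series of saved scans, it reports per host which findings are new, which persist, and in which scan a finding first stopped appearing. The scan labels, host names and vulnerability IDs are constructed.

```python
# Added example (not STAT's code): compares a series of saved scan results
# the way "Compare Scan Results" is described, so you can see what changed
# between scans and when a finding may have been fixed.
from collections import defaultdict

# Constructed scan history: (scan label, host, set of vulnerability IDs found).
# IDs follow the page's convention of an OS letter prefix (W = Windows, L = Linux).
SCAN_HISTORY = [
    ("2004-01-05", "winxp1", {"W0101", "W0207", "W0330"}),
    ("2004-01-05", "linux1", {"L0012", "L0044"}),
    ("2004-02-02", "winxp1", {"W0101", "W0330", "W0412"}),
    ("2004-02-02", "linux1", {"L0044"}),
    ("2004-03-01", "winxp1", {"W0330"}),
    ("2004-03-01", "linux1", {"L0044", "L0090"}),
]


def compare_scans(history):
    """Return {host: {"new": {id: scan}, "fixed": {id: scan}, "persistent": set}}.

    "new" maps an ID to the scan in which it first appeared after the host's
    first scan; "fixed" maps an ID to the first later scan in which it was no
    longer reported (the earliest point at which it could have been fixed);
    "persistent" holds IDs reported in every scan of that host.
    """
    per_host = defaultdict(list)
    for label, host, vulns in history:          # history is in scan order
        per_host[host].append((label, vulns))
    report = {}
    for host, scans in per_host.items():
        new, fixed = {}, {}
        seen = set(scans[0][1])       # every ID reported so far
        previous = set(scans[0][1])   # IDs reported in the preceding scan
        for label, vulns in scans[1:]:
            for vid in vulns - seen:
                new[vid] = label
            for vid in previous - vulns:
                fixed.setdefault(vid, label)   # keep the first disappearance
            seen |= vulns
            previous = set(vulns)
        persistent = set.intersection(*(v for _, v in scans))
        report[host] = {"new": new, "fixed": fixed, "persistent": persistent}
    return report


if __name__ == "__main__":
    for host, r in compare_scans(SCAN_HISTORY).items():
        print(host, "new:", r["new"], "fixed:", r["fixed"], "persistent:", r["persistent"])
```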

Summarizing STAT

STAT’s biggest strength is in its ability to scan Windows boxes on a domain. Its assessing technique allows it to conduct an extremely detailed and thorough scan (including policies, registry settings, and file permissions) of every Windows box on the domain from a single, central location. Although STAT can scan and detect vulnerabilities on Unix systems, other scanners such as Nessus are more tailored to Unix machines. Perhaps that is why STAT’s Analyzer product lets you combine the power of STAT, ISS Internet Scanner (covered later in this chapter in “Internet Scanner”), and the Windows Nessus client into one package. Even so, if you’re on a Windows network, STAT scanner can be an invaluable tool for keeping your machines safe.






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189