Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Privileges need to run GFI LAN guard scans

  1. #1

    Privileges need to run GFI LAN guard scans

    Does anyone know off hand if you need to be a Domain admin in order to scan a network with GFI LAN guard. Just an FYI, I know everyone is going to say why don't you just try it, but the reason I'm not able to is, an ongoing battle between me the "Security Officer" and the IT manager at my job. My coworkers in the IT department want to stop me from running vulnerability scans on the network so I don't reveal all the vulnerabilities they haven't patched and give them more work to do. That's the reason they are telling management that I need Domain Admin privileges to run scans, I'm pretty sure you should only need local admin privileges to scan. Any insights.

  2. #2
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    GFI LAN guard is a windows based tool, but a lot of security people use nessus which is unix based and is not even part of the domain to begin with and it does just fine.

    Sounds to me they are playing politics, not administrators.

    I believe your biggest problem you have there is education, education of your admins about the need for security, but I am guessing it will come to them when they get bit by some virus/trojan at an epidemic scale.

    I'm not trying to disrespect you, but as a "Security Officer" you also need to become a bit more seasoned/educated in information security matters. You should have known the answer to the questions you asked. But then again, everyone has to begin some where. Good luck. You need to get upper management buy in if you are going to get anywhere.

    [edit]

    In addition, those tools test for vulnerabilities that gain administrative access on their own, you wouldn't need administrative access to test against those vulnerabilities. The point is to test if they exist and you can gain it without access to begin with. They are snowing you

    [/edit]
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    So you want to scan your network...even though you dont have permission too...

    Is that not against your AUP.....

    Why dont you google it????

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    I do have a major politics problem at my job. Believe it or not I work at a wallstreet bank. I just recently got this job a few months ago and I've been battling with the CIO back and fourth on tons of security issues "security policies, sp1 machines, default passwords on boxes, passwords that don't expire, no patchmanagement and the list goes on. So in a nutshell I have many battles to fight. Now I do know the answer to the question I asked which is I should be able to be a local admin and run the scan with GFI lan guard. I just simply wanted other peoples feed back on the answer that is it. I spoke to the GFI the vendor on a conference call and they advised that some of the vulnerabilities that do registry checks "using their software" does need local admin or even on some domain admin privleges to properly get results from the scanner. I'm not sure if this is true or not that is why I'm asking anyone on the board who uses GFI.

  5. #5
    I do have permission from my direct management, although other management is trying to stop me from figuring out all the security issues in the network. I guess so I don't blow up his spot.

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Google...works well

    page 16 of the manual...

    http://www.gfi.com/downloads/downloa...d=lanss&lid=EN

    Yes it would be easier as domain admin as that is part of the local admin group...usually....

    and the newer MS OSes do not allow anonymous logon..... I do not know what exactly you are looking to do....how is the scanner supposed to get the info..without the proper privledges....

    Run it as non admin...I think all you will get though is machine names and mac addresses....maybe OS....

    If you grab more info...then you definately have a security issue....

    As security officer...you should be able to audit the network...no????

    Domain admin...is not server admin.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    There are a ton of vulnerabilities that were abused by virus/trojans such as code red, nimda and many many more, they did not have admin access, they took advantage of vulnerabilities that exploited and gained admin access.

    As a security professional, I always worked without admin access for 2 reason, Most off, the hackers nor virus have admin access, they gain it by exploiting, so I want to see the systems in the same light.

    Secondly, if I don't have admin access, I can't be blamed for things only an admin has access to do.

    Those exposures are the ones most important in my book, they can all be done remotely. If a hacker needs admin access to manipulate the registry, they only way they can get it without it being given to them is thru these exploits (no admin access). Once these vulnerabilities are fixed, then yes, attend to those that can be exploited once admin access is compromised. First things first.

    GFI langard originally only did netbios type interrogation, they have expanded to compete in the market and cover a wider range of exploits. Which as I have said already do not need admin access to exploit.

    My suggestion is to tell them, "Ok, I don't want admin access" and show them how vulnerable they are even without admin access. With total buy in from upper management of course!
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  8. #8
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Yes to conduct all the scans it is capable of you will need to enter the Domain Admins credentials in the 'Connect As' box...simple as.

    It can conduct the post scans and some SNMP audits and a few other tings with out the credentials but if you want to go for a complete audit you will need the Domain admins logon details.

    But without the domain admins credentials it is just an expensive prot scanner! Kind of!

  9. #9
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    I stand corrected, thanks Nokia I thought they expanded to compete with other vulnerability scanners. I still stand by my point concerning admin access. But it is apparent that would not work with this scanner. It checks by looking for patches versus testing for the actual exploit, same results though.
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  10. #10
    Hey Opus, there was no need to flame me before, honestly were all in the same industry here. I simply wanted a consensus opinion on this topic, since the vendor wasn't completely sure. In addition, you should know intimately that politics come into play with any security position "if your really in the field", especially since were the ones telling people in IT that there doing things wrong. So since you flamed me for being a "security officer" what is your current role.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •