Identifies security vulnerabilities and recommends action (or
Once GFI LANguard N.S.S. has completed scanning a computer, it
categorizes security vulnerabilities and recommends a course of action (or
solutions). Wherever possible, further information or a web link is included
regarding the security issue, for example a BugTraq ID or a Microsoft
Knowledge Base article ID.
Fast TCP/UDP port scanning and service fingerprint identification
GFI LANguard N.S.S. includes a fast TCP/IP and UDP port scanning engine,
allowing you to scan your network for unnecessary open ports. While
identifying key open ports (such as www, FTP, Telnet, SMTP) through banner
processing, GFI LANguard N.S.S. will also query the service running behind
the detected open ports to ensure that no port hijacking took place.
Network-wide patch and service pack management
You can deploy missing service packs and patches network-wide, without
user intervention. GFI LANguard N.S.S. is the ideal tool to monitor that
Microsoft SUS is doing its job properly and it performs tasks SUS cannot do
such as; deploying Microsoft Office patches and custom software patches,
patch reporting and immediate deployment of high alert patches.
Patching support for multilingual operating systems
GFI LANguard N.S.S. supports detection of missing Microsoft security
updates and their deployment on both English and also on non-English Windows
Automatically downloads security patches and vulnerability information
Through its auto-update system, GFI LANguard N.S.S. is always kept
updated with information about newly released Microsoft security updates as
well as new vulnerability checks issued by GFI.
Automatically alerts you of new security holes
GFI LANguard N.S.S. can perform scheduled scans (for instance daily or
weekly) and can automatically compare the results to previous scans. Any new
security holes or changes appearing on your network are emailed to you for
analysis. This enables you to quickly identify newly created shares,
installed services, installed applications, added users, newly opened ports
Ensures that security applications such as anti-virus and anti-spam
offer optimum protection
It is possible to check that supported security applications such as
anti-virus and anti-spyware software are updated with the latest definition
files and are functioning correctly. For example, you may ensure that
supported security applications have all key features (such as real-time
Extensive, industrial-strength vulnerabilities database
GFI LANguard N.S.S. ships with a complete vulnerabilities database,
which also includes top SANS issues, as well as Linux and CGI
vulnerabilities. This vulnerabilities database is regularly updated with
issues reported to BugTraq, SANS, CVE and other sources. New vulnerabilities
can be downloaded automatically from the GFI website.
Easily creates different types of scans and vulnerability tests
Administrators can configure scans for different types of information;
such as open shares on workstations, security audit/password policies and
machines missing a particular patch or service pack. Different types of
vulnerabilities can be scanned for, and the scan can also be performed using
Enables easy filtering of scan results
Easily analyze the scan results by clicking on one of the default filter
nodes to show, for example, machines with high security vulnerabilities or
machines that are missing a particular service pack. Custom filters can be
easily created from scratch and it is also simple to customize existing
filters. You can also export scan results data to XML.
Finds all shares on your network
GFI LANguard N.S.S. enumerates all shares on your network, including
administrative and printer shares (C$, D$, ADMIN$) and shows you who has
access to the share. Use this feature to:
- Check if permissions of shares are set correctly
- Check whether a user is sharing his/her whole drive with other users
- Prevent anonymous access to shares
- Ensure that startup folders or similar system files are not shared as
this could allow less privileged users to execute code on target machines.
Finds unused local users and groups
GFI LANguard N.S.S. enumerates all local users and groups, and
identifies user accounts that are no longer being used. You may then remove
or disable these accounts, which could present a security risk to your
Lists and detects blacklisted applications
With GFI LANguard N.S.S. you can enumerate all the applications that are
currently installed on the target computers. You may also identify
unauthorized or dangerous software by specifying the list of blacklisted
applications that you want to locate and associate with a high security
Detects wireless nodes and links
GFI LANguard N.S.S. can detect machines or devices which are connected
to your network via a wireless link. Wireless links are a tremendous
security risk if they are not secured properly.
Allows you to predefine authentication details
GFI LANguard N.S.S. allows you to store separate authentication details
for every target computer on your network, avoiding the need to specify
authentication credentials prior to every scan. In a single scanning
session, it is possible to audit all the targets in your network, even if
they require different authentication details/methods.
Enables creation of custom vulnerabilities
Using scripts and conditions, you can add your own vulnerability checks
using conditions, such as checking for particular registry entries and
values. You can also write complex vulnerability checks using the GFI
LANguard N.S.S. VBScript-compatible script engine. GFI LANguard N.S.S.
includes a script editor and debugger to help with script development.
Checks if security auditing is enabled network-wide
GFI LANguard N.S.S. checks if each NT/2000/XP machine has security
auditing enabled. If not, GFI LANguard N.S.S. alerts you and allows you to
enable auditing remotely. Security event auditing is highly recommended – it
allows you to detect intruders in real time.
Deploys custom/3rd party software and patches network-wide
Besides deploying patches and service packs, GFI LANguard N.S.S. allows
you to easily deploy 3rd party software or patches network-wide. Use this
feature to deploy client software, update custom or non-Microsoft software,
virus updates and more. The custom software deployment feature obsoletes the
need for Microsoft SMS, which is too complex and expensive for small to
medium sized networks.
Scans for dangerous USB devices
USB devices can be a potential security problem since almost any device
can be connected. This creates a potential security risk and as an
administrator you have little control. GFI LANguard N.S.S. scans all devices
connected to the USB hub, filters authorized USB devices (such as the mouse)
and only alerts you to dangerous or unknown USB devices.
Reports NTFS and share permissions
GFI LANguard N.S.S. will display both share and NTFS permissions for all
shares in your network, allowing you to easily check and lock down your
Scans and retrieves OS data from Linux systems
It is possible to remotely extract OS data from Linux-based systems and
scan results are presented in the same way as for Windows. This means that
both Linux and Windows-based target computers can be investigated in a
single scanning session! GFI LANguard N.S.S. includes numerous Linux
security checks including root kit detection.
Authentication to Linux targets through SSH Private Keys
GFI LANguard N.S.S. can use SSH Private Key files instead of the
conventional password string credentials to authenticate to Linux-based
Silent installation support
You can perform an unattended default installation of GFI LANguard
N.S.S. on multiple computers in the background without any user interaction
or intervention. Customization of the deployment parameters is also possible
through the creation of Microsoft Transform (MST) Files.
- Automatically checks the password policy for all machines on the
- Checks for programs that run automatically (potential Trojans)
- Finds out if the OS is advertising too much information
- Performs simultaneous scans through the multithread scan engine
- Provides NetBIOS hostname, currently logged username and MAC address
- Provides a list of shares, users (detailed info), services, sessions,
remote TOD (time of day) and registry information from remote computer
- SNMP device detection, SNMP Walk for inspecting network devices like
routers, network printers and more
- Offers alternative command line deployment tool
- Identifies all installed Windows services.
You're in good company...
Many leading companies have chosen GFI LANguard N.S.S. Here are just a
few: Daimler Chrysler, NATO, Siemens Communications Limited, EDS, United
Overseas Bank Ltd, Virgin Mobile, Medical Research Council (UK), Anglicare,
KLM, and many more.
- Windows 2000 (SP4) / XP (SP2) / 2003 operating
- Internet Explorer 5.1 or higher.
- Client for Microsoft Networks component – this is
included by default in Windows 95 or higher.
- Secure Shell (SSH) – this is included by default in
every Linux OS distribution pack.