Foundstone 6.5
6.5 Enterprise Manager Administrator Guide

COPYRIGHT
Copyright © 1999-2007 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARKS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes the distribution of third-party or open source code, which may be subject to the terms of different license agreements. Refer to the Foundstone_Licenses.pdf file and the applicable third-party code files included with this product distribution.

Issued 11/28/2007 09:40 / Foundstone Publication 700-1618-00 / Document Build 1.0 - English

Contents

Welcome to Foundstone ........ 6
  What's New in Foundstone 6.5 ........ 6
  Contacting Technical Support ........ 7
  Submitting Product Feedback ........ 7
  Getting Started ........ 8
    Logging On ........ 8
    Setting up your Account ........ 9
    Running your First Scans ........ 10
    Getting Started - Reviewing Scan Results ........ 15
How To Use Foundstone 6.5 ........ 16
  Foundstone Enterprise Manager Overview and Concepts ........ 16
    Role-Based Access ........ 16
    Organizational Hierarchy ........ 17
  How to Create and Edit User Accounts ........ 19
  How to Create and Edit Assets Groups ........ 21
  How to Create and Edit a Workgroup ........ 22
  How to Manage Remediation Tickets ........ 23
Foundstone 6.5 Reference Guide ........ 25
  Using the HOME Page ........ 25
    Running a Quick Scan ........ 28
    Selecting which scan to view ........ 29
    Foundscore Overview ........ 29
  Using the Dashboard ........ 30
    Dashboard - Risk Level Tab ........ 31
    Dashboard - Risk by Scan Tab ........ 34
    Dashboard - Risk by Platform Tab ........ 35
    Dashboard - Risk by Vulnerability Tab ........ 37
    Risk Details ........ 39
    Dashboard Configuration ........ 40
  Working with Reports ........ 41
    Working with Asset Report Templates ........ 42
    Generating Scan Reports ........ 60
    Viewing the Report Queue ........ 62
    Viewing Finished Scan Reports ........ 64
    Viewing Finished Asset Reports ........ 66
  Report Content ........ 67
    Reviewing HTML and PDF Reports ........ 67
    Reviewing CSV Reports ........ 121
    XML Report Content ........ 122
    Customizing Report Headers ........ 123
  Working with Alerts ........ 124
    Alerts ........ 125
    Detailed Host Report ........ 126
    Vulnerability Details List ........ 129
    Alerts - Setup ........ 130
  Managing Assets ........ 131
    Viewing an Asset's Properties ........ 134
    Managing Asset Identification Rules ........ 136
    Viewing All or Active Assets ........ 138
    Clearing Asset Attributes ........ 139
    Searching for Assets ........ 140
    Asset Groups ........ 147
    Criticality Levels ........ 154
    Asset Owners ........ 155
    Asset Activity Status ........ 156
  Managing Data Sources ........ 156
    To create an ePO Data Source ........ 158
    To create an LDAP Data Source ........ 159
    To schedule a Data Source ........ 162
    To delete a Data Source ........ 163
    To edit a Data Source ........ 164
    To test a Data Source ........ 164
  Managing Engines ........ 165
    Default Engine Settings ........ 167
    Adding an FS850 Appliance ........ 175
    Managing an FS850 Appliance ........ 187
  Managing Users, Groups, Organizations and Workgroups ........ 206
    Working with Root Organizations ........ 210
    Working with Workgroups (Sub-Organizations) ........ 228
    Working with Scans in the Group Properties ........ 240
  Managing User Accounts ........ 241
    Creating New Users ........ 241
    Editing User Properties ........ 244
    Deleting Users ........ 249
    Viewing a User's Activity Log ........ 249
    MY ACCOUNT ........ 250
  Managing User Groups ........ 252
    Creating New Groups ........ 253
    Editing User Group Properties ........ 253
    Deleting User Groups ........ 258
    Adding and Removing Users from Groups ........ 258
    Using the Default Groups ........ 259
  Managing Notifications ........ 259
    Specifying User Settings ........ 262
    Specifying Organization Settings ........ 263
    Specifying When Event Notifications Should be Sent ........ 263
    Enabling SNMP Notifications ........ 265
    Enabling Email Notifications ........ 267
  Managing Custom Community Strings ........ 269
    SNMP Settings user interface ........ 269
    Configure Policy Manager ........ 272
  Managing Metrics - FoundScore Settings ........ 272
    How FoundScore is Calculated ........ 275
    Metrics - General Settings ........ 282
    Metrics - External Scan Settings ........ 284
    Metrics - Internal Scan Settings ........ 286
  Working with Scans ........ 288
    Scan Status ........ 290
    Creating New Scans ........ 291
    Editing Scans ........ 293
    Viewing Scan Templates ........ 295
    Centralized Scan Management ........ 296
    Scan Templates ........ 298
    Scan Properties ........ 358
    Vulnerability Filters ........ 410
    Search ........ 414
  Working with Compliance Scans ........ 416
    Windows Policy Settings ........ 416
    Creating a Compliance Scan ........ 420
    Viewing Compliance Reports ........ 420
  Managing Remediation ........ 423
    Remediation - Rules ........ 423
    Remediation - Global Options ........ 428
    REMEDIATION Menu ........ 429
  Managing Threats ........ 449
    Threat Correlation ........ 451
    Threat Response Compliance ........ 453
    Threat Configuration - User Options ........ 461
    Threat Configuration - Global Options ........ 463
    Business Unit Setup ........ 465
Troubleshooting ........ 470
  Why does my browser ask me to load JRE? ........ 470
  Why does my browser show a Hostname Mismatch warning? ........ 470
  Why is a Scan Engine missing from the Manage > Engines list? ........ 471
  Why does my LDAP data synchronization fail? ........ 472
  Uploading reports doesn't work ........ 473
Index ........ 474

Welcome to Foundstone

McAfee® Foundstone® applications help organizations identify and protect the assets that matter most — those that drive business continuity or store mission-critical data. This solution allows managers to continuously monitor, respond to, and adjust to a changing risk environment. Foundstone assessment and management solutions provide continuous protection of the right assets, from the right threats, with the right measures.

This guide covers the Foundstone Enterprise Manager and contains two major sections:
• How To Guide - a task-oriented introduction to help you perform the most common tasks in Foundstone 6.5
• Reference Guide - complete documentation on all Foundstone Enterprise Manager features

What's New in Foundstone 6.5

Welcome to Foundstone 6.5. This release makes it easier than ever to customize network policy scripts for compliance reports. It adds integration with LDAP servers, and removes the need to choose an engine when configuring a scan. New features include the following:
• Policy Compliance
• Custom Community Strings
• Adding a LDAP server as a Data Source
• Centralized Scan Management

Policy Compliance
With the Foundstone Enterprise Manager Windows Policy Manager, you can customize your Windows Policy settings to match your company's policy compliance requirements. You can then use the Windows Policy Template Scan to scan your network to see which hosts are compliant and which are non-compliant for each of your policy settings. This can save you time by identifying which policy settings must be adjusted for a scanned host on your network.

Custom Community Strings
In Foundstone 6.5 you can now list custom community strings used by your SNMP servers. This allows Foundstone to discover SNMP servers running custom community names and to use these names to discover and assess vulnerabilities on the SNMP servers.
Adding a LDAP server as a Data Source
With the Foundstone Enterprise Manager Data Sources, you can add an LDAP server to your list of data sources. You can browse for assets on your LDAP server to include or exclude in a scan configuration.

Centralized Scan Management
Using centralized scan management, when a workgroup has more than one engine, you can assign engines to automatically run scan jobs so that users do not have to choose an engine within the scan itself.

Contacting Technical Support

DOWNLOAD SITE
Homepage: http://www.mcafee.com/us/downloads/
• Products and Upgrades (valid grant number required)
• Product Evaluation
• McAfee Beta Program

TECHNICAL SUPPORT
Homepage: http://www.mcafee.com/us/support
KnowledgeBase Search: http://knowledge.mcafee.com/
McAfee Technical Support ServicePortal (Logon credentials required): https://mysupport.mcafee.com/eservice_enu/start.swe

CUSTOMER SERVICE
Web: http://www.mcafee.com/us/support/index.html or http://www.mcafee.com/us/about/contact/index.html
Phone: +1-888-VIRUS NO or +1-888-847-8766
Monday-Friday, 8 a.m.-8 p.m., Central Time (US, Canada, and Latin America toll-free)

PROFESSIONAL SERVICES
Enterprise: http://www.mcafee.com/us/enterprise/services/index.html
Small & Medium Business: http://www.mcafee.com/us/smb/services/index.html

Submitting Product Feedback

McAfee is always interested in learning from you how Foundstone performs in your environment, and what we can do to enhance it.

To submit feedback
• Click the Submit Product Feedback link at the bottom left corner of any page in the Foundstone Enterprise Manager. The link directs your browser to the feedback page on the McAfee Web site. Use the form displayed to share your experience or to submit feature requests for future versions.
Getting Started

If you're new to Foundstone 6.5, these are the steps you can take to get familiar with the product and its interactions with your network.
1 The Global Administrator is created automatically upon installation. When you bring up the first FoundScan Engine on the system, it asks you to set the password for the Global Administrator account. See the Foundstone Enterprise Installation Guide for more details.
2 Log on as the Global Administrator to create the top level organization(s) and a Root Organization Administrator account for each. See the Foundstone Enterprise Installation Guide for more details.
3 Log on as the Root Organization Administrator to create workgroups and all other accounts needed in the organization.
4 Set up your account (see "Setting up your Account" on page 9). Specifically, change your password and keep it secure.
5 Create and run your first scan (see "Running your First Scans" on page 10).
6 Check the results of the scan (see "Getting Started - Reviewing Scan Results" on page 15).

Logging On

All Foundstone Enterprise Manager users must provide their organization name, username and password to log onto Foundstone 6.5. The logon page appears when you browse to your Foundstone 6.5 URL. Foundstone 6.5 also supports third-party authentication products like Netegrity's SiteMinder application.

Note: If you attempt to log in to the Foundstone Enterprise Manager immediately after completing the installation, there may be a brief period of time when the submenus are not available. Please wait a minute or two for all components to connect after the installation process.

Procedures
On the Logon page you can do the following:
• Enter your credentials.

Figure 1: Logon Page

Logon Settings
Setting: Description
Organization: Enter the name of the root organization; do not use a workgroup name.
User Name: Enter the name assigned to you by the person that created your account.
Password: Enter the password assigned to you by the person that created your account. Once you are logged in, you can change your password on the account management page.

Setting up your Account

To get here if you are the Root Organization Administrator or a Workgroup Administrator, click MANAGE > USERS/GROUPS. Navigate to the administrators group under your organization or workgroup. Right-click your account and select Properties. If you are logged on as a Foundstone User or Global Administrator, see My Account (on page 250).

When you first log onto Foundstone 6.5, check your account and update it with correct information. Do the following:
• Make sure that your contact information, username and settings are correct.
• Change your password to make it your own.

Figure 2: User properties - General settings tab

As an administrator, you don't need to make any changes to the settings on the Member of or Access Rights tabs.

Running your First Scans

To get here, click SCANS > NEW SCAN.

First Scan: Discovery
To get familiar with Foundstone 6.5, run a discovery scan on your network. This type of scan searches for live hosts and running services on your network. It produces a basic set of HTML reports that you can view through your browser. The easiest way to do this is by using a template that has already filled most of the settings for you. See Creating your First Scan (on page 10) for more information.

Second Scan: SANS Top 20
After you finish creating a discovery scan, try running a SANS Top 20 scan on a small portion of your network. For example, choose one or two class C network segments. You can quickly create a SANS Top 20 scan by following the same steps you used in the discovery scan. When you select the template to use, choose the SANS Top 20 template instead of the Discovery template.
Future Scans: Start Experimenting
Now that you have performed a couple of small tests, and reviewed the results from them, you can start experimenting with the various settings available in Foundstone 6.5. As you become more familiar with the various scan properties, you can refer to the Foundstone Performance Tuning Guide for help in fine-tuning your scans. This document and others will be available through Technical Support shortly after Foundstone 6.5 is released. If you're using Remediation, start looking at your Remediation Tickets (see "REMEDIATION Menu" on page 429) to determine what should be done with the vulnerabilities discovered on your network. You may want to experiment on small networks or test environments first.

Creating your First Scan

For your first scan, use a default template to pre-set your scan settings to run a discovery scan on your network.

To create and run a discovery scan
These steps create a scan in the organization or workgroup (sub-organization) to which you belong.
1 In the Foundstone Enterprise Manager, on the menu bar, click SCANS > NEW SCAN.
2 Click Use a Foundstone template.
3 Select the radio button by the Discovery Scan template.

Figure 3: New Scan - choose a template, scan, or defaults

4 Click Next. The Scan Properties page opens.
5 Enter the IP Ranges to scan.
6 Under Name, enter a name for this scan. For example, type Discovery Scan.
7 Enter the IP addresses you want to include. Since this is a discovery scan, you can enter all the IP addresses in your organization or workgroup. See Entering IP Ranges for more information.
8 Click Next.

Figure 4: Scan Properties - IP Selection Tab

Activate the Scan
1 Click the Scheduler tab.
2 Select Active. The Schedule type should already be set at Immediate.
3 If you have multiple scan engines available, select the scan engine and NIC to be used by this scan.
Note: If AutoSelect is enabled, by default the scan will use the scan engine assigned to the IP Selection.
4 Click OK to start the scan.

Figure 5: Scan Setup - Schedule Tab

Checking Scan Status

To get here, click SCANS > SCAN STATUS.

After a scan has started, you can see its progress, or monitor any number of scans happening on your system at any time by using the Scan Status page. This page shows the progress of the scans you can view. It lists the pending and active scans so that you can monitor their status.

Procedures
On the Scan Status page you can do the following:
• See which scans are running and view the progress of active scans.
• Pause and Resume running scans.
• Cancel running scans.
• Click Refresh to update the information.

Figure 6: Scan Status page

Features and Settings
Column Heading: Description
Engine: This is the name of the engine running the scan.
Name: Shows the name of the scan configuration used for this scan.
Job ID: This is the internal number assigned to the scan job.
Start: Shows the date/time the scan began.
Stop: Shows the date/time the scan ended.
Duration: Shows the amount of time that elapsed between the start time and the stop time. This amount includes any time the scan was interrupted or paused.
Progress: Shows the "percent complete" value for this scan.
Status: Shows the current status of the scan: Running, Complete, Error.
Hosts Found: Shows how many hosts were discovered by the scan.
Action: Note: Clicking either action button refreshes the page. Pause - Pauses the scan and changes to Resume. Click Resume to continue running the scan. Cancel - Stops the scan and removes it from the queue.
Refresh: Update the scan status information.
Clear all Inactive: Remove all inactive scans from the queue.
Note: This page only shows the scans that are available to your user account.

Getting Started - Reviewing Scan Results

To get here, click Home.

After you have run a discovery scan, check the details of the scan. Review the results. The Foundstone Enterprise Manager home page (see "Using the HOME Page" on page 25) shows a summary of alerts and reports, and a dashboard overview for the most recent completed scan.

Alerts (on page 125)
Click Alerts on the Home page (or on the menu) to delve into the problems discovered by the scan.
• New vulnerabilities
• Services
• Hosts

Reports (see "Viewing Finished Scan Reports" on page 64)
The report section on the Home page includes the FoundScore, general statistics, and top vulnerabilities for the selected scan. Review the reports for a detailed topology map of your network. Scans that include vulnerability checking produce more reports than the discovery-only scans. See for more information.

Executive Dashboard (see "Using the Dashboard" on page 30)
The Executive Dashboard provides a chart that shows the history of the FoundScore for the selected scan. This chart will grow and become more useful as you run subsequent scans and produce more data.

How To Use Foundstone 6.5

This section provides step-by-step instructions for the most common tasks performed in Foundstone 6.5. The reference section explains each feature in more detail.

Foundstone Enterprise Manager Overview and Concepts

The Foundstone Enterprise Manager provides a Web interface that allows you to run Foundstone 6.5. Whether or not you can use specific menu items and features is controlled by several factors, including the following:
• Your Foundstone 6.5 license determines which additional functionality you can use in Foundstone. For example, the Threat Correlation Module requires a specific license.
• Your login type (Foundstone User, Root Organization Administrator, Workgroup Administrator, Remediation Administrator, or Global Administrator) determines your access to scans, workgroups, and other areas of Foundstone.
• If logged on as a Foundstone User, your individual access rights (see "User Properties - Access Rights" on page 247) affect what you can see. An administrator needs to grant you explicit access to view, edit or launch a particular scan.
• If you are a member of a user group (see "Managing User Groups" on page 252), you inherit the same access rights given to that group.

Role-Based Access

Foundstone 6.5 controls access to information based on users' roles. These roles are implemented through the Foundstone Enterprise Manager. Anyone directly using the FoundScan Console has the privilege level of the Global Administrator.

Administrative Roles
• The Global Administrator is a built-in role. The password is set the first time the FoundScan Console application is run. It is used to set up the top-level organization(s), and create the Root Organization Administrator for each organization. The Global Administrator can also set up workgroups under an organization, and can create users and user groups. The Global Administrator can also move top-level organizations to become workgroups under other organizations, if needed.
Note: If you are logged onto the Foundstone Enterprise Manager as a Global Administrator and want to view data from a specific organization, you must log off and log back on as a Root Organization Administrator for that organization.
• The Root Organization Administrator and Workgroup Administrator roles are created by higher level administrators such as the Global Administrator. They have full access to their assigned organization or workgroup and any sub-workgroups within their own workgroup.
They manage assets, scan configurations, user accounts, remediation tickets, and scan engines. Note: The Root Organization Administrator manages the FoundScan Engine settings (see "Managing Engines" on page 165) from the Foundstone Enterprise Manager. Workgroup Administrators do not have access to FoundScan Engine settings. In Foundstone 6.5 you can create the following remediation roles: • • • • The Remediation Administrator is created by adding users to the built-in Remediation Administrator group. This person can manage remediation tickets for the entire organization. The Remediation Manager is created by creating a user group with Remediation Manager access rights, and adding users to that role. This group can be created on a workgroup level and allows granular access to remediation tickets based on scans. These users do not have access to run scans, but have full control over tickets. The Remediation Reviewer is created by granting a user group with "View Remediation Tickets by Scan" rights. Members of that group are allowed to view any tickets for the scans they can view.A remediation view group can be created in this same manner, giving the group the ability to view any number of tickets based on the scans you allow them to access. These users do not have access to run scans or manage tickets. The Default (remediation-only) User refers to any user that has not been granted explicit access rights. All users and Workgroup Administrators can access any remediation tickets assigned to them, regardless of the workgroup to which the ticket belongs. Additional levels of access to scans can be provided to users by changing their access rights in the user's properties. Organizational Hierarchy Organization - The top-level (root) organizational unit. Each organization contains a set of users, user groups, and scans. They may also contain additional workgroups. 
Workgroup - A sub-organization under the top level.

Figure 7: Foundstone is the organization; the others are Workgroups.

Organization or workgroup administrators are also administrators for sub-workgroups. This allows the administrator to view scans, reports, alerts, and any other information from those sub-workgroups. At the top level, the organization administrator can see all workgroups within the organization. This provides a top-level view of the organization, and the ability to drill down into individual reports and alerts to see specific details.

Administering Organizations and Workgroups

Administering Organizations

The Organization always has an Organization Administrator who is responsible for it. The Organization Administrator can break the organization into Workgroups, and can create Workgroup Administrators to be responsible for individual Workgroups. However, individual Workgroups can also be administered by the Organization Administrator; the Workgroup Administrator is an optional role.

Figure 8: Hierarchy: A = Enterprise, 1 = Organization, 2 = Workgroups

Multiple Organizations

The Global Administrator can create multiple root organizations in your enterprise; however, these are considered completely separate entities. They are not related to each other and do not share data.

IP Pools in Workgroups

The top level organization contains all IP addresses that can be scanned by the organization. These IP addresses should be assigned to specific workgroups within the organization to distribute the scanning workload. Any workgroup's IP Pool must be a subset of the organization's IP Pool.

Note: While it is possible to overlap IP Pools within the organization, McAfee does not recommend it; this practice may result in more than one workgroup scanning the common IP addresses.
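The two IP Pool rules above (a workgroup's pool must be a subset of the organization's pool, and sibling workgroups should not overlap) can be checked before the ranges are entered on the IP Pool tab. The following Python is an added example, not part of the guide or the product; the organization and workgroup pools are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample layout (not from the guide): one organization IP Pool and
# three workgroup IP Pools, given as CIDR strings.
ORG_POOL = ["10.0.0.0/8", "192.168.0.0/16"]
WORKGROUPS = {
    "Finance": ["10.1.0.0/16"],
    "Engineering": ["10.1.128.0/17", "192.168.10.0/24"],  # overlaps Finance
    "Field": ["172.16.0.0/12"],                           # outside the organization pool
}


def parse_pool(ranges):
    """Turn a list of CIDR strings into ip_network objects (host bits are tolerated)."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def outside_parent(pool, parent):
    """Return the networks in `pool` that are not contained in any network of `parent`."""
    return [
        net for net in pool
        if not any(net.version == p.version and net.subnet_of(p) for p in parent)
    ]


def check_workgroup_pools(org_pool, workgroups):
    """Apply the guide's two IP Pool rules to every workgroup.

    Returns a list of (rule, detail) findings; an empty list means the layout is clean.
    "not-subset": a workgroup range lies outside the organization IP Pool (must be fixed).
    "overlap":    two workgroups share addresses (possible, but not recommended, because
                  both workgroups may end up scanning the same hosts).
    """
    org = parse_pool(org_pool)
    parsed = {name: parse_pool(ranges) for name, ranges in workgroups.items()}
    findings = []

    for name, pool in parsed.items():
        for net in outside_parent(pool, org):
            findings.append(("not-subset", f"{name}: {net} is outside the organization IP Pool"))

    for (a, pool_a), (b, pool_b) in combinations(parsed.items(), 2):
        for x in pool_a:
            for y in pool_b:
                if x.version == y.version and x.overlaps(y):
                    findings.append(("overlap", f"{a} {x} overlaps {b} {y}"))

    return findings


if __name__ == "__main__":
    for rule, detail in check_workgroup_pools(ORG_POOL, WORKGROUPS):
        print(f"{rule:<11} {detail}")
```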
Initial Setup - Organizations and Workgroups

An organization can only be created by a Global Administrator, or anyone working from the FoundScan Console (FoundScan Engine). Once an organization and Root Organization Administrator have been created, the Global Administrator or Root Organization Administrator can create workgroups under that organization.

Important: The FoundScan Console application does not require you to log in. Access to the FoundScan Engine is enough to gain administrative access.

How to Create and Edit User Accounts

This section provides information on how to create and manage users and groups.

Quick steps to creating a new user
1 From the Foundstone Enterprise Manager, navigate to MANAGE > USERS/GROUPS. From the FoundScan Console, navigate to File > Users/Groups/Scans.
2 Right-click the organization to which you are adding the new user, and choose New > User from the shortcut menu. The New User page (see "Creating New Users" on page 241) appears.
3 In the New User - General (see "User Properties - General" on page 244) page, enter the user's name (required).
4 Enter and then confirm the password for this user (required).
5 Enter a valid email address for this user (required).
6 Enter the user's real first name and last name (required).
7 If desired, enter the user's primary and secondary phone numbers (optional).
8 Make sure Unlocked is selected for the user's lock status. If the account is locked, the user cannot log into the Foundstone Enterprise Manager.
9 Click Next.
10 In the New User - Member Of (see "User Properties - Member Of" on page 246) page, specify the groups to which this member belongs. Select the group name under Available Groups and click to add the group to the Member Of list.
11 Click Next.
12 In the New User - Access Rights (see "User Properties - Access Rights" on page 247) page, assign rights to this user. Members of the Administrators group have full rights by default.
13 Click Finish.

Quick steps to editing a user
1 Navigate to the organization or workgroup to which the user belongs, right-click the user, and choose Properties.
2 In the New User - General (see "User Properties - General" on page 244) page, make any changes needed to the user's general information. This is also where you can change the user's password, if necessary.
3 Select the Member Of (see "User Properties - Member Of" on page 246) tab, and make any changes to the groups to which this user belongs.
4 Select the Access Rights (see "User Properties - Access Rights" on page 247) tab, and make any changes to the assigned rights for this user.
5 Click OK to save your changes and exit the user Properties pages.

How to Create and Edit Asset Groups

This section provides information on how to manage assets in your organization, including how to create asset groups, and assign criticality levels and asset owners.

Quick steps to creating asset groups
1 In the Foundstone Enterprise Manager, navigate to MANAGE > ASSETS. Or, from the FoundScan Console, navigate to File > Users/Groups/Scans. On the resulting page, right-click an organization or workgroup, and choose Manage Assets from the shortcut menu.
2 In the Assets tree pane, right-click the group under which the new group will be located and choose New Group from the shortcut menu. The New Group dialog box (page 152) appears.
3 Enter the Label for the group, and select the Criticality and Owner.
4 Click OK to save your changes.

Quick steps to assigning assets to groups
1 In the left pane, navigate to the network class containing the asset(s) you want to add to the group.
2 In the right pane, select the first group of assets to add to the group.
• To select multiple addresses, press and hold the CTRL key on the keyboard as you select IP addresses.
• To select a range, click the first address. Press and hold the SHIFT key and click the last address.
3 Right-click the selected address(es) and choose Move to Group from the shortcut menu.
4 In the Move to Group dialog box (on page 151), do one of the following:
• To use an existing group, choose the desired group.
• To create a new group, click New Group. You can create several new groups in the New Group dialog box (on page 152) before assigning the IP Addresses.
5 After selecting the desired group, click OK.

How to Create and Edit a Workgroup

This section provides information on how to create and manage root organizations and workgroups (sub-organizations).

Quick steps to creating a new workgroup
1 From the Foundstone Enterprise Manager, navigate to MANAGE > USERS/GROUPS. Or, from the FoundScan Console, navigate to File > Users/Groups/Scans.
2 Right-click the workgroup or organization under which you want to create the new Workgroup and choose New > Workgroup from the shortcut menu. The New Workgroup page (see "New Workgroup Settings" on page 229) appears.
3 Enter the new workgroup's Name and Description and click Finish to save.

Note: Workgroups must have unique names. Do not create a workgroup using the name of an existing workgroup.

4 To edit the workgroup's properties at a later time, right-click the workgroup and choose Properties from the shortcut menu.

Quick steps to editing a workgroup
1 Right-click the workgroup to edit and choose Properties from the shortcut menu. The workgroup Properties page (see "Workgroup Properties - General" on page 230) appears.
2 In the General tab (see "Workgroup Properties - General" on page 230) (the first tab displayed), enter or change the description of the workgroup.
3 Select the IP Pool tab (see "Workgroup Properties - IP Pool" on page 231) and enter the IP ranges to be used in this workgroup. All IP addresses must be subsets of the parent workgroup or organization.
4 Select the IP Exclusions tab (see "Workgroup Properties - IP Exclusions" on page 233) if you need to exclude any addresses from scanning.
5 Select the Contact Information tab (see "Workgroup Properties - Contact Info" on page 236) to set up optional contact information for the person overseeing the workgroup.
6 Select the Scan Engines tab (see "Workgroup Properties - Scan Engines" on page 237) to assign specific FoundScan Engine servers to this workgroup. Check the box next to the engines to be assigned.
7 Click OK.

How to Manage Remediation Tickets

Quick steps to assigning tickets
1 Choose REMEDIATION > NEW TICKETS.
2 In the New Tickets page (on page 434), sort the tickets, if necessary. To do this, click any column heading.
3 To assign a ticket, do one of the following:
• To assign a single ticket, select the checkbox for the ticket. For Due Date, select the date for the ticket completion deadline. For User, select the assignee to receive the ticket.
• To assign multiple tickets, select the checkboxes for each ticket to be assigned. At the bottom of the page, in the Make all due on box, select the due date for the tickets. For Assign selected to, select the assignee to receive the tickets.
4 To export a ticket, select the checkbox(es) for the ticket(s) you want to export. In the lower-right corner, click the list to change Assign to Export. Future scans that find this vulnerability on this host will see that this ticket was exported, and will not generate another ticket for it.
5 To ignore a ticket, select the checkbox(es) for the ticket(s) you want to ignore. In the lower-right corner, click the list to change Assign to Ignore. Future scans that find this vulnerability on this host will see that this ticket was ignored, and will not generate another ticket for it.
Note: Tickets marked as Ignore will affect future scan reports. Future scans that find this vulnerability on this machine will not record this vulnerability for this machine on future scan reports.

6 Click Submit.

Quick steps to marking tickets completed
1 Choose REMEDIATION > OPEN TICKETS.
2 In the Open Tickets page (see "Remediation > Open Tickets" on page 437), sort the tickets, if necessary. To do this, click any column heading.
3 Locate the ticket you want to mark as completed and click the details icon at the left.
4 In the Ticket Details page (see "Ticket Details" on page 445), under Ticket Changes, change the status to Complete.
5 Add any comments, if necessary, under Additional Comments.
6 Click Submit.

Quick steps to reviewing, verifying, and closing tickets
1 Choose REMEDIATION > OPEN TICKETS.
2 In the Open Tickets page (see "Remediation > Open Tickets" on page 437), sort the tickets, if necessary. To do this, click any column heading.
3 Locate the ticket you want to verify and click the details icon at the left.
4 Click Verify.
5 Allow enough time for Foundstone 6.5 to verify that the ticket has been resolved, and choose REMEDIATION > REVIEW TICKETS.
6 In the Review Tickets page (see "Review Tickets" on page 439), select the checkbox for each ticket you want to close.
7 Click Acknowledge Selected Tickets. Tickets that were marked as Completed are now marked as Closed. Tickets that were marked as False Positive are now marked as False Positive Acknowledged.

Note: Tickets marked as False-Positive Acknowledged will affect future scan reports. Future scans that find this vulnerability on this machine will not record this vulnerability for this machine on future scan reports.

Foundstone 6.5 Reference Guide

This section describes the details of each feature in Foundstone 6.5.
For step-by-step instructions for the most common tasks, see the How To Use Foundstone 6.5 section (page 16).

Using the HOME Page

To get here, click Home on the top level of the global navigation menu.

The Home page provides a quick overview of the latest scan results. It provides the following information for the displayed scan:
• Alerts
• Reports
• Executive Dashboard

Scope

The data on this page comes from the scan shown in the Scan list in the upper-right corner.

Procedures

From the Home page, you can do the following:
• Run a Quick Scan (see "Running a Quick Scan" on page 28) against a single IP address by entering the address in the IP Range box and clicking Scan. This option is available only if you have been granted explicit access to scans.
• Switch the view to another scan (see "Selecting which scan to view" on page 29) by clicking the arrow to display the list of scans available.
• Drill into the alert details (see "Alerts" on page 125) by clicking the magnifier to see additional detail.
• Open the Alerts (on page 125), Reports (see "Viewing Finished Scan Reports" on page 64), and Executive Dashboard (see "Dashboard - Risk Level Tab" on page 31) pages.

Figure 9: Home Page - Shows Alerts, Reports, and Executive Dashboard

Home Page Features

IP Address - Enter an IP Address here and click Scan to run a quick, full vulnerability check on a specific host. This feature is available only if you have been granted access to scans (by default, the Remediation Administrator does not have this access).

Scan Selection list - Select the scan you want to review from this dropdown box. The scans listed are only those that your account is permitted to view. Selecting a scan from this list changes all of the data on the page.

Alerts - Displays a summary of the alerts found by the selected scan. Click Alerts to display the Alerts page.

Reports - The reports section shows high-level summary information from the most recent reports for this scan:
• FoundScore - Shows a quantitative score that represents your organization's security posture. Use the FoundScore to track progress in remediation efforts as you fix vulnerabilities and remove exposures in your environment. The FoundScore is explained in more detail in the FoundScore report.
• General Statistics - Shows a brief summary of the number of vulnerabilities found, number of live hosts, and number of network services found by the scan.
• Top Vulnerabilities - Shows the vulnerabilities that appeared most often in the scan.

Executive Dashboard - The Dashboard presents executive reports that show your progress in securing your environment, comparing data points over several months. Click Executive Dashboard to display the Executive Dashboard overview (see "Dashboard - Risk Level Tab" on page 31).
• Risk Rating - Shows your risk score, based on the risk index. This score is explained on the Dashboard Risk Level page (see "Dashboard - Risk Level Tab" on page 31). The Risk Rating chart provides a visual indication of the amount of risk discovered by this scan.
• Running FoundScore - Shows the history of the FoundScore for this scan. The number and type of dates shown in the FoundScore graph are set by the Dashboard Configuration page (see "Dashboard Configuration" on page 40).

Running a Quick Scan

The Quick Scan feature is available from most pages within the Foundstone Enterprise Manager. Enter an IP in the text box at the top of the page, labeled "IP RANGE", and click SCAN. Quick Scan provides the ability to run a quick vulnerability assessment against a single host.
Since this feature creates a scan, it can be used only by the following users:
• Root Organization Administrator
• Workgroup Administrator

Running a quick scan creates a scan job that evaluates the selected host for all nonintrusive vulnerability checks:
• General Vulnerabilities (page 388)
• Wireless Vulnerabilities
• Windows Host Assessment

Note: Most of the vulnerability checks in the Windows Module will not find any vulnerabilities unless you have entered credentials that allow Foundstone 6.5 to access the hosts being scanned. Without credentials, Foundstone 6.5 checks only those vulnerabilities that do not use a session connection, and only those that use "Null Session" connections will show results.

Important: All Quick Scans run on the Primary FoundScan Engine, regardless of your location or login information.

The Quick Scan feature is located at the top of the page.

Figure 10: QuickScan provides a fast way to scan an IP address

To run a Quick Scan
1 Enter an IP address in the IP Address field.
2 Click Scan. Foundstone 6.5 creates a new scan job for this scan. The name for this new scan job is Quickscan_username (where "username" is your own user name).

Note: You can run only one quick scan at a time. If you attempt to run a second quick scan, a message appears prompting you to wait until the current scan has finished running or has been cancelled.

Selecting which scan to view

Click HOME, REPORTS > ALERTS, or REPORTS > VIEW REPORTS > Scan Reports to select scans to view.

When you view the Home page (page 25), Alerts page (page 125), or View Scan Reports page (page 64), the information is based on the scan in the Scan Selection box.

Scope

The scans list shows the last ten scans from your organization/workgroup. It does not include scans from sub-workgroups. However, the browse button shows the scans with completed scan jobs you can access.

Procedures
• To see the scan results on the current page, select the scan from the dropdown list.
• To see scans that belong to other workgroups you can access, click the browse button to browse for the scan you want to see.

Figure 11: Scan selection dropdown box

FoundScore Overview

FoundScore is a security ranking system that compares aspects of your environment against best practices in order to quantify your security risk. A scan can earn a FoundScore from 0 to 100 for a full scan.

Note: If the scan does not check for vulnerabilities, the top FoundScore is 50 because it only detects running services and deducts the relevant points.

• A higher score reflects a more effective security posture (an environment with less risk).
• A lower score indicates that your environment possesses more security weaknesses and, consequently, more risk.

These scores can be ranked with qualitative scores to give you an idea of your environment's security posture:

Score Range    Ranking
0 - 25         Poor
26 - 50        Below Average
51 - 70        Average
71 - 85        Above Average
86 - 100       Excellent

More information about FoundScore:
• Vulnerabilities Score (page 275)
• What FoundScore does not indicate (page 282)
• Using MyFoundScore (page 81)

Using the Dashboard

To get here, click DASHBOARD on the global navigation menu. Or, click Executive Dashboard on the Home page (see "Using the HOME Page" on page 25).

This section provides information on how to use and view the information in the Dashboard. The Dashboard page presents executive reports that show your progress in securing your environment. The Executive Dashboard shows executive level information, comparing data points over several months.
Figure 12: Executive Dashboard

Tabs

These four tabs each show an executive-level report:
• Risk Level (see "Dashboard - Risk Level Tab" on page 31) - Shows the FoundScore for the selected scan. You can configure the chart to show different scans and date ranges.
• Risk by Scan (see "Dashboard - Risk by Scan Tab" on page 34) - Shows the number of vulnerabilities found in each scan.
• Risk by Platform (see "Dashboard - Risk by Platform Tab" on page 35) - Shows the number of vulnerabilities found in each platform throughout the selected scans.
• Risk by Vulnerability (see "Dashboard - Risk by Vulnerability Tab" on page 37) - Breaks down the number of vulnerabilities by type: informational, low, medium, and high. Also compares the number of vulnerabilities with the number of hosts scanned.

To specify what is displayed in the Dashboard, click Configure. Use the Dashboard Configuration page (see "Dashboard Configuration" on page 40) to specify the period for which you want data displayed, the type of data, the type of vulnerabilities, and for which scans.

Dashboard - Risk Level Tab

To get here, click DASHBOARD. The Risk Level tab is the default tab.

Average FoundScore by Month shows the average FoundScore of the selected scans for each month. By configuring the view, you can change which scans are included in the graph, and you can see the data by week or by day. Foundstone 6.5 sorts the completed scans by the month in which they were completed and averages their scores. It provides statistical information so you can see which scans had the highest/lowest scores and the most changes.

Note: The data shown comes from scans you can access. They must have Vulnerability checks enabled, and be allowed to be displayed by the Dashboard Configuration settings (page 40).
Procedures

From the Risk Level tab you can do the following:
• Configure the Dashboard (see "Dashboard Configuration" on page 40) - Click Configure to open the configuration page. It lets you choose which scans to include in the graphs, and specify the date range used.
• Click a data point to see the details (see "Risk Details" on page 39) - When viewing the Average FoundScore by Month, you can click one of the average monthly scores on the chart to see the daily scores for that month.

Figure 13: Executive Dashboard - Risk Level Tab

Risk Level Descriptions

Overall Risk - When the chart shows several months/weeks/days, the risk indicator averages the displayed months/weeks/days. This average FoundScore is used to calculate the risk level. The level of the indicator is based on your Overall Risk Index (below):
• Severe - Risk Index is 80-100
• High - Risk Index is 60-79
• Medium - Risk Index is 40-59
• Minor - Risk Index is 20-39
• Low - Risk Index is 1-19

Overall Risk Index - This metric lets you judge your overall threat. If you are licensed to use the Threat Correlation Module, this index uses your FoundScore and the threat data to calculate your risk. The Risk Index score is calculated as follows:

Risk Index = (100 - FoundScore) x (Threat Index)

The Risk Index can range from 1-100, with 1 being low risk and 100 being very high risk. The formula for the Threat Index is as follows:

Threat Index = ((Number of High threats with vulns x 5) + (Number of Medium threats with vulns x 3) + (Number of Low threats with vulns x 1)) / (High + Medium + Low + threats not found on your network)

Average FoundScore (Average MyFoundScore) - Shows the average of the monthly averages in the Average FoundScore by Month graph. (If MyFoundScore has been enabled, it shows the average MyFoundScore from the selected scans.)

Scan with highest FoundScore - Shows the name of the scan configuration whose most recent scan job has the highest FoundScore among all the scans currently tracked in your database. The number in parentheses shows the highest all-time FoundScore.

Scan with lowest FoundScore - Shows the name of the scan configuration whose most recent scan job has the lowest FoundScore among all the scans currently tracked in your database. The number in parentheses shows the lowest all-time FoundScore.

Scan with largest positive change in FoundScore - Shows the name of the scan configuration whose most recent FoundScore improved the most of all the scans tracked by your database. The number in parentheses shows how much the FoundScore improved from its lowest to its highest point.

Scan with largest negative change in FoundScore - Shows the name of the scan configuration whose most recent FoundScore dropped the most of all the scans tracked by your database. The number in parentheses shows how much the FoundScore dropped.

Dashboard - Risk by Scan Tab

To get here, click DASHBOARD. Then click the Risk by Scan tab.

The Vulnerabilities by Scan chart shows vulnerabilities and FoundScores for each scan. In the vulnerability display, the chart shows the high, medium, and low vulnerabilities for each scan. It sorts the scans by the number of vulnerabilities found, showing the scan with the most vulnerabilities first.

Note: The data shown comes from scans you can access. In addition, only those scans with vulnerabilities are included. If you ran a scan and no vulnerabilities were reported, that scan will not be included.

Procedures

From the Risk by Scan tab you can do the following:
• Hover the mouse over any section of a column to see the number of vulnerabilities in that category, whether low, medium, or high.
• Click any section of a column in the graph to see the Risk Details page (see "Risk Details" on page 39).
• Click FoundScore to see the FoundScores by Month (per Scan) chart. Executive Dashboard sorts every scan configuration by name, and displays the average FoundScores per month for each scan.
• Configure the Dashboard (see "Dashboard Configuration" on page 40) - Click Configure to open the configuration page. It lets you choose which scans to include in the graphs, and specify the date range used.

Figure 14: Dashboard - Risk by Scan page

To show the FoundScore display, click FoundScore. The chart breaks down the FoundScore for each scan.

Risk by FoundScore Descriptions

Scan with largest positive change in (My)FoundScore - Shows which scan has improved its FoundScore the most since its first scan. The number in parentheses shows the amount of the improvement.

Scan with largest negative change in (My)FoundScore - Shows which scan has had the largest drop in FoundScore since its first scan. The number in parentheses shows how much the score deteriorated.

Running average of (My)FoundScore - Shows the average FoundScore of all scans in the organization since the first scan.

Dashboard - Risk by Platform Tab

To get here, click DASHBOARD. Then click the Risk by Platform tab.

The Vulnerabilities by Platform chart shows a column for each computer platform discovered on your network. It sorts the columns by the number of vulnerabilities found so that you can quickly see which platforms need the most attention. The colors in each bar represent the different risk levels: high (red), medium (orange), low (yellow), and informational (blue).

Note: Hosts that were identified as "unknown" are not included in this chart. This may be the cause of a discrepancy between the total number of hosts on this chart compared with others. The data shown is limited to the scans you can access.
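The FoundScore ranking table from the FoundScore Overview, and the Risk Index, Threat Index and Overall Risk bands from the Risk Level tab, carried through in Python as an added example (not the product's own implementation). The threat counts are constructed sample values; clamping the Risk Index to the documented 1-100 range is an assumption made here, because the formula as written can produce values above 100 when most correlated threats are High.

```python
from dataclasses import dataclass

# FoundScore qualitative rankings (upper bound of score range -> ranking),
# as listed in the FoundScore Overview.
FOUNDSCORE_RANKINGS = [(25, "Poor"), (50, "Below Average"), (70, "Average"),
                       (85, "Above Average"), (100, "Excellent")]

# Overall Risk bands (upper bound of Risk Index -> level) from the Risk Level tab.
RISK_LEVELS = [(19, "Low"), (39, "Minor"), (59, "Medium"), (79, "High"), (100, "Severe")]


@dataclass
class ThreatCounts:
    """Threat Correlation counts for one scan (constructed sample data, not real threat feed data)."""
    high_with_vulns: int
    medium_with_vulns: int
    low_with_vulns: int
    not_found: int  # threats in the feed with no matching vulnerability on the network


def foundscore_ranking(score):
    """Map a FoundScore (0-100) to the guide's qualitative ranking."""
    if not 0 <= score <= 100:
        raise ValueError("FoundScore must be between 0 and 100")
    for upper, label in FOUNDSCORE_RANKINGS:
        if score <= upper:
            return label


def threat_index(t: ThreatCounts):
    """Threat Index = (High x 5 + Medium x 3 + Low x 1) / (High + Medium + Low + not found)."""
    total = t.high_with_vulns + t.medium_with_vulns + t.low_with_vulns + t.not_found
    if total == 0:
        raise ValueError("Threat Index is undefined when there are no threats to correlate")
    weighted = t.high_with_vulns * 5 + t.medium_with_vulns * 3 + t.low_with_vulns * 1
    return weighted / total


def risk_index(foundscore, t: ThreatCounts):
    """Risk Index = (100 - FoundScore) x Threat Index.

    The guide states the result lies in 1-100, but the Threat Index can reach 5
    (every correlated threat is High), which pushes the raw product above 100.
    Clamping to the documented range is an assumption of this example, not a documented rule.
    """
    raw = (100 - foundscore) * threat_index(t)
    return max(1.0, min(100.0, raw))


def risk_level(index):
    """Map a Risk Index (1-100) to the Overall Risk indicator level."""
    for upper, label in RISK_LEVELS:
        if index <= upper:
            return label
    return "Severe"


def summarize(foundscore, t: ThreatCounts):
    """Return the figures the Risk Level tab would show for one scan."""
    ri = risk_index(foundscore, t)
    return {
        "foundscore": foundscore,
        "ranking": foundscore_ranking(foundscore),
        "threat_index": threat_index(t),
        "risk_index": ri,
        "risk_level": risk_level(ri),
    }


if __name__ == "__main__":
    # Constructed sample: 2 High, 2 Medium and 4 Low threats matched vulnerabilities,
    # 8 threats were not found on the network, so Threat Index = 20 / 16 = 1.25.
    sample = ThreatCounts(high_with_vulns=2, medium_with_vulns=2, low_with_vulns=4, not_found=8)
    for fs in (20, 60, 90):
        print(summarize(fs, sample))
```

Note that the same FoundScore can land in different risk levels depending on the threat counts, which is the point of correlating threat data with the score rather than reading the FoundScore alone.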
Procedures

On the Risk by Platform tab you can do the following:
• Hold the mouse over any section of a bar to see the number of vulnerabilities found for that category.
• Click any section of a bar to see the Risk Details page (see "Risk Details" on page 39) for more information about the vulnerabilities discovered on that platform.

Figure 15: Dashboard - Risk by Platform page

Risk by Platform Descriptions

These data points show the platforms with the most and the fewest vulnerabilities for each category. The information represents all platforms discovered on your network that are tracked in the database.
• Platform with the most High-Risk Vulnerabilities
• Platform with the fewest High-Risk Vulnerabilities
• Platform with the most Medium-Risk Vulnerabilities
• Platform with the fewest Medium-Risk Vulnerabilities
• Platform with the most Low-Risk Vulnerabilities
• Platform with the fewest Low-Risk Vulnerabilities
• Platform with the most Informational Vulnerabilities
• Platform with the fewest Informational Vulnerabilities

Dashboard - Risk by Vulnerability Tab

To get here, click DASHBOARD. Then click the Risk by Vulnerability tab.

The Vulnerabilities by Rating pie chart breaks down the high, medium, and low vulnerability ratings into percentages. This chart is based on the most recent complete scan available.

The Monthly Hosts versus Vulnerabilities chart compares the number of hosts found to the number of vulnerabilities found. It shows the total number of hosts, and the total number of unique vulnerabilities found for each month. The data for the chart comes from all scans in the database that you can access.

Note: The data shown is limited to the scans you can access.

Procedures

From the Risk by Vulnerability tab you can hold the mouse over any section of the bar chart to display the exact number of vulnerabilities found for that category.

Figure 16: Dashboard - Risk by Vulnerability page

Risk by Vulnerability Descriptions

Total number of vulnerabilities - Shows the number of vulnerabilities found in the current period. Note that this number may be different from the number shown in the Monthly Hosts graph, as the graph includes the total of unique vulnerabilities found on each host.

Change in total number of vulnerabilities from previous period - Shows the difference in the number of vulnerabilities found between the current period and the last period: (Current period) - (Last period) = Change in total vulnerabilities.

Average number of vulnerabilities - Shows the average number of vulnerabilities found per scan. This is calculated using all scans currently in your database.

Average number of vulnerabilities per host - Shows the average number of vulnerabilities found on each host. This is calculated by dividing the total number of hosts found by the total number of vulnerabilities found.

Risk Details

To get here, click DASHBOARD > Risk by Scan, Risk by Platform, or Risk by Vulnerability tab and click the data in the displayed charts.

The Risk Details page displays High, Medium, and Low Risk Details. The details are based on the category you clicked to get to this page. For example, if you clicked a chart on the Risk by Platform page, the details pertain to the specific platform you clicked. Likewise, if you clicked a chart on the Risk by Scan page, the details here pertain to the scan configuration you clicked.

Note: The list includes all vulnerabilities discovered on your network, regardless of the remediation state (open, closed, ignored, exported and so on).
Procedures

On the Risk Details page you can do the following:
• To set the number of vulnerabilities displayed on the page, choose from the Results per page drop-down box.
• To get back to the main page, click Dashboard.
• To sort the list, click the column heading Name or Amt. The Amt column shows the number of times this vulnerability was found on your network.

Figure 17: Executive Dashboard - Report Details page

Dashboard Configuration

To get here, click DASHBOARD. Then click Configure.

The configuration options let you restrict the data in the reports to specific scan configurations. By default, all scan configurations are automatically selected when you first open the Executive Dashboard.

Procedures

In the Dashboard Configuration page you can do the following:
• Switch the display between the normal FoundScore and MyFoundScore (if you have customized your FoundScore calculation settings).
• Choose the number of days, weeks or months to display on the Executive Dashboard graphs.
• Filter the data to show only the top 20 vulnerabilities according to the SANS/FBI Top 20 list.
• To include a scan in the Executive Dashboard graphs, select it under Scan Configuration.

Figure 18: Dashboard Configuration page

Settings & Features (Setting: Description)
• Use FoundScore: Displays the default FoundScore on the Dashboard, regardless of whether you've customized the MyFoundScore calculations.
• Use MyFoundScore: If you have customized the MyFoundScore calculations, select this option to display the modified (My)FoundScore on the Dashboard.
• By Day / By Week / By Month: Select the level of detail you want to view. This modifies the Executive Dashboard graphs to display by day, week, or month.
• Number of Months: Select from 10 to 40 months to display on the Executive Dashboard graphs.
• All Vulnerabilities: Shows all vulnerabilities found in the selected scans.
• FBI/SANS Top 20: Filters the scans to show only the vulnerabilities on the FBI/SANS Top 20 list.
• Scan Configuration: Select the scans you want to display in the Executive Dashboard.
• Back: Return to the Executive Dashboard page. Click Save first to apply any changes.
• Reset: Selects all scans from the organization and all workgroups.
• Save: Saves all settings on this page.

Working with Reports

This section describes how to generate and view reports from scans of your network.

Quick steps to generating and viewing a report
1 Choose REPORTS > GENERATE REPORTS.
2 In the Scan Report tab (see "Generating Scan Reports" on page 60), select the scan from the Scan Configuration tree on the left.
3 In the Jobs list, select the job for which you want to generate a report.
4 Select the output format for the report: HTML, PDF, XML, or CSV.
  • If you choose PDF, select the reports you want included in the PDF output under Report Options.
5 Click Submit to add the report to the queue.
  • To see the reports that are queued for processing, select the Queued Reports tab (see "Viewing the Report Queue" on page 62).
6 Choose REPORTS > VIEW REPORTS.
7 In the Scan Reports tab (see "Viewing Finished Scan Reports" on page 64), select the scan from the list. The list displays the last ten scans from your organization/workgroup. It does not include scans from sub-workgroups.
  • To see scans that belong to other workgroups you can access, click the browse button and choose the scan you want to see.
8 Go to the report you want and do the following:
  • To view the report, click the link to VIEW REPORT.
  • To save the report, click the link to DOWNLOAD the report. Click any of the icons next to the DOWNLOAD link to download specific reports: XML, CSV, PDF, or HTML.
9 When prompted if you want to save the file, click Save and then select the directory in which to save the file.

Working with Asset Report Templates

To get here, click REPORTS > GENERATE REPORTS.

The Manage Asset Reports page provides a complete list of all the asset report templates you have created.

Note: To view the results, go to REPORTS > VIEW REPORTS.

Procedures
• Create a new report template (see "To create a new report template" on page 43)
• Create a report template from another template (see "To create a new template from an existing template" on page 44)
• View, edit, or delete a report template (see "To view or edit report templates" on page 44)

Figure 19: Manage Asset Reports

Manage Asset Report Template Settings (Setting: Description)
• View another user's templates: Administrators can use this feature to filter the displayed templates. After changing this field, the page only shows the templates created by the selected user.
• Create New Template: Create a new asset report template.
• View / Edit: View and edit the settings of an existing asset report template.
• Delete: Delete the selected asset report template.
• Name: Click an asset report name to view the latest report generated using this template.
• Description: Shows the optional template description.
• Last Run: Shows the last time that this template generated a report.
• Next Run: Displays the date and time of the next scheduled run for a template. Note: A blank Next Run field means this template is not currently scheduled to run.

Asset Report Template Procedures

Use the following procedures to create, edit, and delete Asset Report templates.

To create a new report template
1 Click the Create New Template button.
2 Enter a Name. This is a required field.
3 Enter a Description. This is an optional field.
Tip: Periodically save your settings by clicking the Save button, in the unlikely event that something should happen to your Internet browser.
4 Click the Report Type tab (see "Report Type Tab" on page 46) and select a report type.
5 Select the appropriate date (or dates) for the selected report type.
Tip: Select the Use Most Recent Data checkbox to report on the most recent data available.
6 Click the Asset Filter tab (see "Asset Filter Tab" on page 48) and select the criteria to be used in your report.
7 Click the Sections tab (see "Sections Tab" on page 54) and select the report sections to include in your report.
8 Click the Generation tab (see "Generation Tab" on page 56) and select the report formats, language, and schedule for the report.
9 Click the Delivery tab (see "Deliver Tab" on page 57) and add the user groups and email addresses that should receive the report each time it is generated.
10 Click Save to save the report settings.

To create a new template from an existing template
1 Click Create New Template.
2 Select From an Existing Template.
3 Choose a template from the Select a Template drop-down list. A message window displays.
4 Click OK.
Note: This message appears because the window must be refreshed to display Copy of template_name in the Name field.
5 Enter a template name or accept the default.
6 Enter a description. This is an optional field.
7 Click Save.

To make changes to the new template
• Click through the other tabs and change the settings as needed. The changes will be saved to this new report template.

To view or edit report templates
1 Select View/Edit for the appropriate custom report template.
2 Make any changes to the report template.
3 Click Save.
Start Tab

To get here in the Foundstone Enterprise Manager, click REPORTS > GENERATE REPORTS, then click Create New Template or click View/Edit of an existing template.

Use the Start tab to create a new template, or to base a template on an existing template.

Procedures
• Select New Template or From an existing template. Note: Selecting From an existing template requires selecting a template from the Select a Template list.
• Enter a unique name for the template. Note: Selecting an existing template fills in the field with "Copy of" and the name of the existing template; this can be changed to another name.
• Enter a description for the template (optional).

Figure 20: Asset Report Template - Start Tab

Start Tab Settings (Setting: Description)
• New Template: Create a new template based on the default Foundstone report template settings.
• From an existing template: Select this option to create a template based on the settings from another template. Copy of is added to the template name in the Name field, to prevent copying over the existing template.
• Name: Enter a name for the Asset Report Template.
• Description: Enter a description for the Asset Report Template (optional).

Report Type Tab

To get here in the Foundstone Enterprise Manager, click REPORTS > MANAGE REPORTS, then click Create New Template or click View/Edit of an existing template. Select the Report Type tab.

The settings on this page determine the type of report (single date, delta, trend, or dashboard) and the data date(s) to be included in the report.

Procedures
• Choose whether to use a Single Date Report, Delta Report, Trend Report, or Dashboard Report.
• Enter the appropriate date (or dates) for the selected report type.
Figure 21: Report Type: Single Date Report

Report Type Tab Settings (Setting: Description)
• Single Date Report: Find the most current information for a set of hosts for a specific date. Foundstone uses the data from the most recent scan before the date on a host-by-host basis. For example, if the date is set to 4/17/07, and Host 1 was scanned on 4/15/07 and Host 2 was last scanned on 3/02/07, the report shows the data from 4/15/07 for Host 1 and the data from 3/02/07 for Host 2. Data from scans that ran after this date is not included in the report unless you select Use Most Recent Data.
• Delta Report: Generate a report with up to five selected dates. For each date, Foundstone selects data from the scans closest to the date. You must enter at least two dates for this type of report.
• Trend Report: Generate a report comparing the trends between the current date and the date(s) you enter. Select Relative Dates to show data for the selected period of time. Select Absolute Dates to show data from the selected date to the report generation date.
• Dashboard Report: Generate a report showing the risk(s) viewable on the Foundstone Enterprise Manager dashboard. Selecting the Dashboard Report disables the Asset Filter tab and changes the selectable options on the Sections tab.
• Use Most Recent Data: Use this option to generate current reports. When the report is generated, it retrieves the most recent scan data from the database, regardless of the date entered.
• Relative Dates: Generate a report for a selected number of dates; you choose how far apart the dates are.
• Absolute Dates: Generate a report with the dates you provide in addition to the date at report generation.
• Calendar: View a calendar with selectable dates. Use the Today link (located at the bottom of the Calendar) to automatically input today's date.
Use the Previous and Next arrows to move to the previous or next month respectively.
  • Select Use Most Recent Data to have the report template automatically retrieve the most recent data set upon generating the report.
  • Manually enter the date into the appropriate date field.

Asset Filter Tab

To get here in the Foundstone Enterprise Manager, click REPORTS > GENERATE REPORTS, then click Create New Template or click View/Edit of an existing template. Select the Asset Filter tab.

The Asset Filter controls which assets (hosts) are available for generating reports. Create matching or non-matching conditions to select appropriate assets.

Note: Asset Filters are not output filters for reports. Output filters are handled on the Sections tab.

Procedures

On this tab you can do the following:
• To add a condition, click Add Condition.
• To add a nested condition, click Add Nested Condition.
• To edit a condition, click Edit this Condition.
• To change the AND / OR operators, click on the operator.
• To delete a condition, click Delete this Condition.
• To delete a condition group, click Delete this Condition Group.
• To move a condition, drag and drop the condition to the desired location.

Note: When a condition is dragged over a new location, the background color changes. If the background color does not change when the condition is dropped, the condition will not move to the new location.

Asset Filter Tab Settings (Setting: Description)
• Add Condition: Add a condition at the current level in the hierarchy.
• Add Nested Condition: Create a new condition on a new child level in the hierarchy. Nested conditions share the same operator.
• Edit: Open the Edit Condition dialog box and make changes.
• Delete this Condition: Remove a condition from the criteria list.
• Delete this Condition Group: Remove the conditions contained within a group.
• Expression: Generate a summarized expression of the conditions entered in this filter. Each condition is represented by a number in the expression. For example, the following expression shows a filter with six conditions: 1 and (2 and (3 or 4) and 5) and 6
• AND / OR: Toggle between AND and OR. It affects all conditions within the same hierarchical level.
  • AND: search for any record containing all of the conditions specified in the nested group.
  • OR: search for any record containing any of the conditions specified in the nested group.

Operators and Comparative Settings

The operators that appear are based on the asset filter condition. Some conditions may only show certain operators.

Operator Meanings (Operator: Description)
• AND: Filter returns assets that meet all of the stated criteria.
• OR: Filter returns assets that meet any of the stated criteria.
• contains: Filter returns assets that contain the stated criteria (e.g. contains windows returns assets that are running Windows 2000, Windows XP, etc.).
• does not contain: Filter returns assets that do not contain the stated criteria.
• ends with: Filter returns assets that end with the stated criteria.
• does not end with: Filter returns assets that do not end with the stated criteria.
• equals: Filter returns assets that contain an exact match of the stated criteria.
• does not equal: Filter returns assets that do not contain an exact match of the stated criteria.
• exists: Filter returns assets where a specific vulnerability exists.
• does not exist: Filter returns assets where a specific vulnerability does not exist.
• is: Filter returns a specific type of asset.
• starts with: Filter returns assets that start with the stated criteria.
• does not start with: Filter returns assets that do not start with the stated criteria.
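As an added example (not Foundstone code), the following Python models the condition hierarchy described above: nested AND/OR groups that share one operator per level, the operators from the Operator Meanings table, and the numbered summary expression such as "1 and (2 and (3 or 4) and 5) and 6". The attribute names, the sample asset inventory and the vulnerability labels are constructed for the example and are not Foundstone identifiers.

```python
"""Asset filter evaluator modelled on the Foundstone Asset Filter tab.

Added example, not Foundstone code. A Condition is (attribute, operator,
value); a Group is one AND/OR operator shared by all of its members, with
nested Groups as children. Attribute names and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Union


@dataclass
class Condition:
    attr: str       # asset attribute inspected (constructed names, e.g. "os")
    operator: str   # one of the keys of OPERATORS below
    value: Any      # comparison value; matching is case-insensitive


@dataclass
class Group:
    operator: str                                   # "and" or "or", shared by all members
    members: List["Node"] = field(default_factory=list)


Node = Union[Condition, Group]


def _values(asset: Dict[str, Any], attr: str) -> List[str]:
    """Normalise an attribute to a list of lower-case strings; multi-valued
    attributes (open ports, vulnerabilities) are already lists."""
    raw = asset.get(attr, [])
    if not isinstance(raw, (list, tuple, set)):
        raw = [raw]
    return [str(v).lower() for v in raw]


# Each operator receives the asset's values and the lower-cased criterion.
OPERATORS: Dict[str, Callable[[List[str], str], bool]] = {
    "contains":            lambda vals, c: any(c in v for v in vals),
    "does not contain":    lambda vals, c: not any(c in v for v in vals),
    "starts with":         lambda vals, c: any(v.startswith(c) for v in vals),
    "does not start with": lambda vals, c: not any(v.startswith(c) for v in vals),
    "ends with":           lambda vals, c: any(v.endswith(c) for v in vals),
    "does not end with":   lambda vals, c: not any(v.endswith(c) for v in vals),
    "equals":              lambda vals, c: c in vals,
    "does not equal":      lambda vals, c: c not in vals,
    "exists":              lambda vals, c: c in vals,       # a vulnerability is present
    "does not exist":      lambda vals, c: c not in vals,
    "is":                  lambda vals, c: c in vals,       # e.g. criticality is Moderate
}


def matches(node: Node, asset: Dict[str, Any]) -> bool:
    """Evaluate a condition tree against one asset record."""
    if isinstance(node, Condition):
        return OPERATORS[node.operator](_values(asset, node.attr), str(node.value).lower())
    results = [matches(m, asset) for m in node.members]
    return all(results) if node.operator == "and" else any(results)


def expression(node: Node, _counter: Optional[List[int]] = None, _top: bool = True) -> str:
    """Render the numbered summary expression shown on the Asset Filter tab;
    conditions are numbered in the order they appear, nested groups in parentheses."""
    if _counter is None:
        _counter = [0]
    if isinstance(node, Condition):
        _counter[0] += 1
        return str(_counter[0])
    inner = f" {node.operator} ".join(expression(m, _counter, False) for m in node.members)
    return inner if _top else f"({inner})"


def filter_assets(node: Node, assets: List[Dict[str, Any]]) -> List[str]:
    """Return the IP addresses of the assets the filter selects."""
    return [a["ip"] for a in assets if matches(node, a)]


# Constructed sample inventory (not real hosts); "VULN-A"/"VULN-B" are placeholders.
ASSETS = [
    {"ip": "10.0.0.10", "os": "Windows 2000", "open_ports": [80, 445], "criticality": "Moderate", "vulns": ["VULN-A"]},
    {"ip": "10.0.0.11", "os": "Windows XP", "open_ports": [139], "criticality": "Low", "vulns": ["VULN-A"]},
    {"ip": "10.0.0.12", "os": "Windows Server 2003", "open_ports": [445], "criticality": "Significant", "vulns": ["VULN-A"]},
    {"ip": "10.0.0.13", "os": "Linux 2.6", "open_ports": [22, 445], "criticality": "Extensive", "vulns": ["VULN-A"]},
    {"ip": "10.0.0.14", "os": "Windows XP", "open_ports": [445, 3389], "criticality": "None", "vulns": ["VULN-A"]},
    {"ip": "10.0.0.15", "os": "Windows XP", "open_ports": [445], "criticality": "Limited", "vulns": []},
    {"ip": "10.0.0.16", "os": "Windows XP", "open_ports": [445], "criticality": "Extensive", "vulns": ["VULN-A", "VULN-B"]},
]

# Six conditions arranged exactly as in the manual's expression example.
PAGE_FILTER = Group("and", [
    Condition("os", "contains", "windows"),                   # 1
    Group("and", [
        Condition("open_ports", "equals", 445),               # 2
        Group("or", [
            Condition("os", "starts with", "Windows 2000"),   # 3
            Condition("os", "ends with", "XP"),               # 4
        ]),
        Condition("vulns", "exists", "VULN-A"),               # 5
    ]),
    Condition("criticality", "does not equal", "None"),       # 6
])

if __name__ == "__main__":
    print(expression(PAGE_FILTER))            # 1 and (2 and (3 or 4) and 5) and 6
    print(filter_assets(PAGE_FILTER, ASSETS))  # ['10.0.0.10', '10.0.0.16']
```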
Asset Filter Conditions

The following table describes the conditions available for use in an asset filter.

Note: A user can only include assets that the user has access to.

Conditions and their Descriptions (Setting: Description)
• Asset Criticality: Filter by criticality level: None, Low, Limited, Moderate, Significant, or Extensive. Select to include or exclude the designated levels. Select multiple levels of criticality to include in a report.
• Asset Group Name: Filter by the group name of a given asset. Select to include or exclude the group name from the report. Enter partial information and select whether the selection starts or ends with the partial information.
• Asset Label: Filter by the label of a given asset.
• Asset Owner: Enter an owner's name (exact or partial entry) for this filter. Select a setting to either include or exclude any assets associated with the owner for the report, or whether the owner's name starts or ends with the partially entered name.
• Banners: Filter by banner information.
• CVE Number: Enter a CVE (Common Vulnerabilities and Exposures) number to filter by a specific vulnerability. Note: Multiple CVE numbers can be added to a condition by separating each number with a comma.
• False Positives: Filter assets by either those that have at least one false positive associated with them, or those that have no false positives associated with them.
• FSL Output: Enter the FSL (Foundstone Scripting Language) output for this filter. Select a setting to either include or exclude any assets associated with the FSL Output entered, or whether the FSL Output starts or ends with the partially entered text.
• Host DNS Name: Set this filter to either include or exclude any assets with a specific Host DNS name, or whether a Host DNS name starts or ends with the partially entered text.
• Host NetBIOS Name: Set this filter to either include or exclude any assets with a specific Host NetBIOS name, or whether a Host NetBIOS name starts or ends with the partially entered text.
• IAVA Number: Enter the IAVA (Information Assurance Vulnerability Alert) number for this filter. Select a setting to either include or exclude any assets associated with the IAVA number, or whether the IAVA starts or ends with the partially entered text. Note: Multiple IAVA numbers can be added to a condition by separating each number with a comma.
• IP Address: Enter the IP Address(es) or IP Address Range for this filter. It is also possible to import the IP Addresses from a file; the file format must be comma separated. The maximum file size allowed is 128kb. Select a setting to either include or exclude the IP Address(es) from the report. Note: While you can enter any IP Address(es) or IP Address Range, your level of access (see "How Access Rights affect the Asset Filter" on page 53) affects which IP Addresses show up in the report.
• KB Number: Enter the Microsoft Knowledge Base ID Number(s) for this filter. Numbers can be full or partial. Warning: Do not use "KB" when entering the ID number. Knowledge Base Numbers describe artifacts related to Microsoft products, including technical support. Note: Multiple KB numbers can be added to a condition by separating each number with a comma.
• MS Number: Enter the Microsoft ID Number(s) for this filter. Numbers can be full or partial. Microsoft ID Numbers describe vulnerabilities identified and listed by Microsoft. Note: Multiple MS numbers can be added to a condition by separating each number with a comma.
• Open Ports: Filter assets based upon the open ports on a system. Note: When entering multiple ports, use a comma to separate each port number.
• Operating System: Determine which Operating Systems to include or exclude from the report. Enter the exact name of the operating system, or enter partial information (e.g. win for Windows). Select a setting to include or exclude the operating system(s), or whether the operating system starts or ends with the partially entered text.
• Organization: Enter an organization name, and set whether to include or exclude this name from the report.
• Protocol Name: Identifies all assets with at least one TCP or UDP port open (based on the configuration selected).
• Scan Name: Identifies all scan configurations that map to the scan name, extracts all IP ranges allowed for those scan configurations, and then finds assets within the allowed IP ranges.
• Vulnerability Name: Enter a vulnerability name, and set whether to include or exclude this name from the report.
• Vulnerability Severity: Select the vulnerability severity level(s), and set whether to include or exclude the severity level from the report.

How Access Rights affect the Asset Filter

Although report templates select IP addresses based on the criteria you set in the Asset Filter, your level of access within Foundstone affects which IP addresses show up on your report. The following table shows how your Foundstone access rights affect which IP addresses you can see in a report.
Access Rights Table (Access Rights: Available IP Addresses)
• Global Administrator: None
• Root Organization Administrator: All IP addresses in the organization's IP Pool
• Workgroup Administrator: All IP addresses in the workgroup's IP Pool
• Remediation Administrator: None
• Foundstone User with view access to a scan: All IP addresses included in the scan
• Foundstone User with rights to edit the IP addresses: All IP addresses within the workgroup to which the scan belongs. If the scan belongs to the organization, this user has access to all IP addresses within the organization.

Sections Tab

To get here in the Foundstone Enterprise Manager, click REPORTS > GENERATE REPORTS, then click Create New Template or click View/Edit of an existing template. Select the Sections tab.

These settings determine what sections of content appear in the report.

Procedures

The Sections tab allows multiple selections, based upon the Report Type selected. See the Sections Tab Details section below for further information about each Sections option available when the Single Date, Delta, or Trend Report type is selected, and about each option available when the Dashboard Report type is selected.

Sections Tab Details (Section: Description)
• Banners Reports: Show the results of a TCP banner scan. The scan connects to each TCP service port and reports the daemon response. It usually includes a version number or some descriptive information on the service itself.
• Discovered Hosts Report: Show the results of the host discovery portion of the scan. Foundstone 6.5 uses a combination of ICMP, UDP, and TCP scans to discover hosts.
• False Positives Report: Show the remediation tickets that have been marked as false positive in your Foundstone system.
• Foundscore Report: Foundscore is a security ranking system that compares aspects of an environment against best practices in order to quantify the security risk. A scan can earn a Foundscore from 0 to 100 for a full scan. A higher score reflects a more effective security posture; a lower score indicates an environment with more security weaknesses and more risk.
• Infrastructure Report: This report shows the vulnerability checks specifically from scanning the infrastructure (e.g. routers).
• Operating Systems Report: Show the operating systems discovered on various hosts during a scan.
• Risk by Platform: The Risk by Platform section displays the number of vulnerabilities, by platform, to present a visual representation of which platforms need the most attention.
• Risk by Scan: The Risk by Scan section displays the vulnerabilities and FoundScore for each scan.
• Risk by Vulnerability: The Risk by Vulnerability section breaks down the high, medium, and low vulnerability ratings into percentages, based on the most recent complete scan available.
• Risk Level View: The Risk Level View shows the average FoundScore of the selected scans for each month.
• Services Report: This report identifies the services running in the environment.
• Summary Report: This report provides an overview of the data found for the selected hosts.
• Vulnerabilities Report: The Vulnerabilities Report shows a summary of the vulnerabilities found.
• Vulnerabilities Check Configuration Report: The Vulnerabilities Check Configuration Report shows the vulnerability checks that were used in the last two scans performed on the host.
• WHAM Access Report: This report shows the vulnerability checks specifically from scanning hosts running the Windows operating system.
• Web Report: Show the discovered web servers and vulnerabilities.
• Select All: Select all options on the tab.
• Unselect All: Deselect all options on the tab.
Generation Tab

To get here in the Foundstone Enterprise Manager, click REPORTS > GENERATE REPORTS, then click Create New Template or click View/Edit of an existing template. Select the Generation tab.

The settings on this page control the report output (format and language), and any report schedule settings (type and schedule details).

Generation Tab Details (Setting: Description)
• CSV: Generate the report in Comma Separated Value format. Choose this option to export the data to a spreadsheet or other third-party software.
• HTML: Generate an HTML report for viewing through the Foundstone Enterprise Manager.
• PDF: Generate a PDF report.
• XML: Generate the report in XML. Choose this option to export the data to XML-compatible third-party software.
• Languages: Choose the languages in which to generate the report. This option only shows the languages that are available on your system.
• Include report template as part of the report: Include the report template settings (e.g. asset filter settings) when generating a report.
• Immediate: Run this report as soon as you click Save.
• One Time: Run this report at the scheduled time after you click Save.
• Daily: Run this report each day at the scheduled time after you click Save.
• Weekly: Run this report each week on the scheduled day at the scheduled time after you click Save.
• Monthly: Run this report each month on the scheduled day at the scheduled time after you click Save.

Deliver Tab

To get here in the Foundstone Enterprise Manager, click REPORTS > GENERATE REPORTS, then click Create New Template or click View/Edit of an existing template. Select the Delivery tab.

The settings on this page allow the option of delivering a report to designated recipients via email.

Procedures
• To add an individual email address, click Add Email Address.
• To add an existing Foundstone user, click Add Foundstone User.
• To add an existing group of Foundstone users, click Add a Foundstone Group.
• To remove a user or group, highlight the report recipient(s) and click Remove Selected.

Figure 22: Asset Report Templates - Delivery Options

Deliver Tab - Add Email Address Options (Setting: Description)
• Add Email Address: Click to add an email address to the recipient list. This option is shown by default; you do not have to click it to begin.
• Email Address: Enter the email address to be added.
• Confirm Email Address: Enter the same email address again to help ensure correct spelling.
• Add Recipient: Click to add the email address to the recipient list.
• Remove Selected: Remove the selected email address from the Recipient list.

Figure 23: Add a Foundstone user to the email recipient list

Add Foundstone User Options (Setting: Description)
• Add Foundstone User (link): Click the link to open the options for adding a Foundstone user to the email recipient list. Foundstone uses the email addresses registered in the user's account settings.
• User Dropdown Box: Select the Foundstone user from the dropdown box.
• Add Foundstone User (button): Click to add the selected user to the recipient list.
• Remove Selected: Click to remove the selected user from the recipient list.

Figure 24: Add Foundstone Workgroup to Email Recipient List

Add Foundstone Usergroup Options (Setting: Description)
• Add Foundstone Usergroup (link): Click the link to open the options for adding a Foundstone usergroup to the email recipient list. Foundstone uses the email addresses registered in the account settings of the users that belong to the usergroup.
• Usergroup Dropdown Box: Select the Foundstone usergroup from the dropdown box.
• Add Foundstone Usergroup (button): Click to add the selected usergroup to the recipient list.
• Remove Selected: Click to remove the selected usergroup(s) from the recipient list.

Generating Scan Reports

To get here, click REPORTS > GENERATE REPORTS. Then click the Scan Reports tab.

This page lets you generate a set of reports from any scan you can access.

Procedures

On this page you can do the following:
• To select a scan job, select the scan from the Scan Configuration tree on the left. Then choose the job from the Jobs dropdown box.
• To create a report for a specific scan job, select the scan and job as described above. Then choose the output format for the report: HTML, PDF, XML, or CSV. If you choose PDF, select the reports you want included in the PDF output under Report Options. Click Submit to add the report to the queue.
• To see the report queue, go to REPORTS > VIEW REPORTS.

Figure 25: Report Management - Generate reports for a specific scan

Report Generation Options (Setting: Description)
• Scan Configurations: Scan configurations are displayed under the workgroups to which they belong. Click + to expand the workgroup and navigate to the appropriate scan. You can only select one scan at a time.
• Jobs: Once you have selected a scan on the left, choose the scan job for which you want a report. The highest number is always the latest scan job.
• Output Options: Choose the final format for your report.
  HTML - publishes all reports to HTML. You can view this by clicking View from the Report Selection page (see "Viewing Finished Scan Reports" on page 64) or the Home page (see "Using the HOME Page" on page 25).
  PDF - choose which reports to include. Foundstone 6.5 creates the HTML reports and prints them to a PDF file. Anyone with a PDF reader program like Adobe Acrobat Reader can access it.
  XML - exports the XML data to two xml files:
    • Host_data.xml contains host information (IP address, OS name, DNS name, NetBIOS name, NetBIOS Workgroup Name), service name, service port, protocol name, and any returned banner information.
    • Risk_data.xml contains vulnerability information (descriptions, recommendations), and for each vulnerability it shows the hosts containing the vulnerability and the services found on each host.
  CSV - exports selected reports to a Comma Separated Value list that you can download. Note: CSV reports display protocols such as HTTP, FTP and so forth based on how they are discovered. It is possible for a single port to show one protocol in the CSV output, and yet show a different protocol in a search results list.
• Report Options:
  • If you choose PDF reports, select which of the HTML reports should be printed to PDF.
  • If you choose another report output, the reports are predetermined; there are no additional report options.

Viewing the Report Queue

To get here, click REPORTS > VIEW REPORTS.

This page shows the status of both scan reports and Asset Reports in the report queue. The Foundstone Report Engine generates these reports and uploads them to the Foundstone Enterprise Manager.

Procedures
• To stop a report being generated and remove it from the queue, click Cancel.
• To view finished reports, select either Asset Reports or Scan Reports from Completed Reports.

Note: Once a report has been generated, it is automatically removed from the Report Generation Queue.

Figure 26: Report Settings - Report Queue

Report Queue Table (Setting: Description)
• Source: Shows whether the report came from a scan report (template) or Asset Report (scan).
• User: If the report is a scan report, this column shows the Foundstone login name of the person that created the template. If the report is an Asset Report, the entry is left blank.
Name - Shows the name of the template (for scan reports) or the name of the scan (for Asset Reports).
Start Time - Shows the time that Foundstone began generating this report.
Duration - Shows the number of seconds it has taken to generate the report.
Progress Status - Shows the amount of progress made on generating the report:
• Complete - the report is ready.
• Failed - something prevented the report from being generated. Try generating the report again.
• Retrieving Data - the report is processing.
• Generating PDF - the PDF report is being generated. (Only appears if the PDF option is selected.)
• Paused, waiting for PDF - this report must wait until an existing PDF report generation is complete.
• Transferring - the report has been generated and is being uploaded to the Foundstone Enterprise Manager.
Action -
• Cancel - click to stop generating the report. Cancelling the report may leave a partial result.
• Delete - click to remove the report from the queue. This does not delete the report from its published location.
Clear Failed - Clears all failed report generations from the Report Generation Queue.
Refresh - Refreshes the page; useful when checking the report progress.
Completed Reports - Displays generated Asset Reports or Scan Reports.
Asset Reports - Displays generated Asset Reports, based on the Asset Report templates you created.
Scan Reports - Displays the last three scan reports generated, based on the scan configuration selected. To view the reports for a different scan configuration, select a scan name from the Scan Configuration list.

Viewing Finished Scan Reports

To get here, click REPORTS > VIEW REPORTS. Then select Scan Reports from Completed Reports.

This page shows the latest three jobs that ran for a particular scan generated by your organization/workgroup.
Showing three reports on this page makes it easy to compare the differences and note any progress.

Procedures

On this page you can do the following:
• To view the results from a different scan, select the scan from the dropdown box in the upper-right corner.
• To view a full list of scans, click ... next to the scan dropdown box in the upper-right corner.
• Download available reports (see "To download a report" on page 403) for the various scan jobs.

[Figure 27: Reports page - click DOWNLOAD to save to disk]

Report Selection Features

Setting - Description
Scan Selection - Choose the scan you want to view from the scan dropdown box.
View Report - Click to open the HTML reports (see "Reviewing HTML and PDF Reports" on page 67) for this scan job.
General - Lists the number of vulnerabilities discovered by this scan, the number of live hosts, and the number of services.
Top Services - Shows the services that were discovered most often by this scan: how many times each service was discovered, and the name of the service.
Top Vulnerabilities - Shows the vulnerabilities that were discovered most often by this scan: how many times each vulnerability was discovered, and the name of the vulnerability.
Download - Click the report style you wish to view. If there are no reports for the scan job, you can submit a request to generate a report (see "Generating Scan Reports" on page 60) by going to MANAGE > REPORTS. The various report formats are available for each job that generated reports. Click one of the download links to save the reports to your local computer.

Viewing Finished Asset Reports

To get here, click REPORTS > VIEW REPORTS. Then select Asset Reports from Completed Reports.

This page shows the finished generated asset reports.

Procedures

On this page you can do the following:
• Download an asset report by clicking a report icon.
You will be prompted to Open, Save, or Cancel the file download.
• View an asset report by clicking the report name.

Report Selection Features

Setting - Description
Download - Click the report style you wish to view. The various report formats are available for each report template that generated reports. Click one of the download links to save the reports to your local computer.
Name - Click an asset report name to view the Asset Report.
Description - Displays the description for the report (if one was entered when the report template was created).

Report Content

Report content is based on the selections made when the scan configuration was created, or when the report template was created.
• PDF and HTML reports (page 67) are based on scan and report template settings:
  • Scan reports contain sections for the various tests that were run. For example, if you run the Web Module in a scan, the report includes the Web Module section.
  • Asset Reports contain sections based on the settings in the report template. For example, you have to choose Banners in the template to show a Banners section in the report.
• CSV (page 121) and XML (page 122) reports contain a fixed set of data, regardless of the settings in the scans or report templates.

Reviewing HTML and PDF Reports

Foundstone 6.5 reports show assets and vulnerabilities in easy-to-understand graphs and charts, providing an interactive big picture of an organization's total security posture.

Selected Scan Components

If you cannot find a specific report you expected to find, review the Configuration History Report (see "Scan Configuration History Report" on page 73) to make sure that the proper scan components were selected for the scan. For example, if the reports don't contain a Source Sifting Report, it is probably because Source Sifting was not selected for the scan.
Small Scans

For smaller scans, where the number of live hosts does not exceed the Report Breakdown Size, a single set of reports is created for the scan. The main report page is the Scan Summary Report.

Large Scans

If the Report Breakdown Size is set lower than the number of live hosts found, the report is broken into regions. If asset groups are used, regions are named using the asset labels; otherwise the regions are named in sequential order (Region 1, Region 2, and so on). Each region contains its own set of reports. The first report you see is a summary of the regional reports. Clicking one of the regions takes you to the Scan Summary Report for that region.

Navigating Reports

Once you have opened the Foundstone 6.5 reports, navigate through them by selecting from the Report Pages list.

[Figure 28: Reports - navigation dropdown box]

Note: Reports are not generated for Foundstone 6.5 modules that were not selected in the scan configuration. If you expected to see a report for a particular module, check to make sure it was selected in the scan configuration.

To see the detailed reports

There are two ways to open the detailed reports.
• The Report Pages list provides access to the reports that were generated for this scan.
• To see more details than those provided in the summary report, go to the section of the summary report you want to see, and click Detailed Report on the summary header.

Asset Summary

To get here from the Foundstone Enterprise Manager, click REPORTS > VIEW REPORTS and then select Asset Reports in the Completed Reports area (default). Click a report name to view a report.

This report provides an overview of an asset report. Use it to quickly identify anomalies or problems in your environment. It serves as a jumping-off point to delve deeper into the reports.
Asset Summary Report Features

Section Heading - Description
Report specifications - Displays information about the scan itself, including the Report Section, Date, User, and more.
FoundScore Summary or MyFoundScore Summary - Shows the average FoundScore or average MyFoundScore for the entire scan. It also displays statistics that you can use to compare overall progress from month to month. (MyFoundScore appears if you have enabled MyFoundScore (see "Managing Metrics - FoundScore Settings" on page 272) and then generated new reports.) Click Detailed Report to see the FoundScore report.
Assets Summary - Shows the Filtered System Count, and includes the network name, criticality rating, and number of systems discovered on each. Click Detailed Report to see the Discovered Hosts report.
Operating System Summary - Shows the top 15 operating systems found on the entire scan. Click Detailed Report to see the Operating System report.
  A [+] after the operating system name indicates that OS details were obtained using a NULL session.
  A [++] after the operating system name indicates that OS details were obtained using credentials (such as a user name and password).
  A [**] after the operating system name indicates multiple operating systems fingerprinted on the same IP address (a possible indication of port forwarding).
  A [*] after the operating system name indicates the OS details were obtained from ePO.
  Reports that show operating systems display the following icons to indicate that the information came from an ePO-related machine:
  • (icon) - the system contains a potential buffer overflow vulnerability that can be protected by McAfee VirusScan if buffer overflow protection is enabled.
  • (icon) - the system contains a potential buffer overflow vulnerability, but is currently protected by the McAfee VirusScan buffer overflow protection feature.
Network Services Summary - Shows the top 15 network services found on the entire scan. Click Detailed Report to see the Services report.
Vulnerability Report Summary - Breaks down the entire scan by the severity of the vulnerabilities found: high, medium, low, and informational. Click Detailed Report to see the Vulnerability report.
Windows Vulnerability by Category - Shows the number of Windows vulnerabilities found for Windows scans, based on category type. Click Detailed Report to see the Windows Assessment Module report.

Banners Report

To get here from the Foundstone Enterprise Manager, select Banners from the Report Pages list on any reports page.

The banners report shows the results of a TCP banner scan. The scan connects to each TCP service port and reports the daemon response. It usually includes a version number or some descriptive information on the service itself. For example, this FTP banner provides the NetBIOS server name and version number:

220 MARK Microsoft FTP Service (Version 5.0)

This information allows an attacker to research security issues associated with this version of the software.

Review this report from each scan to make sure nothing unexpected is showing up. While Foundstone 6.5 can detect many known vulnerabilities, it cannot detect whether a particular device belongs on the network.

Note: The scan runs a few enumeration tasks even if you are not running vulnerability checks. It tests available SMTP commands and tries basic login attempts on applicable services. Even if you are not running any vulnerability checking scans, this can trigger an Intrusion Detection System alert from third-party software, because the scan sends network traffic associated with known attack methods. Foundstone 6.5 provides additional information for certain services like SNMP and NetBIOS; the enumeration phase returns an SNMP sysid and a NetBIOS name table.
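The banner review recommended above can be partly automated by parsing the banners into product and version fields and comparing them against an approved inventory. The following Python is an added example and is not code from the Foundstone product or this guide: the FTP banner is the one quoted above, while the other sample banners, the regular expressions, the BannerInfo record and the approved-version list are constructed assumptions for illustration.

```python
"""Added example (not part of the Foundstone guide or product): parse TCP
service banners of the kind shown in the Banners Report and list the ones a
reviewer should look at. Banner formats, the record structure and the
approved-version list below are assumptions made for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample banners (ip, port, banner text). The FTP banner is the one
# quoted in the guide; the others are made up for illustration.
SAMPLE_BANNERS: List[Tuple[str, int, str]] = [
    ("10.0.0.1", 21, "220 MARK Microsoft FTP Service (Version 5.0)"),
    ("10.0.0.2", 22, "SSH-2.0-OpenSSH_4.3"),
    ("10.0.0.3", 25, "220 mail.example.test ESMTP Sendmail 8.13.8"),
    ("10.0.0.4", 80, ""),  # port open, but no banner was returned
]


@dataclass
class BannerInfo:
    ip: str
    port: int
    host: Optional[str]      # server name embedded in the banner, if any
    product: Optional[str]
    version: Optional[str]


# One pattern per banner style we know how to read (hypothetical, narrow on
# purpose): an unmatched banner is reported as unknown rather than guessed at.
PATTERNS = [
    re.compile(r"^220 (?P<host>\S+) (?P<product>Microsoft FTP Service) "
               r"\(Version (?P<version>[\d.]+)\)"),
    re.compile(r"^SSH-[12]\.\d+-(?P<product>OpenSSH)_(?P<version>[\d.p]+)"),
    re.compile(r"^220 (?P<host>\S+) ESMTP (?P<product>Sendmail) (?P<version>[\d.]+)"),
]


def parse_banner(ip: str, port: int, banner: str) -> BannerInfo:
    """Extract host/product/version from a banner; unknown styles yield None fields."""
    for pat in PATTERNS:
        m = pat.match(banner)
        if m:
            g = m.groupdict()
            return BannerInfo(ip, port, g.get("host"), g["product"], g["version"])
    return BannerInfo(ip, port, None, None, None)


def review_banners(banners: List[Tuple[str, int, str]],
                   approved: Dict[str, Set[str]]) -> List[Tuple[str, int, Optional[str], Optional[str]]]:
    """Return (ip, port, product, version) for every banner whose product is not
    recognized or whose version is not in the approved set for that product.
    Empty banners carry nothing to review and are skipped."""
    findings = []
    for ip, port, text in banners:
        if not text:
            continue
        info = parse_banner(ip, port, text)
        if info.product is None or info.version not in approved.get(info.product, set()):
            findings.append((info.ip, info.port, info.product, info.version))
    return findings


if __name__ == "__main__":
    approved = {"OpenSSH": {"4.3"}, "Sendmail": {"8.13.8"}}  # constructed baseline
    for row in review_banners(SAMPLE_BANNERS, approved):
        print("review:", row)
```

With the constructed baseline, only the FTP host is listed for review, because no version of that product is on the approved list; an unrecognized banner style is also listed, with None for product and version, so that a device the patterns do not know is never silently accepted.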
Compliance Pass/Fail Report

To get here from the Foundstone Enterprise Manager, select Compliance Assessment > Compliance Pass/Fail from the Report Pages list on any reports page for compliance scans.

Note: This report does not apply to the Windows Policy Template Scan.

When you scan systems using the compliance scan templates, the Compliance Pass/Fail report provides details on the hosts that passed or failed the scan. Hosts that were found to have one or more high or medium vulnerabilities failed the test. Hosts with no vulnerabilities, or with only low or informational vulnerabilities, passed the test. Hosts with no vulnerabilities are listed for your information only.

Note: To view this report in PDF format, you must select the Scan Summary PDF Report Sub-type (in the Reports tab (see "Common Report Settings in All Templates" on page 300) of the scan configuration).

Procedures
• To view additional information about a host, click the IP address to display the Vulnerabilities by IP report (on page 109).
• To view the differences between this scan configuration and the predefined compliance template from which it was created, select Compliance Assessment > Compliance Scan Differences on the Report Pages menu to display the Compliance Scan Differences report (see "Compliance Scan Differences Report" on page 72).

Compliance Scan Differences Report

To get here from the Foundstone Enterprise Manager, select Compliance Assessment > Compliance Scan Differences on the Report Pages menu of any compliance scan.

Note: This report does not apply to the Windows Policy Template Scan.

This report is displayed when you have generated a scan based on one of the compliance scan templates and have selected to view the Compliance Scan Differences. McAfee security experts have defined templates that help you evaluate your organization's compliance with security regulations.
The Compliance Scan Differences report describes the key differences between this scan configuration and the latest version of the predefined template that is installed and used by Foundstone. You will see differences in this report if:
• you copied the predefined template, modified it, then based your scan on the modified template,
• you based your original scan on the template and then modified the scan, or
• an updated compliance template was provided by McAfee (via FSUpdate).

Note: To view this report in PDF format, you must select the Configuration History PDF Report Sub-type (in the Reports tab (see "Common Report Settings in All Templates" on page 300) of the scan configuration).

Compliance Scan Differences

Section Heading - Description
Differences From Predefined Compliance Template - Provides a description of this report.
Configuration Differences - For both Host Discovery and Service Discovery settings, provides information on the differences between the scan and the scan template.
Vulnerability Check Differences - For both Intrusive and Non-Intrusive Checks, provides information on the differences between the scan and the scan template. Click + to expand each category for more details.

Delta Report

To get here from the Foundstone Enterprise Manager, select Delta from the Report Pages list on any Scan Report page.

The Delta Report compares the data from the two most recent scans using this scan configuration. It includes the FoundScore, Discovered Hosts, and Network Services. If you see that the FoundScore or other details have changed since the last scan, the Delta report is a good place to find out what happened. If the change is dramatic (for example, a 50-point FoundScore drop), check the configuration history to see whether any modifications were made to the scan configuration that might have affected the results.
Scan Configuration History Report

To get here from the Foundstone Enterprise Manager, click the "Description of the changes between scan configurations" link at the bottom of the Short Term Trend table.

This is the first place to check for changes to a scan configuration. It provides a simple way for you to compare similar scan jobs and see where the differences occur. Foundstone 6.5 breaks the Configuration History into two major sections:
• The Scan Configuration History Details shows the scan configuration settings for the most recent job run by this scan.
• The Scan Configuration Comparison shows the differences between the last two scan jobs for this scan. It only appears in the report after you have run two or more scans using this scan configuration. The table shows the scan configuration settings that changed between the two scan jobs. It shows the start time, stop time, and total duration of the scan job.

[Figure 29: Scan Configuration History - Comparison between last 2 jobs]

Note: This report does not show differences in scheduling; it only shows scan settings. For information on scheduling changes, check the Scan Status in the Foundstone Enterprise Manager.

For more specific details on each scan configuration, see the Vulnerability Check Configuration Report (on page 108).

Delta: FoundScore Risk Rating

The FoundScore chart shows the FoundScores from the two scans being compared. This section also displays a table containing the following statistics:

Statistic - Description
Prior FoundScore - Shows the risk level and FoundScore of the last scan.
Current FoundScore - Shows the risk level and FoundScore of the current scan.
Overall Change - Shows the difference between the two scans (as a positive or negative value).

Delta: Vulnerabilities

The Total Vulnerabilities chart shows the number of vulnerabilities found in each of the scans.
Statistic - Description
High - Shows the number of high vulnerabilities found in both the prior and current scans.
Medium - Shows the number of medium vulnerabilities found in both the prior and current scans.
Low - Shows the number of low vulnerabilities found in both the prior and current scans.
Informational - Shows the number of informational vulnerabilities found in both the prior and current scans.

The summary table shows the Total New Vulnerabilities, the Total Removed Vulnerabilities, and the Overall Change.

Delta: Discovered Hosts

The Comparison of Total Active Hosts chart shows the number of hosts found in each of the scans. The statistics table shows the following statistics:

Statistic - Description
Total New Hosts - Shows the number of new hosts found in the current scan.
Total Removed Hosts - Shows the number of hosts removed since the prior scan.
Overall Change - Shows the change in the number of hosts between the two scans (negative or positive).

Delta: Network Services

The Comparison of Total Network Services chart shows the number of services found in each of the scans. The statistics table shows the following statistics:

Statistic - Description
New Services - Shows the number of services found in the current scan.
Removed Services - Shows the number of services removed since the prior scan.
Overall Change - Shows the overall change in the number of services found in the scans.

Discovered Hosts Report

To get here from the Foundstone Enterprise Manager, select Discovered Hosts from the Report Pages list on any reports page.

This report shows the results of the host discovery portion of the scan. Foundstone 6.5 uses a combination of ICMP, UDP, and TCP scans to discover hosts. The graph and tables in the report contain the results of the host discovery process, displaying active, inactive, and potentially active hosts for the IP address ranges provided.
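The Delta statistics described in the preceding sections (FoundScore, Vulnerabilities, Discovered Hosts and Network Services) can be reproduced from the result sets of two scan jobs. The following Python is an added example and is not code from the Foundstone product or this guide: the PRIOR and CURRENT structures, the sample values in them, and the choice to identify a finding by the pair (IP address, vulnerability name) are assumptions made for this example.

```python
"""Added example (not part of the Foundstone guide or product): compute the
statistics the Delta report presents from the results of two scan jobs.
The input layout and the way findings are matched between jobs are
assumptions made for this example."""
from collections import Counter
from typing import Dict, List, Set, Tuple

SEVERITIES = ("high", "medium", "low", "informational")

# Constructed results for the prior and current job of one scan configuration.
# hosts: live IPs; services: (ip, port, protocol); vulns: (ip, name, severity).
PRIOR = {
    "foundscore": 62,
    "hosts": {"10.0.0.1", "10.0.0.2", "10.0.0.3"},
    "services": {("10.0.0.1", 21, "tcp"), ("10.0.0.1", 80, "tcp"),
                 ("10.0.0.2", 22, "tcp"), ("10.0.0.3", 53, "udp")},
    "vulns": [("10.0.0.1", "Anonymous FTP login", "medium"),
              ("10.0.0.2", "Weak SSH cipher", "low"),
              ("10.0.0.3", "DNS version disclosure", "informational")],
}
CURRENT = {
    "foundscore": 58,
    "hosts": {"10.0.0.1", "10.0.0.2", "10.0.0.4"},
    "services": {("10.0.0.1", 80, "tcp"), ("10.0.0.2", 22, "tcp"),
                 ("10.0.0.4", 3389, "tcp")},
    "vulns": [("10.0.0.2", "Weak SSH cipher", "low"),
              ("10.0.0.4", "Missing RDP patch", "high")],
}


def delta_sets(prior: Set, current: Set) -> Dict[str, int]:
    """New, removed and overall change: the three Delta statistics for
    Discovered Hosts and Network Services."""
    return {
        "new": len(current - prior),
        "removed": len(prior - current),
        "overall_change": len(current) - len(prior),
    }


def delta_vulns(prior_vulns: List[Tuple[str, str, str]],
                current_vulns: List[Tuple[str, str, str]]) -> Dict:
    """Per-severity counts for both jobs plus the summary-table figures.
    A finding is identified by (ip, name), so the same vulnerability seen on
    a different host counts as a new finding."""
    prior_sev = Counter(sev for _, _, sev in prior_vulns)
    cur_sev = Counter(sev for _, _, sev in current_vulns)
    prior_ids = {(ip, name) for ip, name, _ in prior_vulns}
    cur_ids = {(ip, name) for ip, name, _ in current_vulns}
    return {
        "by_severity": {s: (prior_sev[s], cur_sev[s]) for s in SEVERITIES},
        "total_new": len(cur_ids - prior_ids),
        "total_removed": len(prior_ids - cur_ids),
        "overall_change": len(cur_ids) - len(prior_ids),
    }


def delta_report(prior: Dict, current: Dict) -> Dict:
    """Assemble the four Delta sections from two job result sets."""
    return {
        "foundscore": {"prior": prior["foundscore"],
                       "current": current["foundscore"],
                       "overall_change": current["foundscore"] - prior["foundscore"]},
        "hosts": delta_sets(prior["hosts"], current["hosts"]),
        "services": delta_sets(prior["services"], current["services"]),
        "vulnerabilities": delta_vulns(prior["vulns"], current["vulns"]),
    }


if __name__ == "__main__":
    for section, stats in delta_report(PRIOR, CURRENT).items():
        print(section, stats)
```

One point the sample data makes visible: host 10.0.0.3 disappeared between the two jobs and took its findings and its DNS service with it, so Total Removed Vulnerabilities and Removed Services rise without any remediation having happened. Read the vulnerability and service deltas together with Total Removed Hosts, and, as the guide advises for a dramatic change, with the configuration history.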
The asset value (criticality) for each host is included.

The main purpose of the Discovered Hosts report is to give you a detailed look at your network allocation, but it also provides a useful layout of the discovered hosts. The Assets section of the report details, by subnet, the hostname, OS identification and open ports found for each live host. Individual ports show hyperlinks to their banners, making this the best place to start a manual review of the network.

Assets By Range(s)

This chart shows a bar for each network segment. The network segments are defined when you add Scan Ranges to the scan configuration. Each bar shows the number of active IP addresses per IP range. Potentially active addresses appear in a darker color above each bar.

Summary of Assets

Shows each network segment that was added to the scan configuration.

Column Heading - Description
Network Name - Shows the IP address range or network name entered into the scan configuration. Click a network name to jump to the related information in the Assets list further down in this report. This provides a quick way to skip network segments in which no active hosts were discovered.
Criticality - If you have assigned a criticality value to the host, that value appears here. If the value is "0" or left blank, no value has been assigned.
Systems - Shows the number of active systems found in this network segment. This number does not include potentially active systems.
Total IP Addresses - Shows the total number of IP addresses that the scan tested in this network segment.

Assets

This report shows a breakdown of the scanned ranges. To see the details for each range, click + to expand the section.

Column Heading - Description
IP Address - Shows the IP address of the discovered host.
NetBIOS Name - Shows the NetBIOS name of the discovered host.
DNS Name - Shows the DNS name of the discovered host.
Criticality - If you have assigned a criticality value to the host, that value appears here. If the value is "0" or left blank, no value has been assigned.
Operating System - Shows the operating system running on the host.
  A [+] after the operating system name indicates that OS details were obtained using a NULL session.
  A [++] after the operating system name indicates that OS details were obtained using credentials (such as a user name and password).
  A [**] after the operating system name indicates multiple operating systems fingerprinted on the same IP address (a possible indication of port forwarding).
  A [*] after the operating system name indicates the OS details were obtained from ePO.
  Reports that show operating systems display the following icons to indicate that the information came from an ePO-related machine:
  • (icon) - the system contains a potential buffer overflow vulnerability that can be protected by McAfee VirusScan if buffer overflow protection is enabled.
  • (icon) - the system contains a potential buffer overflow vulnerability, but is currently protected by the McAfee VirusScan buffer overflow protection feature.
Label - Shows the label of the discovered host.
Services - Shows any services that were discovered running on the host. Clicking a service opens the corresponding information in the Banners Report.
Vulnerabilities - Shows any vulnerabilities that were discovered on the host.

Potentially Active Hosts

Potentially Active hosts are machines that may be alive, but did not respond conclusively during the scan. During the host discovery phase of the scan, if an IP responds with either a Reset reply (RST-ACK) during TCP scanning, or an "ICMP port unreachable" during UDP scanning, the host is categorized as "Potentially Active." Foundstone does not perform any further assessment on Potentially Active hosts during this scan.
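The three-way classification the Discovered Hosts report uses (active, potentially active, inactive) follows from the rule just stated. The following Python is an added example and is not code from the Foundstone product or this guide: it applies that rule to constructed probe records. The probe record layout, the response vocabulary, the list of conclusive and inconclusive replies, and the summary function are assumptions made for this example; the guide states only that RST-ACK on TCP and ICMP port unreachable on UDP mark a host as Potentially Active.

```python
"""Added example (not part of the Foundstone guide or product): classify host
discovery probe results into active, potentially active and inactive using the
rule the guide gives for Potentially Active hosts (TCP RST-ACK or ICMP port
unreachable without any conclusive reply). The probe record layout and the
response vocabulary are assumptions made for this example."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed probe results: (ip, probe, response). Response vocabulary (assumed):
#   icmp: "echo-reply" | "none"
#   tcp:  "syn-ack" | "rst-ack" | "none"
#   udp:  "payload" | "port-unreachable" | "none"
SAMPLE_PROBES: List[Tuple[str, str, str]] = [
    ("10.0.0.1", "icmp", "echo-reply"),
    ("10.0.0.2", "icmp", "none"), ("10.0.0.2", "tcp", "syn-ack"),
    ("10.0.0.3", "icmp", "none"), ("10.0.0.3", "tcp", "rst-ack"), ("10.0.0.3", "udp", "none"),
    ("10.0.0.4", "icmp", "none"), ("10.0.0.4", "tcp", "none"), ("10.0.0.4", "udp", "port-unreachable"),
    ("10.0.0.5", "icmp", "none"), ("10.0.0.5", "tcp", "none"), ("10.0.0.5", "udp", "none"),
    # a host can give both kinds of evidence; the conclusive reply wins
    ("10.0.0.6", "tcp", "rst-ack"), ("10.0.0.6", "tcp", "syn-ack"),
]

# A reply from the service itself is conclusive; a bare reset or a port
# unreachable only proves that something answered for the address (often a
# filtering device, which is why the guide ties this state to filtered networks).
CONCLUSIVE = {("icmp", "echo-reply"), ("tcp", "syn-ack"), ("udp", "payload")}
INCONCLUSIVE = {("tcp", "rst-ack"), ("udp", "port-unreachable")}


def classify_host(responses: Iterable[Tuple[str, str]]) -> str:
    """Classify one IP from all (probe, response) pairs observed for it."""
    evidence = set(responses)
    if evidence & CONCLUSIVE:
        return "active"
    if evidence & INCONCLUSIVE:
        return "potentially active"
    return "inactive"


def classify_probes(probes: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """Group probe records by IP and classify each IP."""
    by_ip = defaultdict(list)
    for ip, probe, response in probes:
        by_ip[ip].append((probe, response))
    return {ip: classify_host(r) for ip, r in by_ip.items()}


def discovery_summary(probes: Iterable[Tuple[str, str, str]],
                      total_addresses: int) -> Dict[str, int]:
    """Figures for one scan range as the Summary of Assets table presents them:
    'systems' counts active hosts only; potentially active hosts are reported
    separately and, as the guide states, receive no further assessment."""
    counts = Counter(classify_probes(probes).values())
    return {
        "systems": counts["active"],
        "potentially_active": counts["potentially active"],
        "total_ip_addresses": total_addresses,
    }


if __name__ == "__main__":
    for ip, status in sorted(classify_probes(SAMPLE_PROBES).items()):
        print(ip, status)
    print(discovery_summary(SAMPLE_PROBES, 256))
```

Because a Potentially Active host is excluded from the Systems count and from further assessment, a range behind a device that answers with resets for every address can look nearly empty in the Summary of Assets; the darker portion of the Assets By Range(s) bars is where that shows up.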
Potentially Active hosts are commonly found in environments where filtering is used to control network access.

False Positives Report

To get here from the Foundstone Enterprise Manager, select False Positive from the Report Pages list on any Asset Report page. Click an IP address.

This report shows a list of the false positives found on each individual IP address.

Note: A [+] after the operating system name indicates that OS details were obtained using a NULL session. A [++] after the operating system name indicates that OS details were obtained using credentials (such as a user name and password).

False Positive Descriptions

Data Heading - Description
Vulnerability Name - Shows the name of the vulnerability. Click this name to see detailed information about the vulnerability.
Description - Gives a brief summary of the vulnerability.
Recommendation - Tells how to remove the vulnerability. If a fix does not exist, the recommendation usually offers a workaround or explains how to disable the offending software.
Observation - Describes the cause of the vulnerability. Shows how an attacker can take advantage of the vulnerability, and may discuss the risk involved in allowing the vulnerability to exist.
Common Vulnerabilities and Exposures (CVE) Link - This link displays a description of the vulnerability or exposure from the Common Vulnerabilities and Exposures (CVE) Web site, http://cve.mitre.org.

FoundScore Report

To get here from the Foundstone Enterprise Manager, select FoundScore from the Report Pages list on any reports page.

FoundScore is a security ranking system that compares aspects of your environment against best practices in order to quantify your security risk. A full scan can earn a FoundScore from 0 to 100.

Note: If the scan does not check for vulnerabilities, the top FoundScore is 50, because the scan only detects running services and deducts the relevant points.
• A higher score reflects a more effective security posture (an environment with less risk).
• A lower score indicates that your environment possesses more security weaknesses and, consequently, more risk.

These scores can be mapped to qualitative rankings to give you an idea of your environment's security posture:

Score Range - Ranking
0 to 25 - Poor
26 to 50 - Below Average
51 to 70 - Average
71 to 85 - Above Average
86 to 100 - Excellent

The FoundScore Report shows your rating, based on 100 points. The FoundScore Results chart shows your Exposure Deduction and Vulnerabilities Deduction.

Statistics Shown in the Statistics Table

Statistic - Description
High Risk Vulnerabilities - Shows the number of high risk vulnerabilities found, your deductions, and your running score.
Medium Risk Vulnerabilities - Shows the number of medium risk vulnerabilities found, your deductions, and your running score.
Low Risk Vulnerabilities - Shows the number of low risk vulnerabilities found, your deductions, and your running score.
Informational Vulnerabilities - Shows the number of informational vulnerabilities found, your deductions, and your running score.
Score after Vulnerability Deductions - Shows your score after all vulnerabilities and deductions have been counted.
Number of Non-Essential Services - Shows the number of non-essential services found, your deductions, and your running score.
Number of Machines with No Essential Services - Shows the number of machines found not hosting an essential service, your deductions, and your running score.
UDP Permitted - If UDP is permitted inbound to the network (other than port 53 (DNS)), shows your deduction and running score.
ICMP Permitted - If ICMP is permitted inbound to the network, shows your deduction and your running score.
Number of Trojans/Backdoor Applications - Shows the number of Trojans and/or backdoor applications found, your deductions, and your running score.
Number of Wireless Devices - Shows the number of wireless devices found, your deductions, and your running score.
Number of Rogue Applications - Shows the number of rogue applications found, your deductions, and your running score.
Total Score - Shows your total FoundScore.

For more information on FoundScore, see "FoundScore Overview" in the Organization and Workgroup Administrator Guide.

Using MyFoundScore

Foundstone administrators can modify FoundScore settings through the Foundstone Enterprise Manager by going to Manage > Metrics. By default, the Foundstone reports show FoundScore based on default metrics. However, you can customize the metrics so that the reports show your own score, called MyFoundScore. Use it to customize the FoundScore to your organizational needs (see "Managing Metrics - FoundScore Settings" on page 272).

See also: Managing Metrics - FoundScore Settings (page 272).

Infrastructure Assessment Summary Report

To get here from the Foundstone Enterprise Manager, select Infrastructure Assessment > Infrastructure from the Report Pages list on any reports page.

This report shows the results of the Infrastructure Devices Assessment scan. It shows charts that summarize the following detailed reports:

Infrastructure Devices by Risk Report - This report groups the vulnerabilities by their risk rating: High, Medium, or Low. The detailed report shows the vulnerabilities for each individual host. The summary report displays the IP address and the number of vulnerabilities found at that address; for example, 10.0.0.1...4 shows four vulnerabilities on the system at the 10.0.0.1 address.

Infrastructure Devices by Category Report - This report groups the vulnerabilities by their Infrastructure Devices Assessment category. Vulnerability checks are displayed under these categories when you select vulnerability checks for the scan configuration.
Infrastructure Devices Access Report - This report provides details regarding the type of access Foundstone 6.5 was able to gain using its credentials. The summary provides a quick overview.

Access Summary

Column Heading - Description
System - Shows the names of the hosts used in the scan. It also lists 'individual hosts' to show any statistics for machines that were accessed using individual host credentials.
SSHv2 Certificate - Shows the number of systems that Foundstone 6.5 accessed using an SSHv2 certificate.
SSHv2 Password - Shows the number of systems that Foundstone 6.5 accessed using an SSHv2 password.
SSHv1 Certificate - Shows the number of systems that Foundstone 6.5 accessed using an SSHv1 certificate.
SSHv1 Password - Shows the number of systems that Foundstone 6.5 accessed using an SSHv1 password.
Telnet - Shows the number of systems that Foundstone 6.5 accessed using Telnet.

Infrastructure Assessment Vulnerabilities by Risk

To get here, select Infrastructure Assessment > Infrastructure By Risk from the Report Pages list on any reports page.

The charts display the number of vulnerabilities by severity and the percentage of vulnerabilities by severity, ranking vulnerable systems by their risk rating: low, medium, or high. The report groups the vulnerabilities by their system name and provides an easy way to find the systems that contain the most vulnerabilities. These groups are based on the credentials you entered when you set up the scan configuration.

Column Heading - Description
System - Shows the IP address and the system name for the host. Click the IP address to see more information about the IP address in the Vulnerabilities by IP Report.
Operating System - Displays the operating system discovered on the host.
Vulnerability - Shows a list of all the vulnerabilities discovered in this category. Click a vulnerability title to see more details in the Vulnerability Details Report.
Infrastructure Assessment Vulnerabilities by Category

To get here, select Infrastructure Assessment > Infrastructure By Category from the Report Pages list on any reports page.

The chart displays the number of systems found by category: Miscellaneous, No Credentials Required, Patches and Hotfixes, Security Policy/Options, and Services. The report groups the systems by category and then by system. The category is based on the vulnerability checks used in the scan.

Column Heading - Description
System - Shows the IP address and the system name for the host. Click the IP address to see more information about the IP address in the Vulnerabilities by IP Report.
Operating System - Displays the operating system discovered on the host.
Vulnerability - Shows a list of all the vulnerabilities discovered in this category. Click a vulnerability title to see more details in the Vulnerability Details Report.

Infrastructure Assessment Vulnerabilities by Access

To get here, select Infrastructure Assessment > Infrastructure Access from the Report Pages list on any reports page.

The chart shows the number of systems by how they were accessed: SSHv2 Certificate, SSHv2 Password, SSHv1 Certificate, SSHv1 Password, or Telnet. The report is grouped by the level of access attained (No Access, Partial Access, Full Access) and then by system.

Report Description

Access Summary

Column Heading - Description
System - Shows the names of the hosts used in the scan. It also lists 'individual hosts' to show any statistics for machines that were accessed using individual host credentials.
SSHv2 Certificate - Shows the number of systems that Foundstone 6.5 accessed using an SSHv2 certificate.
SSHv2 Password - Shows the number of systems that Foundstone 6.5 accessed using an SSHv2 password.
SSHv1 Certificate - Shows the number of systems that Foundstone 6.5 accessed using an SSHv1 certificate.
SSHv1 Password Shows the number of systems that Foundstone 6.5 accessed using an SSHv1 password. Telnet Shows the number of systems that Foundstone 6.5 accessed using Telnet. Each group contains a table that shows the access gained to each host. The access level is shown by the following icons: 83 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Full Access Foundstone 6.5 was able to gain this type of access to the system. Partial Access Foundstone 6.5 was able to gain partial access to the system. No Access Foundstone 6.5 was unable to gain access to the system. Network Map Report To get here from the Foundstone Enterprise Manager, select Network Map from the Report Pages list on any Scan Report page. Foundstone 6.5 generates a map of your network during the discovery phase. It gives you a method of identifying discovered networks and devices, including hosts, firewalls, routers, and Wireless Access Points. Network Topology Summary The Network Map shows a graphical representation of the target environment. Foundstone 6.5 used the Host Discovery Settings to scan the network and create the map based on the responses it received. It maps the devices based on their subnet membership and the distance between them. Holding the mouse over any of these spheres shows a list of the IP addresses discovered under that device. If any of the IP addresses contain high-risk vulnerabilities, the IP address appears in bold red text. Holding the mouse over a red item shows the name of the first high-risk vulnerability for that IP address. Note: The traceroute procedure does not always return an IP at each hop. This is almost always due to a firewall blocking responses to the traceroute commands. Unknowns are represented as firewalls (red spheres) on the map. It is possible, however, due to varying load conditions on the network and other factors out of our control that spurious unknowns might creep into the data. 
Our data gathering methods minimize this, but when it does happen, some machines that are in fact connected to a known router in the network may be shown connected to a firewall in the map.

Network Topology Details

The detailed map breaks out each network device (router, firewall, and so on) and shows a list of the systems attached to that device. Each device is labeled with an icon so that you can easily spot the different operating systems used in the environment.

Network Service Summary

To get here from the Foundstone Enterprise Manager, select Network Assessment > Network Services from the Report Pages list on any reports page.

Use the Services Report to identify services running in your environment.

Network Services Descriptions

This summary shows a list of the network services found during the scan.

Column heading descriptions:

Top 15 Services: Shows the service and the number of systems running that service.
Service Name: Shows the service that is running on the system.
Port: Displays the port number and protocol name.
Description: Gives a brief description of the service and possible security recommendations.
Banner: Contains a link if there is an associated Banners Report.
Connect: Displays [open] if Foundstone discovered a service that allows you to connect to it. Click [open] to connect to the service. This is particularly useful for identifying Web services. If a banner was not discovered, or if the service does not offer banners, n/a appears in this column.

Operating System Report

To get here from the Foundstone Enterprise Manager, select Operating Systems from the Report Pages list on any reports page.

The charts and tables in the Operating System Report display the operating systems discovered during the scan. The first chart displays the top 15 most common operating systems (OS) and shows how many of each OS were found. The table shows all operating systems that were discovered, the number of each, and the percentage breakdown for the entire scan.

• A [+] after the operating system name indicates that OS details were obtained using a NULL session.
• A [++] after the operating system name indicates that OS details were obtained using credentials (such as a user name and password).
• A [**] after the operating system name indicates multiple operating systems fingerprinted on the same IP address (a possible indication of port forwarding).
• A [*] after the operating system name indicates that the OS details were obtained from ePO.

Reports that show operating systems display the following icons to indicate that the information came from an ePO-related machine:

• [icon] The system contains a potential buffer overflow vulnerability that can be protected by McAfee VirusScan if buffer overflow protection is enabled.
• [icon] The system contains a potential buffer overflow vulnerability, but is currently protected by the McAfee VirusScan buffer overflow protection feature.

The second half of the report shows the details for each OS. Click + to expand the details for any OS. The details show the system IP address and DNS name for those systems found running the selected OS. Click an IP address after expanding the details to see more information about the system in the Hosts Report (see "Discovered Hosts Report" on page 75).

Note: The identification method may produce a misprint due to the genealogy of the system's IP stack. For example, F5 BigIP may print as a BSD UNIX system because the device runs on a BSD/i kernel. Network environments can also affect operating system fingerprinting. This happens frequently with QoS devices that alter packets as they pass, changing the system's OS print to that of the QoS device. Proxy-based firewalls or packet shaper/scrubber devices can also cause the OS fingerprinting to error.
Report Template

To get here from the Foundstone Enterprise Manager, select Report Template from the Report Pages list on any Asset Report page.

Foundstone 6.5 generates a feature list of which Report Template options were selected for a specific report.

Note: The Output Setting "Include report template as part of the report" must be selected from the Generation tab when creating a new scan or editing an existing scan.

Report Template Settings

Custom Template Specifications: Includes the Template Name and Description entered.
Report Type: One of the following:
• Single Date Report (choose a date to run a report)
• Delta Report (compare data between the dates selected)
• Trend Report (compare trends between the current date and a date selected)
• Dashboard Report (generate a report based on the most recent data available)
Report Dates: Lists any dates of the data points in the report.
Asset Filter: Lists any asset filters created for this report.
Report Sections: Lists the sections included in this report.
Output Settings: Report Formats (CSV, HTML, PDF, XML); Report Languages.
Schedule Settings: Displays the schedule type for this report.
Deliver: Lists email addresses, accounts, and workgroups specified to receive an email notification about this report.

Risk Level Report (Asset Report)

To get here from the Foundstone Enterprise Manager, click Reports > View Reports and then select the Asset Reports tab. Select a Risk Level report to view.

The Risk Level report shows the average FoundScore of the selected scans for each month. Foundstone 6.5 sorts the completed scans by the month in which they were completed and averages their scores. It provides statistical information so you can see which scans had the highest/lowest scores and the most changes.

Note: The data shown comes from scans you can access.

Risk Level Descriptions

Overall Risk: When the chart shows several months/weeks/days, the risk indicator averages the displayed months/weeks/days. This average FoundScore is used to calculate the risk level. The level of the indicator is based on your Overall Risk Index (below).
Overall Risk Index:
• Severe - Risk Index is 80-100
• High - Risk Index is 60-79
• Medium - Risk Index is 40-59
• Minor - Risk Index is 20-39
• Low - Risk Index is 1-19
This metric lets you judge your overall threat. If you are licensed to use the Threat Correlation Module, this index uses your FoundScore and the threat data to calculate your risk. The Risk Index score is calculated as follows:

Risk Index = (100 - FoundScore) * (Threat Index)

The Risk Index can range from 1-100, with 1 being low risk and 100 being very high risk. The formula for the Threat Index is as follows:

Threat Index = ((Number of High threats with vulns x 5) + (Number of Medium threats with vulns x 3) + (Number of Low threats with vulns x 1)) / (High + Medium + Low + threats not found on your network)

Average FoundScore (Average MyFoundScore): Shows the average of the monthly averages in the Average FoundScore by Month graph. (If MyFoundScore has been enabled, it shows the average MyFoundScore from the selected scans.)
Scan with highest FoundScore: Shows the name of the scan configuration whose most recent scan job has the highest FoundScore among all the scans currently tracked in your database. The number in parentheses shows the highest all-time FoundScore.
Scan with lowest FoundScore: Shows the name of the scan configuration whose most recent scan job has the lowest FoundScore among all the scans currently tracked in your database. The number in parentheses shows the lowest all-time FoundScore.
Scan with largest positive change in FoundScore: Shows the name of the scan configuration whose most recent FoundScore improved the most of all the scans tracked by your database. The number in parentheses shows how much the FoundScore improved from its lowest to its highest point.
Scan with largest negative change in FoundScore: Shows the name of the scan configuration whose most recent FoundScore dropped the most of all the scans tracked by your database. The number in parentheses shows how much the FoundScore dropped.

Risk By Scan View Report

To get here from the Foundstone Enterprise Manager, select Risk Assessment > Risk By Scan View from the Report Pages list on any Dashboard Report.

The Risk by Scan View displays each scan in a bar chart, with colors to represent the severity level of the vulnerabilities found. This report also shows the number of vulnerabilities found for each severity level, and the total number of vulnerabilities found for each scan.

Risk By Scan Descriptions

High: An attacker might gain privileged access (administrator, root) to the machine over a remote connection.
Medium: An attacker might gain non-privileged (user) access to the machine over a remote connection.
Low: The vulnerability provides enticement data to the attacker that may be used to launch a more informed attack against the target environment. It may indirectly lead to some form of remote connection access to the machine.
Informational: Available data that is less valuable to an attacker than a low-risk vulnerability. You may not be able to address informational findings; they may be inherent to the network services or architecture in use.
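The Risk Index and Threat Index formulas from the Risk Level report above, carried through in code so the banding can be checked against sample inputs. This is an added example, not Foundstone's own code: the threat counts are constructed, and clamping the computed index into the 1-100 range the guide states (the raw formula can fall outside it) is an assumption made here.

```python
"""Worked example of the Foundstone 6.5 Risk Level report formulas.

Added example, not Foundstone code. Implements, as the guide states them:
  Threat Index = (High*5 + Medium*3 + Low*1) / (High + Medium + Low + not found)
  Risk Index   = (100 - FoundScore) * Threat Index
and maps the Risk Index to the Overall Risk Index bands.
"""
from dataclasses import dataclass

# Weights per the guide: High x5, Medium x3, Low x1.
WEIGHT_HIGH, WEIGHT_MEDIUM, WEIGHT_LOW = 5, 3, 1

# Overall Risk Index bands per the guide (inclusive lower/upper bounds).
RISK_BANDS = (
    (80, 100, "Severe"),
    (60, 79, "High"),
    (40, 59, "Medium"),
    (20, 39, "Minor"),
    (1, 19, "Low"),
)


@dataclass(frozen=True)
class ThreatCounts:
    """Threat Correlation Module counts for one reporting period."""
    high: int        # high-severity threats with matching vulns on the network
    medium: int      # medium-severity threats with matching vulns
    low: int         # low-severity threats with matching vulns
    not_found: int   # threats in the feed with no matching vuln on the network


def threat_index(t: ThreatCounts) -> float:
    """Weighted share of known threats that have a matching vulnerability."""
    total_threats = t.high + t.medium + t.low + t.not_found
    if total_threats == 0:
        raise ValueError("no threat data: Threat Index is undefined")
    weighted = t.high * WEIGHT_HIGH + t.medium * WEIGHT_MEDIUM + t.low * WEIGHT_LOW
    return weighted / total_threats


def risk_index(foundscore: float, t: ThreatCounts) -> float:
    """(100 - FoundScore) * Threat Index, as given in the guide."""
    if not 0 <= foundscore <= 100:
        raise ValueError("FoundScore must be within 0-100")
    return (100 - foundscore) * threat_index(t)


def risk_level(index: float) -> str:
    """Map a Risk Index to its band label.

    The guide says the index ranges 1-100; the raw formula can leave that
    range (many high threats plus a low FoundScore), so this example clamps
    the rounded value into 1-100 before banding. That clamping is an
    assumption of this example, not something the guide specifies.
    """
    value = min(100, max(1, round(index)))
    for low, high, label in RISK_BANDS:
        if low <= value <= high:
            return label
    raise AssertionError("unreachable: bands cover 1-100")


def assess(foundscore: float, t: ThreatCounts) -> dict:
    """Return the Risk Level report figures for one set of inputs."""
    ri = risk_index(foundscore, t)
    return {
        "threat_index": round(threat_index(t), 4),
        "risk_index": round(ri, 2),
        "risk_level": risk_level(ri),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not data from a real Foundstone database.
    quiet_period = ThreatCounts(high=2, medium=3, low=5, not_found=40)
    bad_period = ThreatCounts(high=4, medium=2, low=4, not_found=10)
    print(assess(70, quiet_period))  # Threat Index 0.48, Risk Index 14.4, Low
    print(assess(40, bad_period))    # Threat Index 1.5, Risk Index 90.0, Severe
```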
Risk By Scan Report (Asset Report)

To get here from the Foundstone Enterprise Manager, click Reports > View Reports and then select the Asset Reports tab. Select a Risk By Scan report to view. To show the FoundScore display, select Report Pages > Risk Assessment > Risk by Foundscore View.

The Risk By Scan report shows vulnerabilities and FoundScores for each scan. In the vulnerability display, the chart shows the high, medium, and low vulnerabilities for each scan. It sorts the scans by the number of vulnerabilities found, showing the scan with the most vulnerabilities first.

Note: The data shown comes from scans you can access. In addition, only those scans with vulnerabilities are included. If you ran a scan and no vulnerabilities were reported, that scan is not included.

Risk By Foundscore Descriptions

Scan with largest positive change in (My)FoundScore: Shows which scan has improved its FoundScore the most since its first scan. The number in parentheses shows the amount of the improvement.
Scan with largest negative change in (My)FoundScore: Shows which scan has had the largest drop in FoundScore since its first scan. The number in parentheses shows how much the score deteriorated.
Running average of (My)FoundScore: Shows the average FoundScore of all scans in the organization since the first scan.

Risk By Platform Report (Asset Report)

To get here from the Foundstone Enterprise Manager, click Reports > View Reports and then select the Asset Reports tab. Select a Risk By Platform report to view.

The Risk By Platform report shows a column for each computer platform discovered on your network. It sorts the columns by the number of vulnerabilities found so that you can quickly see which platforms need the most attention. The colors in each bar represent the different risk levels: high (red), medium (orange), low (yellow), and informational (blue).

Note: Hosts that were identified as "unknown" are not included in this chart. This may be the cause of a discrepancy between the total number of hosts on this chart compared with others. The data shown is limited to the scans you can access.

Risk By Platform Descriptions

The following data points show the platforms with the most and the fewest vulnerabilities for each category. The information represents all platforms discovered on your network that are tracked in the database.
• Platform with the most High-Risk Vulnerabilities
• Platform with the fewest High-Risk Vulnerabilities
• Platform with the most Medium-Risk Vulnerabilities
• Platform with the fewest Medium-Risk Vulnerabilities
• Platform with the most Low-Risk Vulnerabilities
• Platform with the fewest Low-Risk Vulnerabilities
• Platform with the most Informational Vulnerabilities
• Platform with the fewest Informational Vulnerabilities

Risk By Vulnerability Report (Asset Report)

To get here from the Foundstone Enterprise Manager, click Reports > View Reports and then select the Asset Reports tab. Select a Risk By Vulnerability report to view.

The Risk By Vulnerability pie chart breaks down the high, medium, and low vulnerability ratings into percentages. This chart is based on the most recent complete scan available. The Risk By Vulnerabilities bar chart compares the number of hosts found to the number of vulnerabilities found. It shows the total number of hosts, and the total number of unique vulnerabilities found for each month. The data for the chart comes from all scans in the database that you can access.

Note: The data shown is limited to the scans you can access.

Risk By Vulnerability Descriptions

Total number of vulnerabilities: Shows the number of vulnerabilities found in the current period. Note that this number may differ from the number shown in the Monthly Hosts graph, as the graph includes the total of unique vulnerabilities found on each host.
Change in total number of vulnerabilities from previous period: Shows the difference in the number of vulnerabilities found between the current period and the last period: (Current period) - (Last period) = Change in total vulnerabilities.
Average number of vulnerabilities: Shows the average number of vulnerabilities found per scan. This is calculated using all scans currently in your database.
Average number of vulnerabilities per host: Shows the average number of vulnerabilities found on each host. This is calculated by dividing the total number of vulnerabilities found by the total number of hosts found.

Scan Summary

To get here from the Foundstone Enterprise Manager, click REPORTS > VIEW REPORTS and then select Scan Reports in the Completed Reports area. Click View Report to view a report.

This report provides an overview of the scan. Use it to quickly identify anomalies or problems in your environment. It serves as a jumping-off point to delve deeper into the reports.

Scan Summary Report Features

Scan specifications: Displays information about the scan itself, including the Scan Type, Duration, Description, and more.
FoundScore Summary or MyFoundScore Summary: Shows the average FoundScore or average MyFoundScore for the entire scan. It also displays statistics that you can use to compare overall progress from month to month. (MyFoundScore appears if you have enabled MyFoundScore (see "Managing Metrics - FoundScore Settings" on page 272) and then generated new reports.) Click Detailed Report to see the FoundScore report.
Network Map Summary: Shows a topological map of the different regions discovered by the scan configuration. Click Detailed Report to see the Network Map report.
Assets Summary: Shows the Filtered System Count, and includes the network name, criticality rating, and number of systems discovered on each. Click Detailed Report to see the Discovered Hosts report.
Operating System Summary: Shows the top 15 operating systems found in the entire scan. Click Detailed Report to see the Operating System report.
• A [+] after the operating system name indicates that OS details were obtained using a NULL session.
• A [++] after the operating system name indicates that OS details were obtained using credentials (such as a user name and password).
• A [**] after the operating system name indicates multiple operating systems fingerprinted on the same IP address (a possible indication of port forwarding).
• A [*] after the operating system name indicates that the OS details were obtained from ePO.
Reports that show operating systems display the following icons to indicate that the information came from an ePO-related machine:
• [icon] The system contains a potential buffer overflow vulnerability that can be protected by McAfee VirusScan if buffer overflow protection is enabled.
• [icon] The system contains a potential buffer overflow vulnerability, but is currently protected by the McAfee VirusScan buffer overflow protection feature.
Network Services Summary: Shows the top 15 network services found in the entire scan. Click Detailed Report to see the Services report.
Vulnerability Report Summary: Breaks down the entire scan by the severity of the vulnerabilities found: high, medium, low, and informational. Click Detailed Report to see the Vulnerability report.
Web Server Inventory Summary: Shows the number and types of Web servers found in the entire scan. Click Detailed Report to see the Web Server report.
Short Term Trend Report Summary: Shows the changes between the last two jobs for this scan. The data includes the Average FoundScore, Total Discovered Hosts, Total Services Found, and Total Vulnerabilities. Click Detailed Report to see the Short Term Trend report.
Long Term Trend Summary: Shows an overview of the last 10 jobs for this scan. The graphs include the Average FoundScore, Total Discovered Hosts, Total Services Found, and Total Vulnerabilities. Click Detailed Report to see the Long Term Trend report.
Windows Vulnerability by Category: Shows the number of Windows vulnerabilities found for Windows scans, based on category type. Click Detailed Report to see the Windows Assessment Module report.

Service Descriptions

To get here from the Foundstone Enterprise Manager, select Network Assessment > Services Description from the Report Pages list on any reports page.

Use the Service Descriptions to identify services running in your environment.

Network Services Descriptions

This summary shows a list of the network services found during the scan.

Column heading descriptions:

Service Name: Shows the service that is running on the system.
Port: Displays the port number and protocol name.
Description: Gives a brief description of the service and possible security recommendations.

Note: The service names (such as SUNRPC) are based on the ICANN registered ports listing, and may not show the actual service. For example, if a web server is running on port 22, the services report identifies it as SSH because port 22 is registered to SSH. If there is any doubt about the validity of the service identification, check the Banners report to see whether the running service offered any further information.

Smart Guesswork Report

To get here from the Foundstone Enterprise Manager, select Web Assessment > Smart GuessWork from the Report Pages list on any reports page.
The McAfee "Smart Guesswork" feature probes discovered Web servers for hidden content:
• configuration files
• login data
• backup files

These files can contain sensitive data such as user names, passwords, or host file structure information. Foundstone 6.5 uses the structure of the Web server to create intelligent requests for hidden files. This report shows the initial contents of each discovered file to provide an early indication of the nature of the vulnerability. However, you should carefully analyze all files discovered by Smart Guesswork for appropriateness and determine how to keep them from unauthorized users.

To expand the details of each section, click + or click Expand All.

Detail descriptions:

Target Web Server: Shows the URL of the server being probed. Clicking the URL takes you to the server itself.
Probe Sent: Shows the request sent. Click this request to see the results.
Details of Response Received: Shows a portion of the results of the probe. This can help you determine the seriousness of the problem and make a decision concerning it.
Recommendation: Foundstone 6.5 offers a recommendation for each type of file it discovers. The recommendation offers various methods of preventing the discovered files from getting into the wrong hands.

Source Sifting Report

To get here from the Foundstone Enterprise Manager, select Web Assessment > Source Sifting from the Report Pages list on any reports page.

During the course of the scan, Foundstone 6.5 enumerates the contents of each Web server and scans them for special information. These vulnerabilities can be debilitating to an IT staff trying to prevent network attacks. Attackers can easily duplicate this type of scan on a network to enumerate this information for themselves.

Section heading descriptions:

Machine: Shows the name of the machine that hosted the Web application. Also shows the IP address and the port used by the application.
Email Addresses: Shows the number of email addresses found by sifting through the Web applications on the system. Non-standard email addresses can provide clues to the identities of persons within an organization.
Database Connection Strings: Shows the number of instances found where the application calls information from a database. Database connection strings can contain database-server passwords.
Hidden Form Fields: Shows the number of hidden form fields found in the Web application. Hidden form fields can contain passwords or clues to passwords used in forms-based user authentication.
Include Files: Shows the number of include files found. Include files can provide absolute path information, passwords, user names, and many other types of data.
Absolute File Paths: Shows the number of absolute file paths found. Absolute paths or other evidence of files can provide locations of unprotected resources.

Taken together, this information might be used to gain access to a critical system.

SQL Security Analysis Report

To get here from the Foundstone Enterprise Manager, select Web Assessment > SQL Security from the Report Pages list on any reports page.

This report provides information about weaknesses in SQL database applications. Since nearly every commercial Web application interacts with a database, it is very important to make sure that users can access the data, but only in the way intended by the programmers. Malicious hackers look for "loopholes" left by programmers to gather important information about the database and the application itself. Hackers commonly exploit database weaknesses by sending bogus data to the database. This produces an exception and can provide important information to the hacker about the database and its settings. This information can help the hacker launch a much more informed attack against the application and the company. These attacks might lead to the extraction of critical data from the database. The SQL Security Analysis report illustrates where database and application security weaknesses can be improved to help prevent attackers from gaining further access.

Trend Report

To get here from the Foundstone Enterprise Manager, select Trend from the Report Pages list on any Scan Report page.

This report compares the ten most recent scans that were completed. This report is not available unless you have completed at least two scans using the same scan configuration. This report provides a simple way to quantify how effectively Foundstone 6.5 is being used on your network. It is also one of the most effective ways to illustrate changes to management, and to show both improvement and decline in the network's security posture over time.

Trend: FoundScore

The FoundScore chart shows the FoundScores from the most recent scans. This section also displays a table containing the following statistics:

Highest FoundScore: Shows the highest FoundScore of the last ten scans. Date Scored shows the completion date for the scan that had the highest FoundScore.
Lowest FoundScore: Shows the lowest FoundScore of the last ten scans. Date Scored shows the completion date for the scan that had the lowest FoundScore.
Average FoundScore: Shows the average FoundScore for the last ten scans. Total Scans shows the total number of scans shown in this report.
Median FoundScore: Shows the FoundScore of the middle-most scan on the list. If you listed the scans in order based on their FoundScore, the median would be the number in the very middle of this list.
Standard Deviation: Shows how diverse the scores are when compared to each other.
A large number tells you that the data is spread out. A small number shows that the scores are close together and have not changed much throughout the scans.

Trend: Vulnerabilities

The Vulnerabilities chart shows the number of vulnerabilities found in each of the scans. The statistics table shows the following statistics:

Highest Total # of Vulnerabilities: Examines each scan and shows the highest number of vulnerabilities found in one scan. Date shows the completion date for the scan that had the highest number of vulnerabilities.
Lowest Total # of Vulnerabilities: Shows the lowest number of vulnerabilities found in these scans. Date shows the completion date for the scan that contained the lowest number of vulnerabilities.
Average Total # of Vulnerabilities: Shows the average number of vulnerabilities from the displayed scans. Total Scans shows the total number of scans shown in this report.
Median # of Vulnerabilities: Shows the number of vulnerabilities found in the middle-most scan on the list. If you listed the scans in order based on the number of vulnerabilities found, the median would be the number in the very middle of this list.
Standard Deviation: Shows how diverse the numbers of vulnerabilities are when compared to each other. A large number tells you that the data is diverse and spread out. A small number tells you the data points are close together, and have not changed much from scan to scan.

Trend: Discovered Hosts

The Hosts chart shows the number of hosts found in each of the scans. The statistics table shows the following statistics:

Highest Total # of Discovered Hosts: Examines each scan and shows the highest number of hosts found in one scan. Date shows the completion date for the scan that had the highest number of hosts.
Lowest Total # of Discovered Hosts: Shows the lowest number of hosts found in these scans. Date shows the completion date for the scan that contained the lowest number of hosts.
Average Total # of Discovered Hosts: Shows the average number of hosts from the displayed scans. Total Scans shows the total number of scans shown in this report.
Median # of Discovered Hosts: Shows the number of hosts found in the middle-most scan on the list. If you listed the scans in order based on the number of hosts found, the median would be the number in the very middle of this list.
Standard Deviation: Shows how diverse the numbers of hosts are when compared to each other. A large number tells you that the data is diverse and spread out. A small number tells you the data points are close together, and have not changed much from scan to scan.

Trend: Total Services Found

The Total Services Found chart shows the number of services found in each of the scans. The statistics table shows the following statistics:

Highest Total # of Services: Shows the highest number of services found in any of these scans. Date shows the completion date for the scan that had the highest number of services.
Lowest Total # of Services: Shows the lowest number of services found in any of these scans. Date shows the completion date for the scan that contained the lowest number of services.
Average Total # of Services: Shows the average number of services found in the scans. Total Scans shows the total number of scans shown in this report.
Median # of Services: Shows the number of services found in the middle-most scan on the list. If you listed the scans in order based on the number of services found, the median would be the number in the very middle of this list.
Standard Deviation: Shows how diverse the numbers of services are when compared to each other. A large number tells you that the data is diverse and spread out. A small number tells you the data points are close together, and have not changed much from scan to scan.

UNIX Assessment Hosts Summary Report

To get here from the Foundstone Enterprise Manager, select UNIX Assessment > UNIX Hosts from the Report Pages list on any reports page.

This report shows the results of the UNIX Host Assessment scan. It shows charts that summarize the following detailed reports.

UNIX Host Summary Descriptions

Access Summary column heading descriptions:

Systems: Shows the names of the hosts used in the scan. It also lists 'individual hosts' to show any statistics for machines that were accessed using individual host credentials.
SSHv2 Certificate: Shows the number of systems that Foundstone 6.5 accessed using an SSHv2 certificate.
SSHv2 Password: Shows the number of systems that Foundstone 6.5 accessed using an SSHv2 password.
SSHv1 Certificate: Shows the number of systems that Foundstone 6.5 accessed using an SSHv1 certificate.
SSHv1 Password: Shows the number of systems that Foundstone 6.5 accessed using an SSHv1 password.
Telnet: Shows the number of systems that Foundstone 6.5 accessed using Telnet.

UNIX Assessment Vulnerabilities by Risk

To get here, select UNIX Assessment > UNIX Vulns By Risk from the Report Pages list on any reports page.

The charts display the number of vulnerabilities by severity and the percentage of vulnerabilities by severity, ranking vulnerable systems by their risk rating - low, medium, or high. The report groups the vulnerabilities by system name and provides an easy way to find the systems that contain the most vulnerabilities. These groups are based on the credentials you entered when you set up the scan configuration.
UNIX Assessment Descriptions (column headings):
System: Shows the IP address and the system name for the host. Click the IP address to see more information about the IP address in the Vulnerabilities by IP Report.
Operating System: Displays the operating system discovered on the host.
Vulnerability: Shows a list of all the vulnerabilities discovered in this category. Click a vulnerability title to see more details in the Vulnerability Details Report.

UNIX Assessment Vulnerabilities by Category
To get here, select UNIX Assessment > UNIX Vulns By Category from the Report Pages list on any reports page.
The chart displays the number of systems found by category: Brute Force, Network, No Credentials Required, Potentially Unwanted Programs, Patches and Hotfixes, Security Policy/Options, Services, and Miscellaneous. The report groups the systems by category and then by system. The category is based on the vulnerability checks used in the scan.
UNIX Assessment Descriptions (column headings):
System: Shows the IP address and the system name for the host. Click the IP address to see more information about the IP address in the Vulnerabilities by IP Report.
Operating System: Displays the operating system discovered on the host.
Vulnerability: Shows a list of all the vulnerabilities discovered in this category. Click a vulnerability title to see more details in the Vulnerability Details Report.

UNIX Assessment Vulnerabilities by Access
To get here, select UNIX Assessment > UNIX Access from the Report Pages list on any reports page.
The chart shows the number of systems by how they were accessed: SSHv2 Certificate, SSHv2 Password, SSHv1 Certificate, SSHv1 Password, or Telnet. The report is grouped by individual hosts and then by DNS name.
Access Summary column headings:
IP Address: Displays the IP address of the scanned host.
DNS Name: Displays the DNS name of the scanned host.
Access Summary: Uses icons to display the access gained using a specific protocol and credential type.
Protocol: Displays which protocol was used in an attempt to gain access to the host.
Credential Type: Displays which credential type was used in an attempt to gain access to the host.
Each group contains a table that shows the access gained to each host. The access level is shown by the following icons:
Full Access: Foundstone 6.5 was able to gain this type of access to the system.
Partial Access: Foundstone 6.5 was able to gain partial access to the system.
No Access: Foundstone 6.5 was unable to gain access to the system.
Protocol descriptions:
SSHv2 Certificate: Shows the number of systems that Foundstone 6.5 accessed using an SSHv2 certificate.
SSHv2 Password: Shows the number of systems that Foundstone 6.5 accessed using an SSHv2 password.
SSHv1 Certificate: Shows the number of systems that Foundstone 6.5 accessed using an SSHv1 certificate.
SSHv1 Password: Shows the number of systems that Foundstone 6.5 accessed using an SSHv1 password.
Telnet: Shows the number of systems that Foundstone 6.5 accessed using Telnet.

Vulnerable Accounts by Web Server Report
To get here from the Foundstone Enterprise Manager, select Web Assessment > Vulnerable Accounts By Web Server from the Report Pages list on any reports page.
McAfee Web Authentication Analysis discovers popular login points where users must be authenticated to access the application. It probes these points to determine where attackers might easily guess usernames and passwords. Use this report to change account information so that attackers cannot use weak accounts to gain unauthorized access. The top of the report shows a summary of the Web servers and the accounts discovered on each; the bottom half of the report shows the details for each Web server.
Click + or Expand All to see the details.
Section headings:
URL Assessed: The URL that Foundstone 6.5 assessed to find the weak account(s).
Port: Shows the port used by the Web application.
Authentication Type: Shows which type of authentication the access point uses:
• Basic: a low-security method of providing credentials. The client encodes the credentials with the Base64 encoding scheme (an encoding, not encryption) and sends them to the server in plaintext. The server decodes and checks the credentials.
• NTLM: a high-security method of authenticating Windows NT users over a Windows network.
• HTTP or Forms based: a highly customizable authentication method using HTML forms. There is no standardized way to perform forms-based authentication, but credentials probably pass from the client to the server in plaintext unless SSL is used.
Username: Shows the discovered username(s) on the account.
Password: Shows the associated password(s) on the account.

Vulnerability Report
To get here from the Foundstone Enterprise Manager, select Vulnerability Assessment > Vulnerabilities from the Report Pages list on any reports page.
The vulnerabilities report shows a summary of the vulnerabilities found by the scan.
Report components:
Vulnerability Report: Displays a bar graph showing the number of vulnerabilities that fall into each severity category: High, Medium, Low, and Informational. Also displays a pie chart showing each severity category as a percentage of the entire scan.
Vulnerabilities by Risk: Shows the vulnerabilities found by the scan, and categorizes them into High, Medium, and Low Risk vulnerabilities. Click + to expand each category for more details.
• Risk Level: Shows whether the vulnerability is rated High, Medium, Low, or Informational.
• Vulnerability Name: Shows the name of the vulnerability found.
• Number Discovered: Shows how many times the vulnerability was discovered on the network.
• Affected Systems: Shows which hosts were affected by the vulnerability; these are the machines that need to be fixed.
Click a vulnerability name to see more information about that vulnerability in the Vulnerability Details Report. Click an IP address to see all the vulnerabilities associated with that host in the Vulnerabilities by IP Report.
Number of Vulnerabilities by Operating System: Breaks the vulnerabilities down by operating system so that you can see which operating systems need the most work to reduce the vulnerabilities. Note that a high number of vulnerabilities does not necessarily indicate that the operating system is the most exposed; you must also consider the severity (high, medium, and low) of the vulnerabilities discovered.
Top 15 Hosts with the Largest Number of Vulnerabilities: Shows which 15 hosts have the most vulnerabilities. Although this is a strong indication that these hosts require more attention than others do, you must also consider the severity of the vulnerabilities when prioritizing corrective action. Systems with the most severe vulnerabilities should generally be addressed before those with a greater total number of less severe (medium and low) weaknesses.

Vulnerability Check Configuration Report
To get here from the Foundstone Enterprise Manager, select Scan Configuration History > Vulnerability Check Configuration from the Report Pages list on any Scan report page.
This report shows the vulnerability checks that were used in the last two scans performed by this scan configuration. Click + on the vulnerability check title lines to see the details for that category of vulnerability checks.
Column headings:
Check Name: Shows the name of the vulnerability check used in the scan.
CVE Number: If the vulnerability was reported on the Common Vulnerabilities and Exposures Web site (http://cve.mitre.org), this column shows the CVE identification number. Click the link to see the related information.
Date: Shows the date and time that the check last ran.
ID: Shows the internal vulnerability check identification number.
The report also compares this scan with the previous scan and shows which checks were added or removed. Each changed check carries a symbol that indicates whether it existed in the previous scan and whether it exists in this scan:
• (symbol) Existed in the previous scan: No. Exists in this scan: Yes. The check was added.
• (symbol) Existed in the previous scan: Yes. Exists in this scan: No. The check was removed.

Vulnerability Details Report
To get here from the Foundstone Enterprise Manager, select Vulnerability Assessment > Vulnerability Details from the Report Pages list on any reports page.
This report shows specific details about the vulnerabilities discovered by the scan.
Section headings:
Affected System(s): Click + to expand this section. It shows which IP addresses are affected by this vulnerability. This vulnerability should be fixed on each of these systems. Click an IP address to see specific information about the system.
Description: Describes the vulnerability.
Recommendation: Tells how to remove the vulnerability. If a fix does not exist, the recommendation usually offers a workaround solution or explains how to disable the offending software.
Observation: Describes the cause of the vulnerability. Shows how an attacker can take advantage of the vulnerability, and may discuss the risk involved in allowing the vulnerability to exist.
Common Vulnerabilities and Exposures (CVE) Link: This link displays a description of the vulnerability or exposure from the Common Vulnerabilities and Exposures (CVE) Web site http://cve.mitre.org.

Vulnerabilities by IP Report
To get here from the Foundstone Enterprise Manager, select Vulnerability Assessment > Vulnerabilities By IP from the Report Pages list on any reports page.
This report shows a list of the vulnerabilities found on each individual IP address. This can be a very long report. For each IP address, the report shows the following information.
Data headings:
Vulnerability Name: Shows the name of the vulnerability. Click this name to see detailed information about the vulnerability.
Description: Describes the cause of the vulnerability. Shows how an attacker can take advantage of the vulnerability, and may discuss the risk involved in allowing the vulnerability to exist.
Recommendation: Tells how to remove the vulnerability. If a fix does not exist, the recommendation usually offers a workaround solution or explains how to disable the offending software.
Common Vulnerabilities and Exposures (CVE) Link: This link displays a description of the vulnerability or exposure from the Common Vulnerabilities and Exposures (CVE) Web site http://cve.mitre.org.

Web Application Assessment Report
To get here from the Foundstone Enterprise Manager, select Web Assessment > Web Module from the Report Pages list on any reports page.
This report shows a summary of the information gathered during the Web Module scans.
Report sections:
Web Server Inventory: Shows a visual inventory of the different Web servers found on your network. Click Detailed Report to see the Web Server Inventory Report.
Web Contents by Server: Shows the breakdown of the contents on each Web server discovered. Click the chart or Detailed Report to see the Web Site Contents Report.
Vulnerable Accounts by Web Server: Shows the number of accounts whose username and password are easily guessed. It groups these accounts according to the Web server on which they were discovered.
Smart Guesswork Summary: Shows hidden content on your Internet site. The summary breaks the content into risk categories: high, medium, and low risk.
Click the chart or Detailed Report to see the Smart Guesswork Report.
Source Code Disclosure Summary: Shows the number of scripts that were found on each Web server. Click Detailed Report to see the complete Web Source Disclosure Report.
SQL Security Analysis Summary: Shows a bar on the graph for each Web server. The number of units on each bar represents the number of SQL vulnerabilities found on that particular Web server. For more information, click Detailed Report to see the SQL Security Analysis Report.
Source Sifting Summary: Shows the number of each type of information found by sorting through Web application scripts and files. Click the chart or Detailed Report to see the Source Sifting Report.

Web Server Inventory Report
To get here from the Foundstone Enterprise Manager, select Web Assessment > Web Server Inventory from the Report Pages list on any reports page.
The Web Server Inventory provides a complete report of the various Web servers found by the scan.
Column headers:
Web Server: Shows the DNS name of the Web server.
IP Address: Shows the IP address where this Web server was found.
Type: This information comes from the Web server's banner or the HTTP header, depending on the availability of the information. It shows the type of Web server and version number. Some Web servers also provide information about additional modules that have been loaded, such as OpenSSL, PHP, mod_ssl, and so forth.
Protocol: Shows the protocol being used by the Web server. Usually this is http or https.
Port: Lists the port that the server is using to run the Web service.

Web Site Contents Report
To get here from the Foundstone Enterprise Manager, select Web Assessment > Web Site Contents from the Report Pages list on any reports page.
During the course of a scan, Foundstone 6.5 enumerates the contents of each Web server. The enumeration includes HTML pages, client-side scripts (e.g. .ASP, .CFM, etc.), server-side scripts (cgi-bin), mobile executables (ActiveX controls, Java applets), and other important data provided by the Web server. Image files and other static content that is not directly related to system security are omitted from the content listing.
Section headings, with the file extensions (or markup) counted under each, and their descriptions:
Machine (n/a): Shows the name of the machine that hosted the Web server. Also shows the IP address and the port used by the application.
Other (n/a): Shows files that do not fall into any of the following categories. This does not include graphics and image files, which are ignored.
Server Side Includes (.shtml, .inc, .asa): Shows the number of Server Side Includes found on the Web site. Server-side includes are used when part of a page is dynamically generated; the server evaluates the include to determine the information to display as it serves the page.
Server Side Scripting (.asp, .php, .php3): Shows the number of Server Side Scripts found on the Web site. Server-side scripts run on the server to provide dynamic information on Web pages.
Server Side Processing (.exe, .dll, .jsp): Shows programs within the Web root directory. These programs may be used to help generate information used in dynamic pages, but cannot run on client systems without being downloaded first.
Web App. Server Page (.cfm, .nsf, .woa): Shows the number of Web applications and server pages found on the Web server.
CGI / Perl (.cgi, .sh, .pl): Shows the number of Common Gateway Interface programs and Perl scripts found on the Web server.
Dynamic Page (.dhtml, .xml): Shows the number of dynamically generated pages on the server.
Static Page (.html, .htm, .txt): Foundstone 6.5 examines the extension of each file to determine whether it is static or dynamic.
Java Applet (embedded <applet>...</applet> tags in HTML files): The number of pages using Java applets on the Web server.
Active X (embedded <object>...</object> tags in HTML files): The number of pages using Active X on the Web server.

Web Source Disclosure Report
To get here from the Foundstone Enterprise Manager, select Web Assessment > Source Code Disclosure from the Report Pages list on any reports page.
This report shows the details of the Web server and the source code discovered on that server. It provides you with information regarding two vulnerabilities to fix:
• Web server misconfigurations
• Move, hide, or remove the information that the attacker is able to see.
Source Code Disclosure Descriptions:
Number of Websites Analyzed: Shows the total number of websites scanned for this report.
Number of Scripts Analyzed: Shows the total number of scripts scanned on all of the websites analyzed for this report.
Number of Scripts with Source Code Discovered (Vulnerable): Shows the number of vulnerable scripts discovered for this report. This number is also represented as a percentage of the total number of scripts analyzed.
Source Code Disclosure Findings:
Locate: Shows the URL and IP address of the server being probed.
TCP Port of Web Server: Shows the TCP port number of the server being probed.
Number of Scripts Discovered: Shows the number of scripts discovered on the server being probed.
Number of Scripts Disclosed (Vulnerable): Shows the number of vulnerable scripts found on the server being probed.
Vulnerable Script: Shows the URL of the vulnerable script on the server being probed. Clicking the URL takes you to the server itself.
Probe(s) Sent: Shows the requests that were sent to the server to access the script.
Probe Type: Provides a description of the vulnerability that was exploited to gain the information.
Partial Details: Shows a portion of the results of the probe. This can help you determine the seriousness of the problem and make a decision concerning it.
Recommendation: Foundstone 6.5 offers a recommendation for each type of file it discovers. The recommendation offers various methods of preventing the discovered files from getting into the wrong hands.

Windows Assessment Report
To get here from the Foundstone Enterprise Manager, select Windows Host Assessment > Windows Hosts from the Report Pages list on any reports page.
This report shows the results of the Windows Host Assessment scan. It shows charts that summarize the following detailed reports:
Windows Systems by Risk Summary: This report groups the vulnerabilities by their risk rating: High, Medium, or Low. The detailed report shows the vulnerabilities for each individual host. The summary report displays the IP address and the number of vulnerabilities found at that address; for example, 10.0.0.1...4 shows four vulnerabilities on the system at the 10.0.0.1 address.
Windows Vulnerabilities by Category: This report groups the vulnerabilities by their Windows Host Assessment category. Vulnerability checks are displayed under these categories when you select vulnerability checks for the scan configuration.
Access Report Summary: This report provides details regarding the type of access Foundstone 6.5 was able to gain using its credentials. The summary provides a quick overview.
Access Summary column headings:
Domain: Shows the names of the domains and Workgroups used in the scan. It also lists 'individual hosts' to show any statistics for machines that were accessed using individual host credentials.
Administrator Authentication: Shows the number of systems that gave Foundstone 6.5 administrative access.
Remote Registry: Shows the number of systems that gave Foundstone 6.5 access to their registry files.
Remote File System Access: Shows the number of systems that gave Foundstone 6.5 access to their file systems.
WMI Accessible: Shows the number of systems that Foundstone 6.5 was able to connect with using WMI commands.
Null Session: Shows the number of systems with which Foundstone was able to establish a null connection.

Windows Access Report
To get here from the Foundstone Enterprise Manager, select Windows Host Assessment > Windows Access from the Report Pages list on any reports page.
This report is grouped by Domains, Workgroups, and Individual Hosts. These groups are determined by the credentials you supplied in the scan configuration. For each group, the report shows a summary chart that displays the number of hosts Foundstone 6.5 accessed, and the level of access that was achieved.
Windows Assessment Module Access Report
Each group contains a table that shows the access gained to each host. The access level is shown by the following icons:
Full Access: Foundstone 6.5 was able to gain this type of access to the system.
Partial Access: This only appears in the Access Summary column; it shows that Foundstone 6.5 was able to access the machine through some access types, but not others.
No Access: Foundstone 6.5 was unable to gain this type of access to the system.
Column headings, the access levels each column can show, and their descriptions:
Domain (n/a): Shows the system name and IP address.
Access Summary (Full, Partial, None): This column provides a quick summary for the host. It shows Full Access if all the access types were Full Access. It shows Partial Access if it was able to gain some access types but not others.
Administrator Authentication (Full, None): Shows Full Access if it was able to authenticate to the machine as an administrative user.
Remote Registry (Full, None): Shows Full Access if it was able to access the system's registry files.
Remote File System Access (Full, None): Shows Full Access if it was able to access the file system on the host.
WMI Accessible (Full, None): Shows Full Access if it was able to establish communication with Windows Management Instrumentation.
Null Session (Full, None): Shows Full Access if it was able to establish a Null Session with the host.

Windows Policy Report
To get here from the Foundstone Enterprise Manager, click REPORTS > VIEW REPORTS and then select Scan Reports in the Completed Reports area. Click View Report to view a report generated from a Windows Policy Template Scan.
The Windows Policy Report provides information gathered from a Windows Policy Template Scan. This report identifies which scanned hosts are compliant and which are non-compliant with your compliance policies. Use this report to help get your scanned hosts into compliance.

Compliance Summary Report
To get here from the Foundstone Enterprise Manager, click REPORTS > VIEW REPORTS and select Scan Reports in the Completed Reports area. Click a report name for the Windows Policy Template Scan to view a report. Select Report Pages > Compliance Summary.
This report provides an overview of a Windows policy compliance scan. Use it to quickly identify anomalies or problems in your environment.
Compliance Summary Report features:
Scan specifications: Displays information about the report section, the scan name, and the generation date/time.
Host Summary: Displays the number of hosts scanned, the number of Windows host assessment modules (WHAM) scanned, the number of hosts that are compliant, the number of hosts that are noncompliant, and the compliance percentage.
Policy Summary: Displays the Windows policy, the number of hosts scanned, the number of hosts that are compliant with this policy, the number of hosts that are noncompliant with this policy, the number of hosts where policy compliance could not be determined, and the compliance rate for this policy.
(plus image, minus image): Clicking a plus icon expands a report section, and clicking a minus icon hides a report section.
(search image): Use Search to find a specific policy or host in the compliance report.

Compliance Policy Details
To get here from the Foundstone Enterprise Manager, click REPORTS > VIEW REPORTS and select Scan Reports in the Completed Reports area. Click a report name for the Windows Policy Template Scan to view a report. Select Report Pages > Compliance Policy Details.
This report displays a Windows policy and the systems affected by this policy. Use it to identify systems that are noncompliant.
Compliance Policy Details Report features:
Scan Specifications: Displays information about the report section, the scan name, and the generation date/time.
Compliance Policy Details: Displays the policy setting, the system(s) affected by the policy, the operating system, and the system policy status (Pass/Fail). Note: You can click the system IP address to view the system's Compliance Policies by IP report.
(plus image, minus image): Clicking a plus icon expands a report section, and clicking a minus icon hides a report section.
(search image): Use Search to find a specific policy or host in the compliance report.

Compliance Hosts
To get here from the Foundstone Enterprise Manager, click REPORTS > VIEW REPORTS and select Scan Reports in the Completed Reports area. Click a report name for the Windows Policy Template Scan to view a report. Select Report Pages > Compliance Hosts.
This report provides an overview for each system in your Windows policy compliance scan. Use it to identify all noncompliant policy settings (marked as Failed) for each system in your environment.
Compliance Hosts Report features:
Scan Specifications: Displays information about the report section, the scan name, and the generation date/time.
Compliance Policies By IP: Displays all compliance policies affecting a single IP address. The list shows the Windows policy name and whether the system passed or failed compliance.
(plus image, minus image): Clicking a plus icon expands a report section, and clicking a minus icon hides a report section.
(search image): Use Search to find a specific policy or host in the compliance report.

Windows Vulnerabilities by Risk
To get here from the Foundstone Enterprise Manager, select Windows Host Assessment > Windows Vulns By Risk from the Report Pages list on any reports page.
This report groups the vulnerabilities first by their domain, Workgroup, or individual host. These groups are based on the credentials you entered when you set up the scan configuration. Within each domain, Workgroup, or individual host group, the report groups vulnerable systems by their risk rating: low, medium, or high. It provides an easy way to find the systems that contain the most vulnerabilities within each domain, Workgroup, or individual host group. The vulnerabilities are further grouped by system.
Column headings:
System: Shows the IP address and the system name for the host. Click the IP address to see more information about the IP address in the Vulnerabilities by IP Report.
Operating System: Displays the operating system discovered on the host. A [+] after the operating system name indicates that OS details were obtained using a NULL session. A [++] after the operating system name indicates that OS details were obtained using credentials (such as a user name and password). A [**] after the operating system name indicates multiple operating systems fingerprinted on the same IP address (a possible indication of port forwarding). A [*] after the operating system name indicates the OS details were obtained from ePO.
Reports that show operating systems also display the following icons to indicate that the information came from an ePO-related machine:
• (icon) The system contains a potential buffer overflow vulnerability that can be protected by McAfee VirusScan if buffer overflow protection is enabled.
• (icon) The system contains a potential buffer overflow vulnerability, but is currently protected by the McAfee VirusScan buffer overflow protection feature.
Vulnerability: Shows a list of all the vulnerabilities discovered in this category. Click a vulnerability title to see more details in the Windows Assessment Module Vulnerability Details Report.

Windows Vulnerabilities by Category
To get here from the Foundstone Enterprise Manager, select Windows Host Assessment > Windows Vulns By Category from the Report Pages list on any reports page.
This report groups the vulnerabilities first by their domain, Workgroup, or individual host. These groups are based on the credentials you entered when you set up the scan configuration. Within each domain, Workgroup, or individual host group, the vulnerabilities are further grouped by their Windows Host Assessment category. This category is based on the vulnerability checks used in the scan.
Column headings:
System: Shows the IP address and the system name for the host. Click the IP address to see more information about the IP address in the Vulnerabilities by IP Report.
Operating System: Displays the operating system discovered on the host.
Vulnerability: Shows a list of all the vulnerabilities discovered in this category. Click a vulnerability title to see more details in the Windows Assessment Module Vulnerability Details Report.

Windows Vulnerability Details Report
To get here from the Foundstone Enterprise Manager, select Vulnerability Assessment > Vulnerability Details from the Report Pages list on any reports page.
This report shows specific details about the vulnerabilities discovered by the scan.
Section headings:
Affected System(s): Click + to expand this section. It shows which IP addresses are affected by this vulnerability. This vulnerability should be fixed on each of these systems. Click an IP address to see specific information about the system.
System: Shows the system name and IP address of the hosts discovered to have this vulnerability.
Operating System: Shows the operating system found on the vulnerable host.
Description: Describes the vulnerability.
Observation: Describes the cause of the vulnerability. Shows how an attacker can take advantage of the vulnerability, and may discuss the risk involved in allowing the vulnerability to exist.
Recommendation: Tells how to remove the vulnerability. If a fix does not exist, the recommendation usually offers a workaround solution or explains how to disable the offending software.
Common Vulnerabilities and Exposures (CVE) Link: This link opens a description of the vulnerability or exposure from http://cve.mitre.org. See CVE for more information.

Reviewing CSV Reports
When generating a report in CSV format, the content of the report is not affected by the Sections selected. Each CSV report contains a set of information in column format.
Authenticated Hosts
The authenticated.hosts.csv report contains the following columns:
• IP Address
• DNS Name
• NetBIOS Name
• Asset Name
• Asset Criticality
• OSID
• Owner
• SSHv2 Certificate (one of "Root", "User", or "No Access")
• SSHv2 Credentials (one of "Root", "User", or "No Access")
• SSHv1 (one of "Root", "User", or "No Access")
• Telnet (one of "Root", "User", or "No Access")
• Error Code
• Error Description

Vulnerabilities
The vulnerabilities.csv report contains the following columns:
• IP Address
• DNS Name
• NetBIOS Name
• Asset Name
• Asset Criticality
• OSID
• Owner
• Vulnerability ID (corresponds to the ID in vulndatabase.xml)

Network Assets
The network_assets.csv report contains the following columns:
• IP Address
• DNS Name
• NetBIOS Name
• Asset Name
• Asset Criticality
• OSID
• Owner
• Workgroup
• Banner

XML Report Content
When generating a report in XML format, the content of the report is not affected by the Sections selected. Each XML report contains a set of information in column format.
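Before the XML layouts, an added example (not code from the guide or the Foundstone product) that works with the two CSV column lists above: it parses authenticated.hosts.csv and vulnerabilities.csv in the documented column order, joins them per IP address, and flags hosts whose credentials worked over SSHv1 or Telnet, legacy protocols a defender will normally want retired. The guide does not say whether the files carry a header row, so the reader treats a first cell equal to "IP Address" as an optional header; all sample rows, criticality labels, OSIDs and vulnerability IDs are constructed.

```python
"""Join two Foundstone CSV exports per host (added example, not product code)."""
import csv
import io
from collections import defaultdict

# Column order as documented for authenticated.hosts.csv and vulnerabilities.csv.
AUTH_COLUMNS = [
    "IP Address", "DNS Name", "NetBIOS Name", "Asset Name", "Asset Criticality",
    "OSID", "Owner", "SSHv2 Certificate", "SSHv2 Credentials", "SSHv1", "Telnet",
    "Error Code", "Error Description",
]
VULN_COLUMNS = [
    "IP Address", "DNS Name", "NetBIOS Name", "Asset Name", "Asset Criticality",
    "OSID", "Owner", "Vulnerability ID",
]
ACCESS_FIELDS = ["SSHv2 Certificate", "SSHv2 Credentials", "SSHv1", "Telnet"]
LEGACY_FIELDS = ["SSHv1", "Telnet"]                    # protocols a defender wants retired
ACCESS_RANK = {"No Access": 0, "User": 1, "Root": 2}   # the documented column values


def read_rows(text, columns):
    """Parse CSV text into dicts keyed by the documented column names.

    Assumption: a header row may or may not be present; a first cell equal to the
    first documented column name is treated as a header and skipped.
    """
    rows = []
    for record in csv.reader(io.StringIO(text)):
        if not record or record[0].strip() == columns[0]:
            continue
        if len(record) != len(columns):
            raise ValueError(f"expected {len(columns)} columns, got {len(record)}: {record}")
        rows.append(dict(zip(columns, (cell.strip() for cell in record))))
    return rows


def summarise(auth_csv, vuln_csv):
    """Return {ip: summary} combining access results with the vulnerability count."""
    vuln_ids = defaultdict(set)
    for row in read_rows(vuln_csv, VULN_COLUMNS):
        vuln_ids[row["IP Address"]].add(row["Vulnerability ID"])

    summary = {}
    for row in read_rows(auth_csv, AUTH_COLUMNS):
        ip = row["IP Address"]
        ranks = {}
        for field in ACCESS_FIELDS:
            if row[field] not in ACCESS_RANK:   # anything else means the format drifted
                raise ValueError(f"{ip}: unexpected {field} value {row[field]!r}")
            ranks[field] = ACCESS_RANK[row[field]]
        best = max(ranks.values())
        summary[ip] = {
            "dns": row["DNS Name"],
            "criticality": row["Asset Criticality"],
            "best_access": next(k for k, v in ACCESS_RANK.items() if v == best),
            "legacy_access": [f for f in LEGACY_FIELDS if ranks[f] > 0],
            "vuln_count": len(vuln_ids.get(ip, ())),
            "error": row["Error Description"] or None,
        }
    return summary


def legacy_access_hosts(summary):
    """IPs whose credentials worked over SSHv1 or Telnet, most critical assets first."""
    order = {"High": 0, "Medium": 1, "Low": 2}   # constructed criticality labels
    hits = [ip for ip, s in summary.items() if s["legacy_access"]]
    return sorted(hits, key=lambda ip: (order.get(summary[ip]["criticality"], 9), ip))


# Constructed sample rows (not real scan output). The first file carries a header
# row and the second does not, to exercise both assumptions.
SAMPLE_AUTH = """\
IP Address,DNS Name,NetBIOS Name,Asset Name,Asset Criticality,OSID,Owner,SSHv2 Certificate,SSHv2 Credentials,SSHv1,Telnet,Error Code,Error Description
10.0.0.1,web1.example.test,WEB1,"Web front end, public",High,101,ops,Root,No Access,No Access,No Access,,
10.0.0.2,legacy.example.test,LEGACY,Legacy switch manager,High,102,netops,No Access,No Access,User,Root,,
10.0.0.3,db1.example.test,DB1,Database,High,101,dba,No Access,No Access,No Access,No Access,1,Connection refused
10.0.0.4,build.example.test,BUILD,Build agent,Low,101,dev,No Access,User,User,No Access,,
"""
SAMPLE_VULNS = """\
10.0.0.1,web1.example.test,WEB1,"Web front end, public",High,101,ops,1001
10.0.0.1,web1.example.test,WEB1,"Web front end, public",High,101,ops,1002
10.0.0.2,legacy.example.test,LEGACY,Legacy switch manager,High,102,netops,1001
"""

if __name__ == "__main__":
    result = summarise(SAMPLE_AUTH, SAMPLE_VULNS)
    for ip in legacy_access_hosts(result):
        s = result[ip]
        print(f"{ip} ({s['dns']}): {s['best_access']} via {', '.join(s['legacy_access'])},"
              f" {s['vuln_count']} vulnerabilities")
```

A row with an Error Description keeps its "No Access" values, so a scan error is reported separately from a host that was reachable but rejected the credentials.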
Host Data The Host_Data.xml report contains the following columns: • • Report Creation Date, Report Type (Template or Scan) For Template Based Reports: • • • • • Template Name, User Name, Organization Name, Start Time, End Time For Scan Based Reports: • • • • • Job ID, Scan Name, Scan Type (0 = external; 1 = internal), Start Time, End Time For Both Reports: • • • • • • • • Host Data, IPDWORD (IP address of DWORD), IPAddress (IP address as a string), OS Name, DNS Name, NetBIOS Name, WorkGroup Name (for each Host) Services: • • • Service ID (corresponds to the value in servicedatabase.xml), Actual Port, Banner Vulnerabilities: • Faultline ID (corresponds to the ID in vulndatabase.xml) 122 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Risk Data The Risk_Data.xml report contains the following columns: • • Report Creation Date, Report Type (Template or Scan) For Template Based Reports: • • • • • Template Name, User Name, Organization Name, Start Time, End Time For Scan Based Reports: • • • • • JobID, Scan Name, Scan Type (0 = external; 1 = internal), Start Time, End Time For Both Reports: • • Faultline ID (corresponds to the ID in vulndatabase.xml) Exposure Data Customizing Report Headers You can customize your HTML and PDF reports by adding your own header image(s). When Foundstone 6.5 generates an HTML or PDF report, it automatically searches for these images and places them at the top of each page. Note: This must be done on each FoundScan Engine that generates reports. It is also possible to display different headers based on the engine that generated them. ¾ To add a custom header to your HTML Reports 1 Create an image file named top-left.png. It should be 375 pixels wide x 100 pixels high. Note: Large logos or red backgrounds could make it difficult to see the Report Pages, Prev, Next, and Help Icon links. 2 Create an image file named top-mid.png. It should be 4 pixels wide x 100 pixels high. 
Note: This image is used to fill in the header, removing any white space between the top-left and top-right images.
3 Create an image file named top-right.png. It should be 180 pixels wide x 100 pixels high.
4 Save these files to this directory: Foundstone\XML Reports\I18N\en\Images
Note: Add them to the additional language directories if you have localized reports: Foundstone\XML Reports\I18N\<language directory>\Images
To add a custom header to your PDF Reports
1 Create an image file named foheader.gif. It should be 720 pixels wide x 100 pixels high.
2 Save it to this directory: Foundstone\XML Reports\HTML\Include\images
The default location of these directories is c:\program files\foundstone\.
To modify the Internet Explorer header and footer
Internet Explorer creates its own headers and footers for printed pages. These text headers and footers affect printed HTML reports. They usually include a filename or URL, dates, page numbers, and so forth. Change these Internet Explorer settings on the server hosting the Foundstone Report Engine by choosing Page Setup from the File menu. Use the Internet Explorer help file for more information.

Working with Alerts
This section describes how to view and set up alerts. Alerts are available from the Results menu if you are logged in as a Root Organization Administrator, Remediation Administrator, or Foundstone User.
Use the Alerts page (see "Alerts" on page 125) to display the hosts, services, and vulnerabilities found in the selected scan. Use the Alerts - Setup page (on page 130) to change the risk level associated with various types of alerts, and to set up email alerts.

Alerts
To get here, click RESULTS > ALERTS. You can also click Alerts from the Alerts box on the home page.
The Alerts page displays the hosts, services, and vulnerabilities found in the selected scan.
Procedures - On this page you can do the following:
• Run a Quick Scan (see "Running a Quick Scan" on page 28). This feature is available only if the Remediation Administrator has been granted access to run scans.
• Select a scan to view the alerts that came from that scan job. This feature is available only if the Remediation Administrator has been granted access to run scans.
• Expand or collapse all alert categories.
• Expand or collapse individual alert categories.
• Change the settings (see "Alerts - Setup" on page 130) for how the alerts are displayed.
• See the Detailed Host Report (on page 126) for any host listed in the Alerts.
Figure 30: Alerts page - collapsed view

Settings
Setup: Opens the Alert Settings page (see "Alerts - Setup" on page 130).
Expand All / Collapse All: Click to expand or collapse all alerts on this page.
Expand section: Click to show all the alerts in that section.
Collapse section: Click to collapse the alerts in that section.
Vulnerability Names: Click any of the vulnerability names to see the Vulnerability Details.
Affected IP(s): Opens the Detailed Host Report (on page 126), showing host-discovery details, service-discovery details, and vulnerabilities found on that host.

Detailed Host Report
To get here, choose Results > Alerts. Click + to expand an alert category and click a specific IP address.
The Detailed Host Report provides detailed information about the system found at the selected IP address, based on the latest scans. (If the host was not available during the latest scans, the host is not listed.) This report lists any vulnerabilities and services found on that host.
When you access this report for a specific IP address, Foundstone 6.5 queries the Foundstone Database for the scan information related to this IP address. Because these reports can be generated for any IP address on your network, they are not generated with the regular reports.
Procedures - On this page you can do the following:
• To learn more about a particular vulnerability, click the vulnerability name. The details show descriptions and recommendations for resolving the vulnerability.
• To see a list of services found, click any service name. The details also show the banners that were returned by the listening services.
Figure 31: Host Detail Report

Detailed Host Report Features
Host Discovery Details: Shows information gained from the Host Discovery process during the latest scans, including the following:
• DNS name
• NetBIOS name of the host
• Any assigned asset labels (assigned through the Asset Management page; see "Managing Assets" on page 131)
• Any discovered operating system
• How the host was discovered (ICMP, UDP, TCP, etc.)
• Time and date of the scan
Criticality: Shows the criticality assigned to this host. Criticality is assigned through the Asset Management page (see "Managing Assets" on page 131).
Vulnerability Details: Shows the vulnerabilities found on the host. Click any vulnerability to see the Vulnerability Details List (on page 129), which shows complete details regarding the selected vulnerability.
Note: Vulnerability details only appear for scans that included vulnerability checks. Discovery scan results do not show vulnerabilities.
Service Detection Details: Shows the service name, service title, port and protocol for each service discovered running on the host. Click a service to see the information recovered by the scan from that service.
Note: The service names shown are based on the IANA registration for that particular port. The actual service may be different from the one displayed. For example, if you are running a Web server on port 22 (SSH), this report shows a service description for Secure Shell, not HTTP. Check the banner returned by the service to confirm what is really listening on the port.
Expand All: Shows the details for all vulnerability descriptions. This selection can take a few minutes.

Vulnerability Details List
To get here, choose Results > Alerts. Click + to expand an alert category and click a specific IP address, then click a vulnerability.
The Vulnerability Details List provides detailed information about specific vulnerabilities.
Procedures - On this page you can do the following:
• Review vulnerability details for a specific vulnerability.
• Learn how to patch or fix the host so that it is no longer susceptible to this vulnerability.
Figure 32: Vulnerability Details Report

Vulnerability Details Features
Name: The name of the vulnerability.
Risk: A risk rating on a scale from 1 to 9, where 1 is low risk and 9 is high risk.
Intrusive: Whether the vulnerability check was intrusive or not.
Description: Briefly describes the vulnerability.
Observation: Additional information on how the vulnerability can be used to compromise a system, which types of software are vulnerable, and references to further information on the vulnerability.
Recommendation: McAfee's recommendations on how to remedy the vulnerability, including patch information and where to get additional information.

Alerts - Setup
To get here, choose RESULTS > ALERTS. Then click Setup.
This page lets you change the risk level associated with various types of alerts.
Scope
The changes made on this page only affect your workgroup. They do not affect parent or child workgroups or organizations.
Procedures - On this page you can do the following:
• Set risk levels for vulnerabilities, services, hosts, and operating systems. This changes the risk-button icon displayed next to each category on the Alerts page.
For example, changing Medium Risk Vulnerabilities to "Low" displays a yellow icon next to the Medium Risk category instead of an orange icon.
• Turn off alerts for vulnerabilities, services, hosts, and operating systems. When set to Off, the alert category does not appear.
Figure 33: Alerts Setup Page - Set alert levels for each category

Managing Assets
Foundstone 6.5 lets you rate and identify hosts throughout your organization. Your FoundScore can also reflect the ratings you assign. This lets you place more emphasis on important assets, ensuring that your remediation efforts are prioritized the way you want them. For example, if a production server is compromised, your company is likely at greater risk than if someone were to attack the mail-room postage computer.
Scope
Asset properties and asset groups are shared throughout the organization. All workgroups that share an asset see the same information. The organization can access all assets. Whether you can view an asset depends on the IP pool you can access.
• Workgroup Administrators can see only those assets that belong to their assigned workgroups.
• Root Organization Administrators can see assets belonging to the entire organization, since every workgroup's IP pool is a subset of the organization's.
Procedures
In Asset Management, you can perform the following tasks:
• Organize your IP addresses into groups (see "Asset Groups" on page 147). This includes creating new groups (see "To create an asset group containing selected assets" on page 149) in a hierarchical structure, and assigning assets to those groups (page 149).
• Assign asset labels and criticality levels to individual hosts. To do this, right-click the asset and select Properties.
Then edit the asset's properties (see "Viewing an Asset's Properties" on page 134).
• Search for a labeled asset (see "Using the Basic Search" on page 142) by clicking the Search tool in the Asset toolbar.
• Build your own search criteria (see "Using the Advanced Search" on page 143) to create a database search, by clicking the Advanced Search tool in the Asset toolbar.
• Create a group from the search results (see "What to do with Search Results" on page 146) by clicking the Move to Group tool on the Asset toolbar. Note that this tool is only available on the Search toolbars.
• Filter the assets (see "Viewing All or Active Assets" on page 138) by clicking the Select View tool in the Asset toolbar.
• Refresh the list of active hosts from the database by clicking the Refresh Active Hosts Information tool on the Asset toolbar. Active hosts are those hosts that were found during the last scan.
Note: Asset criticality does not affect the FoundScore calculation until you start assigning criticality levels to your assets.
Figure 34: Asset Management - main page

Right Display Pane
The right display pane shows the contents of the group selected in the left pane. The items on the right are classified using the following icons:
• Asset Group. If this appears in the right display pane, it is a child group of the selected group.
• Active Host. The latest scan that attempted to find this host actually found it, meaning that the host was running.
• Non-Active Host. The latest scan that attempted to find this host did not find it. The host may still be there, but it was not found.
IP addresses appear in blue text when they are assigned to a group, carry a label, or have a criticality level associated with them. Clearing the attributes of an asset removes it from any group it belongs to and returns it to black text.
The buttons and commands on the toolbar let you access the various features of Asset Management.
Figure 35: Asset Management Toolbar

Asset Toolbar Description
Assets: Toggles the Assets Tree pane on the left side.
Search: Toggles the Search pane (see "Using the Basic Search" on page 142) on the left side. If the Assets pane is already open, the Search pane replaces it. Search performs quick, simple searches for specific assets using the asset name, operating system, NetBIOS name, DNS name, domain or workgroup, or criticality.
Advanced Search: Toggles the Advanced Search pane (see "Using the Advanced Search" on page 143) on the left side. If the Assets pane is already open, the Advanced Search pane replaces it. Advanced Search lets you build your own search criteria and run the search on the database. A detailed search can take a long time, depending on the size of your database and the complexity of the search. If you need to leave this page while the search is running, it does not interrupt the search. You can return to this page after the search is completed to review the results.
Select View: Displays a list so you can select which assets you want to display in the Assets pane.
• All Assets - displays all assets, whether active or not, labeled or not.
• Active Assets - displays only those assets that were identified as active in the last scan.
Note: These view options are not available in the Search or Advanced Search panes. The basic search returns only active assets; the advanced search has its own Asset filter. See "Viewing All or Active Assets" on page 138.
Refresh Active Hosts Information: Refreshes the list of active assets. Choose Refresh All for Active Hosts or Refresh Selected for Active Hosts.
Help: Opens the help file.

Viewing an Asset's Properties
Asset properties define the asset, allowing you to add labels, identify how critical the asset is to your organization, and assign a specific Foundstone 6.5 user as its owner.
View or change the properties of an asset by double-clicking it, or by right-clicking the asset and choosing Properties from the shortcut menu.
Procedures - Using the Asset Properties pane you can do the following:
• View the latest information discovered for a specific host by selecting the host and looking at the properties. The information includes the DNS name, NetBIOS name, operating system, domain name, label, criticality, and asset owner.
• Assign a label to a host by entering the new label in the Label text box. If no label is assigned, the default AssetID appears as the label. You can change the label only when a single asset is selected.
• Set the criticality level for the host or IP range by selecting the level from the Criticality list.
• Assign an Asset Owner to the host or IP range by selecting the user from the Asset Owner list.
Figure 36: Asset Management - Asset Properties dialog box

Asset Properties
DNS Name: If a single host is selected, and a recent scan discovered the DNS name of that host, Foundstone 6.5 displays it here. This field is inactive if you select more than one host. For display only.
NetBIOS Name: If a single host is selected, and a recent scan discovered the NetBIOS name of that host, Foundstone 6.5 displays it here. This field is inactive if you select more than one host. For display only.
Operating System: If a single host is selected, and a recent scan discovered the operating system running on that host, Foundstone 6.5 displays it here. This field is inactive if you select more than one host. For display only.
Domain Name: If a single host is selected, and a recent scan discovered the domain name of that host, Foundstone 6.5 displays it here. This field is inactive if you select more than one host. For display only.
Label: Use this field to assign the group or host label. This can be anything you want.
If a custom label has not been assigned, the Foundstone Asset ID number is used as the label.
Criticality: Click the arrow and select the criticality level (see "Criticality Levels" on page 154) from the list.
Asset Owner: Click the arrow and select the asset owner from the list.

Managing Asset Identification Rules
Foundstone 6.5 provides three rule-based systems for identifying assets on your network: one for Windows-based systems, one for non-Windows-based systems, and one for unknown hosts with unknown operating systems. You choose which rules to enable, and the order in which they are tried.
Using the Managing Asset Identification Rules pane you can do the following:
• Create prioritized rules for identifying unique assets.
• Determine the priority for each set of rules.
• View current rule configurations.
Scope
Asset identification rules affect the entire organization.
Notes
• Asset identification rules only affect scans created after the rule was created or edited. Prior scans are not affected.
• For Windows and Unknown assets, the first rule is pre-set to identify hosts with ePO UIDs.
• For each asset, Foundstone tries each rule in order until it finds a rule whose conditions match the asset. Once a rule matches an asset, the remaining rules are ignored.
• You can set up multiple rules to identify all the assets on your system.
• Each rule contains one or more conditions.
Procedures
• To set up a rule, select the checkboxes on a single row to choose the conditions for that rule. For example, with Windows Assets, ePO UID is automatically selected as the first rule. On row 2, select the checkboxes that correspond to the conditions that should exist in the second rule.
• To review the rule list, see the text under Configured Rules just below each selection table.
• To set a limit on how long an undiscovered asset can remain before being marked as inactive, change the Asset Activity setting at the bottom of the page.
Note: You can search for inactive assets using the Advanced Search feature in Asset Management (see "Using the Advanced Search" on page 143).

Unique Identifier Features
Windows Asset: An asset running a Windows operating system.
non-Windows Asset: An asset running a non-Windows operating system.
Unknown Asset: An asset whose OS type cannot be identified.
ePO UID: The ePO ID comes from the ePO agent running on Windows-based hosts. ePO UIDs are always unique and provide the most reliable way to identify an asset. Foundstone 6.5 always looks for an ePO identifier on Windows-based hosts.
MAC Address: The address tied to the network adapter (NIC) on the host. It is not reliable on its own for asset identification because the network card can be moved to another host.
DNS Name: Use a domain name as part of the unique identifier. Adding this option along with an IP address allows for cases where the same IP address may exist in two different domains.
IP Address: Use an IP address as part of the unique identifier.
• In a DHCP environment, a rule that contains only this condition can cause confusion if an asset receives a different IP address from DHCP, because the new address no longer matches the asset's existing record. Be sure to use other conditions along with this rule to ensure you have identified unique assets.
• In a non-DHCP environment, set up the last rule with this condition only, to catch all assets that don't match the conditions in previous rules.
NetBIOS Name: In Windows-based systems, use the hostname as part of the unique identifier.
Confirmed: Displays the number of confirmed and unconfirmed assets for each rule selected. Also presents the number as a percentage of the total found for a rule.
Running a new scan updates this column.
Configured Rules: Displays the order in which rules will be applied to assets.
Asset Activity: Set the number of days an asset can go without being discovered before it is labeled as inactive. For more information, see Asset Activity Status (page 155).

Viewing All or Active Assets
Viewing All Assets - Default View
The default view shows all assets. The Assets Tree view shows all of the assets in your allowed scanning range. They are grouped by IP address sets.
• To show this view, click the Select View tool in the toolbar and choose All Assets from the list displayed.
Figure 37: Asset Management - all assets view
Viewing Active Assets
When you choose to view active assets, Foundstone 6.5 adjusts the asset tree view to show only those asset groups and general IP ranges that contain active assets.
• To show this view, click the Select View tool in the Asset toolbar and choose Active Assets from the list.

Clearing Asset Attributes
To get here using the Foundstone Enterprise Manager, click MANAGE > ASSETS. To get here using the FoundScan Console, choose Users/Groups/Scans from the File menu, right-click an organization or workgroup, and choose Manage Assets from the shortcut menu.
Remove the attributes of an asset by right-clicking the asset and selecting Clear Attributes.
Note: Remove the attributes of multiple labeled assets by selecting the assets, right-clicking the selection, and clicking Clear Attributes. However, if any of the selected assets (even one) has neither a label nor a criticality setting, this option does not appear.

Searching for Assets
Foundstone includes both a basic and an advanced search to locate assets. Using the basic search, search for an asset with a specific label, IP, operating system, NetBIOS name, DNS name, or domain name.
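The identification rules described under Managing Asset Identification Rules decide whether a re-scanned host is matched to its existing asset record or recorded as a new asset, and the Asset Activity setting decides when a record stops counting as active; both feed the active and inactive asset filters used by the searches that follow. The following Python script is an added example written for this page, not Foundstone code: it models the first-match-wins rule order with the condition names from the table above, shows the DHCP failure mode the IP Address entry warns about (the same laptop on a new lease becomes a duplicate asset under an IP-only rule but is re-identified under a MAC Address + DNS Name rule), and computes active versus inactive from a last-found date and an Asset Activity window. The data structures, the matching details and the sample hosts are assumptions made for the example; nothing here is the product's internal logic.

```python
"""Added example (not part of Foundstone): models asset identification rules
(first matching rule wins, later rules ignored) and the Asset Activity window.
Rule and condition names come from the guide; everything else is assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Rules are tried in order. The first rule whose conditions are all present on
# the scanned host is used, and the remaining rules are ignored.
WINDOWS_RULES = [
    ("ePO UID",),                     # row 1, pre-set: always unique
    ("MAC Address", "DNS Name"),      # row 2
    ("NetBIOS Name", "IP Address"),   # row 3
]
# The IP-only catch-all the guide recommends only for non-DHCP networks.
IP_ONLY_RULES = [("IP Address",)]


def identity_key(observation, rules):
    """Return (rule_index, condition_values) from the first satisfied rule,
    or None when no rule can confirm the host (it stays unconfirmed)."""
    for idx, conditions in enumerate(rules):
        if all(observation.get(c) for c in conditions):
            return idx, tuple(observation[c] for c in conditions)
    return None


@dataclass
class AssetRecord:
    asset_id: int
    key: tuple
    last_seen: date
    ip: str


@dataclass
class AssetDatabase:
    rules: list
    next_id: int = 1
    records: dict = field(default_factory=dict)   # identity key -> AssetRecord

    def record_scan(self, observation, scan_date):
        """Reconcile one scanned host with the known assets; return its record
        (existing or newly created), or None if no rule matched."""
        key = identity_key(observation, self.rules)
        if key is None:
            return None
        rec = self.records.get(key)
        if rec is None:
            rec = AssetRecord(self.next_id, key, scan_date, observation["IP Address"])
            self.next_id += 1
            self.records[key] = rec
        rec.last_seen = scan_date
        rec.ip = observation["IP Address"]
        return rec

    def status(self, rec, today, asset_activity_days):
        """'active' while the host was found within the Asset Activity window,
        'inactive' once more than that many days passed without finding it."""
        age = today - rec.last_seen
        return "active" if age <= timedelta(days=asset_activity_days) else "inactive"


def dhcp_move_demo(rules):
    """Scan the same laptop on two DHCP leases a week apart and return the
    number of asset records afterwards: 1 means it was re-identified,
    2 means the second lease was recorded as a new, duplicate asset."""
    db = AssetDatabase(rules)
    day1 = {"MAC Address": "00:1a:2b:3c:4d:5e", "DNS Name": "lt-042.corp.test",
            "NetBIOS Name": "LT-042", "IP Address": "10.0.5.20"}   # constructed
    day2 = {**day1, "IP Address": "10.0.5.77"}                        # new lease
    db.record_scan(day1, date(2007, 11, 1))
    db.record_scan(day2, date(2007, 11, 8))
    return len(db.records)


def activity_demo(asset_activity_days, days_since_last_found):
    """Status of a host last found the given number of days before today."""
    db = AssetDatabase(WINDOWS_RULES)
    today = date(2007, 12, 1)
    rec = db.record_scan({"NetBIOS Name": "SRV1", "IP Address": "10.0.5.2"},
                         today - timedelta(days=days_since_last_found))
    return db.status(rec, today, asset_activity_days)


if __name__ == "__main__":
    print("MAC+DNS rule, DHCP address change -> asset records:", dhcp_move_demo(WINDOWS_RULES))
    print("IP-only rule, DHCP address change -> asset records:", dhcp_move_demo(IP_ONLY_RULES))
    print("Asset Activity 14 days, last found 23 days ago ->", activity_demo(14, 23))
```

The duplicate created by the IP-only rule is also what leaves a stale record behind: the old entry ages out to inactive while the new one carries no label, criticality or owner, so asset-weighted scoring and ownership both drift after every lease change.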
The results returned from a basic search include only those assets that were found during the last scan. These assets are called "active" or "alive" assets.
Using the advanced search, build your own search criteria. Specify whether you want to include only those assets that were found during the last scan (active assets), assets that had been found previously but were not found during the last scan (inactive assets), or assets that have never been scanned (unidentified assets).
You can switch between basic and advanced searches without clearing the search results. However, any subsequent search you perform runs against the entire database, not against the current result set.
Working with large searches
A maximum of 10,000 assets can be displayed as a search result. If a search would return more than 10,000 assets, a message asks whether you want to view the partial result. If you choose to view the partial results, the total number of assets included in the results is displayed at the top of the search results table.
Stopping a search
If you stop a search, the search results table shows the partial results and displays "partial results" at the top of the table.
Working with columns in the search results
Columns in the search results table can be moved, resized, or removed (and added back). Any changes you make to the table are not remembered the next time you access Asset Management.
• To resize a column, select the line between the columns and drag it to a new location. To force the column to fit the width actually needed, double-click the line.
• To move a column, select the column and drag it to a new location.
• To select the columns displayed, right-click a column heading and choose Select Columns from the shortcut menu to display the Select Columns dialog box. By default, all columns are included. To remove a column from view, select the column name on the right side of the dialog box and click Remove.
To display a column that was removed, select the column name on the left side of the dialog box and click Add. You can also reorder the display of the columns in this dialog box.

Using the Asset toolbar during searches
The buttons and commands on the toolbar let you access the various features during basic or advanced searches.
Figure 38: Asset Management toolbar - after searching
Assets, Search, Advanced Search: As described under Asset Toolbar Description above.
Move to Group: Moves assets in a search result to a group (see "What to do with Search Results" on page 146), allowing you to assign a group name and criticality. Note: Assets can belong to only one group.
Help: Opens the help file.

Using the Basic Search
Use the basic search to locate an asset with a specific label, IP, operating system, NetBIOS name, DNS name, or domain name.
Note: The results returned from a basic search include only those assets that were found during the last scan. These assets are called "active" or "alive" assets.
To search for active assets
1 Click Search. The Search pane appears on the left side of the Asset Management page.
Figure 39: Asset Management - basic search
2 Enter the text you want to find in the String to search for text box. For all searches except IP address, you can enter all or part of the string. For IP addresses, you must enter a complete address in dotted-decimal form, such as 10.0.1.89.
3 For General Filter, select the type of search you want to perform: Label, IP Address, Operating System, DNS Name, NetBIOS Name, or Domain Name.
4 To filter your search by a specific criticality level, under Criticality Filter, select the criticality level of the asset. This creates an AND search: if you search for a Windows operating system with a criticality level of "Significant", your results include only assets that run a Windows operating system and have a criticality of "Significant". Clearing all boxes gives the same result as checking all boxes: the results include assets with any criticality.
When the search has completed, the assets matching your search criteria are displayed in the right pane. A temporary group named "Search Results" is created and remains as long as you are logged on for the session. Assets in this temporary group can be moved, renamed, or have their criticality levels changed. For more information, see What to do with Search Results (on page 146).

Using the Advanced Search
Use the advanced database search to build your own search criteria and run the search on the database. Specify whether you want to include only those assets that were found during the last scan (active assets), assets that had been found previously but were not found during the last scan (inactive assets), or assets that have never been scanned (unidentified assets).
On this page you can do the following:
• Specify the search criteria by selecting the options from the list boxes and entering the text on which to base the search in the Add Criteria area. Click Add to move the selection to the Search Criteria area.
• Use the logical operators AND or OR from the Logical Operator list to specify how the search criteria lines are combined. The selected operator applies to the entire search; you cannot mix operators within the same search.
• Remove a single search line from the Search Criteria area by selecting the line you want to remove and clicking Remove.
• Remove all lines of criteria from the Search Criteria area by clicking Remove All.
Note: The Advanced Search Results show the data as it was when the search ran. If the data changes, it is not reflected in the search results until you run the search again.
The Advanced Search Results are kept in the Reports folder on the FoundScan Engine and on the Foundstone Enterprise Manager. The default location is c:\Program Files\Foundstone\Reports\%orgname%\Queries\%username%\. These saved results contain host, service and banner details for your network, so restrict filesystem access to this folder to the accounts that run and administer Foundstone.
Note: A detailed search can take a long time, depending on the size of your database and the complexity of the search.

To use the advanced search to locate assets
1 Click Advanced Search. The Search pane appears on the left side of the Asset Management page.
Figure 40: Asset Management - advanced search
2 For Add Criteria, do the following:
• Select the arrow to specify the type of search you want to perform.
• Select whether the criterion Contains/Does Not Contain, or is In/Not In. The options available depend on the criterion you select.
• Enter the parameters on which you want to filter the search. For information on the parameters for each criterion, see the Advanced Search Criteria table below.
3 Click Add to add the line to the search criteria.
4 To further filter your search, create another line and choose a Logical Operator:
• Choose AND to search for assets that match all lines of criteria. For example, [IP addresses 10.0.0.0 through 10.0.0.255] AND [Open Ports 1 through 50] returns all assets in that IP range that also have open ports in the 1-50 range.
• Choose OR to search for assets that match any line of criteria. For example, [IP address 10.0.0.0] OR [IP address 198.162.0.0] returns the assets at either of these IP addresses, if found.
5 If necessary, remove a line of search criteria by selecting the line and clicking Remove. To clear all lines of search criteria, click Remove All.
6 To filter your search by a specific criticality level, under Criticality Filter, select the criticality level of the asset. This creates an AND search: if you search for a Windows operating system with a criticality level of "Significant", your results include only assets that run a Windows operating system and have a criticality of "Significant". Clearing all boxes gives the same result as checking all boxes: the results include assets with any criticality.
7 To filter your search by a specific asset type, under Asset filter, select the type of asset. This creates an AND search: if you search for a Windows operating system with an asset filter of "Active", your results include only assets that run a Windows operating system and are active. For more information, see Asset Activity Status (page 155).
8 When you are ready to begin the search, click Search. To stop the search, click Stop. There may be a slight delay before the Stop button becomes available; during this time the results are being retrieved from the database.
When the search has completed, the assets matching your search criteria are displayed in the right pane.
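The search procedure above combines criteria lines with one Logical Operator and then ANDs the Criticality filter and Asset filter on top. The following Python script is an added example written for this page, not Foundstone code: it evaluates a list of criteria lines against a small in-memory inventory with exactly those semantics, using the field names and operators from the Advanced Search Criteria table (Contains/Does Not Contain for text fields, In/Not In for IP and port ranges, Equals/Not Equals for Protocol). The asset layout and the inventory are constructed assumptions; how the product stores and queries its database is not shown here.

```python
"""Added example (not Foundstone code): evaluate Advanced Search criteria with
a single AND/OR operator, then apply the Criticality and Asset filters."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Asset:
    ip: str
    label: str = ""
    os_name: str = ""
    dns_name: str = ""
    netbios_name: str = ""
    domain_name: str = ""
    criticality: str = "Unknown"
    activity: str = "active"        # active | inactive | unidentified
    services: list = field(default_factory=list)   # (protocol, port, service_name, banner)


def _text_match(value, op, needle):
    """Contains / Does Not Contain: case-insensitive partial match."""
    hit = needle.lower() in value.lower()
    return hit if op == "Contains" else not hit


def criterion_matches(asset, criterion):
    """criterion = (field, operator, value). IP Address and Open Ports take a
    (low, high) range with In / Not In; Protocol takes Equals / Not Equals;
    every other field takes Contains / Does Not Contain with a string."""
    fld, op, value = criterion
    if fld == "IP Address":
        low, high = (ip_address(v) for v in value)
        hit = low <= ip_address(asset.ip) <= high
        return hit if op == "In" else not hit
    if fld == "Open Ports":
        low, high = value
        hit = any(low <= port <= high for _, port, _, _ in asset.services)
        return hit if op == "In" else not hit
    if fld == "Protocol":
        hit = any(proto == value for proto, _, _, _ in asset.services)
        return hit if op == "Equals" else not hit
    if fld == "Service Name":
        hit = any(value.lower() in name.lower() for _, _, name, _ in asset.services)
        return hit if op == "Contains" else not hit
    if fld == "Banner Text":
        hit = any(value.lower() in banner.lower() for _, _, _, banner in asset.services)
        return hit if op == "Contains" else not hit
    text_fields = {"Label": asset.label, "OS Name": asset.os_name,
                   "DNS Name": asset.dns_name, "NetBIOS Name": asset.netbios_name,
                   "Domain Name": asset.domain_name}
    return _text_match(text_fields[fld], op, value)


def advanced_search(assets, criteria, logical_operator="AND",
                    criticality_filter=(), asset_filter=()):
    """IPs of matching assets in inventory order. The one operator applies to
    all criteria lines; an empty criticality or asset filter means 'any'."""
    combine = all if logical_operator == "AND" else any
    hits = []
    for a in assets:
        if criteria and not combine(criterion_matches(a, c) for c in criteria):
            continue
        if criticality_filter and a.criticality not in criticality_filter:
            continue
        if asset_filter and a.activity not in asset_filter:
            continue
        hits.append(a.ip)
    return hits


# Constructed inventory, not real scan data.
INVENTORY = [
    Asset("10.0.0.5", os_name="Windows Server 2003", criticality="Significant",
          services=[("TCP", 25, "SMTP", "220 mail ESMTP"), ("TCP", 445, "microsoft-ds", "")]),
    Asset("10.0.0.20", os_name="Windows XP", criticality="Low", activity="inactive",
          services=[("TCP", 139, "netbios-ssn", "")]),
    Asset("10.0.0.200", os_name="Linux", criticality="Significant",
          services=[("TCP", 22, "SSH", "SSH-2.0-OpenSSH_4.3"), ("TCP", 80, "HTTP", "Apache/2.2")]),
    Asset("10.0.1.7", os_name="Linux", criticality="Significant",
          services=[("TCP", 23, "Telnet", "login:"), ("UDP", 161, "SNMP", "")]),
]

if __name__ == "__main__":
    # The guide's own example: IP 10.0.0.0 through 10.0.0.255 AND open ports 1 through 50.
    print(advanced_search(INVENTORY, [("IP Address", "In", ("10.0.0.0", "10.0.0.255")),
                                      ("Open Ports", "In", (1, 50))]))
    # Cleartext management on critical hosts that are still alive.
    print(advanced_search(INVENTORY, [("Service Name", "Contains", "telnet")],
                          criticality_filter={"Significant"}, asset_filter={"active"}))
```

The second query is the kind of saved search worth keeping: Significant, active assets that still expose Telnet, re-run after each scan cycle.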
A temporary group named "Search Results" is created and remains as long as you are logged on for the session. Assets in this temporary group can be moved, renamed, or have their criticality levels changed. For more information, see What to do with Search Results (on page 146).

Advanced Search Criteria
IP Address: Enter a range of IP addresses on which to search.
Label: Enter all or part of the string to search for a labeled asset (up to 64 characters). Choose Contains to find assets whose label contains this string, or Does Not Contain to find assets whose label does not.
OS Name: Enter all or part of an operating system name, such as win (up to 64 characters). Choose Contains to find assets that use this operating system, or Does Not Contain to find assets that do not.
DNS Name: Enter all or part of the DNS name of the asset (up to 64 characters). Choose Contains to find assets whose DNS name contains this string, or Does Not Contain to find assets whose DNS name does not.
NetBIOS Name: Enter all or part of the NetBIOS name of the asset (up to 64 characters). Choose Contains to find assets whose NetBIOS name contains this string, or Does Not Contain to find assets whose NetBIOS name does not.
Domain Name: Enter all or part of the domain name of the asset (up to 64 characters). Choose Contains to find assets that are members of this domain, or Does Not Contain to find assets that are not.
Open Ports: Enter a range of open ports, as positive numbers of five digits or less. Choose In to find assets with open ports in this range, or Not In to find assets with no open ports in this range.
Protocol: Select the protocol, TCP or UDP. Choose Equals to find assets that are running services using the selected protocol.
Select Not Equals to find assets that are not running the selected protocol.
Service Name: Enter the name of a running service, such as SMTP or HTTP. Enter up to 64 characters. Choose Contains to include assets that are running these services. Choose Does Not Contain to exclude those assets.
Banner Text: Enter a partial name of banner text returned by a running service. Enter up to 64 characters. Choose Contains to include assets that returned this text in a banner. Choose Does Not Contain to exclude those assets.

What to do with Search Results

Once your search has completed, you can use the results of the search to manage your assets. The results are temporarily saved (per session) in a group, "Search Results."

Procedures

When your search results are available, you can:
• Add the search results to a group by selecting the assets and then clicking the Move to Group tool on the toolbar. Use the Move to Group dialog box (on page 151) to move the selected assets to an existing group, or to a new group. You can also right-click the assets and choose Move to Group from the shortcut menu.
• View or change the properties of an asset. To do this, right-click the asset and choose Properties from the shortcut menu. You can also double-click the asset to display this dialog box. Use the Asset Properties dialog box (see "Viewing an Asset's Properties" on page 134) to change the label or criticality level of the asset.

Tip: If you have multiple assets selected, use the Asset Properties dialog box to change the criticality level only. To change the label of an asset, be sure you have selected only that asset.

Asset Groups

You can combine multiple assets into groups, organizing them into hierarchies that make sense to your organization. This makes it easier to manage assets, add groups of assets to scans, and monitor risk. You can create any number of groups and sublevels of groups.
Scope

Asset groups are shared across the organization. However, they display only those assets you have the right to view. All administrators can view all asset groups. The Root Organization Administrator can view and delete all asset groups. The Workgroup Administrator can view only those assets belonging to the IP pool of his or her assigned workgroup (and subworkgroups).

The Root Organization Administrator can delete any asset group. The Workgroup Administrator can delete an asset group only if the group contains nothing but assets belonging to the IP pool for that workgroup. If the asset group contains assets from other workgroups, only the assets belonging to that IP pool are removed and the asset group itself is not deleted.

Procedures

In Asset Management, you can perform the following tasks:
• To view the assets that belong to a group, click the group in the left pane. The assets are displayed in the right pane.
• To view or change the properties of a group (page 152), right-click the group and select Properties from the shortcut menu.
• To create a new group (page 152), right-click the organization or a group and select New Group from the shortcut menu.
• To move a group to another group (page 150), right-click the group whose assets you want to move and select Move to Group.
• To move assets into a group (page 149), browse to the asset range you want to add. In the right panel, select the assets using CTRL-Click or SHIFT-Click to select multiple assets. Right-click the selection and choose Move to Group from the shortcut menu.

Notes: Moving multiple assets into an asset group shows the internal asset ID as the label. This is done to provide a unique label and can be overwritten. Moving a single asset into an asset group shows the IP address as the label until you overwrite it.
Figure 41: Asset Management - main page

Displayed Asset Group Properties

Active host: see Asset Activity Status (page 155).
Inactive host: see Asset Activity Status (page 155).
Undiscovered host: see Asset Activity Status (page 155).
Blue Assets: If the asset shows up with blue text, it means that someone has modified the asset's criticality, label, or group membership.
DNS Name: Shows the name reported by DNS for this asset.
NetBIOS Name: Shows the NetBIOS name that the last scan found on this asset.
Label: Shows any labels that have been assigned to these assets.
IP Address/Range: Shows the IP address on which this asset was found.
Criticality: Shows the criticality that has been assigned to each asset. You can assign the criticality to the entire group by modifying the group's properties (page 152).

To create a new asset group
1 In the Assets tree pane, navigate to the location where you want to create the new group.
2 Right-click the group under which the new group will be located and choose New Group from the shortcut menu. The New Group dialog box (page 152) appears.
3 Enter the Label for the group, and select the Criticality and Owner.
4 Click OK to save your changes.

Tip: You can also right-click a group or an empty area in the right pane and choose New Group. The new group is created under the currently selected group.

To create an asset group containing selected assets
1 In the Assets tree pane, navigate to the IP mask containing the range you want to group. Click the IP mask so that the range appears in the right pane.
2 Select the assets you want to include in the new group.
3 Right-click the assets and then choose Move to Group. The Move to Group dialog box (see "Move to Group dialog box" on page 151) appears.
4 Click New Group. The New Group dialog box (page 152) appears.
5 Enter the Label for the group, and select the Criticality and Owner.
6 Click OK to save your changes.
To assign assets to groups

Note: Adding or removing multiple assets to or from a group can take several minutes because of the database changes that are being made. For this reason, when moving assets into an asset group, the number of assets you can move at once is roughly limited to a class C network. You can move multiple class C's to a group at a single time if they belong to the same class B. By selecting the class B network in the left pane (192.168.*.*), the right pane shows the class C networks belonging to the class B. You can select any (or all) of the entries in the table and choose Move to Group from the shortcut menu in the table. This will take several minutes to perform. An asset can belong to only one group at a time.

1 In the left pane, navigate to the network class containing the asset(s) you want to add to the group.
2 In the right pane, select the first group of assets to add to the group.
• To select multiple addresses, press and hold the CTRL key on the keyboard as you select IP addresses.
• To select a range, click the first address. Press and hold the SHIFT key and click the last address.
3 Right-click the selected address(es) and choose Move to Group from the shortcut menu.
4 In the Move to Group dialog box (on page 151), do one of the following:
• To use an existing group, choose the desired group.
• To create a new group, click New Group. You can create several new groups in the New Group dialog box (on page 152) before assigning the IP addresses.
5 After selecting the desired group, click OK.

To move groups around
• You can rearrange your asset groups as needed by dragging them to new positions in the Assets tree pane.

Tip: You can also right-click a group in the Assets pane and choose Move to Group from the shortcut menu.

To delete a group

Deleting a group puts all of the assets back into the asset tree, and removes the group.
Any assets that inherited the asset group's criticality or owner properties will retain those properties after the group is deleted.
1 In the Assets tree pane, select the group you want to delete.
2 Press the Delete key.
3 When prompted whether you are sure you want to delete the group(s), click Yes.

Tip: You can also right-click the group and choose Delete from the shortcut menu.

To rename a group
1 Right-click the group you want to rename and choose Rename from the shortcut menu.
2 Enter the new name and press Enter.

To change the group's assigned criticality or label
1 Right-click the group you want to change and choose Properties from the shortcut menu.
2 Change the criticality level or label and click OK.

To remove an asset from a group

Removing an asset from a group moves the asset and any child assets to the root level. This has the same effect as dragging and dropping the group to the root level.
• Right-click the asset to be removed, and choose Remove from Group from the shortcut menu.

To refresh the display of active hosts in a group
• In the Assets pane, right-click the group containing the assets you want to refresh, and choose Refresh Selected for Active Hosts from the shortcut menu.

Move to Group dialog box

Use this dialog box to move selected assets to an existing Asset Group, or to create a new group.

Procedures

In the Move to Group dialog box, you can do the following:
• To add the selected search results or IP addresses to an existing group, select the group name and click OK.
• To add the selected results or IP addresses to a new group, click New Group. After you enter the information to create the new group, select the newly created group and click OK.

New Group dialog box

Use this dialog box to specify the properties of the new group you are creating.
Figure 42: Asset Management - New Group dialog box

New Group Dialog Box Settings

Label: Enter the name for this asset group.
Criticality: Choose the criticality level (see "Criticality Levels" on page 154) to indicate how important the assets in this group are to the security of your enterprise.
Asset Owner: If you are assigning assets to specific users, choose the appropriate user from the list.

Asset Group Properties

To get here using the Foundstone Enterprise Manager, click MANAGE > ASSETS. Then right-click a group and choose Properties from the shortcut menu.

To get here using the FoundScan Console, choose Users/Groups/Scans from the File menu, right-click an organization or workgroup, and choose Manage Assets from the shortcut menu. Then right-click a group and choose Properties from the shortcut menu.

Use the Asset Group Properties dialog box to simultaneously set the properties for multiple assets belonging to the same group.

Procedures

On this page you can do the following:
• Set the group name (label).
• Change the criticality.
• Extend the criticality to all assets in the hierarchical structure under this group.
• Assign an asset owner.

Figure 43: Asset Management - Asset Group Properties dialog box

Asset Group Property Settings

Label: Shows the group name. Note: The Asset Label field does not support high-ASCII characters. Use only alphanumeric characters for group names.
Criticality: Shows the criticality level (see "Criticality Levels" on page 154) applied to the group. Individual assets within the group may have their own criticality level applied to them.
Apply this criticality to existing child assets: Select this checkbox to apply the criticality level to all groups under this group in the Asset Tree view.
Asset Owner: Assign all the assets in this group to this user.
Asset Properties dialog box

View or change the properties of an asset by double-clicking it, or by right-clicking the asset and choosing Properties from the shortcut menu. Asset properties define the asset, allowing you to add labels, identify how critical the asset is to your organization, and assign a specific Foundstone 6.5 user to be an owner.

Figure 44: Asset Management - Asset Properties dialog box

Asset Properties

DNS Name: If a single host is selected, and a recent scan discovered the DNS name of that host, Foundstone 6.5 displays it here. This field is inactive if you select more than one host. For display only.
NetBIOS Name: If a single host is selected, and a recent scan discovered the NetBIOS name of that host, Foundstone 6.5 displays it here. This field is inactive if you select more than one host. For display only.
Operating System: If a single host is selected, and a recent scan discovered the operating system running on that host, Foundstone 6.5 displays it here. This field is inactive if you select more than one host. For display only.
Domain Name: If a single host is selected, and a recent scan discovered the domain name of that host, Foundstone 6.5 displays it here. This field is inactive if you select more than one host. For display only.
Label: Use this field to assign the group or host label. This can be anything you want. If a custom label has not been assigned, the label uses the host's IP address.
Criticality: Click the arrow and select the criticality level (see "Criticality Levels" on page 154) from the list.
Asset Owner: Click the arrow and select the asset owner from the list.

Criticality Levels

Criticality levels indicate how important this asset is to your business, and the impact to your business should this asset be compromised. Foundstone 6.5 uses six criticality levels (including "none").
Set this level after you determine how critical the asset is to your enterprise.
• What would be the impact if this machine were vulnerable to an attack, or if its data was compromised?
• How important is the data on this host?
• How difficult will it be to replace this data?

Criticality Levels

None: The criticality level has not been assigned.
Low (1): Lowest criticality - fixing the vulnerabilities on this host is a low priority when compared to others.
Limited (2), Moderate (3), Significant (4): Intermediate levels of criticality.
Extensive (5): Highest criticality - fixing the vulnerabilities on this host should be the highest priority.

How Criticality Affects FoundScore

Once you begin assigning criticality levels to your assets, the criticality affects your FoundScore. Vulnerabilities found on hosts marked with a lower criticality count less than vulnerabilities found on hosts with a higher criticality level. For more information on criticality levels and FoundScore, see Managing Metrics - FoundScore Settings (on page 272).

Asset Owners

Foundstone 6.5 lets you assign assets to specific users. You can assign an asset to any user in the system, so you can assign users to specific subnets. If you are using Remediation Tickets, set up automatic rules that assign assets to their asset owners whenever a vulnerability is discovered on that asset.

Procedures
• To create an asset owner, make sure the user already exists in the Foundstone 6.5 system (see "Creating New Users" on page 241).
• To assign an asset to a user, right-click the asset or group, and choose Properties from the shortcut menu. Choose the user from the Asset Owner dropdown box.
• To remove an owner from an asset, right-click the asset or group and choose Properties from the shortcut menu. Select None from the Asset Owner list.
Asset Activity Status

The activity status of an asset is determined by a scan discovering the asset. An asset can be Active, Inactive, or Undiscovered.
• Active assets - Assets that were found by a scan within x days. The number of days is set in the Asset Activity box in the Manage Asset Identification Rules dialog box (page 136).
• Inactive assets - Assets that were not found within x days, but were found by a previous scan. Note: To reactivate an asset, run a scan that will discover that asset.
• Undiscovered assets - Assets that have been manually entered on the Manage > Assets page, but have not been found by a scan.

Managing Data Sources

To get here in the Foundstone Enterprise Manager, click Manage > Data Sources.

Use these settings to configure the Foundstone Data Synchronization Service. This allows Foundstone 6.5 to use data residing in ePolicy Orchestrator databases or LDAP servers, increasing operating system accuracy and showing which vulnerabilities are mitigated by other McAfee products deployed in those environments.

If your Active Directory domain is configured to use Secure Sockets Layer (SSL) encryption, ensure that the machine hosting the Data Synchronization Service has the requisite certificates in place.

Foundstone 6.5 adds the following information to the reports, which show assets with ePO data:
• operating system
• service pack level

Note: ePolicy Orchestrator information is given a higher priority than existing operating system information in the Foundstone Database.

Foundstone 6.5 supports LDAP version 3, with Simple, SNEGO or NTLM access. The LDAP server must support paged search control.
Procedures

The Data Sources page provides the ability to:
• Add an ePO Data Source (page 158) or LDAP Data Source (page 159)
• Edit an existing Data Source (page 164)
• Delete a Data Source (page 163)
• Test a Data Source (page 164)

Figure 45: ePO servers added to the Data Sources library

Settings

Server Address: IP address or fully qualified domain name
Type: ePolicy Orchestrator or LDAP server
Last Sync Time: Date and time of the last successful synchronization
Last Sync Status: Status of the last synchronization
Next Sync Time: Date and time of the next synchronization
Actions: Edit, Delete, or Test the database connection
Add Data Source: Specify the location and settings for a new ePolicy Orchestrator database
Refresh: Refreshes the page to update the information displayed

To create an ePO Data Source
1 Click Add Data Source.
2 Select ePO from the Data Source Type list.
3 Type the server address of the ePO database.
4 Type the name of the ePO database.
5 Type a username and password. Note: The username must have at least read access to the ePO database.
6 Select Active or Inactive for the Scheduler.
7 Select either a Schedule Type (Immediate or One Time) or a Recurring schedule (Daily, Weekly, Monthly). Note: If you select Daily, Weekly, or Monthly, also select the appropriate Schedule (page 162) options for this data source.
8 Click Save and then click Exit.

To create an LDAP Data Source
1 Click Add Data Source.
2 Select LDAP from the Data Source Type list.
3 Type entries for these options:
• LDAP server address or fully qualified domain name (FQDN). Once an LDAP data source is saved, this field cannot be edited. You must create a new LDAP data source to correct a server address or FQDN error.
Note: A fully qualified domain name is required if you are using an SSL connection.
• LDAP server port number
• Timeout (in seconds) - this field is optional. Timeout determines how long the Foundstone Data Synchronization Service waits for a reply from the LDAP server before deciding that the LDAP server is not responding. If this field is left blank, the Foundstone Data Synchronization Service uses the server default.
4 Select a connection type. Select SSL if your LDAP server supports it. If not, leave the selection as Standard.
5 Select an authentication type (NTLM, Generic, or Simple). If you are using OpenLDAP, you must use Simple authentication. Note: NTLM and Generic authentication are not compatible with LDAP in Linux environments.
6 Type a username and password.
7 Select either Active or Inactive for the Scheduler.
8 The LDAP Search Root is a string that specifies the root of the LDAP tree. For the LDAP Search Root, specify where asset searches should begin. Example: dc=foundstone, dc=com
Note: The fields in the LDAP Attribute Mapping are case insensitive. The values in the LDAP Attribute Mapping are given by the administrator, and could vary from system to system.
9 The LDAP Search Filter sets criteria that help reduce the number of attributes returned by a search. Example: (objectclass=computer) imports all computers from the LDAP server to the Faultline database. For more information on LDAP query basics, go to the Microsoft TechNet website (http://technet.microsoft.com/en-us/library/aa996205.aspx).
Note: To import an OU structure, specify the root of the OU structure as your LDAP root and use an LDAP filter to remove any results that should be synchronized.
10 Type entries for these options:
• NetBIOS Name: LDAP attribute containing the NetBIOS name (if it exists)
• DNS Name: LDAP attribute containing the host (domain) name (if it exists)
• IP Address: LDAP attribute containing the IP address
• Domain Name (optional): LDAP attribute containing the DNS name (if it exists)
• MAC Address (optional): LDAP attribute containing the MAC address (if it exists)

Example 1: If the Active Directory does not have an LDAP attribute containing the IP address of individual hosts, the NetBIOS Name and DNS Name attributes can be used to retrieve entries and resolve IP addresses. Standard Winsock methods are used to look up the IP address for a given hostname. An IP address is required to scan the system. If the hostname cannot be resolved, the asset is not added to the final result set.

Example 2: If the Active Directory does have an LDAP attribute containing the IP address of individual hosts, the IP Address attribute can retrieve IP addresses directly, so the NetBIOS and DNS Name attributes are not necessary.

11 Select a Schedule Type (Immediate or One Time) or a Recurring schedule (Daily, Weekly, Monthly). Note: If you select Daily, Weekly, or Monthly, also select the appropriate Schedule (page 162) options for this data source.
12 Click Save and then click Exit.

After your LDAP data source is synchronized successfully into Foundstone, go to Adding IP Addresses by browsing an LDAP server (page 367) for information on how to add LDAP assets to a scan configuration. If you need to view or troubleshoot the data retrieved from the synchronization, create a scan and browse your LDAP assets. You can also view the LDAPAssets table in the database for more information.

To schedule a Data Source

To set up a Daily Recurring Data Source
1 Select Daily under Recurring.
2 Type the Start On date.
Note: You can also use the Calendar icon to select a start date.
3 Select the hour and minutes at which this data source is to be run on a daily basis.
4 Click Save.

To set up a Weekly Recurring Data Source
1 Select Weekly under Recurring.
2 Select a day of the week to run this data source. Note: It is possible to select more than one day to run a data source.
3 Select the hour and minutes at which this data source is to be run on a weekly basis.
4 Select the number of weeks this data source is to recur. For example, selecting 3 means the selected data source runs once every 3 weeks.
5 Click Save.

To set up a Monthly Recurring Data Source
1 Select Monthly under Recurring.
2 Do one of the following:
• To schedule a data source to run on a specific day during a specific week, make sure the Date checkbox is not selected. Select the Start On criteria. Select the First through the Fifth to designate the week of the month the data source will be run. Then select the day of the week the data source will be run.
• To schedule a data source to run on a specific date during a month, make sure the Date checkbox is selected. Select the Start On criteria. Select the date (1st through the 31st) of the month to run the data source.
3 Select the hour and minutes at which this data source is to be run on a monthly basis.
4 Select the number of months this data source is to recur. For example, selecting 3 means the selected data source runs once every 3 months.
5 Click Add. The schedule criteria are added to the list. Note: You can add more than one schedule criterion to the monthly schedule list.
6 Click Save.

To delete a Data Source
1 Click Delete in the row of the Data Source to be deleted. A message appears asking you to confirm the deletion.
Figure 46: ePO servers added to the Data Sources library
2 Click OK.
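The LDAP Attribute Mapping and IP resolution behaviour described in the LDAP Data Source steps above (case-insensitive mapping fields, Example 1 resolving names when no IP attribute exists, Example 2 reading the IP attribute directly, and unresolvable hosts being dropped), as an added example that is not part of the guide or of the Foundstone Data Synchronization Service. The directory entries, the attribute names in the mapping, and the name resolver standing in for the Winsock lookup are all constructed so the example runs offline.

```python
"""Model of the LDAP Attribute Mapping and IP resolution described in the
LDAP Data Source steps above (added example, not Foundstone code).  The
directory entries, attribute mapping and name resolver are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Entry = Dict[str, str]                # one LDAP entry as attribute -> value
Mapping = Dict[str, Optional[str]]    # mapping field -> LDAP attribute name


@dataclass
class Asset:
    netbios_name: Optional[str]
    dns_name: Optional[str]
    ip_address: str
    domain_name: Optional[str] = None
    mac_address: Optional[str] = None


def get_attr(entry: Entry, attr: Optional[str]) -> Optional[str]:
    """Case-insensitive lookup, since the mapping fields are case insensitive
    per the guide.  None when the field is unmapped or the entry lacks it."""
    if not attr:
        return None
    for name, value in entry.items():
        if name.lower() == attr.lower():
            return value
    return None


def build_assets(entries: List[Entry], mapping: Mapping,
                 resolve: Callable[[str], Optional[str]]) -> List[Asset]:
    """mapping keys: netbios, dns, ip, domain, mac -> LDAP attribute names.
    resolve(hostname) stands in for the Winsock lookup the guide mentions.
    With an IP attribute (Example 2) the address is taken directly; without
    one (Example 1) the DNS name is resolved, then the NetBIOS name.  Entries
    that still have no IP address are dropped, as the guide states."""
    assets: List[Asset] = []
    for entry in entries:
        dns = get_attr(entry, mapping.get("dns"))
        netbios = get_attr(entry, mapping.get("netbios"))
        ip = get_attr(entry, mapping.get("ip"))
        if ip is None:
            for hostname in (dns, netbios):
                if hostname:
                    ip = resolve(hostname)
                    if ip:
                        break
        if ip is None:
            continue   # unresolvable host: not added to the final result set
        assets.append(Asset(netbios, dns, ip,
                            get_attr(entry, mapping.get("domain")),
                            get_attr(entry, mapping.get("mac"))))
    return assets


# Constructed sample entries, as (objectclass=computer) under
# dc=foundstone,dc=com might return them (attribute names are assumed).
SAMPLE_ENTRIES: List[Entry] = [
    {"cn": "WS01", "dNSHostName": "ws01.foundstone.com"},
    {"cn": "WS02", "dNSHostName": "ws02.foundstone.com"},
    {"cn": "WS03", "dNSHostName": "ws03.foundstone.com"},
    {"cn": "SRV01", "dNSHostName": "srv01.foundstone.com",
     "ipHostNumber": "10.0.0.21"},
]

# Constructed resolver table standing in for DNS / NetBIOS name lookup.
SAMPLE_LOOKUP = {
    "ws01.foundstone.com": "10.0.0.11",
    "WS02": "10.0.0.12",                  # only the NetBIOS name resolves
    "srv01.foundstone.com": "10.0.0.20",
}                                         # WS03 resolves by neither name


def sample_resolve(hostname: str) -> Optional[str]:
    return SAMPLE_LOOKUP.get(hostname)


# Example 1 style mapping (no IP attribute) and Example 2 style mapping.
MAPPING_BY_NAME: Mapping = {"netbios": "cn", "dns": "dNSHostName", "ip": None}
MAPPING_WITH_IP: Mapping = {"netbios": "cn", "dns": "dNSHostName",
                            "ip": "iphostnumber"}   # case differs on purpose


def synced_addresses(mapping: Mapping) -> List[str]:
    """IP addresses that would reach the synchronized asset set."""
    return [a.ip_address
            for a in build_assets(SAMPLE_ENTRIES, mapping, sample_resolve)]
```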
To edit a Data Source

To get here in the Foundstone Enterprise Manager, click Manage > Data Sources.
1 Click Edit in the row of the Data Source to be edited.
Figure 47: ePO servers added to the Data Sources library
2 Make the necessary changes.
3 Click Save.
4 Click Exit.

To test a Data Source

To get here in the Foundstone Enterprise Manager, click Manage > Data Sources.

The data source Test feature allows you to verify that your data source is properly set up and that the service is running. Use this feature before you synchronize with your data source.
1 Click Test in the row of the Data Source connection to be tested.
Figure 48: ePO servers added to the Data Sources library

If you receive a successful test result, then the service is running. If you receive a failed test result, then the service is either not installed or is not running. If your data source is not properly set up, then edit (page 164) your data source.

Managing Engines

To get here, click MANAGE > ENGINES. You must be logged in as the Root Organization Administrator to use this page.

This page shows the FoundScan Engine servers that are available for running scans. If you have more than one FoundScan Engine, a list of the available engines appears on the Scan Schedule page so that you can select the machine that should run the scan.

Warning: If you create multiple root organizations, they should use separate engines, or at least have a common administrator who knows to avoid overlapping settings; the engine settings can be edited by any Root Organization Administrator.

Scope

The settings on this page affect the entire organization, including all workgroups. Workgroup administrators cannot make changes to these settings.

Procedures

On this page you can do the following:
• To see if the engine can be reached, click Test Connectivity.
• To change the description, enter a description in the Description column and click Update.

Note: If an engine is supposed to appear on this list, but does not, make sure the engine is made available in the Organization or Workgroup Properties (see "Organization Properties - Scan Engines" on page 226).

Figure 49: Manage Engines - shows the available engines

Name: Provides the ability to enter a descriptive name for the FoundScan Engine. The name and description are stored in the engine's registry.
Description: The optional description can provide additional information about the location or purpose of this FoundScan Engine. Click Update to accept any changes you make.
Type: Displays the type of system on which Foundstone is running. If the FoundScan Engine is running on a McAfee appliance, it is displayed here. If the FoundScan Engine is running on customer-supplied equipment, the type is displayed as "Custom."
Status: Shows whether the Foundstone Database is communicating with this FoundScan Engine. If the status is online, the Foundstone Database is able to communicate with the FoundScan Engine. This status is updated every 30 seconds as the database polls each engine.
Update: Click Update to submit changes to the FoundScan Engine servers.
Delete: Removes this FoundScan Engine from the list. Engines that are online cannot be deleted from the list.
Pause/Resume: Pauses all scans on this FoundScan Engine.
Test: Click Test Connectivity to see if the FoundScan Engine is running and reachable. If the engine is found, a confirmation message shows the IP address and port that the engine is using to communicate with the Foundstone Enterprise Manager. Note: The "online" status is established only after connectivity, so it is possible to see the Test Connectivity button even when the engine status is offline.
Preferences: Edit the settings for this engine.
(see "Default Engine Settings" on page 167)
Manage: Manage additional settings for an FS850 Appliance (see "Managing an FS850 Appliance" on page 187). Use this feature to restart, rename, or reconfigure the FS850 Appliance.
Add FS850: Opens the initial FS850 Appliance setup wizard (see "Adding an FS850 Appliance" on page 175). Use this feature to set up the initial configuration for an FS850 Appliance.

Default Engine Settings

The tabs on this page let you set the common options that affect all FoundScan Engine servers you can access. Settings that affect all engines are available here; those options that are specific to each engine are disabled.

Procedures

On this page you can do the following:
• To set the default settings for all FoundScan Engine servers in your organization, go through each tab and edit the available settings.
• To change the settings for engine-specific options, click Manage > Engines. Click Edit Preferences for the engine whose options you want to change.
• To save the changes to the default engine template, so that all new FoundScan Engine servers that come online use these settings, click Save.
• To save the settings to the template and to apply the new settings to all FoundScan Engine servers, click Global Save.

Engine Preferences - General Settings

This page lets you change the FoundScan Engine's general settings, including the following:
• logging options
• report directory locations and report generation behavior
• DHCP resolution
• database maintenance settings

Figure 50: Engine Preferences - General Settings

Logging Options

Limit Logfile Retention to ____ days: Select this option to set the number of days (1 through 365) of information to retain in the log file.
Use Coordinated Universal Time in Log Files: Select this option if you are coordinating across multiple time zones. Clear this option to use the local computer's time in the log file. This option refers to the time stamp at the beginning of each message in the log file. Enabling this option uses Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT), instead of any particular time zone.
Disable logging of status messages: Select this option to stop logging status messages.
Log Directory: Set the path to the local directory where you want to save your Foundstone logs.

Report Directory

Report Directory: Select the local folder in which to save generated reports.
Generate Reports for: Foundstone 6.5 supports individual FoundScan Engine roles. Choose the role that this engine will assume on your network.
• This engine - This engine will only generate reports for scans created by this engine. Then it uploads the report to the Foundstone Enterprise Manager so everyone can access it. Use this option for engines that should not help in the report generation process. For example, a remote engine with somewhat limited bandwidth to the database could use this option.
• Any engine - This engine will generate reports in the database queue. Then it uploads the report to the Foundstone Enterprise Manager so everyone can access it. Use this option for normal engines.
• Do not generate reports - This engine will not generate reports. When this engine finishes a scan, the reports are queued in the database to wait for an available engine to generate the report. Use this option for engines that should not generate reports; on a large network with multiple engines, the primary engine should use this setting because it is busy handling the communication between the database and the Foundstone Enterprise Manager.
Console Management Options

Remove scans __ hour(s) after completion or error
    Select this option to set the time for keeping non-active scans in the main window of the Console. Then enter the number of hours (1 through 168) after which scans should be removed.
Limit number of non-active scans to __ items
    Select this option to set the number of non-active scans that appear in the main window of the Console. Then enter the number of non-active scans (8 through 30) to be limited.
Use host name to reconcile dynamic IP addresses
    Select this option to resolve IP addresses to their machine names using the DHCP server. This lets Foundstone 6.5 track hosts even if their IP address changes, but it can make the scan job run slightly slower. Clear this feature if you don't have a DHCP server, or if you don't want to track hosts by name.
Use __ threads per scanner instance for FSL script processing
    Set the number of threads (8 through 30) running in parallel to execute FSL vulnerability check scripts. The number can be increased for a faster scan when vulnerability checking is enabled. Increasing the number of FSL threads improves scan performance, but it also requires more network bandwidth.
Perform db maintenance at ______ every __ days
    Use this option to set up regular maintenance on the Foundstone Database. Choose the time for the maintenance to occur and select the interval (number of days, 1 through 30) between each maintenance period. By default the interval is set to 1 day; this is the recommended setting. This process updates the statistics on the Foundstone Database. It is silent and does not affect users, other than increasing the CPU usage on the Foundstone Database server. Every day, at the specified maintenance time, Foundstone 6.5 sends a request to the Foundstone Database to update its statistics.
    The Foundstone Database compares the time of the last maintenance to the interval specified. If that interval has passed since the last maintenance, the Foundstone Database begins the process again.
Update Index Statistics
    When this option is selected, the Foundstone Database updates its indexes during the regular maintenance period that you scheduled above.
Delete jobs older than ______ days
    Check this option to automatically delete old scan jobs after a specified number of days. This helps reduce the amount of disk space required by the database. However, once a job is deleted, you cannot generate reports from that job, although existing reports for that job are not deleted. The deleted job is no longer used to calculate statistics in reports.
    About stale tickets: If a ticket has been opened for a vulnerability on a particular host, it will expire after this many days. If Foundstone 6.5 discovers the same vulnerability on the host after this ticket has already expired, Foundstone 6.5 opens a new ticket for that vulnerability.

Engine Preferences - Enterprise Manager

This page lets you change the FoundScan Engine's general settings, including the following:
• Engine name and description
• Engine address and port settings
• Foundstone Enterprise Manager identification settings

Figure 51: Engine Preferences - Enterprise Manager Settings

Display Options

Display Name
    Enter the name that will be displayed for this FoundScan Engine in the Foundstone Enterprise Manager. The name can also be set on the MANAGE > ENGINES page (see "Managing Engines" on page 165).
Description
    Type the description that will be displayed for this FoundScan Engine in the Foundstone Enterprise Manager.
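The Authentication Scheme setting in the two connection tables that follow offers three levels of peer identification. The Python model below is an added example, not Foundstone code: it checks constructed certificate records (placeholder fingerprints and host names) the way each scheme would, so you can see which schemes accept a connection from the wrong host presenting a copy of the shared default certificate, the spoofing case the setting descriptions warn about.

```python
"""Model of the three Foundstone Authentication Scheme levels.

Added example, not Foundstone code. The peer certificates are constructed
dictionaries shaped like ssl.SSLSocket.getpeercert(), with a constructed
"fingerprint" field standing in for the certificate's hash, and the trust
store is simply a set of trusted fingerprints.
"""
from enum import Enum


class Scheme(Enum):
    NO_AUTH = "No Authentication"
    BASIC_CERT = "Authenticate using Foundstone basic certificate"
    FQDN = "Authenticate using fully qualified domain name"


# Constructed placeholders: the certificate every installation ships with,
# and a certificate issued specifically to one engine host.
DEFAULT_CERT = {
    "fingerprint": "sha256:DEFAULT-CERT-PLACEHOLDER",
    "subjectAltName": (("DNS", "foundstone.default.invalid"),),
}
ENGINE_CERT = {
    "fingerprint": "sha256:ENGINE1-CERT-PLACEHOLDER",
    "subjectAltName": (("DNS", "engine1.corp.example"),),
}
TRUSTED = {DEFAULT_CERT["fingerprint"], ENGINE_CERT["fingerprint"]}


def dns_names(cert):
    """DNS names the certificate claims (subjectAltName DNS entries)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Exact match, or a single leading '*.' wildcard covering one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return False


def peer_accepted(scheme, expected_fqdn, cert, trusted=TRUSTED):
    """Return True if the peer passes the checks of the given scheme.

    cert is None when the peer presented no certificate at all.
    """
    if scheme is Scheme.NO_AUTH:
        # Traffic is encrypted, but the sender is never identified.
        return True
    if cert is None or cert["fingerprint"] not in trusted:
        return False
    if scheme is Scheme.BASIC_CERT:
        # Any holder of a copy of a trusted certificate is accepted,
        # whichever host it is actually running on.
        return True
    # FQDN scheme: the trusted certificate must also name the host
    # the connection was told to reach.
    return any(name_matches(n, expected_fqdn) for n in dns_names(cert))


def evaluate(expected_fqdn, cert, trusted=TRUSTED):
    """Outcome of one connection attempt under each scheme."""
    return {s.value: peer_accepted(s, expected_fqdn, cert, trusted) for s in Scheme}


if __name__ == "__main__":
    # The intended engine presenting its own certificate: accepted everywhere.
    print("genuine engine:", evaluate("engine1.corp.example", ENGINE_CERT))
    # Another host presenting a copy of the shared default certificate while
    # we meant to reach engine1: only the FQDN check rejects it.
    print("copied default cert:", evaluate("engine1.corp.example", DEFAULT_CERT))
```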
Foundstone Enterprise Manager to FoundScan Engine Connection

Portal

Address
    Enter the IP address, DNS name, or NetBIOS name for the Web server running the Foundstone Enterprise Manager. Leave this box blank if there is no Web server, or if the Web server is on this machine. If you leave the address blank, reports will not be available through the Foundstone Enterprise Manager (unless it is running on this machine, which is not recommended).
Port
    Enter the port number that the Web server uses to receive McAfee information. Valid ports are 0 through 65535.
    Important: If you change the port for an FS850 Appliance, communication with the appliance will fail until you configure the appliance firewall. Log directly onto the FS850 Appliance to make this change.
Use Default Port
    Select this to use the default port setting of 3800.
Use SSL
    Use Secure Sockets Layer between this FoundScan Engine and the Foundstone Enterprise Manager.
    Note: Changing this setting requires that the FoundScan Engine be restarted. Once the change has been made in the Foundstone Database, communications between the Foundstone Enterprise Manager and the FoundScan Engine are interrupted. In order to continue to use the Foundstone Enterprise Manager, it may be necessary to restart the FoundScan Engine manually.
Authentication Scheme
    Shows the authentication method being used to communicate from the Foundstone Enterprise Manager to the FoundScan Engine.
    • No Authentication – the servers will accept encrypted traffic, but will not identify the server sending the data. Although this option is fairly secure, it can allow someone to spoof the server and gain access to the data.
    • Authenticate using Foundstone basic certificate – the servers will use the default certificates.
    This option is more secure, but it is possible that someone could gain a copy of the required certificate and use it to spoof the server to gain data.
    • Authenticate using fully qualified domain name – the servers check the domain name of the server with which they are told to communicate. This is the most secure option.
    Important: If you use SSL, your IIS server must contain a valid SSL Certificate. See the McAfee Install Guide for more information on setting up SSL Certificates. If your IIS server does not have an SSL Certificate, and you have selected this option, the FoundScan Engine cannot post reports to the Foundstone Enterprise Manager.

FoundScan Engine to Foundstone Enterprise Manager Connection

Portal

Address
    Enter the DNS name, NetBIOS name, or an IP address for this engine. Leave blank to use the default IP address found by the FoundScan Console on the engine.
Port
    Enter the port number that the FoundScan Engine uses to receive McAfee information.
    Note: If you are using an FS850 Appliance, changing this setting requires that you open the new port on the appliance's firewall. See the FS850 Installation Guide for more information.
Use Default Port
    Select this to use the default port settings: 80 for normal HTTP communication, or 443 if SSL is selected.
Use SSL
    Use Secure Sockets Layer between this FoundScan Engine and the Foundstone Enterprise Manager (Web server).
Authentication Scheme
    Shows the authentication method being used to communicate from the FoundScan Engine to the Foundstone Enterprise Manager.
    • No Authentication – the servers will accept encrypted traffic, but will not identify the server sending the data. Although this option is fairly secure, it can allow someone to spoof the server and gain access to the data.
    • Authenticate using Foundstone basic certificate – the servers will use the default certificates.
    This option is more secure, but it is possible that someone could gain a copy of the required certificate and use it to spoof the server to gain data.
    • Authenticate using fully qualified domain name – the servers check the domain name of the server with which they are told to communicate. This is the most secure option.
    Important: If you use SSL, your IIS server must contain a valid SSL Certificate. See the McAfee Install Guide for more information on setting up SSL Certificates. If your IIS server does not have an SSL Certificate, and you have selected this option, the FoundScan Engine cannot post reports to the Foundstone Enterprise Manager.

Engine Preferences - Network Options

This page lets you set network options and SMTP settings.

Procedures

On this page you can do the following:
• To have the engine detect whether it is connected to the network, select Enable Network Connectivity Detection. Enter at least one IP address in the New Target IP field and click Add.

Figure 52: Engine Preferences - Network Options

Network Connectivity Detection Settings

Enable Network Connectivity Detection
    Turn this feature on to ping a known 'good' host to ensure that the FoundScan Engine is connected to your network as it scans. If the FoundScan Engine is not connected, it cannot find any hosts and reports no vulnerabilities on your network. If the network is inactive or erratic, Foundstone 6.5 pauses all scans until network connectivity is re-established or stabilized.
New Target IP
    Enter a known 'good' host and click Add. The target will be added to the Ping Target list.
Ping Target
    This list shows the IP addresses that the FoundScan Engine will ping to ensure that it is connected to the network. You can remove items from this list by selecting the item and clicking Remove.
Timeout
    Enter how many seconds (1 through 10) to wait for a response to the ping.
Interval
    Enter how often (1 through 100) you want to send the ping to verify that the scanner is online.
Threshold
    Enter how many times (1 through 10) the ping should fail to pause the scans running on this engine. Foundstone 6.5 continues sending a ping to the target, and resumes the scans when the ping threshold is no longer breached.

Engine Preferences - Default Ports

To get here, click MANAGE > ENGINES. Click Preferences. Then click the Default Ports tab. You must be logged in as the Root Organization Administrator to use this page.

This page lets you determine the default ports used in the Host Discovery and Service Discovery phases of the scan. Valid port numbers are 0 through 65535.

Procedures

On this page you can do the following:
• To add a port to a port list, enter the port in the Start Port box and click >.
• To add a range of ports to a port list, enter the beginning port in the Start Port box, enter the ending port of the range in the End Port box, and click >.
• To remove a port from the default port list, select the port in the list and click Remove.
• To restore the list to the Foundstone 6.5 defaults, click Defaults. This option sets the default list to the list shipped with Foundstone 6.5.

Warning: If two engines have different default port lists, the exact same scan may produce different results on each engine because of the different ports being scanned.

Figure 53: Engine Preferences - Default Ports

Adding an FS850 Appliance

The FS850 Appliance can be added to your network to increase scanning power and provide additional coverage on your network. You must be logged on as a Root Organization Administrator to complete some of the required steps.

To set up an FS850 Appliance, complete the following tasks in this order:
1 Add the FS850 Appliance to your network.
  This step might require that you configure the network interface cards (NICs). See the FS850 Installation Guide.
2 Run the FS850 Setup Wizard (see "FS850 Appliance Setup Wizard" on page 178). This wizard configures the settings needed to start the FS850 Appliance for the first time.
3 Control the FS850 Appliance through the settings on the Manage page (see "Managing an FS850 Appliance" on page 187).

Quick steps to adding an FS850 Appliance:
1 Choose MANAGE > ENGINES.
2 Click Add FS850 to start the FS850 Appliance Setup Wizard. The FS850 Appliance must be available on the network before proceeding with this wizard. For more information, see the FS850 Quick Start Guide.
3 Enter the IP address for the FS850 Appliance you want to attach. The available address appears on the liquid crystal display on the FS850 Appliance once you have connected a network interface card to your network.
4 Enter the administrator password associated with the FS850 Appliance. The default password is FS-850!. You are prompted to change this password later in this wizard.
5 Click Next.
6 Carefully read through the license agreement. Next is disabled until you scroll to the bottom of the agreement.
7 Check the box for I have read and agree to the terms and conditions of this license agreement.
8 Click Next.
9 If necessary, change the appliance name. For Specify the new appliance name, enter the name by which you will identify this FS850 Appliance. McAfee recommends using the fully-qualified domain name. This is especially important if you use custom certificates on your system. If you change the host name, be sure to take the steps necessary to resolve the new name (see "To resolve the host name if you change it" on page 182).
10 If necessary, change the appliance system clock. For Set the system clock, enter the new time and date using the specified format of mm/dd/yyyy hh:mm AM/PM.
  Note: If you are changing the system clock or time zone after you have initially set up the FS850 Appliance, a change that differs by more than 12 hours from the original time can cause a licensing problem if the FS850 Appliance has not been properly licensed. Licensing can be set up through the Manage FS850 Appliance Licensing tab (see "Licensing Tab" on page 196).
11 If necessary, change the time zone. For Set the time zone to, click the arrow and select the time zone from the list.
12 For Specify the new administrative password, enter a new administrative password for the FS850 Appliance. The password must be 6 to 12 characters long, and can contain numbers, upper- and lower-case letters, and special characters.
13 For Re-enter the new administrative password, enter the new administrative password again to confirm you have entered the password you expected.
14 Click Next.
15 For SQL Server address, enter the location of the Foundstone Database. Enter the IP address or fully-qualified domain name. Use the fully-qualified domain name if you are using custom certificates.
16 For SQL Server username, enter the user name Faultline unless you have manually changed the database settings to create a different database user.
17 For SQL Server password, enter the password associated with the user name you entered in the previous step. The password for the Faultline user was created during the installation process when you first installed Foundstone.
18 Click Test Database to attempt to connect to the database using the credentials you supplied above. If successful, the message SQL Credentials Accepted appears.
19 Click Next.
20 To specify the day of the week to check for operating system updates, click the arrow and select the day or select Every Day.
21 To specify the time, click the arrow and select the hour at which you want to check for operating system updates.
22 Click Next.
23 Review the settings you have specified by scrolling through the list. If you need to change a setting, click the setting itself. The wizard returns to the page containing the setting so that you can correct it. When all settings are correct, click Apply to accept them. The wizard applies the settings and restarts the FS850 Appliance. Restarting the appliance can take several minutes. The wizard window closes, leaving you on the MANAGE > ENGINES page (see "Managing Engines" on page 165) in the Foundstone Enterprise Manager. Once the FS850 Appliance has restarted, you can refresh the MANAGE > ENGINES page and the FS850 Appliance appears on the list of available engines.
24 After the settings have been sent to the FS850 Appliance, the appliance connects to the Foundstone update server to find any additional security patches. It downloads and applies the available patches, and restarts.
25 Click Finish.
26 Finally, finish the integration and set the other FoundScan Engine settings. To do this, choose MANAGE > ENGINES and then click Manage for the FS850 Appliance (see "Managing an FS850 Appliance" on page 187) you are configuring.

FS850 Appliance Setup Wizard

From the Manage > Engines page, click Add FS850 to start the FS850 Appliance Setup Wizard. The FS850 Appliance must be available on the network before proceeding with this wizard. For more information, see the FS850 Quick Start Guide.

1 Enter the IP address for the FS850 Appliance you want to attach. The available address appears on the liquid crystal display on the FS850 Appliance once you have connected a network interface card to your network.
2 Enter the administrator password associated with the FS850 Appliance. The default password is FS-850!. You are prompted to change this password later in this wizard.
3 Click Next to continue with the FS850 Setup Wizard - License Agreement (see "FS850 Appliance Setup Wizard - License Agreement" on page 180).
  • If the connection to the FS850 Appliance was not successful, the following page appears. Check and re-enter the IP address and password, and then click Next to continue.

Troubleshooting the Connection
• If you cannot connect, log directly into the FS850 Appliance configuration page and make sure that the connected NIC is set up with the correct IP address.
• If you can successfully send a PING command to the address but cannot connect, the problem is most likely that you have the wrong password. If not, there is a problem with your network connection or settings.
• If the display on the FS850 Appliance does not show the IP address, make sure it is properly connected to the network. See the FS850 Installation Guide for more information.

FS850 Appliance Setup Wizard - License Agreement

1 Carefully read through the license agreement. Next is disabled until you scroll to the bottom of the agreement.
2 Check the box for I have read and agree to the terms and conditions of this license agreement.
3 Click Next to continue with the FS850 Setup Wizard - Appliance Name (see "FS850 Appliance Setup Wizard - Appliance Name" on page 181).

FS850 Appliance Setup Wizard - Appliance Name

Use these settings to set the host name, system time/date, and create your administrative password on the FS850 Appliance.

1 If necessary, change the appliance name. For Specify the new appliance name, enter the name by which you will identify this FS850 Appliance. McAfee recommends using the fully-qualified domain name. This is especially important if you use custom certificates on your system.
  If you change the host name, be sure to take the steps necessary to resolve the new name (see "To resolve the host name if you change it" on page 182).
2 If necessary, change the appliance system clock. For Set the system clock, enter the new time and date using the specified format of mm/dd/yyyy hh:mm AM/PM.
  Note: If you are changing the system clock or time zone after you have initially set up the FS850 Appliance, a change that differs by more than 12 hours from the original time can cause a licensing problem if the FS850 Appliance has not been properly licensed. Licensing can be set up through the Manage FS850 Appliance Licensing tab (see "Licensing Tab" on page 196).
3 If necessary, change the time zone. For Set the time zone to, click the arrow and select the time zone from the list.
4 For Specify the new administrative password, enter a new administrative password for the FS850 Appliance. The password must be 6 to 12 characters long, and can contain numbers, upper- and lower-case letters, and the following special characters: !, @, #, $, %, &, _ (underscore), and - (dash).
5 For Re-enter the new administrative password, enter the new administrative password again to confirm you have entered the password you expected.
6 Click Next to continue with the FS850 Setup Wizard - Database Settings (see "FS850 Appliance Setup Wizard - Database Settings" on page 183).

To resolve the host name if you change it:
You may encounter problems when you change the host name of the FS850 Appliance. If the Foundstone Enterprise Manager will no longer communicate with the FS850 Appliance after the changes take place, McAfee recommends you do one of the following:
• Add the host name of the FS850 Appliance to the HOSTS file on the Foundstone Enterprise Manager server.
• Add the host name of the FS850 Appliance to the DNS server on your network.
• Change the WINS settings on your network so that the Foundstone Enterprise Manager server can resolve the host name of the FS850 Appliance.

FS850 Appliance Setup Wizard - Database Settings

Use this page to set up the communication between the FS850 Appliance and the Foundstone Database.

1 For SQL Server address, enter the location of the Foundstone Database. Enter the IP address or fully-qualified domain name. Use the fully-qualified domain name if you are using custom certificates.
2 For SQL Server username, enter the user name Faultline unless you have manually changed the database settings to create a different database user.
3 For SQL Server password, enter the password associated with the user name you entered in the previous step. The password for the Faultline user was created during the installation process when you first installed Foundstone.
4 Click Test Database to attempt to connect to the database using the credentials you supplied above. If successful, the message SQL Credentials Accepted appears.
5 Click Next to continue with the FS850 Setup Wizard - System Update Settings (see "FS850 Appliance Setup Wizard - System Update Settings" on page 183).

FS850 Appliance Setup Wizard - System Update Settings

These settings tell the FS850 Appliance how often and when to download and install operating system updates. The time and date are based on the local FS850 Appliance system. When this date and time occur on the FS850 Appliance, it checks the Foundstone System Update Server (SUS) for updates. If an update is available, the FS850 Appliance downloads and installs it.

Note: The FS850 Appliance does not download Foundstone updates directly. When the primary FoundScan Console retrieves a Foundstone update, the update is sent to the database and distributed to all FoundScan Engine servers.
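The Network Connectivity Detection settings described earlier under Engine Preferences - Network Options (Ping Target, Timeout, Interval, Threshold) pause and resume scans according to ping results. The simulation below is an added example, not Foundstone code; it assumes failures are counted consecutively, a round counts as a failure only when no Ping Target answers, and a single successful round resumes scans, and it uses constructed ping outcomes instead of real ICMP traffic.

```python
"""Simulation of Network Connectivity Detection (Engine Preferences - Network
Options): Ping Target list, Timeout, Interval and Threshold.

Added example, not Foundstone code. Assumptions: a monitoring round succeeds
if any Ping Target answers within Timeout, failed rounds are counted
consecutively, and one successful round clears the count and resumes paused
scans. Ping outcomes are constructed tables, not real ICMP traffic.
"""
from dataclasses import dataclass, field


@dataclass
class ConnectivitySettings:
    ping_targets: list          # the Ping Target list (known 'good' hosts)
    timeout: int = 2            # seconds to wait for a reply (1 through 10)
    interval: int = 5           # how often to send the ping (1 through 100)
    threshold: int = 3          # failed pings before scans pause (1 through 10)

    def validate(self):
        """Enforce the ranges the settings page allows."""
        if not self.ping_targets:
            raise ValueError("at least one Ping Target is required")
        if not 1 <= self.timeout <= 10:
            raise ValueError("Timeout must be 1 through 10")
        if not 1 <= self.interval <= 100:
            raise ValueError("Interval must be 1 through 100")
        if not 1 <= self.threshold <= 10:
            raise ValueError("Threshold must be 1 through 10")


@dataclass
class EngineState:
    consecutive_failures: int = 0
    scans_paused: bool = False
    events: list = field(default_factory=list)   # ("pause"|"resume", round_no)


def run_round(settings, state, round_no, reply_for):
    """One monitoring round; reply_for(target, timeout) -> True if answered."""
    reachable = any(reply_for(t, settings.timeout) for t in settings.ping_targets)
    if reachable:
        if state.scans_paused:
            state.events.append(("resume", round_no))
        state.consecutive_failures = 0
        state.scans_paused = False
    else:
        state.consecutive_failures += 1
        # Pinging continues while paused; only the first breach logs a pause.
        if not state.scans_paused and state.consecutive_failures >= settings.threshold:
            state.scans_paused = True
            state.events.append(("pause", round_no))
    return state.scans_paused


def simulate(settings, rounds):
    """rounds: one dict per round mapping target -> answered (constructed).

    Returns (paused flag per round, list of pause/resume events).
    """
    settings.validate()
    state = EngineState()
    timeline = []
    for round_no, outcomes in enumerate(rounds):
        paused = run_round(settings, state, round_no,
                           lambda target, _timeout: outcomes.get(target, False))
        timeline.append(paused)
    return timeline, state.events


# Constructed scenario: two placeholder targets, one outage during which
# both stop answering for four rounds, then connectivity returns.
SAMPLE_SETTINGS = ConnectivitySettings(ping_targets=["10.0.0.1", "10.0.0.2"],
                                       timeout=2, interval=5, threshold=3)
SAMPLE_ROUNDS = [
    {"10.0.0.1": True,  "10.0.0.2": True},
    {"10.0.0.1": False, "10.0.0.2": True},    # one target down: still online
    {"10.0.0.1": False, "10.0.0.2": False},   # failure 1
    {"10.0.0.1": False, "10.0.0.2": False},   # failure 2
    {"10.0.0.1": False, "10.0.0.2": False},   # failure 3 = threshold: pause
    {"10.0.0.1": False, "10.0.0.2": False},   # still paused, still pinging
    {"10.0.0.1": True,  "10.0.0.2": False},   # a reply: resume
    {"10.0.0.1": True,  "10.0.0.2": True},
]


def demo():
    """Run the constructed scenario; returns (timeline, events)."""
    return simulate(SAMPLE_SETTINGS, SAMPLE_ROUNDS)


if __name__ == "__main__":
    timeline, events = demo()
    print("paused per round:", timeline)
    print("events:", events)
```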
1 To specify the day of the week to check for operating system updates, click the arrow and select the day or select Every Day.
2 To specify the time, click the arrow and select the hour at which you want to check for operating system updates.
3 Click Next to continue with the FS850 Setup Wizard - SSL Configuration.

FS850 Appliance Setup Wizard - Review Settings

Use the Review Settings page to view the configurations to be saved on the FS850 Appliance.

Figure 54: Review Settings - click a setting to change it

1 Review the settings you have specified by scrolling through the list. If you need to change a setting, click the setting itself. The wizard returns to the page containing the setting so that you can correct it.
2 When all settings are correct, click Apply to accept them. The wizard applies the settings and restarts the FS850 Appliance. Restarting the appliance can take several minutes. The wizard window closes, leaving you on the MANAGE > ENGINES page (see "Managing Engines" on page 165) in the Foundstone Enterprise Manager. Once the FS850 Appliance has restarted, you can refresh the MANAGE > ENGINES page and the FS850 Appliance appears on the list of available engines.

Your next step is to finish the integration and set the other FoundScan Engine settings. To do this, choose Manage > Engines, and then click Manage for the FS850 Appliance (see "Managing an FS850 Appliance" on page 187) you are configuring.

Note: If the Foundstone Enterprise Manager cannot find the new FS850 Appliance on the network, clicking Manage produces an error message. You must resolve the issue (see "To resolve the host name if you change it" on page 182) before continuing.

FS850 Appliance Setup Wizard - Upgrade

The FS850 Appliance is compatible with Foundstone 4.1.
If your system is running a later version, such as Foundstone 6.5, the FS850 Appliance automatically retrieves the necessary update files and installs them. The following page only appears when the FS850 Appliance is upgrading itself to be compatible with the Foundstone system on your network. This page shows the current status of the FS850 Appliance: that it is restarting, receiving and installing updates, and so forth. Once it has finished the upgrade process, the final page in the setup wizard automatically appears.

Note: If you reset the FS850 Appliance to factory defaults, it will again be compatible with Foundstone 4.1.

FS850 Appliance Setup Wizard - Finished

After the settings have been sent to the FS850 Appliance, the appliance connects to the Foundstone update server to find any additional security patches. It downloads and applies the available patches, and restarts.

Note: The FS850 Appliance is automatically added to the workgroup or organization to which you belong. To make it available to other workgroups, you must add it to the Scan Engines tab in the workgroup properties (see "Organization Properties Scan Engines" on page 226).

Managing an FS850 Appliance

To get here, from the Foundstone Enterprise Manager click MANAGE > ENGINES. Then, for the FS850 Appliance you want to configure, click Manage. You must be a Root Organization Administrator to access this menu.

Before you can use these settings, the FS850 Appliance must be on your network and visible to the other Foundstone servers. Use these options to manage the FS850 Appliance through the Foundstone Enterprise Manager interface.
From your browser you can do the following:
• Shut down (see "Appliance Home Tab" on page 188) the FS850 Appliance
• Restart (see "Appliance Home Tab" on page 188) the FS850 Appliance
• Reconfigure (see "Appliance Home Tab" on page 188) the FS850 Appliance
• View the configured NIC settings (see "Configuration Tab - Network Configuration" on page 191) on the FS850 Appliance
• Set the hostname, system date and time (see "Configuration Tab - System Options" on page 192)
• Reset the system password (see "Configuration Tab - System Options" on page 192)
• Set the appliance management port (see "Configuration Tab - System Options" on page 192)
• Choose the level of engine logging (see "Configuration Tab - System Options" on page 192) performed
• Configure the way that the FS850 Appliance communicates with the database (see "Configuration Tab - Database Configuration" on page 193)
• Reconfigure operating system update settings (see "Configuration Tab - Update Settings" on page 194)
• License (see "Licensing Tab" on page 196) the FS850 Appliance for use on your network
• Run various support tools (see "Support Tools Tab" on page 200)

You can also check the Preferences settings to configure the FS850 Appliance for generating reports and other behaviors:
• Engine Preferences - General Settings (on page 167)
• Engine Preferences - Enterprise Manager (on page 170)
• Engine Preferences - Alerts
• Engine Preferences - Network Options (on page 173)
• Engine Preferences - Default Ports (on page 175)

Appliance Home Tab

Use this page to shut down the FS850 Appliance, restart it, or reconfigure it. You can also refresh the information displayed in the status tables.

Figure 55: Appliance Home tab

Appliance Settings

Shut Down Appliance
    To shut down the FS850 Appliance, click this button.
    You are prompted whether you want to proceed, as you must physically access the FS850 Appliance in order to power it back on. Click OK to proceed with the shutdown.
Restart Appliance
    To restart the FS850 Appliance, click this button. You are prompted whether you want to proceed, as any active scans are paused and your management session via Foundstone Enterprise Manager is terminated. Click OK to proceed with the restart.
Reconfigure Appliance
    To reconfigure the appliance, click this button to display the FS850 Appliance Setup Wizard (see "FS850 Appliance Setup Wizard - Appliance Name" on page 181), beginning with the Appliance Name page.
Refresh
    To refresh the display in the status tables, click this button.
Appliance Status
    This table displays information about the FS850 Appliance hardware, including the FS850 Appliance name and NICs. To change this information, click the Configuration Tab (on page 190).
FoundScan Engine Status
    This table displays information about the FS850 Appliance software, including the engine version and status, and licensing information. To change the licensing, click the Licensing Tab (on page 196).
    Note: The FS850 Appliance runs twin hyper-thread processors that appear on this page as 4 processors.

Configuration Tab

Use this page to view the network configuration of the FS850 Appliance, and change the system options, database configuration, and update settings.

Figure 56: Configuration tab - Network Configuration

Network Configuration
    The network configuration table is displayed when you first access the Configuration tab. If you are in another area within the Configuration tab, click this button to return to the network configuration settings.
System Options (see "Configuration Tab - System Options" on page 192)
    To change the FS850 Appliance host name, date and time settings, administrative password, appliance management port, or engine logging level, click this button.
Database Configuration (see "Configuration Tab - Database Configuration" on page 193)
    To change the SQL Server options, click this button.
Update Settings (see "Configuration Tab - Update Settings" on page 194)
    To change the date and time that operating system updates are downloaded and installed, click this button.
Interface
    The network configuration table displays information on the NICs on the FS850 Appliance. Click the arrow to select the NIC for which you want to view information.

Configuration Tab - Network Configuration

Use this page to view information about each of the network interface cards in the FS850 Appliance. The network configuration table is displayed when you first access the Configuration tab. If you are in another area within the Configuration tab, click Network Configuration to return to the network configuration settings.

Figure 57: Configuration tab - Network Configuration

Network Configuration

Interface
    Click the arrow to select the network interface card for which you want to view information.
IP Address, Subnet Mask, Default Gateway, Primary DNS Server, Secondary DNS Server
    Displays information regarding the network interface card selected.
NIC Status
    Displays the status of the network interface card.

Configuration Tab - System Options

Use this page to change the FS850 Appliance host name, date and time settings, administrative password, appliance management port, or engine logging level.
Figure 58: Configuration tab - System Options System Configuration Setting Description Appliance Hostname To change the name of the appliance, enter a new name. McAfee recommends using the fully-qualified domain name. This is especially important if you use custom certificates on your system. If you change the host name, be sure to take the steps necessary to resolve the new name (see "To resolve the host name if you change it" on page 182). Date and Time Settings To change the appliance system clock, enter the new time and date using the mm/dd/yyyy hh:mm AM/PM format. To change the time zone, click the arrow and select the time zone from the list. Note: If you are changing the system clock or time zone after you have initially set up the FS850 Appliance, making a change that is over 12 hours different from the original time can cause a licensing problem if the FS850 Appliance has not been properly licensed. Licensing can be set up through the Manage FS850 Appliance licensing tab (see "Licensing Tab" on page 196). Reset administrative password; Re-enter administrative password To change the administrative password for the FS850 Appliance, enter a new password for the FS850 Appliance. The password must be 6-12 digits in length, and can contain numbers, upper-and-lower-case letters, and special characters. Then re-enter the password, to confirm you have entered the password you expected. 192 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Setting Description Appliance Management Use this setting to change the port used for communication Port between the FS850 Appliance and the Foundstone Enterprise Manager. The default port is 443. Engine Logging Level To specify the level of logging on the FS850 Appliance click the arrow. Choose from None (Recommended) or Full Logging. McAfee recommends that you do not enable logging as this can add significantly to the amount of information included in the logs. 
For example, every script that is launched and every result that is returned would be logged. Technical Support may recommend that you enable full logging if it becomes necessary to troubleshoot issues with the FS850 Appliance.

Submit: To save any changes you made, click this button.

Configuration Tab - Database Configuration

Use this page to change the connection settings between the FS850 Appliance and the Foundstone Database.

Figure 59: Configuration tab - database configuration

SQL Server Options

SQL Server Address: To change the SQL Server database, enter the location of the Foundstone Database as an IP address or fully qualified domain name. Use the fully qualified domain name if you are using custom certificates.

SQL Username: Enter the user name Faultline, unless you have manually changed the database settings to create a different database user.

SQL Password: Enter the password associated with the user name you entered in the previous step. The password for the Faultline user was created during the installation process when you first installed Foundstone.

Test Credentials: To attempt to connect to the database using the credentials you supplied, click Start Test. If the connection succeeds, the message SQL Credentials Accepted appears.

Submit: To save any changes you made, click this button.

Configuration Tab - Update Settings

Use this page to change the day and time at which operating system updates are downloaded and installed. The time and date are based on the local FS850 Appliance system clock. When this date and time occur on the FS850 Appliance, it checks the Foundstone System Update Server (SUS) for updates. If an update is available, the FS850 Appliance downloads and installs it.

Note: The FS850 Appliance does not download Foundstone updates directly. When the primary FoundScan Console retrieves a Foundstone update, the update is sent to the database and distributed to all FoundScan Engine servers.

Figure 60: Configuration Tab - Update Settings

System Update Settings (Basic)

Install Updates on: To specify the day of the week on which to check for operating system updates, click the arrow and select the day, or select Every Day.

Launch Update Install at: To specify the time, click the arrow and select the hour at which you want to check for operating system updates.

Advanced: To use a proxy server, click this button. Use the advanced area (described in the following section) to specify the proxy connection.

Submit: To save any changes you made, click this button.

System Update Settings (Advanced)

Use Proxy Server: To use a proxy server when connecting to the Internet to download operating system updates, check this box.

Proxy Autoconfig Script URL: To use a configuration file that specifies your proxy settings, enter the complete URL in this field. If you do not use a configuration script, you can leave this field blank.

Proxy Server Address: Enter the IP address of the proxy server.

Proxy Server Port: Enter the port number of the proxy server.

Bypass Proxy Server for Local Addresses: If you do not want to use the proxy server when connecting to local addresses, check this box.

Licensing Tab

Use this page to unlock the license on the FS850 Appliance, generate a registration key, submit a request for a license, or clear an infringement status. For information on how to request and apply a license, see How to license the FS850 Appliance (on page 198).

License Details

View Current License Status: To view the current license details, click this button. The details are displayed on the left side of the page.

Generate Registration Key: To generate a registration key, click this button. Copy the registration key that is created so you can paste it into the Foundstone Registration Web page.

Submit Registration Key: To display the Foundstone Registration Web page, where you can request an unlock code (license), click this button.

Enter Unlock Code: To apply the license (unlock code) received in an email from McAfee, click this button.

License Details

License Status: Displays the type of license, and whether the license is valid.

Days Remaining on License: Displays the number of days until the license expires. Evaluation licenses are valid for 60 days.

License Flags: Displays additional information regarding the license.

Registration Key (Click Generate to create key): When you click Generate Registration Key, the key is created in this field. Copy this key and paste it into the Foundstone Registration Web page when you submit a license request.

Reset: To reset the license on this FS850 Appliance, click this button.

Warning: Resetting the license on the FS850 Appliance disables the appliance until a new license is applied. The evaluation license is not reapplied to the FS850 Appliance.

Clear Infringement Status: To clear an infringement or license violation caused by an error during installation (such as a misconfiguration), click this button. You can clear the infringement status only once; any further attempts to clear the infringement status require the assistance of McAfee Technical Support.

Licensing Tab - Unlock Code

Use this page to license your FS850 Appliance. To unlock and license your FS850 Appliance, cut and paste the contents of your unlock code (which you received via email) and then click Apply.
Unlock Code Details

Unlock Code: When you have received the email with the license key, copy the entire license portion of the email (including the "--BEGIN LICENSE--" and "--END LICENSE--" lines) and paste the key in this field.

Apply: To apply the unlock code (license key), click this button. A message is displayed informing you that the license key was applied successfully and prompting you to restart the FS850 Appliance.

How to license the FS850 Appliance

Follow these steps to license the FS850 Appliance. When you installed the appliance, it was installed with a 60-day evaluation license. To continue using the FS850 Appliance, you must request a registration key and then enter the unlock code that you receive via email.

1 Click MANAGE > ENGINES.
2 For the FS850 Appliance you want to license, click Manage.
3 Click the Licensing tab.
4 Click Generate Registration Key. The key is created and displayed under Registration Key.
5 Copy the registration key. (Select the entire contents of the key, right-click, and choose Copy from the shortcut menu.)
6 Click Submit Registration Key. The Foundstone Registration page opens in your browser.
7 Complete all information on the form. For Request Hash, paste the registration key you copied in the previous step.
8 Click Submit Registration. An email containing the license key is sent to the email address you entered on the registration form.
9 When you have received the email with the license key, copy the entire license portion of the email (including the "--BEGIN LICENSE--" and "--END LICENSE--" lines).
10 Click MANAGE > ENGINES.
11 For the FS850 Appliance you want to license, click Manage.
12 Click the Licensing tab.
13 Click Enter Unlock Code.
14 Paste the license key received in email and click Apply. A message is displayed informing you that the license key was applied successfully and prompting you to restart the FS850 Appliance.
15 Click the link to restart the FS850 Appliance.

Support Tools Tab

Use this page to obtain information on how to contact Technical Support, and to access the utilities included on the FS850 Appliance. To access any of the support tools, click the associated button.

Support Tools Settings

Log Utilities (see "Support Tools Tab - Log Utilities" on page 201): To view the various log files on the FS850 Appliance, or to quickly clean up any temporary files, click this button.

File and Image Utilities (see "Support Tools Tab - File and Image Utilities" on page 202): To download update images (and apply them), or to upload a support executable, click this button.

Registry Export (see "Support Tools Tab - Registry Export" on page 203): To export the registry on the FS850 Appliance, click this button.

Utilities (see "Support Tools - Utilities" on page 203): To access the network utilities included on the FS850 Appliance, click this button.

FSL Diagnostics (see "Support Tools - FSL Diagnostics" on page 204): To specify the settings for collecting FSL script execution diagnostics, click this button.

Options for Contacting Technical Support: Displays the phone number and Web site you can use to contact McAfee Technical Support.

Support Tools Tab - Log Utilities

Use this page to view the various log files on the FS850 Appliance, or to quickly clean up any temporary files.

Log Utilities Settings

View Logs of Type: To select the type of log you want to view, click the arrow. For example, to view the daily log files, select FoundScan Daily Logs. The available logs are displayed in the list below.
Download: To download or view a log file, select the log file in the list and click Download.

Clean Up: To clean up temporary files (log files) on the FS850 Appliance, click this button. Be sure to refresh the screen (by pressing F5) if you have any files selected in the list above this button.

Support Tools Tab - File and Image Utilities

Use this page to download update images (and apply them to the FS850 Appliance). You can also use this page to upload a support utility (executable) to the FS850 Appliance, which may be necessary for troubleshooting. McAfee Technical Support will advise you if this is necessary.

File and Image Utilities Settings

Available Images: Displays a list of the update images currently available on the FS850 Appliance. To apply a new image, select the image in this list. Available images include any update images you have downloaded.

Apply: To apply a new image, select the image in the list of Available Images and click this button. A warning appears asking you to confirm that you want to apply the image.

Upload Support Executable (maximum file size 5MB): A support executable is a utility file that you upload to the FS850 Appliance, generally for troubleshooting purposes. McAfee Technical Support will provide the file to upload. To locate the support executable, click Browse. You can also enter the full path and file name of the executable. To upload the file, click Upload.

Download Update Image from (URL or UNC Path): To download a new update image to the FS850 Appliance, enter the full URL or UNC path to the image, and then click Download. You should have obtained the new image from McAfee via download or compact disc.

Support Tools Tab - Registry Export

Use this page to export the registry on the FS850 Appliance. The registry key you export is saved in a zipped file named FS850-Registry.zip.

Registry Export Settings

Registry Export: Enter the full path and name of the registry key you want to export. All subkeys within the registry key are exported. You can use the common abbreviation of the root key (for example, HKLM\Software\Foundstone\Foundscan).

Export Key: To export the registry key (to a zipped file), click this button.

Support Tools - Utilities

Use this page to access the network utilities included on the FS850 Appliance.

Utilities Settings

Available Utilities: To specify a utility to execute, scroll through the list of available utilities and select the utility you want to run.

Enter Target IP Address (Optional): Enter the IP address of the target computer. If you do not enter an IP address, the command executes against the IP address of the FS850 Appliance.

Execute Command: To execute the utility, click this button. The command selected under Available Utilities is executed immediately.

Support Tools - FSL Diagnostics

Use this page to specify the settings for collecting FSL script execution diagnostics. View the results of the script diagnostics on the Support Tools Tab - Log Utilities page (on page 201), using the FSL Diagnostics category. Generally, McAfee Technical Support will advise you when it is necessary to gather FSL script diagnostics.

FSL Diagnostics Settings

FSL Script ID (FID): Enter the FSL Script ID (usually provided by McAfee Technical Support).

Target Address: Enter the IP address of the target system to be scanned (tested) by the FS850 Appliance. The script runs on the FS850 Appliance against this target system.

Target Port: Enter the port number to be used for the scan. This is the port number on the target system.

Authenticate: The FS850 Appliance can use credentials to authenticate itself to a host running Windows. This allows the FSL scripts to access the Windows registry and other information. To establish an anonymous connection with the target system before executing the FSL script, check the box for Map IPC$ as Null. To initiate a privileged session between the FS850 Appliance and the target system, check the box for Map IPC$ as, and then provide valid credentials for Username and Password. See Managing Credentials (on page 380) for more information.

Username: Enter a valid logon name to access the target system. This field becomes available if you have selected Map IPC$ as under Authenticate.

Password: Enter a valid password to access the target system. This field becomes available if you have selected Map IPC$ as under Authenticate.

Start: To begin executing the FSL script on the target system, click this button.

Using Multiple Network Interface Cards

Although you can configure multiple gateways (one for each NIC), the FS850 Appliance uses only one as its default gateway (default route). The FS850 Appliance chooses the active NIC that has the lowest metric. By default, the network interface preference is as follows:

1 NIC 1
2 NIC 2
3 NIC A
4 NIC B

The metric for each NIC determines the order in which the appliance chooses a default gateway, and can be changed using the Route Table Editor if necessary.

Managing Users, Groups, Organizations and Workgroups

To get here using the Foundstone Enterprise Manager, click MANAGE > USERS/GROUPS. To get here using the FoundScan Console, choose File > Users/Groups/Scans.

Use the USERS/GROUPS page to create workgroups (sub-organizations) and manage your users. This is the main page for accessing organizational properties and users.
If you are logged in as a Global Administrator, you can also create and access scans from this page.

Scope

The Global Administrator can create or delete a root organization, and can assign IP addresses and FoundScan Engine servers to be used by the root organization. Root Organization Administrators cannot change the IP addresses or FoundScan Engine servers on the root organization, but can assign subsets of their IP pool and engines to the workgroups belonging to that organization. The same is true for workgroups: Workgroup Administrators cannot change their own IP Pool or assigned FoundScan Engine servers, but they may assign subsets of the IP Pool and FoundScan Engine servers to child workgroups under their own workgroup.

Procedures

The Organization Management page allows you to do the following:

• Global Administrators can create root organizations (see "Creating a New Root Organization" on page 210) and delete root organizations (see "Deleting a Root Organization" on page 219).
• Both Global Administrators and Root Organization Administrators can edit the root organization's properties (see "Editing the Root Organization Properties" on page 219).
• Global Administrators, Root Organization Administrators, and Workgroup Administrators can create workgroups (see "New Workgroup Settings" on page 229), delete workgroups (see "Deleting a Workgroup (Sub-Organization)" on page 238), and edit workgroup properties (see "Editing Workgroup Properties" on page 230).
• All three types of administrators can create user accounts (see "Creating New Users" on page 241), delete user accounts (see "Deleting Users" on page 249), and edit user account properties (see "Editing User Properties" on page 244).
• All three types of administrators can also create user groups (see "Creating New Groups" on page 253), add users to user groups and remove users from user groups (see "Adding and Removing Users from Groups" on page 254), delete user groups (see "Deleting User Groups" on page 258), edit user group properties (see "Editing User Group Properties" on page 253), create scans, edit scans, view user activity logs, and view workgroup activity logs.
• Users do not have access to this page.

Figure 61: Organization Management: Workgroups with Users, Groups, and Scans folders

Organization Management Features

Organization Name: Double-click to show or hide the folders and workgroups belonging to the organization. Right-click to do the following:
• create a new scan (see "Creating New Scans" on page 291) (this feature is not available to Global Administrators)
• create a new user (see "Creating New Users" on page 241)
• create a new (user) group (see "Creating New Groups" on page 253)
• create a new workgroup (sub-organization) (see "New Workgroup Settings" on page 229)
• view/edit the root organization's or workgroup's properties (see "Editing the Root Organization Properties" on page 219)
• view the root organization's or workgroup's logs (see "Viewing Organization/Workgroup Logs" on page 227)
• delete the root organization (see "Deleting a Root Organization" on page 219)

Users: Click to see the users belonging to this folder in the right pane. Double-click to collapse or expand the folder. Right-click to create a new user (see "Creating New Users" on page 241).

User Name: Displays a Foundstone 6.5 user account name. Double-click to view the user's properties (see "Editing User Properties" on page 244). Right-click to do the following:
• create a new user (see "Creating New Users" on page 241)
• view this user's properties (see "Editing User Properties" on page 244)
• view this user's activity logs (see "Viewing a User's Activity Log" on page 249)
• rename this user
• delete this user (see "Deleting Users" on page 249)

Groups: This folder contains the groups that belong to this organization or workgroup. Click to see the groups belonging to this folder in the right pane. Double-click to collapse or expand the folder. Right-click to create a new group (see "Creating New Groups" on page 253).

Group Name: Displays a Foundstone 6.5 user-group name. User groups let you organize users according to their access privileges, assigning the privileges to the group rather than to each user within the group. Adding users to the group lets them inherit the settings of the group. Right-click to do the following:
• create a new group (see "Creating New Groups" on page 253)
• view the group's properties (see "Editing User Group Properties" on page 253)
• rename the group
• delete the group (see "Deleting User Groups" on page 258)

The Administrators and Remediation Administrators groups are default groups that cannot be removed. See Using the Default Groups (on page 259) for more information.

Scans: This folder contains the scans that belong to this organization or workgroup. Right-click to create a new scan (see "Creating New Scans" on page 291) for the organization or workgroup. This feature is not available to Global Administrators.

Scan Name: This is the name of the scan as it appears in the reports and throughout Foundstone 6.5. Note that Global Administrators cannot manage scans; you must be logged in as a Root Organization Administrator. Double-click to view/edit the scan properties (see "Editing Scans" on page 293). Right-click to do the following:
• create a new scan (see "Creating New Scans" on page 291)
• view/edit the scan properties (see "Editing Scans" on page 293)
• launch this scan (see "Working with Scans in the Group Properties" on page 240)
• delete this scan (see "Working with Scans in the Group Properties" on page 240)

Workgroup Name: The Workgroup is a sub-organization. It contains the same elements as the root organization, including Users, Groups, and Scans. Double-click the Workgroup to expand or collapse its contents. Right-click to do the following:
• Create a new Scan (see "Creating New Scans" on page 291) (this feature is not available to Global Administrators)
• Create a new User (see "Creating New Users" on page 241)
• Create a new Group (see "Creating New Groups" on page 253)
• Create a new Workgroup (see "New Workgroup Settings" on page 229)
• View/edit this Workgroup's properties (see "Editing Workgroup Properties" on page 230)
• View the activity logs for this workgroup (see "Viewing a Workgroup's Activity Logs" on page 239)
• Delete this workgroup (see "Deleting a Workgroup (Sub-Organization)" on page 238)

Working with Root Organizations

To get here using the Foundstone Enterprise Manager, click MANAGE > USERS/GROUPS. To get here using the FoundScan Console, choose File > Users/Groups/Scans.

The Users/Groups page lets Global Administrators create, edit, or delete root organizations. Root organizations are the top level of the hierarchical tree structure in Foundstone 6.5. An enterprise may have as many root organizations as needed. However, root organizations are hidden from each other; administrators and users can only view the scans and data that pertain to the organization to which they belong.

Scope

The Global Administrator can create or delete a root organization, and can assign IP addresses and FoundScan Engine servers to be used by the root organization.
Root Organization Administrators cannot change the IP addresses or FoundScan Engine servers on the root organization, but can assign subsets of their IP pool and engines to the workgroups belonging to that organization.

Procedures

From the Users/Groups page you can do the following:
• Create a Root Organization (see "Creating a New Root Organization" on page 210) (Global Administrator only)
• Delete a Root Organization (see "Deleting a Root Organization" on page 219) (Global Administrator only)
• Edit the Root Organization's Properties (see "Editing the Root Organization Properties" on page 219)
• Rename the Root Organization
• View the Organization's Activity Logs (see "Viewing Organization/Workgroup Logs" on page 227)
• Create/Delete/Edit Workgroups (page 228)

Creating a New Root Organization

To create a new Root Organization
1 Right-click Organizations.
2 Click New Organization. The New Organization Wizard (on page 211) is displayed.
3 Follow the directions in the New Organization Wizard as it guides you through the remaining steps for setting up the organization.

Tip: If you are using the Foundstone Enterprise Manager, create the initial root organization with its Root Organization Administrator account, then log off and log on again using the new Root Organization Administrator account. This gives you access to the rest of the features in Foundstone 6.5 for that organization. As the Root Organization Administrator, you can continue setting up your workgroups and users as desired.

New Organization Wizard

When you create an organization, the New Organization Wizard leads you through the settings that must be set for that organization. These settings are available later by right-clicking the organization and selecting Properties.

Use the following buttons to navigate through the wizard:
• Next - moves to the next page
• Previous - shows the previous page
• Cancel - returns to the main page without saving any settings
• Finish or Save - saves all changes you have made and returns to the main page

The New Organization Wizard contains the following pages:
1 GENERAL (see "New Organization - General page" on page 211) - name and description (required)
2 IP POOL (see "New Organization - IP Pool page" on page 212) - IP range for the organization
3 SCAN ENGINES (see "New Organization - Scan Engine page" on page 216) - select which scan engines are available to the organization
4 CREATE ADMIN (see "New Organization - Administrator page" on page 217) - name and passwords (required)

Additional settings are available through the organization's properties page.

New Organization - General page

Use the General page of the New Organization wizard to enter the name and description of the new organization. The Organization name is required, and must be unique among organization names.

Procedures

Enter a name and (optionally) a description for the organization. Organization names should only include alphanumeric characters; spaces are also allowed.

Note: You cannot click Next to continue until you have entered a valid Organization name.

Organizations and workgroups cannot be renamed. Make sure that you have planned thoroughly so that the organization name you enter is the one you want to keep.

Figure 62: New Organization Wizard - General Page

New Organization - IP Pool page

Use the IP Pool page of the New Organization wizard to specify the IP ranges available to the organization. The FoundScan Console Administrator or the Global Administrator sets up the organization with a specific set of IP addresses, based on your McAfee license.

Scope

The IP Pool settings are inherited from the parent workgroup or organization. Changing these settings limits the settings of all sub-workgroups under this one. In a sub-workgroup, you can assign a subset of the parent's IP addresses, shown in the Available Address Space field. You can also reduce the IP Limitation value for sub-workgroups, but cannot raise it past the limit set for the parent workgroup or organization.

Procedures

On this page you can do the following:
• To add an entire range from the Available Address Space to the IP Pool, click to select the desired range in the Available Address Space section, then click Add to IP Pool. This adds the entire range.
• To add a subset of the Available Address Space to the IP Pool, enter the beginning IP address in the Starting Address box and the final IP address in the Ending Address box, then click the add button to add the range.
• To enter a range in CIDR format, enter the beginning address in the CIDR Address box, followed by the network mask (8, 16, 24, or 32) after the slash (/). Click the add button to add the range.
• To import a list of IP addresses from a text file, click Import and select the text file to be added.

Important: Only the administrator of your parent organization or workgroup can edit your IP pool. At the organization level, only the Global Administrator can modify the IP pool.

Note: Once you have created the organization, you can add a list of IP addresses to be excluded from scanning by editing the organization properties (see "Editing the Root Organization Properties" on page 219).

Figure 63: Organization properties - IP pool page

IP Pool Settings

Available Address Space: Shows the IP address range(s) that you are licensed to scan. The addresses come from your license, and can be filtered by the person creating the organization or workgroup.

Add to IP Pool: Use this option if you want this organization to be able to scan the entire address range in the Available Address Space.
To use it, select a range in the Available Address Space. Click Add to IP Pool to include the entire range in the IP Pool. 213 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Setting Description IP Pool This section contains the addresses that this organization is allowed to scan. Starting IP Address Enter the beginning address of an IP address range. The ending IP address is automatically set to include the rest of the class C network belonging to this entry. If you are entering a single address, enter the same single address in the Ending Address field. Ending IP Address Enter the ending address of the IP address range. Adds the range entered in the Starting IP Address and Ending IP Address fields to the IP Pool list on the right. Note: As you add ranges to the IP Pool, if the ranges overlap each other, Foundstone 6.5 automatically combines them into the same range. CIDR Address Enter an address range using CIDR format (see "To add ranges using the CIDR Format" on page 215). Import Import a text file containing a list of IP addresses (see "To import a list of address ranges" on page 216). Remove Select an address range in the IP Pool list and click Remove to delete the range. Remove All Clear the IP Pool list completely. Maximum IP Addresses per Scan for this Organization Enter the number of IP addresses that can be added to a single scan. If more than this number of addresses is added to any scan, the system displays a warning. The maximum number of IP addresses allowed is 2,147,483,647. Leave this field blank to remove the IP limitation. Note: Changing this number affects the IP limit for all Workgroups under this one. If this is set at the root organization level, it is applied to all workgroups as well as the root organization. 214 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide ¾ To add a new address to the IP pool 1 In the Starting Address box, enter the beginning address of the range. 
   When you enter the last number of the address, Foundstone 6.5 automatically adds a default address to the Ending Address box.
2. If you want to change the default address in the Ending Address box, type over it.
3. Click the add icon to add the range to the IP Pool.

To add ranges using the CIDR Format

• In the CIDR Address box, enter a CIDR-formatted range.

CIDR Format Examples

Example          Result
10.1.1.1/8       10.1.1.1 - 10.255.255.255
10.2.2.2/16      10.2.2.2 - 10.2.255.255
10.3.3.3/24      10.3.3.3 - 10.3.3.255
10.3.3.3/32      10.3.3.3 - 10.3.3.3

Foundstone 6.5 supports basic CIDR-format IP range importing from a text file, with some slight modifications from the strict CIDR definition. Typically, CIDR format would translate the range 10.1.2.3/8 to 10.0.0.0-10.255.255.255: it would start from the network address formed by the top 8 bits of the range (10.0.0.0 in this example) and finish at the last valid IP address for that network (10.255.255.255). Foundstone 6.5 translates the range 10.1.2.3/8 to 10.1.2.3-10.255.255.255. This lets you specify a beginning host in the range, rather than always starting from the beginning of the network block.

To add a range from the available addresses

1. In the Available Address Space box, select the range you want to add to the Organization's IP Pool.
2. Click Add to IP Pool. The address range appears in the Organization's IP Pool.

To remove all address ranges from an IP Pool

1. Click Remove All.
2. When the dialog appears asking you to verify that you want to remove all IP Pool ranges, click Yes. All IP ranges are removed from the list.
3. Click Next or Finish to save the changes.

To remove an address range from the IP pool

1. Select the IP range to be removed and click Remove.
2. Click Yes to verify the change. The selected range is removed from the list.
3. Click Next or Finish to save the changes.

To import a list of address ranges

1. Click Import.
2. Browse to the file to be uploaded and click Import. Make sure the file is properly formatted (see "Import File Format" on page 361) before uploading. You are limited to the following number of lines in the file being imported:
   • 2500 lines in the Foundstone Enterprise Manager
   • 7999 lines in the FoundScan Console
   The ranges from the file appear when the upload finishes. Then click OK.

New Organization - Scan Engine page

Use the Scan Engines page of the New Organization wizard to associate specific scan engines with your organization. Although other engines may be installed, the new organization and any workgroups (sub-organizations) see only the selected engines.

Note: This page appears only if there is more than one engine installed on your network.

Figure 64: New Organization - Scan Engines page

Scan Engine Selection Features

Select
    Check each scan engine that you want to make available to this organization and its workgroups.

Auto Select
    With Auto Select enabled, users do not have to select an engine when creating a scan. The scan engine assigned to the given IP address(es) is automatically selected.
    Note: Only enable Auto Select if the engine is able to scan the entire IP space assigned to this organization or workgroup.

Name
    Shows the name of the FoundScan Engine. The name was assigned by the person who installed Foundstone 6.5.

Description
    The description can be added or changed by editing the description field on the MANAGE > ENGINES page (see "Managing Engines" on page 165) when you are logged on as the Root Organization Administrator.

Address
    Shows the address on which the engine was found.

Port
    Shows the port being used to communicate between the FoundScan Engine and the Foundstone Enterprise Manager.

Protocol
    Shows the protocol (http or https) being used between the FoundScan Engine and the Foundstone Enterprise Manager.
Active
    Shows Yes if the engine is currently detected to be active on the network. Shows No if the engine is not found.

New Organization - Administrator page

When you create a new organization, you must create an administrator account for the organization. This is the only account required to create the organization. Use the Administrator page of the New Organization wizard to enter the required information for the administrator account.

Note: The required fields are marked with an asterisk (*) and red typeface until their individual requirements have been met. See below for details.

Figure 65: User Account Properties - Administrator page

User Properties

Organization
    Shows the name of the organization to which the user will belong.

User Name
    Enter a unique username for this account. The label remains red if the name is not unique.
    Tip: Since there are other places throughout Foundstone 6.5 where you must choose a user by the username, McAfee recommends usernames that are based on the user's first and last names.

Password
    Enter a password that follows these requirements:
    • At least 8 characters long
    • Contains at least one number
    • Contains at least one non-alphanumeric character (`~!@#$%^&*()-_=+)
    • The following characters are not allowed: < > / \

Confirm Password
    Enter the same password to ensure it was not mistyped. This entry must match the Password entry.

Email Address
    Enter the user's email address for notifications of scan completions and configuration changes.

First Name
    Enter the first name of the user. May not be left blank.

Last Name
    Enter the last name of the user. May not be left blank.

Primary Phone (optional)
    Enter the user's phone number. This data is only displayed in the user's property page. It is not used by Foundstone 6.5.
Secondary Phone (optional)
    Enter a secondary phone number.

Lock Status
    Leave this option set to Unlocked.
    Warning: Setting this option to Locked prevents this account from logging onto Foundstone 6.5.

Deleting a Root Organization

Deleting a root organization removes all workgroups (sub-organizations), users, scans and associated jobs.

To delete a Root Organization

• Right-click the organization to be deleted and choose Delete from the shortcut menu.

Warning: This removes all the information associated with this organization from the database. This action cannot be undone without restoring the database from a backup, assuming you have been backing up your database.

Editing the Root Organization Properties

Use the Properties pages to change the properties of the Root Organization.

Procedures

On the Organization Properties page you can do the following:

• Change the Organization's assigned IP pool (see "Organization Properties - IP Pool" on page 220).
• Exclude specific IP addresses from the organization.
• Change or add contact information (see "Organization Properties - Contact Information" on page 225) for the person responsible for the organization.
• Change the Scan Engine assignments (see "Organization Properties - Scan Engines" on page 226) for the organization.

To edit the Root Organization's Properties

1. Right-click the organization you want to edit and choose Properties from the shortcut menu displayed.
2. Make any changes as necessary in each of the tabs.
3. Click OK when finished making changes.

Organization Properties - General

Use the General tab of the Properties dialog box to enter the name and description of the new organization or workgroup. The name should be unique from other organizations or workgroups.

Procedures

• Enter or change the description of the organization or workgroup.
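The password rules listed on the New Organization - Administrator page above (minimum length, a number, one of the listed non-alphanumeric characters, none of the forbidden characters, and a matching Confirm Password entry) can be expressed as a small checker. The following Python is an added example written for this edition, not code from McAfee or the Foundstone product. It assumes that only the characters the guide lists count as the required non-alphanumeric character, and that "number" means an ASCII digit; the guide does not say how other characters are treated.

```python
"""Password-rule checks for the administrator account (added example, not Foundstone code)."""
from typing import List

MIN_LENGTH = 8
DIGITS = set("0123456789")                  # the guide's "number" rule; ASCII digits only
ALLOWED_SPECIALS = set("`~!@#$%^&*()-_=+")  # non-alphanumerics the guide lists
FORBIDDEN = set("<>/\\")                    # characters the guide says are not allowed


def password_problems(password: str) -> List[str]:
    """Return every rule the password breaks; an empty list means it passes.

    All failures are reported together, matching a form that keeps the field
    marked until each individual requirement has been met.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in DIGITS for c in password):
        problems.append("no number")
    # Assumption: only the listed characters satisfy the non-alphanumeric rule;
    # other punctuation (space, period, ...) neither satisfies nor fails it.
    if not any(c in ALLOWED_SPECIALS for c in password):
        problems.append("no non-alphanumeric character from the allowed set")
    bad = sorted({c for c in password if c in FORBIDDEN})
    if bad:
        problems.append("forbidden character(s): " + " ".join(bad))
    return problems


def new_account_problems(password: str, confirm: str) -> List[str]:
    """Password rules plus the Confirm Password check from the same page."""
    problems = password_problems(password)
    if confirm != password:
        problems.append("Confirm Password does not match Password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("Passw0rd!", "password", "Pa0!<", "Summer2007"):
        print(repr(candidate), "->", password_problems(candidate) or "OK")
```

Checking against an explicit digit set rather than `str.isdigit()` avoids accepting Unicode digit characters that the product's "number" rule almost certainly does not count; the checker is deliberately strict about what it accepts so that it never passes a password the UI would reject.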
Figure 66: Workgroup Properties - General tab

Organization Properties - IP Pool

Use the IP Pool tab of the Properties dialog box to view your licensed Available Address Space, and specify the IP Addresses that are available to this organization.

Scope

The IP Pool settings are inherited from the parent workgroup or organization. Changing these settings limits the settings of all sub-workgroups under this one. In a sub-workgroup, you can assign a subset of the parent's IP Addresses, shown in the Available Address Space box. You can also reduce the IP Limitation value for sub-workgroups, but cannot raise it past the limit set for the parent workgroup or organization.

Procedures

On this page you can do the following:

• To add an entire range from the Available Address Space to the IP Pool, click to select the desired range in the Available Address Space section. Click Add to IP Pool. This adds the entire range.
• To add a subset of the Available Address Space to the IP Pool, enter the beginning IP address in the Starting Address box and the final IP address in the Ending Address box. Click the add icon to add the range.
• To enter a range in CIDR format, add the beginning address to the CIDR Address box. Enter the network mask length (8, 16, 24, or 32) after the slash (/). Click the add icon to add the range.
• To import a list of IP Addresses from a text file, click Import and select the text file to be added.

Important: Only the administrator of your parent organization or workgroup can edit your IP pool. At the organization level, only the Global Administrator can modify the IP pool.

Note: Once you have created the organization, you can add a list of IP addresses to be excluded from scanning by editing the IP exclusions.
Figure 67: Organization Properties - IP Pool tab

IP Pool Settings

Available Address Space
    Shows the IP address range(s) that you are licensed to scan. The addresses come from your license, and can be filtered by the person creating the organization or workgroup.

Add to IP Pool
    Use this option if you want this organization to be able to scan the entire address range in the Available Address Space. To use it, select a range in the Available Address Space. Click Add to IP Pool to include the entire range in the IP Pool.

IP Pool
    This section contains the addresses that this organization is allowed to scan.

Starting IP Address
    Enter the beginning address of an IP address range. The ending IP address is automatically set to include the rest of the class C network belonging to this entry. If you are entering a single address, enter the same single address in the Ending Address field.

Ending IP Address
    Enter the ending address of the IP address range.

(add icon)
    Adds the range entered in the Starting IP Address and Ending IP Address fields to the IP Pool list on the right.
    Note: As you add ranges to the IP Pool, if the ranges overlap each other, Foundstone 6.5 automatically combines them into the same range.

CIDR Address
    Enter an address range using CIDR format (see "To add ranges using the CIDR Format" on page 215).

Import
    Import a text file containing a list of IP addresses (see "To import a list of address ranges" on page 216).

Remove
    Select an address range in the IP Pool list and click Remove to delete the range.

Remove All
    Clear the IP Pool list completely.

Maximum IP Addresses per Scan for this Organization
    Enter the number of IP addresses that can be added to a single scan. If more than this number of addresses is added to any scan, the system displays a warning.
    The maximum number of IP addresses allowed is 2,147,483,647. Leave this field blank to remove the IP limitation.
    Note: Changing this number affects the IP limit for all Workgroups under this one. If this is set at the root organization level, it is applied to all workgroups as well as the root organization.

Organization Properties - IP Exclusions

This page lets you specify the IP Addresses that you want to exclude from all scans. Adding systems to this list prevents them from being scanned by Foundstone regardless of which organization or workgroup is running the scan.

Note: Changing these settings does not affect any scans currently in progress. When Foundstone 6.5 finishes and reschedules a scan, it activates any new changes to the scan configuration.

This page is not available while creating the organization; after creating an organization you must edit the organization's properties to set any IP exclusions.

Scope

Warning: Excluding an IP address or range in a workgroup's properties adds that address or range to the global exclusion list for the entire organization. All exclusions are global to the organization.

Procedures

On this page you can do the following:

• To add excluded IP addresses, enter the beginning IP address in the Starting Address box and the final IP address in the Ending Address box. Click the add icon to add the range.
• To enter a range in CIDR format, add the beginning address to the CIDR Address box. Enter the network mask length (8, 16, 24, or 32) after the slash (/). Click the add icon to add the range.
• To import a list of IP Addresses from a text file, click Import and select the text file to be added.

Important: If you are the Root Organization Administrator or a workgroup administrator, you cannot edit the IP Exclusions for your own organization or workgroup. This must be done by someone who has a higher level of access than you have.
At the organization level, this data can only be modified by the Global Administrator.

Figure 68: Organization Properties - IP Exclusions tab

IP Exclusion Settings

IP Pool
    This section contains the addresses that are excluded from this organization's or workgroup's scans.

Starting IP Address
    Enter the beginning address of an IP address range. The ending IP address is automatically set to include the rest of the class C network belonging to this entry. If you are entering a single address, enter the same single address in the Ending Address field.

Ending IP Address
    Enter the ending address of the IP address range.

(add icon)
    Adds the range entered in the Starting IP Address and Ending IP Address fields to the IP Pool list on the right.
    Note: As you add ranges to the IP Pool, if the ranges overlap each other, Foundstone 6.5 automatically combines them into the same range.

CIDR Address
    Enter an address range using CIDR format (see "To add ranges using the CIDR Format" on page 215).

Import
    Import a text file containing a list of IP addresses (see "To import a list of address ranges" on page 216).

Remove
    Select an address range in the IP Pool list and click Remove to delete the range.

Remove All
    Clear the IP Pool list completely.

Organization Properties - Contact Information

Use the Contact Info tab in the Properties dialog box to keep contact information for the person responsible for the Organization or Workgroup. The settings on this page are not required and are purely informational. Foundstone 6.5 associates this information with the organization, but does not use it anywhere else in the product.
Figure 69: Workgroup Properties - Contact Information

Organization Properties - Scan Engines

Use the Scan Engines tab in the Properties dialog box to assign specific FoundScan Engine servers to an organization or workgroup. This allows you to assign engines by geographic location, reducing network scan-related traffic over WAN connections.

Figure 70: Workgroup Properties - Scan Engines Tab

Scan Engine Selection Features

Select
    Check each scan engine that you want to make available to this organization and its workgroups.

Auto Select
    With Auto Select enabled, users do not have to select an engine when creating a scan. The scan engine assigned to the given IP address(es) is automatically selected.
    Note: Only enable Auto Select if the engine is able to scan the entire IP space assigned to this organization or workgroup.

Name
    Displays the name of the FoundScan Engine. The name was assigned by the person who installed Foundstone 6.5.

Description
    Displays the description of the FoundScan Engine. The description can be added or changed by editing the description field on the MANAGE > ENGINES page (see "Managing Engines" on page 165) when you are logged on as the Root Organization Administrator.

Address
    Displays the address on which the FoundScan Engine was found.

Port
    Displays the port being used to communicate between the FoundScan Engine and the Foundstone Enterprise Manager.

Protocol
    Displays the protocol (http or https) being used between the FoundScan Engine and the Foundstone Enterprise Manager.

Active
    Displays Yes if the engine is currently detected to be active on the network. Displays No if the engine is not found.

Viewing Organization/Workgroup Logs

Foundstone 6.5 logs actions from each workgroup and user account.
The log events are for Foundstone Enterprise Manager events only, not for similar events performed on the FoundScan Console. You can see the logs for any organization or workgroup that you can access.

• To see the organizational log file, right-click a workgroup and click View Logs. The log file shows information for the selected organization/workgroup and all workgroups under it.

Figure 71: Activity Logs - shows account activity

Log Features

Date/Time
    The date and time of the event.

Organization
    The organization or workgroup name of the activity log.

User Name
    The logon username for the account that ran the event.

IP Address
    The IP address of the host that ran the event.

Description
    Describes the event that took place.

Working with Workgroups (Sub-Organizations)

Use the Users/Groups page to create, edit, or delete workgroups (when you are logged in as an administrator).

Procedures

From the Users/Groups page you can do the following:

• Create a Workgroup under your Workgroup (see "New Workgroup Settings" on page 229)
• Edit a Workgroup's Properties (see "Editing Workgroup Properties" on page 230)
• Delete a Workgroup under your Workgroup (see "Deleting a Workgroup (Sub-Organization)" on page 238)
• Rename a Workgroup
• View the Workgroup's Activity Logs (see "Viewing a Workgroup's Activity Logs" on page 239)

Figure 72: Organization Management - organizations and workgroups

Creating New Workgroups (Sub-Organizations)

Create a new Workgroup (sub-organization) under the root organization or under another workgroup. Use workgroups to organize your IP Pool into manageable segments, so multiple administrators can manage the scanning and remediation process while reports and demographic information flow up through the hierarchy for review.
To create a new Workgroup

1. In the hierarchical organization tree view, right-click the workgroup or organization under which you want to create the new Workgroup and choose New > Workgroup from the shortcut menu displayed. The New Workgroup page (see "New Workgroup Settings" on page 229) appears.
2. Enter the new workgroup's Name and Description and click Finish to save.

Note: Workgroups must have unique names. Do not create a workgroup using the name of an existing workgroup.

To edit the workgroup's properties (see "Editing Workgroup Properties" on page 230) at a later time, right-click the workgroup and choose Properties from the shortcut menu displayed.

New Workgroup Settings

This page lets you set the name and description of your new workgroup. The Workgroup Name label is red because it is required. Enter a unique name for this workgroup. The Description is optional. Click Finish to create the workgroup.

Warning: Organizations and workgroups cannot be renamed. Make sure that you have planned thoroughly so that the organization name you enter is the one you want to keep.

Figure 73: New Workgroup - General Settings

Editing Workgroup Properties

Use this feature to change the Workgroup's general properties.

Procedures

On the Workgroup Properties page you can do the following:

• Assign a specific IP Pool (see "Organization Properties - IP Pool" on page 220) for this workgroup to scan.
• Exclude specific IP addresses from the scan.
• Add contact information (see "Organization Properties - Contact Information" on page 225) to track who is responsible for it.
• Assign specific Scan Engines (see "Organization Properties - Scan Engines" on page 226) that the workgroup can use.

To edit the Workgroup's Properties

1. Right-click the workgroup you want to edit and choose Properties from the shortcut menu. The workgroup Properties page appears.
2. Click OK when finished making changes.
Workgroup Properties - General

Use the General tab of the Properties dialog box to enter the name and description of the new organization or workgroup. The name should be unique from other organizations or workgroups.

Procedures

• Enter or change the description of the organization or workgroup.

Figure 74: Workgroup Properties - General tab

Workgroup Properties - IP Pool

This page shows the Available Address Space, and lets you specify the IP Addresses that will be available to this workgroup.

Scope

The IP Pool settings are inherited from the parent workgroup or organization. Changing these settings limits the settings of all sub-workgroups under this one. In a sub-workgroup, you can assign a subset of the parent's IP Addresses, shown in the Available Address Space field. You can also reduce the IP Limitation value for sub-workgroups, but cannot raise it past the limit set for the parent workgroup or organization.

Procedures

On this page you can do the following:

• To add an entire range from the Available Address Space to the IP Pool, click to select the desired range in the Available Address Space section. Click Add to IP Pool. This adds the entire range.
• To add a subset of the Available Address Space to the IP Pool, enter the beginning IP address in the Starting Address box and the final IP address in the Ending Address box. Click the add icon to add the range.
• To enter a range in CIDR format, add the beginning address to the CIDR Address box. Enter the network mask length (8, 16, 24, or 32) after the slash (/). Click the add icon to add the range.
• To import a list of IP Addresses from a text file, click Import and select the text file to be added.

Important: Only the administrator of your parent organization or workgroup can edit your IP pool. At the organization level, only the Global Administrator can modify the IP pool.
Note: Once you have created the organization, you can add a list of IP addresses to be excluded from scanning by editing the organization properties (see "Editing the Root Organization Properties" on page 219).

Figure 75: Organization properties - IP pool page

IP Pool Settings

Available Address Space
    Shows the IP address range(s) that you are licensed to scan. The addresses come from your license, and can be filtered by the person creating the organization or workgroup.

Add to IP Pool
    Use this option if you want this organization to be able to scan the entire address range in the Available Address Space. To use it, select a range in the Available Address Space. Click Add to IP Pool to include the entire range in the IP Pool.

IP Pool
    This section contains the addresses that this organization is allowed to scan.

Starting IP Address
    Enter the beginning address of an IP address range. The ending IP address is automatically set to include the rest of the class C network belonging to this entry. If you are entering a single address, enter the same single address in the Ending Address field.

Ending IP Address
    Enter the ending address of the IP address range.

(add icon)
    Adds the range entered in the Starting IP Address and Ending IP Address fields to the IP Pool list on the right.
    Note: As you add ranges to the IP Pool, if the ranges overlap each other, Foundstone 6.5 automatically combines them into the same range.

CIDR Address
    Enter an address range using CIDR format (see "To add ranges using the CIDR Format" on page 215).

Import
    Import a text file containing a list of IP addresses (see "To import a list of address ranges" on page 216).

Remove
    Select an address range in the IP Pool list and click Remove to delete the range.

Remove All
    Clear the IP Pool list completely.
Maximum IP Addresses per Scan for this Organization
    Enter the number of IP addresses that can be added to a single scan. If more than this number of addresses is added to any scan, the system displays a warning. The maximum number of IP addresses allowed is 2,147,483,647. Leave this field blank to remove the IP limitation.
    Note: Changing this number affects the IP limit for all Workgroups under this one. If this is set at the root organization level, it is applied to all workgroups as well as the root organization.

Workgroup Properties - IP Exclusions

This page lets you specify the IP Addresses that you want to exclude from all scans. Adding systems to this list prevents them from being scanned by Foundstone regardless of which organization or workgroup is running the scan.

Note: Changing these settings does not affect any scans currently in progress. When Foundstone 6.5 finishes and reschedules a scan, it activates any new changes to the scan configuration.

This page is not available while creating the organization; after creating an organization you must edit the organization's properties to set any IP exclusions.

Scope

Warning: Excluding an IP address or range in a workgroup's properties adds that address or range to the global exclusion list for the entire organization. All exclusions are global to the organization.

Procedures

On this page you can do the following:

• To add excluded IP addresses, enter the beginning IP address in the Starting Address box and the final IP address in the Ending Address box. Click the add icon to add the range.
• To enter a range in CIDR format, add the beginning address to the CIDR Address box. Enter the network mask length (8, 16, 24, or 32) after the slash (/). Click the add icon to add the range.
• To import a list of IP Addresses from a text file, click Import and select the text file to be added.
Important: If you are the Root Organization Administrator or a workgroup administrator, you cannot edit the IP Exclusions for your own organization or workgroup. This must be done by someone who has a higher level of access than you have. At the organization level, this data can only be modified by the Global Administrator.

Figure 76: Organization Properties - IP Exclusions tab

IP Exclusion Settings

IP Pool
    This section contains the addresses that are excluded from this organization's or workgroup's scans.

Starting IP Address
    Enter the beginning address of an IP address range. The ending IP address is automatically set to include the rest of the class C network belonging to this entry. If you are entering a single address, enter the same single address in the Ending Address field.

Ending IP Address
    Enter the ending address of the IP address range.

(add icon)
    Adds the range entered in the Starting IP Address and Ending IP Address fields to the IP Pool list on the right.
    Note: As you add ranges to the IP Pool, if the ranges overlap each other, Foundstone 6.5 automatically combines them into the same range.

CIDR Address
    Enter an address range using CIDR format (see "To add ranges using the CIDR Format" on page 215).

Import
    Import a text file containing a list of IP addresses (see "To import a list of address ranges" on page 216).

Remove
    Select an address range in the IP Pool list and click Remove to delete the range.

Remove All
    Clear the IP Pool list completely.

Workgroup Properties - Contact Info

Use the Contact Info tab in the Properties dialog box to keep contact information for the person responsible for the Organization or Workgroup. The settings on this page are not required and are purely informational.
Foundstone 6.5 associates this information with the organization, but does not use it anywhere else in the product.

Figure 77: Workgroup Properties - Contact Information

Workgroup Properties - Scan Engines

Use the Scan Engines tab in the Properties dialog box to assign specific FoundScan Engine servers to an organization or workgroup. This allows you to assign engines by geographic location, reducing network scan-related traffic over WAN connections.

Figure 78: Workgroup Properties - Scan Engines Tab

Scan Engine Selection Features

Select
    Check each scan engine that you want to make available to this organization and its workgroups.

Auto Select
    With Auto Select enabled, users do not have to select an engine when creating a scan. The scan engine assigned to the given IP address(es) is automatically selected.
    Note: Only enable Auto Select if the engine is able to scan the entire IP space assigned to this organization or workgroup.

Name
    Displays the name of the FoundScan Engine. The name was assigned by the person who installed Foundstone 6.5.

Description
    Displays the description of the FoundScan Engine. The description can be added or changed by editing the description field on the MANAGE > ENGINES page (see "Managing Engines" on page 165) when you are logged on as the Root Organization Administrator.

Address
    Displays the address on which the FoundScan Engine was found.

Port
    Displays the port being used to communicate between the FoundScan Engine and the Foundstone Enterprise Manager.

Protocol
    Displays the protocol (http or https) being used between the FoundScan Engine and the Foundstone Enterprise Manager.

Active
    Displays Yes if the engine is currently detected to be active on the network. Displays No if the engine is not found.
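The IP Pool and IP Exclusions pages above describe several behaviours worth being precise about before trusting a workgroup's scan scope: Foundstone's reading of CIDR (the host you type is the first address, the range ends at the last address of the block), the default Ending Address that fills in the rest of the class C, automatic merging of overlapping ranges, organization-wide exclusions, the 2,147,483,647 cap on Maximum IP Addresses per Scan, and the rule that a sub-workgroup may only narrow the pool and limit it inherits. The following Python is an added example written for this edition, not code from McAfee or the Foundstone product. The range syntax it accepts ("a.b.c.d/n", "a.b.c.d-e.f.g.h", or a lone address) is the editor's own convenience, the treatment of a blank limit in a sub-workgroup is an assumption, and the import file format (page 361) is not modelled.

```python
"""IP pool helpers modelled on the IP Pool / IP Exclusions pages (added example, not Foundstone code)."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Range = Tuple[IPv4Address, IPv4Address]   # inclusive start and end

# Upper bound the guide states for "Maximum IP Addresses per Scan".
MAX_IPS_PER_SCAN = 2_147_483_647


def strict_cidr_to_range(text: str) -> Range:
    """Standard CIDR reading: 10.1.2.3/8 -> 10.0.0.0 - 10.255.255.255."""
    net = IPv4Network(text, strict=False)
    return net.network_address, net.broadcast_address


def foundstone_cidr_to_range(text: str) -> Range:
    """Foundstone 6.5 reading: the host given is the first address and the range
    runs to the last address of the /n block: 10.1.2.3/8 -> 10.1.2.3 - 10.255.255.255."""
    host, sep, prefix = text.partition("/")
    if sep != "/" or not prefix.isdigit() or not 0 <= int(prefix) <= 32:
        raise ValueError(f"not a CIDR range: {text!r}")
    start = IPv4Address(host)
    net = IPv4Network((start, int(prefix)), strict=False)
    return start, net.broadcast_address


def default_end_address(start: IPv4Address) -> IPv4Address:
    """Ending Address the UI fills in by default: the rest of the class C (/24) block."""
    return IPv4Network((start, 24), strict=False).broadcast_address


def parse_range(text: str) -> Range:
    """Accept the entry forms the pages offer (syntax is this example's assumption):
    'a.b.c.d/n' (Foundstone CIDR), 'a.b.c.d-e.f.g.h', or a lone 'a.b.c.d' (default end)."""
    text = text.strip()
    if "/" in text:
        return foundstone_cidr_to_range(text)
    if "-" in text:
        start_s, end_s = (p.strip() for p in text.split("-", 1))
        start, end = IPv4Address(start_s), IPv4Address(end_s)
    else:
        start = IPv4Address(text)
        end = default_end_address(start)
    if end < start:
        raise ValueError(f"end precedes start in {text!r}")
    return start, end


def format_range(r: Range) -> str:
    return f"{r[0]} - {r[1]}"


def merge_ranges(ranges: List[Range]) -> List[Range]:
    """Combine overlapping ranges into one entry, as the IP Pool list does."""
    merged: List[Range] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1]:        # overlaps the previous entry
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def address_count(ranges: List[Range]) -> int:
    """Distinct addresses the ranges cover, after merging; compare with the per-scan limit."""
    return sum(int(end) - int(start) + 1 for start, end in merge_ranges(ranges))


def is_within(child: List[Range], parent: List[Range]) -> bool:
    """Sub-workgroup rule: every child range must fall inside the parent's pool."""
    parent_m = merge_ranges(parent)
    return all(any(ps <= s and e <= pe for ps, pe in parent_m)
               for s, e in merge_ranges(child))


def subtract_exclusions(pool: List[Range], excluded: List[Range]) -> List[Range]:
    """Addresses that remain scannable once the organization-wide exclusions apply."""
    result = merge_ranges(pool)
    for xs, xe in merge_ranges(excluded):
        kept: List[Range] = []
        for s, e in result:
            if xe < s or xs > e:              # no overlap with this exclusion
                kept.append((s, e))
                continue
            if s < xs:                        # part before the excluded block
                kept.append((s, xs - 1))
            if xe < e:                        # part after the excluded block
                kept.append((xe + 1, e))
        result = kept
    return result


def effective_ip_limit(child: Optional[int], parent: Optional[int]) -> Optional[int]:
    """Per-scan limit a sub-workgroup actually gets: it may lower the parent's limit but not
    raise it. None means the field was left blank; a blank child inheriting the parent's
    value is this example's assumption."""
    for value in (child, parent):
        if value is not None and not 1 <= value <= MAX_IPS_PER_SCAN:
            raise ValueError(f"limit {value} outside 1..{MAX_IPS_PER_SCAN}")
    if parent is None:
        return child
    if child is None:
        return parent
    return min(child, parent)


if __name__ == "__main__":
    # Constructed sample pools, not addresses from any real licence.
    parent = [parse_range("10.1.0.0-10.1.255.255")]
    child = [parse_range("10.1.2.3/24"), parse_range("10.1.2.100-10.1.3.5")]
    print("child pool:", [format_range(r) for r in merge_ranges(child)])
    print("within parent:", is_within(child, parent))
    print("scannable:", [format_range(r) for r in subtract_exclusions(child, [parse_range("10.1.3.0/24")])])
```

The two CIDR functions side by side make the product's deviation from the standard visible: an imported "10.1.2.3/8" covers fewer addresses than a network engineer would expect, so a pool built from a mixed-source file should be checked with `address_count` and `is_within` before it is handed to a sub-workgroup.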
Moving a Workgroup

Use this feature to move a workgroup within an organization, either as a workgroup or a sub-workgroup. Global Administrators can move any workgroup or sub-workgroup within any organization the Global Administrator has access rights to. Root Organization Administrators can only move workgroups and sub-workgroups within their organization. Workgroup Administrators can only move sub-workgroups within their assigned workgroup.

Note: You cannot move a workgroup to a different organization.

When moving a workgroup, the workgroup loses all workgroup settings and rights associated with the previous parent workgroup and obtains all settings and rights of the new parent workgroup.

Scan engine settings are inherited from the parent workgroup or organization. An administrator can limit the scan engines available to a workgroup, but cannot grant access to scan engines that the parent workgroup or organization does not have access rights to.

To move a workgroup

• In the Users/Groups window, drag and drop the workgroup to the desired location within the organization.

Deleting a Workgroup (Sub-Organization)

Deleting a workgroup removes all of the child workgroups belonging to it, as well as its users, scans and associated jobs. You must be logged in as an administrator of the parent organization or workgroup above the workgroup you want to delete.

To delete a workgroup

• Right-click the workgroup to be deleted and choose Delete from the shortcut menu displayed.

Warning: Deleting a workgroup removes all information associated with this workgroup from the database. This action cannot be undone without restoring the database from a backup.

Viewing a Workgroup's Activity Logs

Foundstone 6.5 logs actions from each workgroup and user account. The log events are for Foundstone Enterprise Manager events only, not for similar events performed on the FoundScan Console.
You can see the logs for any organization or workgroup that you can access.
• To see the organizational log file, right-click a workgroup and click View Logs. The log file shows information for the selected organization/workgroup and all workgroups under it.

Figure 79: Activity Logs - shows account activity

Log Features

Date/Time: The date and time of the event.
Organization: The organization or workgroup name of the activity log.
User Name: The logon username for the account that ran the event.
IP Address: The IP address of the host that ran the event.
Description: Describes the event that took place.

Working with Scans in the Group Properties

Create, edit, launch, and delete scans from the organization management interface, as well as through the SCANS menu.

Procedures

From the Users/Groups page, do the following:
• To create a new scan, right-click the organization or workgroup to which the scan should belong and choose New > Scan from the shortcut menu. The New Scan page (see "Creating New Scans" on page 291) is displayed so you can begin defining a new scan.
• To edit a scan, navigate to the scan in the Scan folder under the workgroup to which it belongs. Right-click the scan and choose Properties from the shortcut menu. The scan properties Scheduler page (page 404) is displayed.
• To launch a scan, right-click the scan and choose Launch from the shortcut menu.
• To delete a scan, right-click the scan and choose Delete from the shortcut menu.

Managing User Accounts

Create, edit, and delete users from workgroups. Users can belong to a single workgroup, several workgroups, or to the organization.
Procedures
• To create a new user (see "Creating New Users" on page 241), right-click the organization or workgroup to which the user should belong and click New > User.
• To edit a user (see "Editing User Properties" on page 244), right-click the user and click Properties.
• To assign rights based on individual scans, right-click the user and click Properties. Click the Access Rights tab (see "User Properties - Access Rights" on page 247).
• To delete a user, right-click the user and click Delete.
• To view the user's activity log (see "Viewing a User's Activity Log" on page 249), right-click the user and click View Logs.

Creating New Users

This page lets you set the general properties for a user account. If this is a new account, clicking OK or Finish creates the account.

Procedures
• To create a new user, right-click the organization to which you are adding the new user, and choose New > User.
• To edit the user's properties after creating the user, right-click the user and choose Properties. The New User properties page lets you change the user's general information (see "User Properties - General" on page 244) that you entered when creating the user, change the list of groups to which the user belongs (see "User Properties - Member Of" on page 246), and set specific rights to access scans and remediation tickets (see "User Properties - Access Rights" on page 247).

Note: The required fields are marked with an asterisk ( * ) and red typeface until their individual requirements have been met. See the following table for details.

Figure 80: User Account Properties - General User page

User Properties

Organization: Shows the name of the organization to which the user will belong.
User Name: Enter a unique username for this account. The label remains red if the name is not unique. Only alphabetic and numeric characters are allowed.
Tip: Since there are other places throughout Foundstone 6.5 where you must choose a user by username, McAfee recommends usernames based on the user's first and last names.
Password: Enter a password that meets these requirements:
• Contains at least 8 characters
• Contains at least one number
• Contains at least one non-alphanumeric character (`~!@#$%^&*()-_=+)
The following characters are not allowed: < > / \
Confirm Password: Enter the same password to ensure it was not mistyped. This entry must match the Password entry.
Email Address: Enter the user's email address for notifications of scan completions and configuration changes.
First Name: Enter the first name of the user. May not be left blank.
Last Name: Enter the last name of the user. May not be left blank.
Primary Phone (optional): Enter the user's phone number. This data is only displayed in the user's property page. It is not used by Foundstone 6.5.
Secondary Phone (optional): Enter a secondary phone number.
Lock Status: Leave this option set to Unlocked. Warning: Setting this option to Locked prevents this account from logging onto Foundstone 6.5.

To create an administrator
1. Create a user account (see "Creating New Users" on page 241).
2. In the organization tree structure, navigate to the user account and click Properties.
3. Click the Member Of tab.
4. Under Available Groups, select the Administrators group to which this account should belong.

Figure 81: User Account Properties - Member Of tab

5. Click Add to add the group to the Member Of column. The user now has administrative privileges for that workgroup.

Editing User Properties

To get here using the Foundstone Enterprise Manager, click MANAGE > USERS/GROUPS. To get here using the FoundScan Console, choose File > Users/Groups/Scans.
Then navigate to the user you want to modify. Right-click the user and select Properties. Administrators can modify the user properties for anyone within their workgroup or within workgroups in that workgroup's hierarchy.

The User Properties page lets you change account settings for a particular user. User properties consist of three tabs:
• General (see "User Properties - General" on page 244) lets you set the password, change account names, and enter contact information.
• Member Of (see "User Properties - Member Of" on page 246) lets you determine the user groups to which the user will belong. Making users members of a user group gives the users the rights of the group, which makes access rights easier to manage.
• Access Rights (see "User Properties - Access Rights" on page 247) lets you modify the level of access the user has on a scan-by-scan basis.

Figure 82: User properties - General settings tab

User Properties - General

This page lets you set the general properties for the user account.

Procedures

On this page you can do the following:
• Enter the required information.
• To unlock a user account, select Unlocked and save the account.
• To change a user's password, enter the new password in both the Password and the Confirm Password fields.

Note: The required fields are marked with an asterisk ( * ) and red typeface until their individual requirements have been met. See below for details.

Figure 83: User Account Properties - Administrator page

User Properties

Organization: Shows the name of the organization to which the user will belong.
User Name: Enter a unique username for this account. The label remains red if the name is not unique. Tip: Since there are other places throughout Foundstone 6.5 where you must choose a user by username, McAfee recommends usernames based on the user's first and last names.
Password: Enter a password that meets these requirements:
• Contains at least 8 characters
• Contains at least one number
• Contains at least one non-alphanumeric character (`~!@#$%^&*()-_=+)
The following characters are not allowed: < > / \
Confirm Password: Enter the same password to ensure it was not mistyped. This entry must match the Password entry.
Email Address: Enter the user's email address for notifications of scan completions and configuration changes.
First Name: Enter the first name of the user. May not be left blank.
Last Name: Enter the last name of the user. May not be left blank.
Primary Phone (optional): Enter the user's phone number. This data is only displayed in the user's property page. It is not used by Foundstone 6.5.
Secondary Phone (optional): Enter a secondary phone number.
Lock Status: Leave this option set to Unlocked. Warning: Setting this option to Locked prevents this account from logging onto Foundstone 6.5.

User Properties - Member Of

This page lets you manage the groups to which the user account belongs.

Procedures

On this page you can do the following:
• To make the user a member of a group, select the group in the Available Groups list and click Add. The user is now a member of that group.
• To remove the user from a group, select the group in the Member Of list and click Remove. The user is no longer a member of that group.

Figure 84: User Account Properties - Member Of tab

User Properties - Access Rights

This page lets you assign access rights to the user or group. These settings affect the user or group whose properties you are viewing.

Procedures

On this page you can do the following:
• To see the scans for a specific workgroup or organization, select the workgroup or organization in the left pane.
• To add the right to view a specific scan, select the appropriate workgroup or organization in the left pane, and click View for the appropriate scan in the right pane. See below for more specific information on access rights.
• To edit the access rights for multiple scans, select the checkbox in the Select column for each scan you want to change. Click the checkboxes in the column heading to mark the selected scans.
• To grant full access to all scans in the workgroup, including all future scans, select the Full Access checkbox.
• To grant the ability to view all tickets associated with a particular scan, follow these two steps: give the user at least View access to the scan (go to the scan and select the checkbox in the View column), then, under Remediation Access Rights, select View Tickets By Scan.
• To grant the ability to edit, assign, and approve completed tickets, follow the same steps as above but select Manage Tickets by Scan under Remediation Access Rights.

Figure 85: Access Rights configuration

Settings for Scan Access Rights

Select Column: Lets you select specific scans, or all of them. Tip: If you select multiple scans, click the checkbox in the column heading to check that column for all selected scans.
Full Access: Check this box if this user or group should have full access to all scans for the organization or workgroup. This person can edit, launch, or delete any scan in the organization or workgroup. Clicking Full Access grays out the rest of the Scan Access Rights settings. This user or group will also have full access to all future scans created under this organization.
Scan Name Column: Shows the names of the scans belonging to the organization.
Full Column: Check this option to be able to see this scan.
When selected, this user or group can view the alerts, reports, and other information displayed in the Foundstone Enterprise Manager for the selected scan.
View Column: Check this option to be able to see this scan. When selected, this user or group can view the alerts, reports, and other information displayed in the Foundstone Enterprise Manager for the selected scan.
Edit IP Column: Check this option to allow the user or group to edit the IP ranges for the selected scan.
Edit Body Column: Check this option to allow the user or group to edit the selected scan's settings, other than the IP ranges and schedule.
Schedule Column: Check this option to allow the user or group to change the times when the selected scan is scheduled to run.

Settings for Remediation Access Rights

Access own tickets: All users can view any tickets assigned to them. This is the default behavior for anyone on the system.
View Tickets by Scan: This level lets you view all Remediation tickets for any scan you can view. Users with this setting can still view any tickets assigned to them. Note: This setting applies to all scans for which the user has at least View access.
Manage Tickets by Scan: This level makes you a Remediation Manager for all tickets for any scan you can view. Users with this setting can still view any tickets assigned to them. Note: This setting applies to all scans for which the user has at least View access.

Deleting Users

Use this option to remove users from the database. As soon as you remove a user from the database, that user is immediately locked out of Foundstone 6.5.

Effects on Remediation Tickets

When you remove a user who has assigned tickets, the tickets become unassigned and go back to the New Tickets queue for reassignment.

Viewing a User's Activity Log

To get here using the Foundstone Enterprise Manager, click MANAGE > USERS/GROUPS.
You must be logged on as an Administrator. To get here using the FoundScan Console, choose File > Users/Groups/Scans.

Foundstone 6.5 logs actions from each workgroup and user account. View the logs for any user account that you can access.
• To see the user activity log file, right-click the user and click View Logs.
• To sort the log, click a column heading in the log file.

The Activity Logs window displays information for the selected user.

Figure 86: Activity Logs - shows account activity

Log Features

Date/Time: The date and time of the event.
Organization: The organization or workgroup name associated with the user.
User Name: The logon username for the account that ran the event.
IP Address: The IP address of the host that ran the event.
Description: Describes the event that took place.

MY ACCOUNT

To get here, click MY ACCOUNT on the global navigation menu. This option only appears if you are logged in as a Global Administrator, Foundstone User, or Remediation Administrator. The Root Organization Administrator and Workgroup Administrator roles should edit the user properties for their own accounts (see "Editing User Properties" on page 244).

This page lets you change your own Foundstone 6.5 account information.

Scope

This page affects only your own account settings.

Procedures
• Add or change any information. To do this, change or add text to any fields and click Apply.
• Change your password. To do this, enter your current password in the Old Password field. Enter your new password in the Password and Confirm Password fields and click Apply.

Important: To save any changes, you must also enter your current password in the Old Password field.
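The password rules stated under Creating New Users and User Properties - General above (at least 8 characters, at least one number, at least one character from `~!@#$%^&*()-_=+, none of < > / \) are the same ones the account pages enforce; the checker below is an added example, not code from the guide or the product, and it assumes the parenthesized list is the complete set of characters that satisfy the non-alphanumeric rule.

```python
# Added example (not part of the guide or the product): a checker for the
# account password rules the guide states, usable as a pre-check before
# provisioning accounts. Assumption: the characters listed in parentheses in
# the guide are the complete set that counts as "non-alphanumeric".
from typing import List, Optional

ALLOWED_SPECIALS = "`~!@#$%^&*()-_=+"   # the set quoted in the guide
FORBIDDEN = frozenset("<>/\\")           # characters the guide rejects outright
DIGITS = frozenset("0123456789")


def password_problems(password: str, confirm: Optional[str] = None) -> List[str]:
    """Return the rules the password fails (an empty list means it passes).

    `confirm`, when given, is compared with `password` the way the
    Confirm Password field is.
    """
    problems: List[str] = []
    chars = set(password)
    if len(password) < 8:
        problems.append("must contain at least 8 characters")
    if not DIGITS & chars:
        problems.append("must contain at least one number")
    if not set(ALLOWED_SPECIALS) & chars:
        problems.append(
            "must contain at least one non-alphanumeric character from "
            + ALLOWED_SPECIALS
        )
    bad = sorted(FORBIDDEN & chars)
    if bad:
        problems.append("must not contain " + " ".join(bad))
    if confirm is not None and confirm != password:
        problems.append("Confirm Password does not match Password")
    return problems


def password_ok(password: str, confirm: Optional[str] = None) -> bool:
    """True when every rule passes."""
    return not password_problems(password, confirm)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Tr0ub4dor&3", "short1!", "longpassword", "Valid8#but<bad"):
        print(candidate, "->", password_problems(candidate) or "OK")
```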
Figure 87: Edit My Account - change the settings for your account

Account Properties

User Name: You can change your username by entering a new name here. This is the username that you use to log onto Foundstone 6.5. Keep in mind that it must be unique among the names on the system. Also, people often need to refer to you by your user account name, so McAfee recommends that this name be based on your first and last name.
Email Address: Enter the user's email address for notifications of scan completions and configuration changes.
First Name: Enter the first name of the user. May not be left blank.
Last Name: Enter the last name of the user. May not be left blank.
Primary Phone (optional): Enter your phone number in case someone uses this data to reach you. This data is only displayed in the user's property page. It is not used by Foundstone 6.5.
Secondary Phone (optional): Enter a secondary phone number.
Old Password: Enter your current password. Important: If you are changing any information, you must enter your current password here before the changes will be accepted. If you are changing your password, enter the new password in the Password field below; you must still enter your current password here.
Password: Enter a password that meets these requirements:
• Contains at least 8 characters
• Contains at least one number
• Contains at least one non-alphanumeric character (`~!@#$%^&*()-_=+)
• Does not contain < > / \
Confirm Password: Enter the same password to ensure it was not mistyped. This entry must match the Password entry.

Managing User Groups

To get here using the Foundstone Enterprise Manager, click MANAGE > USERS/GROUPS. To get here using the FoundScan Console, choose File > Users/Groups/Scans. Then navigate to the Group folder under an organization or workgroup.
Foundstone 6.5 supports user groups so that you can assign a specific set of user rights to multiple user accounts simply by adding the accounts to the group. Any changes you make to the group's access rights are automatically inherited by the users belonging to that group. Likewise, removing a user account from the group automatically removes the group's access rights from that account, unless similar rights are explicitly assigned to the individual user account.

Note: You cannot edit or delete the default groups (see "Using the Default Groups" on page 259).

The Users/Groups page lets you create, edit, or delete groups.

Procedures
• Create a new group (see "Creating New Groups" on page 253).
• Edit the group (see "Editing User Group Properties" on page 253).
• Assign rights (see "User Group Properties - Access Rights" on page 255) based on individual scans.
• Delete a group (see "Deleting User Groups" on page 258).

Creating New Groups

Create user groups to define access rights for groups of user accounts that require similar access.

To create a new group
1. Right-click the Group folder under the organization or workgroup where you want to create the new group and choose New Group from the shortcut menu.
2. Use the New Group wizard to define the settings for the new group. Click Next to move from one page of the wizard to the next.
   • General properties page (see "User Group Properties - General" on page 254): enter the group name and description.
   • Members page (see "Adding and Removing Users from Groups" on page 254): add user accounts to the group.
   • Access Rights page (see "User Group Properties - Access Rights" on page 255): assign access rights to the group. All members inherit these rights.
3. Click Finish to create the new group.
Editing User Group Properties

Once you have created a group, you can edit the following properties at any time.

To edit the properties of a group
1. Navigate to the group you want to edit under the Groups folder.
2. Right-click the group name and choose Properties from the shortcut menu.
3. Do one of the following:
   • Change the name or description (see "User Group Properties - General" on page 254) from its original setting.
   • Add users to the group (see "Adding and Removing Users from Groups" on page 254).
   • Remove users from the group (see "Adding and Removing Users from Groups" on page 254).
   • Assign specific access rights (see "User Group Properties - Access Rights" on page 255) to individual scans. Note: You have to create a scan before you can assign rights to view or edit it. Access rights are based on individual scans.
4. Click OK to save your changes.

User Group Properties - General

Use the General tab in the Group Properties dialog box to enter the Group Name and (optional) Description for the group.

Figure 88: Group Properties - General information

General Tab - Group Properties

Organization: Displays the organization to which the group will belong. This field cannot be changed.
Group Name: A unique, descriptive name for the group. This name is seen only by administrators. Note: The Group Name appears red until you enter a name. It also turns red if you enter a character that is not allowed.
Description: An optional description for the group. Use the description to provide additional information about the purpose of the group. It appears only in the Organization Management interface.

Adding and Removing Users from Groups

Use the Members tab of the Group Properties dialog box to assign user accounts to this group.
Procedures

On this page, do the following:
• To add a user account to the group, select the account in the Available Users list and click Add. The account appears in the Members list.
• To remove an account from the group, select the account in the Members list and click Remove. The account is removed from the list.

Figure 89: Group Properties - Adding/removing members

User Group Properties - Access Rights

Use the Access Rights tab of the Group Properties dialog box to assign the group's access rights. These settings affect the users within the group whose properties you are viewing.

Procedures

On this page, do the following:
• To see the scans for a specific workgroup or organization, select the workgroup or organization in the left pane.
• To add the right to view a specific scan, select the appropriate workgroup or organization in the left pane, and check the View box for the appropriate scan in the right pane. See below for more specific information on access rights.
• To edit the access rights for multiple scans, check the box in the Select column for each scan you want to change. Select the checkboxes in the column heading to mark the selected scans.
• To grant full access to all scans in the workgroup, including all future scans, select the Full Access checkbox.
• To grant the ability to view all tickets associated with a particular scan, follow these two steps: give at least View access to the scan (go to the scan and select the checkbox in the View column), then, under Remediation Access Rights, select View Tickets By Scan.
• To grant the ability to edit, assign, and approve completed tickets, follow the same steps as above but select Manage Tickets by Scan under Remediation Access Rights.
Note: If a user belongs to a group, the user automatically inherits all rights associated with that group. You cannot remove these rights on an individual basis by editing the user; the only way to remove group rights from a user is to remove the user from the group, or to edit the properties for the entire group.

Figure 90: Workgroup Properties - Access Rights

Settings for Scan Access Rights

Select Column: Lets you select specific scans, or all of them. Tip: If you select multiple scans, click the checkbox in the column heading to check that column for all selected scans.
Full Access: Check this box if this user or group should have full access to all scans for the organization or workgroup. This person can edit, launch, or delete any scan in the organization or workgroup. Clicking Full Access grays out the rest of the Scan Access Rights settings. This user or group will also have full access to all future scans created under this organization.
Scan Name Column: Shows the names of the scans belonging to the organization.
Full Column: Check this option to be able to see this scan. When selected, this user or group can view the alerts, reports, and other information displayed in the Foundstone Enterprise Manager for the selected scan.
View Column: Check this option to be able to see this scan. When selected, this user or group can view the alerts, reports, and other information displayed in the Foundstone Enterprise Manager for the selected scan.
Edit IP Column: Check this option to allow the user or group to edit the IP ranges for the selected scan.
Edit Body Column: Check this option to allow the user or group to edit the selected scan's settings, other than the IP ranges and schedule.
Schedule Column: Check this option to allow the user or group to change the times when the selected scan is scheduled to run.
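The access-rights model described on the user and group Access Rights pages (per-scan View/Edit IP/Edit Body/Schedule columns, the Full Access checkbox that also covers future scans, group rights that members inherit and that cannot be removed per user, and by-scan ticket levels that only apply to scans the user can View) can be summarised as a small effective-rights computation. The following is an added example, not code from the guide or the product; the names Grant, scan_rights and ticket_level and the scan names are hypothetical, and the combining rules are taken from the text above.

```python
# Added example (not part of the guide or the product): how the Scan Access
# Rights and Remediation Access Rights settings combine for a user who also
# belongs to groups. Names and scenario are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# The per-scan columns of the Scan Access Rights table.
SCAN_RIGHTS: FrozenSet[str] = frozenset({"view", "edit_ip", "edit_body", "schedule"})

# Remediation Access Rights levels, weakest first.
TICKET_LEVELS = ("own", "view_by_scan", "manage_by_scan")


@dataclass
class Grant:
    """Access Rights settings of one user or one group."""
    full_access: bool = False                                     # Full Access checkbox
    per_scan: Dict[str, Set[str]] = field(default_factory=dict)   # scan name -> columns ticked
    ticket_level: str = "own"                                     # one of TICKET_LEVELS


# The default Administrators group: full access to all scans and tickets.
ADMINISTRATORS = Grant(full_access=True, ticket_level="manage_by_scan")


def scan_rights(user: Grant, groups: List[Grant], scan: str) -> FrozenSet[str]:
    """Rights the user holds on `scan`: the union of the user's own grant and
    every group grant (group rights are inherited and cannot be removed per user)."""
    rights: Set[str] = set()
    for grant in [user, *groups]:
        if grant.full_access:
            return SCAN_RIGHTS          # Full Access also covers scans created later
        rights |= grant.per_scan.get(scan, set()) & SCAN_RIGHTS
    return frozenset(rights)


def ticket_level(user: Grant, groups: List[Grant], scan: str) -> str:
    """Strongest remediation level for `scan`. The by-scan levels apply only to
    scans on which the user has at least View; otherwise only own tickets."""
    if "view" not in scan_rights(user, groups, scan):
        return "own"
    best = "own"
    for grant in [user, *groups]:
        if TICKET_LEVELS.index(grant.ticket_level) > TICKET_LEVELS.index(best):
            best = grant.ticket_level
    return best


if __name__ == "__main__":
    # Constructed scenario: an Auditors group with View on the Internal scan and
    # View Tickets by Scan; alice additionally has View and Edit IP on the DMZ scan.
    auditors = Grant(per_scan={"Internal": {"view"}}, ticket_level="view_by_scan")
    alice = Grant(per_scan={"DMZ": {"view", "edit_ip"}})
    for scan in ("Internal", "DMZ", "Finance"):
        print(scan, sorted(scan_rights(alice, [auditors], scan)),
              ticket_level(alice, [auditors], scan))
    # Removing alice from Auditors drops Internal but keeps her explicit DMZ rights.
    print("after removal:", sorted(scan_rights(alice, [], "Internal")),
          sorted(scan_rights(alice, [], "DMZ")))
```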
Settings for Remediation Access Rights

Access own tickets: All users can view any tickets assigned to them. This is the default behavior for anyone on the system.
View Tickets by Scan: This level lets you view all Remediation tickets for any scan you can view. Users with this setting can still view any tickets assigned to them. Note: This setting applies to all scans for which the user has at least View access.
Manage Tickets by Scan: This level makes you a Remediation Manager for all tickets for any scan you can view. Users with this setting can still view any tickets assigned to them. Note: This setting applies to all scans for which the user has at least View access.

Deleting User Groups

You can delete a user group without affecting existing scans or organizational structures.

Effects on Users

Deleting a user group that contains users does not delete the user accounts themselves. It deletes the access rights the users gained by belonging to the group. So if a user belonged to a group and the group was deleted, the user no longer has the rights given by the group.

To delete a user group
• Right-click the group that you want to remove and choose Delete from the shortcut menu.

Adding and Removing Users from Groups

Use the Members tab in the Group Properties dialog box to add or remove user accounts from the group.

To add or remove users from a group
1. Right-click the Group folder under an organization or workgroup and choose Properties from the shortcut menu.
2. Select the Members tab in the Group Properties dialog box.

Figure 91: Group Properties - Adding/removing members

3. Do one of the following:
   • To add a user account to the group, select the account in the Available Users list and then click Add. The account is displayed in the Members list.
   • To remove an account from the group, select the account in the Members list and click Remove. The account is removed from the list.

Using the Default Groups

Foundstone 6.5 contains two default groups that cannot be removed or edited.

Administrators

The Administrators group exists in every organization and workgroup. Any member added to this group automatically receives administrative privileges over the workgroup, including full access to all scans and remediation tickets for that workgroup.

Note: When you remove a user from the Administrators group, review the user's access rights for the workgroup. The "Manage Remediation Tickets" rights are not automatically revoked when the user is removed from the Administrators group.

Remediation Administrators

This group exists only under the Root Organization. The rights associated with this group are a subset of the Administrators group's rights. They include the ability to manage all of the remediation tickets for the entire organization and all of its workgroups, including the following:
• Review new tickets and assign them to Remediation Users.
• Change ticket details.
• Review tickets that have been completed, approving their closure state.

Root Organization Administrators also have these privileges along with their other management duties, but a Remediation Administrator does not have access to the other management interfaces that the Root Organization Administrator can view. A Remediation Administrator may also be made a member of other user groups in addition to the Remediation Administrators group. This lets a Remediation Administrator also have access to specific scans through the Access Rights properties page (see "User Properties - Access Rights" on page 247).

Managing Notifications

To get here using the Foundstone Enterprise Manager, click MANAGE > NOTIFICATIONS.
The Foundstone Notification Service adds SNMP and email integration for remediation and scan related events, as well as system status events such as FCM updates being available. Remediation tickets are used to manage and track vulnerabilities in systems within your corporate network. The remediation system is available through the Foundstone Enterprise Manager and is integrated with other functions of the system, for example access management.

Note: If you have McAfee's VirusScan Enterprise On-Access Scanner enabled, the Foundstone Notification service will fail to connect to your email server. To receive email notifications, exclude the Notification service from VirusScan Enterprise. See the Foundstone Enterprise Install Guide for further information about using Foundstone and VirusScan Enterprise.

Scope

The Foundstone Notification Service can be configured to communicate and interact with an external SNMP management node, so you can receive notifications, via SNMP trap, when specific events occur. Event notifications are sent from Foundstone to your SNMP management console.

The Global Administrator enables or disables notifications, and specifies where and how events are to be sent. Once the Global Administrator has enabled notifications, the Root Organization Administrator specifies the events for which notifications are to be sent. Use the Notifications Settings page to enable or disable notifications for specific events.

Procedures for Global Administrators

Log on as a Global Administrator to set up and enable notifications:
• Specify whether event notifications are to be sent when tickets are generated or when they are assigned for export (page 263).
• Enable or disable SNMP notifications (page 265).
• Specify the SNMP manager and agent (see "Enabling SNMP Notifications" on page 265).
• Enable or disable email notifications (page 266).
• Specify the email server settings and email addresses (see "Enabling Email Notifications" on page 266).
• To save changes, click Save.
• To cancel any changes made, click Reset.

User Settings Tab

When you are logged in as Root Organization Administrator, Workgroup Administrator, Remediation Administrator, or Default (remediation-only) User, use the User Settings tab (see "Specifying User Settings" on page 262) to:
• Specify the remediation events for which you want to receive email notifications.
• Specify the scan events and scans for which you want to receive email notifications.
• To save changes, click Save.
• To cancel any changes made, click Reset.

Org Settings Tab

When you are logged in as Root Organization Administrator, use the Org Settings tab (see "Specifying Organization Settings" on page 263) to:
• Specify the type of notification (SNMP or email) for remediation and scan related events.
• To save changes, click Save.
• To cancel any changes made, click Reset.

To receive notifications when tickets are exported

Note: The Global Administrator must have specified that notifications are to be sent when tickets are exported.
1. Log in to the Foundstone Enterprise Manager as a Root Organization Administrator or Workgroup Administrator and choose Manage > Remediation.
2. In the Remediation Rules Editor dialog box, create a new remediation rule, or modify an existing rule, and change the Action to Export.
3. Save your changes.

Note: If you have McAfee's VirusScan Enterprise On-Access Scanner enabled, the Foundstone Notification service will fail to connect to your email server. To receive email notifications, exclude the Notification service from VirusScan Enterprise. See the Foundstone Enterprise Install Guide for further information about using Foundstone and VirusScan Enterprise.

Specifying User Settings

To get here using the Foundstone Enterprise Manager, log in to the root organization as Root Organization Administrator, Workgroup Administrator, Remediation Administrator, or Default (remediation-only) User, click MANAGE > NOTIFICATIONS, and then select the User Settings tab.

Use this page to specify the remediation and scan related events for which you want to receive email notifications.

Figure 92: Notification Settings - User Settings

Remediation Related Events

Select the checkbox for each event for which you want to receive email notifications. To disable email notifications, clear the checkbox.

Scan Related Events

Select the checkbox for each event for which you want to receive email notifications. Then select the scans to which you want these notifications to apply.

Note: The scan related events you select apply to each selected scan. For example, if you choose to receive email notifications for Scan Started, you will receive a notification each time any of the scans you selected is started.

To save changes, click Save. To cancel any changes made, click Reset.
Specifying Organization Settings

To get here using the Foundstone Enterprise Manager, log in to the root organization as Root Organization Administrator, click MANAGE > NOTIFICATIONS, and select the Org Settings tab.

Use this page to specify the type of notifications you want to receive for each remediation and scan related event.

Figure 93: Notification Settings - Org Settings

Remediation Related Events: Select the checkbox for the type of notification (SNMP or email) you want to receive for each remediation related event.

Scan Related Events: Select the checkbox for the type of notification (SNMP or email) you want to receive for each scan related event.

To save changes, click Save. To cancel any changes made, click Reset.

Specifying When Event Notifications Should be Sent

To get here you must be logged on to the Foundstone Enterprise Manager as a Global Administrator. Click Manage > Notifications.

Use the General Settings section of the Notifications Settings page to specify when event notifications are to be sent:

• Ticket generated
• Ticket assigned for export

Figure 94: Notification Settings - General Settings

Viewing Vulnerability Details

To get here, click the link in a notification message.

Event notification messages include an unauthenticated URL that points to the Foundstone Enterprise Manager Web server. The URL shows full, generic details of the vulnerability with no identifying information such as computer name or IP address (this information is included in the notification message itself, not on the unauthenticated page).

Enabling SNMP Notifications

To get here you must be logged on to the Foundstone Enterprise Manager as a Global Administrator. Click Manage > Notifications.
Use the SNMP Settings section of the Notification Settings page to specify the SNMP manager and agent.

Figure 95: Notification Settings - SNMP Settings

Check the box to Enable SNMP Notifications. Then complete the remaining information, specifying the SNMP version and the incoming and outgoing SNMP settings.

SNMP General Settings

SNMP Version: Click the arrow to specify the SNMP version: 1 or 2c.
Community String: Enter the SNMP community string.
Throttle: Click the arrow to select the throttle (maximum number of messages per second): 1, 5, 10, 25, 50, 100, 200, or Unlimited.

Incoming SNMP Settings

Address: Enter the listening IP address, fully qualified domain name, or host name of the SNMP agent that is to receive incoming SNMP messages from an external SNMP manager.
Port: Enter the listening port number.
Senders List: Enter the names of authorized senders of SNMP messages. For example, you may want to enter the name of the outgoing SNMP management node here, so that the Foundstone Notification Service will listen to messages sent by that SNMP management node. If you do not enter a name in this field, no messages will be processed by the Foundstone Notification Service.
Add: Click this button to add the name to the Senders List.
Remove: Select a name in the Senders List and click this button to remove the name from the list.
Allow Verify Vulnerability: Check this box if you want Foundstone to respond to SNMP trap messages requesting verification of a vulnerability.

Outgoing SNMP Settings

Address: Enter the IP address, fully qualified domain name, or host name of the SNMP management node that Foundstone is to send SNMP messages to.
Port: Enter the port number of the SNMP management node.
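The Incoming SNMP Settings above amount to three receiver-side checks: the Senders List (an empty list means nothing is processed), the configured SNMP version and community string, and the Throttle. The following is an added example written for this guide, not Foundstone code, showing how such a pre-filter behaves on a raw SNMP v1/v2c trap datagram. It decodes only the message header (version, community, PDU type) and never touches the network; IncomingSnmpFilter, build_trap and the host names are this example's own, and how a sender name is resolved from the source of a datagram is left to the caller.

```python
"""Receiver-side pre-filter for SNMP v1/v2c traps (added example, not Foundstone's code).
Applies the Senders List, version/community and Throttle checks from the Incoming SNMP
Settings to a datagram before it is handed on for processing."""
import time

PDU_V1_TRAP = 0xA4     # RFC 1157 Trap-PDU
PDU_V2C_TRAP = 0xA7    # RFC 3416 SNMPv2-Trap-PDU
VERSION_NAMES = {0: "1", 1: "2c"}   # SNMP version field -> the UI's "1" / "2c" choices


def _read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; returns (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_trap_header(datagram):
    """Return (version name, community, pdu tag) from an SNMP v1/v2c message."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:                         # Message ::= SEQUENCE { version, community, data }
        raise ValueError("not an SNMP message")
    tag, raw_version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag, _, _ = _read_tlv(body, pos)
    version = int.from_bytes(raw_version, "big", signed=True)
    if version not in VERSION_NAMES:
        raise ValueError("unsupported SNMP version %d" % version)
    return VERSION_NAMES[version], community.decode("latin-1"), pdu_tag


class IncomingSnmpFilter:
    """Mirrors the page's settings: SNMP Version, Community String, Senders List, Throttle."""

    def __init__(self, version, community, senders, throttle_per_second=None,
                 clock=time.monotonic):
        self.version = version
        self.community = community
        self.senders = set(senders)          # sender names/addresses as resolved by the caller
        self.throttle = throttle_per_second  # None mirrors the "Unlimited" choice
        self.clock = clock
        self._window_start, self._count = None, 0

    def _within_throttle(self):
        """Count accepted messages per one-second window against the configured maximum."""
        if self.throttle is None:
            return True
        now = self.clock()
        if self._window_start is None or now - self._window_start >= 1.0:
            self._window_start, self._count = now, 0
        self._count += 1
        return self._count <= self.throttle

    def check(self, sender, datagram):
        """Return a disposition string; only 'accepted: ...' messages should be processed."""
        # Page rule: with an empty Senders List, no messages are processed at all.
        if not self.senders or sender not in self.senders:
            return "dropped: sender not in Senders List"
        try:
            version, community, pdu_tag = parse_trap_header(datagram)
        except (ValueError, IndexError):
            return "dropped: malformed SNMP message"
        if version != self.version:
            return "dropped: SNMP version mismatch"
        if community != self.community:
            return "dropped: community string mismatch"
        if pdu_tag not in (PDU_V1_TRAP, PDU_V2C_TRAP):
            return "dropped: not a trap PDU"
        if not self._within_throttle():
            return "dropped: throttle exceeded"
        return "accepted: SNMPv%s trap" % version


def _tlv(tag, payload):
    """BER-encode one TLV; short-form length suffices for these small sample messages."""
    return bytes([tag, len(payload)]) + payload


def build_trap(version, community, pdu_tag=PDU_V2C_TRAP):
    """Constructed sample datagram: a v1/v2c message wrapping a minimal trap PDU
    (only the PDU tag matters to the header checks above)."""
    version_byte = {"1": b"\x00", "2c": b"\x01"}[version]
    pdu = _tlv(pdu_tag, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x02, version_byte) + _tlv(0x04, community.encode()) + pdu)


if __name__ == "__main__":
    flt = IncomingSnmpFilter("2c", "public", senders={"nms.example.internal"}, throttle_per_second=5)
    trap = build_trap("2c", "public")
    print(flt.check("nms.example.internal", trap))      # accepted
    print(flt.check("unknown.example.internal", trap))  # dropped: sender not in Senders List
```

The checks run cheapest-first: an unauthorized sender is rejected before any decoding, and the throttle counts only messages that passed every other check, so a flood of malformed or wrong-community datagrams cannot crowd out legitimate traps.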
Enabling Email Notifications

To get here you must be logged on to the Foundstone Enterprise Manager as a Global Administrator. Click Manage > Notifications.

Use the Email Settings section of the Notification Settings page to specify the email server settings.

Note: If you have McAfee VirusScan Enterprise On-Access Scanner enabled, the Foundstone Notification service will fail to connect to your email server. To receive email notifications, exclude the Notification service from VirusScan Enterprise. See the Foundstone Enterprise Install Guide for further information about using Foundstone and VirusScan Enterprise.

Figure 96: Notification Settings - Email Settings

Check the box to Enable Email Notifications. Then complete the remaining information, specifying the email server's address and the email addresses of the sender and recipient.

Note: Email notifications for updates applied via the Foundstone Configuration Manager are sent to the address listed for Foundstone Operations. If you have enabled email notifications in the Foundstone Configuration Manager Preferences, be sure to include an email address in the Foundstone Operations field.

Email Server Settings

Address: Enter the address of the mail server. Use either the IP address, fully qualified domain name, or host name of the server (up to a maximum of 256 characters).
Port: Enter the port number of the mail server to which notification messages are to be sent.
Server Requires Authentication: Check this box to log on to the mail server with a username and password.
Username: Enter the user name required to log on to the mail server. The user name can be up to 64 characters long.
Password: Enter the password associated with this user name. The password can be up to 128 characters long.

Email Messages

Header Message: Optional.
Enter your organization's security banner here. While Foundstone 6.5 controls the bodies of these messages, you can configure an opening statement as needed. For example, you could include internal contact information or policy notices. Enter a maximum of 256 characters. The email header message can include alphanumeric characters plus underscores, periods, parentheses, hyphens, spaces, commas, slashes (/), and colons.
Footer Message: Optional. While Foundstone 6.5 controls the bodies of these messages, you can configure a closing statement as needed. For example, you could include internal contact information or policy notices. Enter a maximum of 256 characters. The email footer message can include alphanumeric characters plus underscores, periods, parentheses, hyphens, spaces, commas, slashes (/), and colons.

Event and Address Settings

The following settings apply to each notification type: Ticket Integration, Foundstone Operation, User Remediation, and User Scan Status.

From Name: Enter the name of the sender. This is the person or organization that the email will appear to come from. Enter up to 64 characters.
From Address: Enter the email address of the person or organization sending the email. If the recipient replies, the reply is sent to this email address. Enter up to 256 characters in a valid address format (for example, first.last@yourcompany.com).
To Name: Enter the name of the person or organization who will receive notification emails for this type. Enter up to 64 characters.
To Address: Enter the email address of the recipient that is to receive event notifications. Enter up to 256 characters in a valid address format (for example, first.last@yourcompany.com).

Managing Custom Community Strings

Foundstone allows you to set custom community strings for your SNMP servers.
You can set custom community strings for your SNMP Read (public) community names and your SNMP Write (private) community names. The public and private community strings are used during discovery and assessment. This allows Foundstone to discover SNMP servers running custom (non-standard) community names and also assess those custom community names for vulnerabilities.

Foundstone supports discovering open UDP port 161 (SNMP) using SNMP version 1 probes. If Advanced UDP scanning (page 377) is enabled (as a Service), Foundstone can detect any version of SNMP.

SNMP Settings user interface

To get here, log on as the Global Administrator and select MANAGE > POLICY. Click the SNMP tab to view the SNMP settings.

Groups: SNMP is the only group available. In future releases, other groups may be added to this list.

SNMP Read/Write Community Names

The SNMP Read/Write Community Names check for vulnerabilities related to SNMP read and write access. The SNMP Read Community Names use the SNMP Default Community Name vulnerability check. The SNMP Write Community Names use the SNMP Writable Community Strings vulnerability check. These vulnerability checks assess whether an SNMP community name exists and whether Read/Write capability is enabled.

The list of SNMP Read/Write Community Names that appears after install is a list of common SNMP Read/Write community names. Modify this list to meet your company's needs. SNMP Read/Write community names used by your company must appear at the top of the list to ensure these names are assessed during a scan. Any asset discovered with an SNMP community name with read or write enabled will appear in the report. Check each discovered asset for other SNMP community names with read or write capabilities enabled.

To add a community name:

1. Click the plus sign next to SNMP Read/Write Community Names. A blank field is added to the bottom of the list.
2. Type the community name into the field.
3. Click Save.

To remove a community name:

1. Click the minus sign next to the community name you want to remove.
2. Click Save to save your changes, or click Cancel to return to your previously saved state.

SNMP Read/Write Community Name Maximum

Determines the maximum number of SNMP Read/Write community names to use for read/write operations. Using the default setting means a scan only searches for the first enabled SNMP Read/Write community name on the list. Using a higher number means the scan will search up to that many SNMP Read/Write community names, starting at the top of the list. For example, if the maximum number is set to five, then the first five SNMP community names on the list will be used in the scan and the rest of the names in the list (if there are more than five) will be ignored.

Note: Using fewer SNMP Read/Write community names increases performance but can decrease accuracy. The FoundScan Engine allows 6 minutes per check, so using too many names can result in a timeout for this vulnerability check.

SNMP Community Names

The SNMP Community Names are used by checks to establish an SNMP connection. The list of SNMP Community Names that appears after install is a list of common SNMP community names. Modify this list to meet your company's needs. SNMP community names used by your company must appear at the top of the list to ensure these names are used when establishing an SNMP connection.

To add a community name:

1. Click the plus sign next to SNMP Community Names. A blank field is added to the bottom of the list.
2. Type the community name into the field.
3. Click Save.

To remove a community name:

1. Click the minus sign next to the community name you want to remove.
2. Click Save to save your changes, or click Cancel to return to your previously saved state.
SNMP Community Name Maximum

Determines the maximum number of SNMP community names to use for establishing a connection. Using the default setting means an SNMP connection will only be attempted with the first SNMP community name on the list. Using a higher number means the scan will attempt a connection with up to that many SNMP community names, starting at the top of the list. For example, if the maximum number is set to five, then the first five SNMP community names on the list will be used in the scan and the rest of the names in the list (if there are more than five) will be ignored.

Note: Using fewer SNMP community names increases performance but can decrease accuracy. The FoundScan Engine allows 6 minutes per check, so using too many names can result in a timeout for this vulnerability check.

Other Policy Manager functions

Save: Saves changes you have made to the current page.
Cancel: Returns the page settings to the state they were in the last time you saved.
Set to Defaults: Returns the page settings to the program defaults. Warning: Agreeing to reset all values to default removes all custom settings for the currently selected policy.
Config: Takes you to the Configure Policy Manager (on page 272) page.

Configure Policy Manager

To get here, log on as the Global Administrator. Select MANAGE > POLICY and click the SNMP tab.

To export custom SNMP strings to an XML file:

1. Set up and save your custom SNMP strings.
2. Click Config. The Configure Policy Manager page appears.
3. Click Export to XML. Your settings are saved as a compressed file.
4. Click Save.
5. Navigate to a folder location to save your file, then click Save.

To import custom SNMP strings from an XML file:

1. Click Browse.
2. Select the file you want to import and click Open.
3. Click Import from XML.

To add a new value to the user name selection box:

1. Click Add New Value.
2. Type the Display Name.
3. Type the Actual Value.
4. Click Save.
Managing Metrics - FoundScore Settings

To get here, in the Foundstone Enterprise Manager click MANAGE > METRICS. You must be logged in as the Root Organization Administrator to use this page.

You can change the metrics used to calculate the FoundScore. This is done through the settings on the three tabs: General (see "Metrics - General Settings" on page 282), External (see "Metrics - External Scan Settings" on page 284), and Internal (see "Metrics - Internal Scan Settings" on page 286).

Figure 97: Manage Metrics Tabs

Scope

The settings on this page affect the entire organization, including all workgroups. Workgroup administrators cannot make changes to these settings.

MyFoundScore Settings

If you use MyFoundScore, you can change the following metrics to meet the needs of your enterprise:

Internal Scans

Vulnerability Score:
• Maximum points that can be lost (70 default)
• High risk multiplier (5 default)
• Medium risk multiplier (3 default)
• Low risk multiplier (1 default)

Exposure Score:
• Maximum points that can be lost (30 default)
• Points lost for rogue applications (1 default)
• Points lost for Wireless Access Points (1 default)
• Points lost for discovered Trojan programs (30 default)

Criticality: Specify the asset criticality multiplier used.
- 1 (0.50 default)
- 2 (0.75 default)
- 3 (1.00 default)
- 4 (1.25 default)
- 5 (1.50 default)
- unassigned (1.00 default)

External Scans

Vulnerability Score:
• Maximum points that can be lost (50 default)
• Points lost for each high risk vulnerability (50 default)
• Points lost for each medium risk vulnerability (10 default)
• Points lost for each low risk vulnerability (5 default)

Exposure Score:
• Maximum points that can be lost (50 default)
• Points lost for each non-essential service (1 default)
• Maximum points that can be lost for non-essential services discovered (20 default)
• Points lost for each non-essential host (1 default)
• Maximum points that can be lost for non-essential hosts (15 default)
• Points lost for allowing inbound UDP on ports other than port 53 (10 default)
• Points lost if inbound ICMP traffic is permitted (5 default)

Criticality: Specify the asset criticality multiplier used.
- 1 (0.50 default)
- 2 (0.75 default)
- 3 (1.00 default)
- 4 (1.25 default)
- 5 (1.50 default)
- unassigned (1.00 default)

Notes:
• When you activate MyFoundScore and specify MyFoundScore metrics, the metrics apply to all scan configurations within the organization. (You cannot specify different metrics for different scan configurations within the same organization.)
• Activating MyFoundScore does not affect previously generated reports. A report generated before you activated MyFoundScore will not reflect MyFoundScore unless you re-generate it. All future scans will reflect the MyFoundScore criteria.

How FoundScore is Calculated

A perfect score is 100. Foundstone deducts points from the score based on the violations found during a scan. There are two categories of violations: vulnerabilities and exposures.
[vulnerability score] + [exposures score] = FoundScore

Default Scores

                  Internal FoundScore   External FoundScore
Vulnerabilities   70                    50
Exposures         30                    50
Total Score       100                   100

These scores can be modified by using MyFoundScore (page 272). The minimum FoundScore is 0. If a network has a large number of vulnerabilities and exposures, it may take considerable effort to resolve them to get the FoundScore above 0.

Vulnerabilities Score

The Vulnerabilities score is based on the combination of high, medium and low risk vulnerabilities discovered within your environment. Points are deducted for each vulnerability found based on its risk ranking (high, medium, low).

High Risk: An attacker might gain privileged access (administrator, root) to the machine over a remote connection. Examples:
• IIS Remote Data Services provides remote control
• RPC Auto-mounted attack

Medium Risk: An attacker might gain non-privileged (user) access to the machine over a remote connection. Examples:
• ColdFusion viewexample.cfm
• Open and accessible NetBIOS ports

Low Risk: The vulnerability provides enticement data to the attacker that may be used to launch a more informed attack against the target environment. It may indirectly lead to some form of remote connection access to the machine. Examples:
• Anonymous FTP access
• Easy-to-guess SNMP community string

Informational Risk: Available data that is less valuable to an attacker than a low risk vulnerability. You may also not be able to address informational findings; they may be inherent to the network services or architecture in use. For example, an informational vulnerability might include gaining access to data using NetBIOS name table retrieval (NBTStat). However, the ability to enumerate Windows user accounts via a null session is a low vulnerability.
Another example: the SSH protocol requires the version number and the supported cipher and method exchange to be included in the service banner.

Point Scoring

For Internal scans, Foundstone 6.5 considers the size of your network. Network size is not a consideration in External scans. This reflects the philosophy that a vulnerability exposed to the Internet gives a hacker potential access to your network, which is equally dangerous regardless of the size of the network. However, for internal scans, risk is proportional to the number of machines that can be accessed within the network.

Vulnerability Rank                  Points lost per incident (Internal Scan)   Points lost per incident (External Scan)
High-Risk Vulnerability             (5* x 14 / number of hosts) points          50* points
Medium Risk Vulnerability           (3* x 14 / number of hosts) points          10* points
Low Risk Vulnerability              (1* x 14 / number of hosts) points          5* points
Informational Risk Vulnerability    0 points                                    1* point

* These values can be modified by changing the MyFoundScore criteria (see "Using MyFoundScore" on page 81).

Exposures Score

The Exposure Score is different for Internal and External scan types. This table shows the Exposure Scoring for Internal Scans.

FoundScore - Internal Deduction Descriptions

Number of Rogue Applications: 1* point each, up to a maximum of 30*. Applications and services not critical to typical business operation can create significant security exposures. Reduce the number of active network services and enforce an acceptable use policy to reduce the likelihood of security breaches. These applications can open unsecured ports on the host machine, allowing for remote connections or even exploitation of the host.
Some applications allow for plain-text communication of potentially sensitive corporate information, which could be easily eavesdropped by an unintended third party. Examples of rogue applications include:
• Music file-sharing programs, such as Morpheus and Kazaa. These music sharing programs open unique ports on the host and allow it to act as a file server for remote clients using the same file-sharing program.
• Real-time chat programs, such as IRC, Yahoo! Pager, MSN Messenger, and so on. These applications allow unsecured, plain text communication.
• File and resource sharing programs, such as Limewire and Hotline.

Number of Wireless Devices: 1* point each, up to a maximum of 30*. Wireless access points can potentially allow an attacker with a laptop and a wireless LAN card to view all traffic that passes through that access point. They also have the potential to allow others to join as a node on the network itself, exposing seemingly private, internal resources. Wireless access points should be properly configured to allow only authorized resources to connect to the network.

Number of Trojans/Backdoor Applications: 30* points each, up to a maximum of 30*. Certain services are commonly associated with Trojan and backdoor applications that can compromise a host's and/or network's security:
• Users can mistakenly install them by using the Internet or email
• Attackers can "plant" them for later use
• Attackers can load them on compromised hosts
These services can provide unauthorized remote connections to the host, or provide information about the host and/or target network. Retrieval of usernames and passwords, enumeration of other network information and resources, retrieval of host data, or launching an attack against other systems/networks are all possible if a machine is compromised with a Trojan or backdoor program.
* These values can be modified by changing the MyFoundScore criteria (see "Using MyFoundScore" on page 81).

This table shows the Exposures scoring for External Scans.

FoundScore - External Deduction Descriptions

Machines with Non-Essential Services: 1 point deducted for each violation up to a maximum of 20 points. However, if you have assigned criticality factors to your assets, the deduction is multiplied by the criticality factor. An asset can have a criticality from none (zero) to high (5). The actual FoundScore deduction is determined using the following equation:

    FoundScore Non-essential service deduction = SUM(nonessential service * asset criticality)

If MyFoundScore is in use, then the following equation is used to determine the actual deduction:

    MyFoundScore Non-essential service deduction = SUM(nonessential service * asset criticality * MyFoundScore weighting value)

It is possible to find non-essential services without generating deductions: an asset with a criticality of zero will not take any deductions from MyFoundScore.

Although non-essential services are not critical to typical Internet-related business operations, they can still create significant security exposures. To help protect your environment from these exposures, limit active network services to those that are absolutely necessary. By reducing the number of external network services, you reduce the likelihood of security breaches. For example, a network running 10 services is at greater risk than a network running five services because it contains twice the number of services to configure, manage, update, and audit. And given the dynamic nature of security, even a small number of additional network services can exponentially increase the network's exposure. New vulnerabilities are released on a frequent, often daily, basis.
Nonetheless, a small set of services is essential to most networks that require an external presence (they are listed in the External Service table that follows). For every non-essential network service (any service not in that table) discovered to be accessible and active, one point is deducted from the overall FoundScore ranking, up to a maximum of 20 points.

Machines without a Single Essential Service: 1* point deducted for each violation up to a maximum of 15* points. Machines that do not perform a core business operation should be minimized and/or removed to reduce the risk of a security breach. Non-essential machines increase system administration overhead and often host non-essential services that pose additional security risks. In the FoundScore rating, a non-core machine is one that does not have an active, essential service. Any machine identified as alive (by responding to an ICMP request or one of a variety of TCP/UDP "pings"), but not running an essential service on a known port, is considered detrimental to the overall security posture. For each machine discovered in this category, one point is deducted from the FoundScore ranking, up to a maximum of 15 points.

Inbound UDP on ports other than 53: 10* points deducted if found. UDP services are typically not required for machines exposed to the external Internet, with the exception of DNS on port 53. UDP is a security exposure because it is a common transport protocol for popular Denial of Service attacks and backdoor programs such as trin00 and Back Orifice. In addition, the connection-less nature of UDP complicates monitoring and auditing UDP-based services. If UDP is permitted in the environment other than on port 53, 10 points are deducted from the overall FoundScore.
Inbound ICMP permitted anywhere: 5* points deducted if found. Although useful for simple diagnostic testing, permitting inbound ICMP traffic creates significant exposure because attackers use it for popular Denial of Service attacks such as mstream and Tribal Flood Network. If ICMP is permitted, 5 points are deducted from the overall FoundScore.

* These values can be modified by changing the MyFoundScore criteria.

This table lists the services that the External FoundScore treats as essential.

External Service Name   Protocol   Ports
DNS                     UDP        53
FTP                     TCP        21
HTTP                    TCP        80, 8080, 8000, 9000
HTTPS (SSL)             TCP        443
SMTP                    TCP        25
SSH                     TCP        22

What FoundScore does not indicate

Although the FoundScore provides a measurable metric for determining your network's vulnerability posture, it cannot predict what will happen. This table shows some risks that you should keep in mind when reviewing your FoundScore.

The security of unscanned portions of your network: FoundScore is limited to the range of IP addresses you provide; it does not assess machines outside the range provided, nor does it assess devices inside your organization that cannot be reached from the location of the FoundScan Engine in the network.

The effectiveness of your security policy: To determine the effectiveness of any security policy, manual review of the policy itself is necessary, as well as in-depth knowledge of the network and its applications. Even if a policy is built around sound security principles, it may be poorly implemented. The FoundScore rating is based on general best practices for a typical environment. Your network may have unique needs. What is commonly considered an exposure could actually be an acceptable preference in your environment.
The likelihood of attack: The attractiveness of an environment to potential attackers is somewhat intangible and impossible to quantify. Factors include a potential victim's reputation and prestige, an attacker's perception of personal benefit, the perceived value of vulnerable data and other information, and much more. Personal motives such as revenge (employee termination, for instance) must also be considered.

Metrics - General Settings

This page contains general settings for changing the metrics used to determine your FoundScore.

Procedures

On this page:

• To customize the criticality multiplier that Foundstone 6.5 uses to calculate your FoundScore, use "MyFoundScore". Set Use MyFoundScore to Yes. Then change the criticality multiplier as needed in the Custom column.
• To return adjusted criticality multipliers to their default setting, click Reset.
• (Although not done on this page) to configure the FoundScore so that it takes asset criticality into consideration, you must first assign criticality levels to your assets (see "Criticality Levels" on page 154). Otherwise all assets use the multiplier of 1.

General Metric Settings

Use MyFoundScore: To enable MyFoundScore throughout the reports for this organization, select Yes. If No is selected, the reports and summaries show the default FoundScore.
Default vs. Custom (column headings): The Default value shows you what Foundstone 6.5 uses to calculate the regular, default FoundScore. If Use MyFoundScore is set to Yes, Foundstone 6.5 uses the Custom settings to calculate MyFoundScore.
Asset Criticality: These are the criticality ratings that can be assigned in Asset Management. By default, all assets are counted as "Moderate", and have a multiplier of "1". (See the Criticality Multiplier table below.) Asset Criticality does not affect the FoundScore until you change the criticality of specific IP addresses or groups in Asset Management.
    If an asset is not assigned a criticality, its rating is automatically set to 0 (Unassigned). Unassigned (0) and Moderate (3) both use a multiplier of 1.0, so the score is the same either way.

Criticality Multiplier

Asset Criticality Rating   FoundScore Multiplier   Calculated cost for a medium, 10-point risk
Unassigned (0)             1.0                     10 * 1.00 = 10 points
Low (1)                    0.5                     10 * 0.5  = 5 points
Limited (2)                0.75                    10 * 0.75 = 8 points
Moderate (3)               1.0                     10 * 1.00 = 10 points
Significant (4)            1.25                    10 * 1.25 = 12 points
Extensive (5)              1.5                     10 * 1.5  = 15 points

Note: the costs are shown as printed in the product table; 7.5 is rounded to 8 and 12.5 to 12, which is consistent with rounding half to even.

Metrics - External Scan Settings

This page determines the number of deductions taken from your External FoundScore for each vulnerability type. If MyFoundScore is turned on (set to Yes; see "Metrics - General Settings" on page 282), the numbers in the Custom column are used.

Procedures

On this page:
• To customize the deductions that Foundstone 6.5 uses to calculate your FoundScore, use "MyFoundScore". Set Use MyFoundScore to Yes. Then change the deduction as needed in the Custom column.
• To return all modified deductions to their default setting, click Reset.

Figure 98: Manage Metrics - External FoundScore Settings

Vulnerability Deduction Descriptions

Vulnerability Deductions
    Description

Maximum Deductions - Total
    This setting determines the maximum number of points that can be deducted for Vulnerabilities. The default is 50 points, meaning that external vulnerability risks have the same weight as external exposures (also 50 points). If you change this setting, make sure that the maximum deductions for Exposures and for Vulnerabilities still sum to 100 points.

Each High Risk Vulnerability
Each Medium Risk Vulnerability
Each Low Risk Vulnerability
    Change the number of points deducted for each level of vulnerability risk discovered in your environment. Remember that the FoundScore cannot be deducted more than the Maximum Deductions.
    Setting the High Risk Vulnerability deduction to the maximum number deducts all possible vulnerability points on the first high-risk finding. This reflects the seriousness of the vulnerability discovered.

Exposure Deduction Descriptions

Exposure Deductions
    Description

Maximum Deductions - Total
    This setting determines the maximum number of points that can be deducted for Exposures. The default is 50 points, meaning that external exposure risks have the same weight as external vulnerabilities (also 50 points). If you change this setting, make sure that the maximum deductions for Vulnerabilities and for Exposures still sum to 100 points.

Maximum Deductions - Non-Essential Services
    When Foundstone 6.5 finds this number of non-essential services, it stops deducting points from the FoundScore for further non-essential services.

Each Discovered Non-Essential Service
    Deduct this number of points from the FoundScore for each non-essential service found, up to the Maximum Deductions - Non-Essential Services count.

Maximum Deductions - Machines without an Essential Service
    When Foundstone 6.5 finds this number of machines that do not host an essential service, it stops deducting points from the FoundScore for further such machines.

Each Machine without an Essential Service
    Deduct this number of points from the FoundScore for each machine that does not host an essential service, up to the Maximum Deductions - Machines without an Essential Service count.

UDP Permitted Other Than Port 53 (DNS)
    Deduct this number of points from the FoundScore if any UDP port other than port 53 (DNS) is found open on the network.

ICMP Permitted Inbound
    Deduct this number of points from the FoundScore if Foundstone 6.5 finds that inbound ICMP is permitted on the network. ICMP has no ports; the check is whether hosts answer inbound ICMP messages such as echo requests.

Metrics - Internal Scan Settings

This page determines the number of deductions taken from your Internal FoundScore for each vulnerability type.
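To make the External FoundScore arithmetic above concrete, the following Python is an added worked example; it is not part of the Foundstone product or of this guide. The criticality multipliers, the 50/50 Vulnerability and Exposure maxima and the 5-point inbound ICMP deduction are taken from this guide. The per-vulnerability point values, the other per-exposure values and the two "stop deducting after N" counts are assumed placeholders because the page does not list those defaults; read the real values from the Metrics - External Scan Settings page. The example also assumes the criticality multiplier applies to vulnerability deductions and rounds each weighted cost the way the Criticality Multiplier table does.

```python
"""External FoundScore worked example (added illustration, not Foundstone code).

Multipliers, the 50/50 maxima and the 5-point ICMP deduction come from the
guide; values marked ASSUMED are placeholders for defaults the guide does not
list and should be replaced with the values shown on the Metrics page.
"""
from dataclasses import dataclass, field

# Asset criticality rating -> FoundScore multiplier (Metrics - General Settings).
CRITICALITY_MULTIPLIER = {
    0: 1.0,   # Unassigned
    1: 0.5,   # Low
    2: 0.75,  # Limited
    3: 1.0,   # Moderate
    4: 1.25,  # Significant
    5: 1.5,   # Extensive
}

# Default maxima from Metrics - External Scan Settings.
MAX_VULN_DEDUCTIONS = 50
MAX_EXPOSURE_DEDUCTIONS = 50

DEFAULTS = {
    "high": 20,                            # ASSUMED points per high-risk vulnerability
    "medium": 10,                          # ASSUMED (matches the "medium, 10-point risk" example)
    "low": 2,                              # ASSUMED
    "nonessential_service": 5,             # ASSUMED points per non-essential service
    "max_nonessential_services": 5,        # ASSUMED: stop deducting after this many services
    "machine_without_essential": 5,        # ASSUMED points per machine without an essential service
    "max_machines_without_essential": 5,   # ASSUMED: stop deducting after this many machines
    "udp_other_than_53": 5,                # ASSUMED
    "icmp_inbound": 5,                     # documented default
}


@dataclass
class Host:
    """One scanned host and the findings that feed the score."""
    ip: str
    criticality: int = 0                       # 0..5, see CRITICALITY_MULTIPLIER
    vulns: list = field(default_factory=list)  # entries are "high", "medium" or "low"
    nonessential_services: int = 0             # services not in the essential-service table
    has_essential_service: bool = True
    udp_open_other_than_53: bool = False
    icmp_inbound: bool = False


def weighted_cost(points, criticality):
    """Apply the criticality multiplier and round as the guide's table does
    (7.5 -> 8, 12.5 -> 12, i.e. round half to even)."""
    return round(points * CRITICALITY_MULTIPLIER[criticality])


def vulnerability_deduction(hosts, cfg=DEFAULTS):
    """Sum of weighted per-vulnerability costs, capped at Maximum Deductions - Total."""
    total = sum(weighted_cost(cfg[level], h.criticality)
                for h in hosts for level in h.vulns)
    return min(total, MAX_VULN_DEDUCTIONS)


def exposure_deduction(hosts, cfg=DEFAULTS):
    """Exposure deductions: the two counted categories stop at their 'maximum'
    counts, the two yes/no categories are deducted once, then the total is capped."""
    services = sum(h.nonessential_services for h in hosts)
    machines = sum(1 for h in hosts if not h.has_essential_service)
    total = (min(services, cfg["max_nonessential_services"]) * cfg["nonessential_service"]
             + min(machines, cfg["max_machines_without_essential"]) * cfg["machine_without_essential"]
             + (cfg["udp_other_than_53"] if any(h.udp_open_other_than_53 for h in hosts) else 0)
             + (cfg["icmp_inbound"] if any(h.icmp_inbound for h in hosts) else 0))
    return min(total, MAX_EXPOSURE_DEDUCTIONS)


def external_foundscore(hosts, cfg=DEFAULTS):
    """100 minus the capped vulnerability and exposure deductions."""
    return 100 - vulnerability_deduction(hosts, cfg) - exposure_deduction(hosts, cfg)


# Constructed sample network (not real scan data).
SAMPLE_HOSTS = [
    Host("192.0.2.10", criticality=4, vulns=["medium"], icmp_inbound=True),
    Host("192.0.2.20", criticality=1, vulns=["low", "low"],
         nonessential_services=2, has_essential_service=False),
]

if __name__ == "__main__":
    print("vulnerability deduction:", vulnerability_deduction(SAMPLE_HOSTS))   # 12 + 1 + 1 = 14
    print("exposure deduction:", exposure_deduction(SAMPLE_HOSTS))             # 10 + 5 + 0 + 5 = 20
    print("External FoundScore:", external_foundscore(SAMPLE_HOSTS))           # 66
    # Setting the high-risk deduction to the maximum empties the whole
    # vulnerability budget on the first high-risk finding.
    harsh = dict(DEFAULTS, high=MAX_VULN_DEDUCTIONS)
    print(vulnerability_deduction([Host("192.0.2.30", vulns=["high"])], harsh))  # 50
```

The two things worth checking when you tune MyFoundScore are visible in the output: the Significant host's medium finding costs 12 points rather than 10 because of its multiplier, and no combination of settings can push either category past its Maximum Deductions - Total, so the two maxima must still add up to 100.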
If MyFoundScore is turned on (set to Yes; see "Metrics - General Settings" on page 282), Foundstone 6.5 uses the numbers in the Custom column.

Procedures

On this page:
• To customize the deductions that Foundstone 6.5 uses to calculate your FoundScore, use "MyFoundScore". Set Use MyFoundScore to Yes. Then change the deduction as needed in the Custom column.
• To return all modified deductions to their default setting, click Reset.

Figure 99: Manage Metrics - Internal FoundScore Settings

Vulnerability Deduction Settings

Internal Vulnerability Deductions
    Description

Maximum Deductions - Total
    This setting determines the maximum number of points that can be deducted for Vulnerabilities. The default is 70 points, meaning that internal vulnerability risks carry much more weight than internal exposures (default 30 points). If you change this setting, make sure that the maximum deductions for Exposures and for Vulnerabilities still sum to 100 points.

High Risk Vulnerability Multiplier
Medium Risk Vulnerability Multiplier
Low Risk Vulnerability Multiplier
    Foundstone 6.5 considers the size of your network when determining your Internal FoundScore, because in an internal setting the risk is proportional to the number of machines on your network: more machines create more risk. To reflect this, Foundstone 6.5 uses the following equation:

        FoundScore Deduction = X * 14 / Number of hosts

    X is the value you change by modifying the risk multiplier for that severity level. Because the deduction is divided by the number of hosts, a single vulnerability costs fewer points on a large network than on a small one; the total deduction therefore tracks the density of vulnerabilities rather than their raw count.

Exposure Deduction Settings

Internal Exposure Deductions
    Description

Maximum Deductions - Total
    This setting determines the maximum number of points that can be deducted for Exposures. If you change this setting, make sure that the maximum deductions for Vulnerabilities and for Exposures still sum to 100 points.
Each Discovery of a Rogue Application
    Deduct this number of points from the FoundScore for every rogue application discovered on the network.

Each Discovery of a Wireless Access Point
    Deduct this number of points from the FoundScore for every wireless access point discovered on the network.

Each Discovery of a Trojan or Backdoor Service
    Deduct this number of points from the FoundScore for every Trojan or backdoor program discovered. This is such a serious risk that the default setting deducts the maximum number of points for exposures on the first discovery.

Working with Scans

To get here, hold the mouse over SCANS on the global navigation menu. The Remediation Administrator has access to these features if explicitly assigned access rights to scans.

Figure 100: Scan Menu - Scan Status, Edit Scans, New Scan

The SCANS menu shows the following options:
• SCAN STATUS - view the status of current scans (see "Scan Status" on page 290) in your organization/workgroup.
• EDIT SCANS - view, edit, delete, or launch a scan (see "Editing Scans" on page 293) in your organization/workgroup. Also lets you view templates (see "Viewing Scan Templates" on page 295) and create new scans (see "Creating New Scans" on page 291).
• NEW SCAN - create new scans (see "Creating New Scans" on page 291).
• VULN FILTERS - save a group of vulnerability checks as a filter (see "Vulnerability Filters" on page 409). When you create a new scan, you can then load the filter to automatically select the checks in that filter. The Remediation Administrator has access to this feature if explicitly assigned access rights to scans.

Note: If you run two scans simultaneously that have similar checks, such as the operating system identification checks in scans based on the Asset Discovery Scan template, you may see different results when viewing reports.
This is because one scan may be accessing a system in your network at the same time as the second scan. For example, the first scan may be occupying an open port, so the second scan does not report that port as open.

Quick steps to creating a new scan

1 Choose SCANS > NEW SCAN.
2 In the Scan Details page (see "Creating New Scans" on page 291), choose how you want to create the scan:
   • To create a scan based on the default settings, select Use Foundstone's default settings and click Next.
   • To create a scan based on a template, select Use a Foundstone template, select the template you want to use, and click Next.
   • To create a scan based on an existing scan, select Use an existing scan, select the scan you want to use, and click Next.
3 In the IP Selection page (page 359), enter or change the Scan Name and Description.
4 Select the Scan Type, if necessary. Most often, you will use the default setting, Custom.
5 Specify the IP addresses to be scanned by:
   • Entering IP addresses (page 362)
   • Browsing through a list of assets (page 364)
   • Searching for specific assets (page 368)
6 Click Next or click the Settings tab.
7 In the Settings page, click the icon on the left side of the page to change the settings for the following:
   • Hosts (page 370) to specify options for ICMP, UDP, and TCP scanning
   • Services (page 377) to specify the services you want discovered on your network
   • Credentials (see "Managing Credentials" on page 380) to create and manage credentials used to access systems on your network
   • Vuln Selection (page 388) to specify the vulnerabilities you want checked under the General, Windows, Wireless, and Shell categories
   • Web Module (page 393) to specify whether you want to search your network for Web applications and any relevant vulnerabilities
   • Optimize (page 398) to change settings that tune the performance of Foundstone
8 Click Next or click the Reports tab.
9 In the Reports page (page 400), specify whether you want remediation tickets created for this scan when it has completed running. Clear the check box if you do not want remediation tickets created.
10 Select the FoundScore Type you want used for this scan. This setting defines the set of calculations used to determine the FoundScore value. Choose Internal or External.
11 Select the format in which you want reports created. For PDF reports, expand the PDF Report Sub-Types section and select the reports you want generated in PDF format.
12 Click Next or click the Scheduler tab (page 404).
13 In the Scheduler page, select whether this scan is activated or de-activated. If you activate this scan and set the Schedule Type to Immediate, the scan begins running right away. De-activated scans are saved but are not run automatically (you can run them manually by clicking Activate in the Edit Scans page; see "Editing Scans" on page 293).
14 Select the FoundScan Engine and specify the network interface that the scan will use.
   Note: If Select Engine displays AutoSelect, the Global Administrator or Root Organization Administrator has enabled automatic scan engine selection. The scan automatically selects a scan engine based on the IP addresses selected for this scan.
15 Schedule the scan to run immediately, at a specific date and time, or on a recurring schedule.
16 If you want to use a Scan Window, so that the scan only runs during specific hours or on specific days, check the box and enter the window details.
17 Click OK to save the scan and exit the scan editor pages.

Scan Status

To get here, click SCANS > SCAN STATUS. The Remediation Administrator has access to these features if explicitly assigned access rights to scans.

The Scan Status page shows the status of all the scans that the user has access to. You must have view access to a scan for it to appear on this list.
This list shows the pending and active scans so that you can monitor their status.

Procedures

On the Scan Status page you can do the following:
• To pause a scan, click Pause.
• To resume a paused scan, click Resume.
• To stop a scheduled scan, click Cancel.
• To update the page, click Refresh.
• To sort the list, click a column heading.

Figure 101: Scan Status page

Scan Status Description

Column Heading
    Description

Engine
    The name of the engine running the scan.

Name
    The name of the scan configuration used for this scan.

Job ID
    The internal number assigned to the scan job.

Start
    The date/time the scan began.

Stop
    The date/time the scan ended.

Duration
    The amount of time that elapsed between the start time and the stop time. This includes any time the scan was interrupted or paused.

Progress
    The "percent complete" value for this scan.

Status
    The current status of the scan: Running, Complete, or Error.

Hosts Found
    How many hosts were discovered by the scan.

Action
    Pause - Pauses the scan and changes to Resume. Click Resume to continue running the scan.
    Cancel - Stops running the scan and removes it from the queue.
    Note: Clicking either action button refreshes the page.

Refresh
    Updates the scan status information.

Clear all Inactive
    Removes all inactive scans from the queue.

Note: This page shows only those scans that your account can view.

Creating New Scans

To get here, click SCANS > NEW SCAN. Only administrators (Global, Root Organization, or Workgroup Administrators) can create a scan.

The New Scan page starts the process for creating a new scan. You can base the new scan on a pre-existing scan configuration, a pre-configured template, or the default settings.

Scope

Creating new scans is limited to the Global Administrator, Root Organization Administrator, or Workgroup Administrator.
Other users cannot create new scans. Once a scan is created, any administrator (Global Administrator, Root Organization Administrator, or Workgroup Administrator) with access to this workgroup can view the scan. Other users can only see this scan if they are given explicit access to it (see "User Properties - Access Rights" on page 247).

Procedures

On this page you can do the following:
• Begin the process for creating a new scan by selecting the basis for the new scan. You can select Foundstone's default settings, a template (see "Scan Templates" on page 298), or an existing scan. If you create a new scan from an existing scan,
• View the Scan Properties page by clicking Next.
• Return to the previous page by clicking Cancel.

Figure 102: New Scan - choose a template, scan, or defaults

Scan Details

Setting
    Description

Use Foundstone's default settings
    This is the default scan. You can base the new scan on the defaults and change the settings as desired to customize it. The table shows available, existing scans; select one of these scans to use it as a basis for the new scan settings. This is the same as using the Use an existing scan option below: select an existing scan and click Next. The new scan contains the same settings as the scan upon which it is based, except for the scan name and the schedule settings.

Use a Foundstone template
    The available templates (see "Scan Templates" on page 298) appear in the bottom half of the page. Select a template and click Next.

Use an existing scan
    The list of scans from your organization appears in the bottom half of the page. Select a scan and click Next.
    Note: Basing a scan on an existing scan does not allow you to change the engine or NIC the scan uses.
After clicking Next, the Scan Properties dialog box (see "Scan Properties" on page 358) appears so you can edit the original settings from the selected scan or template.

Important: Do not scan any server that is currently a part of the Foundstone 6.5 system. Scanning another FoundScan Engine can cause inaccurate results.

To sort the list of existing scans alphabetically

The list of existing scans can be sorted by the date they were created or alphabetically. However, this is a global setting for all users of Foundstone 6.5; it lives in the CONFIG.INI file on the Foundstone Enterprise Manager server and must be changed by an administrator with access to that server.

1 On the Foundstone Enterprise Manager server, open the CONFIG.INI file.
2 Add the following lines to the [optional] section:

   ; New Scan Page: "1" sorts scans alphabetically, "0" sorts by creation date.
   new_scan_alpha_sort = 1

3 Save and close the CONFIG.INI file.

Editing Scans

To get here, click SCANS > EDIT SCANS. The Remediation Administrator has access to these features if explicitly assigned access rights to scans.

This page lists the scans that you can access within your organization.

Procedures

From this page you can do the following:
• To edit the scan's settings, click Edit.
• To review a scan's settings, click View.
• To remove the scan, click Delete.
• To run the scan according to its scheduled settings, click Activate.

Note: Activate is not available until the scan has run at least once.

Figure 103: Scan list shows scans for your organization/workgroup

Features and Settings

Setting
    Description

Edit
    Opens the scan properties page to make changes to the scan.
    Note: To edit a scan that is currently running, you must do it from the FoundScan Console. You cannot edit a running scan from the Foundstone Enterprise Manager.
    This option does not exist if you do not have permission to change this scan configuration.

View
    Opens the scan properties page, but does not allow changes to be made.

Delete
    Click Delete to remove this scan configuration and all associated scan jobs from the Foundstone Database.
    Warning: Deleting a scan removes all associated information, including discovery data, vulnerability data, and remediation tickets:
    - you cannot generate reports from this scan
    - you cannot review reports from this scan over the Web server
    - you cannot manage remediation tickets generated by this scan
    This option does not exist if you do not have permission to change this scan configuration.

Activate
    If the scan is not already scheduled to run, clicking the button sets the scan schedule to "Immediate" and "Active". The scan launches immediately and runs one time, and the confirmation message "Your scan has been launched." appears. When the scan finishes, its status returns to "Inactive".
    If the scan is already scheduled to run, it will not launch; clicking the button produces the message "An error has occurred. Could not launch the scan."
    Note: This button is inactive when the scan is associated with a scan engine that is offline or unavailable.

Viewing Scan Templates

To get here, click SCANS > EDIT SCANS, then click the Templates tab. You must have access to view scans to use this feature.

This page shows the templates that have been set up for this organization/workgroup. Click View to see the scan properties (page 358) for any template. When you view the scan properties of a template, the IP Address and Schedule settings are not available; all other settings are saved in the template.

Scope

Templates can only be managed (created, edited, deleted) from the FoundScan Console. However, you can create scans based on existing scans (see "Creating New Scans" on page 291).
Procedures

On this page you can do the following:
• To see the settings for a template, click View. The template opens in read-only mode.
• To see the list of scans in your organization/workgroup, click the Scans tab.
• To create a new scan, click the New Scan tab (Administrators only).

Figure 104: Template list shows available templates

Centralized Scan Management

Using centralized scan management, you can assign your scan engines to IP addresses and ranges. When a user selects an IP range, the scan configuration automatically selects the assigned scan engine. Assigning IP addresses to scan engines is part of the Workgroup configuration process. Automatically selecting a scan engine based on the IP addresses selected is part of the Scan Configuration process.

To set a scan engine to Auto Select

To get here using the Foundstone Enterprise Manager, log on as the Global Administrator and select MANAGE > USERS/GROUPS. Using the FoundScan Console, select File > Users/Groups/Scans.

1 Create a new organization (see "New Organization Wizard" on page 211) or workgroup (see "Creating New Workgroups (Sub-Organizations)" on page 228), or use an existing organization or workgroup.
2 Right-click the organization or workgroup name and select Properties.
3 Select the Scan Engines tab. All engines assigned to this organization or workgroup are listed.
4 To automatically select a scan engine when setting up a scan, select the Auto Select checkbox.
5 Click OK to save your settings.

To create a scan using Auto Select

In the Foundstone Enterprise Manager, select SCANS > NEW SCAN or SCANS > EDIT SCANS.

1 Create a new scan (see "Creating New Scans" on page 291) or edit an existing scan (see "Editing Scans" on page 293).
2 Select the Scheduler tab.
3 Select Active.
4 If the Auto Select scan engine function is active for this workgroup, AutoSelect appears in the Select Engine field.
5 If AutoSelect does not appear, the Auto Select function is not active, and you must select your scan engine.
6 Click OK to save your settings.

Scan Templates

Foundstone 6.5 comes with default templates that can be used to create your own scans. These templates have been designed around the best practices developed by McAfee's Sales Engineers. The settings are determined by the size of the network and by the type of scan.

Note: The settings described in this document are the scan template settings at the time of the release of Foundstone 6.5.

Use these templates as guidelines

Once you have created a scan based on a template, you can change its settings, refining them to match your network configuration as needed. Refer to this guide for more information on each setting.

Network size

For the purposes of describing network sizes, this guide uses the following definitions:
• Small Network - up to 10 Class C networks (2560 potentially live hosts)
• Medium Network - multiple Class C networks up to a Class B network (65536 potentially live hosts)
• Large Network - multiple Class B networks up to a Class A network (16.7 million potentially live hosts)

Template list

These are the templates included with Foundstone 6.5:
• ACSI 33 All Checks (on page 301) - This scan searches for vulnerabilities that would impact compliance with the Australian Government Information and Communications Technology Security Manual (ACSI 33); both intrusive and non-intrusive checks.
• ACSI 33 Non-Intrusive Scan (on page 303) - This scan searches for vulnerabilities that would impact compliance with the Australian Government Information and Communications Technology Security Manual (ACSI 33); non-intrusive checks only.
• Asset Discovery Scan (see "Asset Discovery Scan Template" on page 305) - The Asset Discovery Scan searches for the various devices on your network. This scan is meant to provide a high-level view of the different types of operating systems and devices on your network; it is not meant to provide detailed information on running services or on vulnerabilities.
• COBIT All Checks (on page 307) - This scan searches for vulnerabilities that would impact compliance with Control Objectives for Information and related Technology (COBIT); both intrusive and non-intrusive checks.
• COBIT Non-Intrusive Scan (on page 310) - This scan searches for vulnerabilities that would impact compliance with Control Objectives for Information and related Technology (COBIT); non-intrusive checks only.
• FISMA All Checks (see "FISMA Compliance All Checks Scan Template" on page 313) - This scan searches for vulnerabilities that would impact compliance with the Federal Information Security Management Act (FISMA); both intrusive and non-intrusive checks.
• FISMA Non-Intrusive Scan (see "FISMA Compliance Non-Intrusive Scan Template" on page 316) - This scan searches for vulnerabilities that would impact compliance with the Federal Information Security Management Act (FISMA); non-intrusive checks only.
• Full Vulnerability Scan (see "Full Vulnerability Scan Template" on page 318) - The full scan lets you pick and choose the types of vulnerability checks to run against the network.
• HIPAA All Checks (see "HIPAA Compliance All Checks Scan Template" on page 320) - This scan searches for vulnerabilities that would impact compliance with the Health Insurance Portability and Accountability Act (HIPAA); both intrusive and non-intrusive checks.
• HIPAA Non-Intrusive Scan (see "HIPAA Compliance Non-Intrusive Scan Template" on page 323) - This scan searches for vulnerabilities that would impact compliance with the Health Insurance Portability and Accountability Act (HIPAA); non-intrusive checks only.
• ISO 17799-BS7799 All Checks (see "ISO 17799-BS7799 Compliance All Checks Scan Template" on page 325) - This scan searches for vulnerabilities that would impact compliance with ISO/IEC 17799 and its British Standard counterpart BS 7799, the "Code of Practice for Information Security Management"; both intrusive and non-intrusive checks.
• ISO 17799-BS7799 Non-Intrusive Scan (see "ISO 17799-BS7799 Compliance Non-Intrusive Scan Template" on page 328) - This scan searches for vulnerabilities that would impact compliance with ISO/IEC 17799 and BS 7799, the "Code of Practice for Information Security Management"; non-intrusive checks only.
• Large Network Asset Discovery Scan (see "Large Network Asset Discovery Scan Template" on page 330) - This scan is optimized to discover operating systems for inventory purposes only, in Class A networks. Note: This type of scan requires high bandwidth utilization. Consult McAfee Technical Support before running such a large scan.
• OS Identification Scan (see "OS Identification Scan Template" on page 334) - This scan is optimized to comprehensively discover and identify all network device operating systems on your network.
• Payment Card Industry (PCI) Non-Intrusive Scan (see "Payment Card Industry (PCI) Compliance Non-Intrusive Scan Template" on page 336) - This scan searches for vulnerabilities that would impact compliance with the Payment Card Industry (PCI) Data Security Standard; non-intrusive checks only.
• SANS/FBI Top 20 Scan All Checks (see "SANS/FBI TOP 20 All Checks Scan Template" on page 339) - This scan searches for the vulnerabilities on the SANS/FBI Top 20 list of the most commonly exploited vulnerabilities. It includes intrusive checks, which can adversely affect the operation of the host being scanned.
• SANS/FBI Top 20 Scan Non-Intrusive (see "SANS/FBI TOP 20 Non-Intrusive Scan Template" on page 341) - This scan searches only for the vulnerabilities on the SANS/FBI Top 20 list, using non-intrusive checks only.
• Sarbanes-Oxley Non-Intrusive Scan (see "Sarbanes-Oxley Compliance Non-Intrusive Scan Template" on page 343) - This scan searches for vulnerabilities that would impact compliance with the Sarbanes-Oxley (SOX) Act of 2002; non-intrusive checks only.
• Shell Advanced Scan (see "Shell Advanced Scan Template" on page 346) - This scan uses authenticated shell credentials to assess UNIX-based hosts (including routers) for missing patches and hotfixes.
• Single Vulnerability Scan (see "Single Vulnerability Scan Template" on page 347) - Use this scan to run a single vulnerability check.
• Web Server Scan (see "Web Server Scan Template" on page 349) - This scan searches the network for Web services. It probes for Web applications, looks for access points and weaknesses that could provide access into the network, and searches for various vulnerabilities associated with Web services.
• Windows Advanced Scan (see "Windows Advanced Scan Template" on page 352) - This scan uses domain credentials to scan the registry for missing service packs and hotfixes, local security policy violations, anti-virus status, and other services.
• Windows Policy Compliance Scan (see "Windows Policy Compliance Scan Template" on page 354) - This scan checks compliance with the Windows Policy template; only the user-specified Windows policy template settings are checked.
• Wireless Discovery Scan (see "Wireless Assessment Scan Template" on page 356) - This scan discovers unsecured wireless access points, including their vulnerabilities.

Common Report Settings in All Templates

All templates have the following Report settings.

Common Report Settings

Feature                                                                      Setting
Remediation Options (available through the Foundstone Enterprise Manager)    ON
FoundScore Type                                                              Internal
Network Reports:
  HTML Report                                                                ON
  PDF Report                                                                 OFF
  CSV Report                                                                 OFF
  XML Report                                                                 OFF

ACSI 33 All Checks

This scan searches for vulnerabilities that would impact compliance with the Australian Government Information and Communications Technology Security Manual (ACSI 33); both intrusive and non-intrusive checks.
Scan Template Settings

ACSI 33 All Checks Scan Template Settings

Scan Type                                              Custom

Hosts
  ICMP Scanning                                        ON, Echo Request Only
  UDP Scanning                                         Default
    Use Advanced UDP Scanning Technique                OFF
    Use UDP Static Source Port                         OFF
  TCP Scanning                                         Default
    Full Connect Scan                                  OFF
    Use TCP Static Source Port                         OFF
  Advanced:
    Enable Hostname Resolution                         ON
    Enable OS Identification                           ON
    Use credentials if available                       ON
    Randomize order of hosts scanned (by IP Address)   ON

Services
  UDP Scanning                                         Default
    Use Advanced UDP Scanning Technique                OFF
  TCP Scanning                                         Default
    Full Content Scan                                  OFF
  Advanced Options:
    Perform Banner Grabbing                            ON
    Enable Load Balancer Detection                     OFF
    Service Fingerprinting                             HTTP, HTTPS

Vulns Selection
  General                                              ON
    Vulnerability Checks                               Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks                          OFF
  Windows Module                                       ON
    Vulnerability Checks                               Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks                          OFF
  Wireless Module                                      ON
    Vulnerability Checks                               Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks                          OFF
  Shell Module                                         ON
    Vulnerability Checks                               Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks                          OFF
  Web Module
    Enable Web Application Assessment Module           OFF

Optimize                                               NORMAL
  Customize                                            OFF

ACSI 33 Non-Intrusive Scan

This scan searches for vulnerabilities that would impact compliance with the Australian Government Information and Communications Technology Security Manual (ACSI 33); non-intrusive checks only.
Scan Template Settings

ACSI 33 Non-Intrusive Scan Template Settings

Scan Type                                              Custom

Hosts
  ICMP Scanning                                        ON, Echo Request Only
  UDP Scanning                                         Default
    Use Advanced UDP Scanning Technique                OFF
    Use UDP Static Source Port                         OFF
  TCP Scanning                                         Default
    Full Connect Scan                                  OFF
    Use TCP Static Source Port                         OFF
  Advanced:
    Enable Hostname Resolution                         ON
    Enable OS Identification                           ON
    Use credentials if available                       ON
    Randomize order of hosts scanned (by IP Address)   ON

Services
  UDP Scanning                                         Default
    Use Advanced UDP Scanning Technique                OFF
  TCP Scanning                                         Default
    Full Content Scan                                  OFF
  Advanced Options:
    Perform Banner Grabbing                            ON
    Enable Load Balancer Detection                     OFF
    Service Fingerprinting                             HTTP, HTTPS

Vulns Selection
  General                                              ON
    Vulnerability Checks                               Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks                          OFF
  Windows Module                                       ON
    Vulnerability Checks                               Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks                          OFF
  Wireless Module                                      ON
    Vulnerability Checks                               Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks                          OFF
  Shell Module                                         ON
    Vulnerability Checks                               Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks                          OFF
  Web Module
    Enable Web Application Assessment Module           OFF

Optimize                                               NORMAL
  Customize                                            OFF

Note: As printed, this table is identical to the ACSI 33 All Checks table, including the "Intrusive checks selected" entries, while the template itself is described as non-intrusive only. Before running this template against production hosts, open it in the FoundScan Console and confirm that only non-intrusive checks are selected.

Asset Discovery Scan Template

This scan is optimized to comprehensively discover and identify all the network devices on your network.
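The template tables that follow list Custom UDP and TCP ports as space-separated single ports and ranges such as "21-23". When you want to reproduce a template's scope with another tool, or check which of the essential services from the External Exposures table a template actually probes, it helps to parse that syntax. The following Python is an added example, not code from Foundstone or from this guide: it expands a port list, compresses it back into the comma-joined range form that nmap's -p option accepts, and reports essential-service coverage. The UDP list is copied from the Asset Discovery template in this guide; the short TCP list is constructed for the demonstration.

```python
"""Parse Foundstone template port lists (added example, not Foundstone code).

Template tables list Custom UDP/TCP ports as space-separated single ports and
ranges such as "21-23". These helpers expand such a list, compress it back
into ranges, and report which essential services (External Exposures table)
a template would probe.
"""
import re

# Essential services for External scans, from the Exposures scoring table.
ESSENTIAL_SERVICES = {
    "DNS": ("udp", {53}),
    "FTP": ("tcp", {21}),
    "HTTP": ("tcp", {80, 8080, 8000, 9000}),
    "HTTPS (SSL)": ("tcp", {443}),
    "SMTP": ("tcp", {25}),
    "SSH": ("tcp", {22}),
}

_TOKEN = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_list(text):
    """Return the sorted list of ports named by a Foundstone-style port list.

    Raises ValueError on malformed tokens or ports outside 0-65535, so a
    copy/paste defect such as '16451646' (for '1645-1646') is caught rather
    than silently producing an empty or wrong scope."""
    ports = set()
    for token in text.split():
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"bad port token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"port out of range: {token!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def compress_ports(ports):
    """Inverse of parse_port_list: collapse consecutive ports into 'a-b' ranges
    joined with commas (the syntax nmap's -p option accepts)."""
    ports = sorted(set(ports))
    out = []
    i = 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)


def essential_coverage(udp_list, tcp_list):
    """Map each essential service to True if every one of its ports is in the
    template's list for that protocol, so gaps in scope are visible before a scan."""
    have = {"udp": set(parse_port_list(udp_list)), "tcp": set(parse_port_list(tcp_list))}
    return {name: ports <= have[proto] for name, (proto, ports) in ESSENTIAL_SERVICES.items()}


# The Asset Discovery template's Custom UDP list, copied from this guide.
ASSET_DISCOVERY_UDP = ("53 68-69 123 135 137-138 161 260 445 500 514 520 1434 "
                       "1645-1646 1812-1813 2049 31337 43981")
# A short constructed TCP list for the demonstration (not a template value).
SAMPLE_TCP = "21-23 25 53 80 443 8000 8080"

if __name__ == "__main__":
    udp = parse_port_list(ASSET_DISCOVERY_UDP)
    print(len(udp), "UDP ports")                         # 21
    print("nmap -sU -p", compress_ports(udp))
    print(essential_coverage(ASSET_DISCOVERY_UDP, SAMPLE_TCP))  # HTTP is False: 9000 missing
```

The coverage check is the part worth keeping: a template that omits one of the HTTP ports (9000 in the constructed TCP list above) will report that service as absent, and a host that only runs it then looks like a "machine without an essential service" in the Exposures scoring.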
Scan Template Settings

Asset Discovery Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned (by IP Address): ON

Services
  UDP: Custom
    Ports: 53 68-69 123 135 137-138 161 260 445 500 514 520 1434 1645-1646 1812-1813 2049 31337 43981
    Use Advanced UDP Scanning Technique: OFF
  TCP: Custom
    Ports: 7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 109-111 113 118-119 135 139 143 150 156 256-259 264 389 396 427 443 445 465 512-515 524 563 593 636 799 900-901 1080 1214 1243 1313 1352 1433 1494 1498 1521 1524-1525 1541-1542 1720 1723 1745 1755 1813 2000-2001 2003 2049 2080 2140 2301 2447 2766 2998 3128 3268 3300 3306 3372 3389 4045 4321 4665 4899 5222 5556 5631-5632 5800-5802 5900 6000 6112 6346 6666-6667 7000-7001 7070 7777 7947 8000-8001 8010 8080-8081 8100 8888 10000 12345 20034 30821 32768-32790
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting (Selected Services): OFF

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: OFF
  Shell Module
    Enable Shell Assessment Module: OFF
  Windows Module
    Enable Windows Host Assessment Module: OFF
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: OFF

Optimize: FASTER
Customize: OFF

COBIT All Checks Scan Template

This scan searches for vulnerabilities that would impact compliance with Control Objectives for Information and related Technology (COBIT); both intrusive and non-intrusive checks.

Scan Template Settings

COBIT All Checks Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned (by IP Address): ON

Services
  UDP: Custom
    Ports: 7 9 11 13 17 19 37 42 53 67-69 111 123 135 137 161 177 256 260 389 407 445 500 513-514 518 520 561 631 635 640 650 666 749 762 1024 1025-1028 1034 1060 1091 1352 1434 1645 1646 1701 1801 1812 1813 1900 1978 1999 2002 2049 2140 2161 2221 2301 2365 2493 2631 3179 3327 3456 3478 4045 4156 4296 4469 4802 5631 5632 7001 10080 11487 11493 22000 27444 31337 32768-32781 32783 32786-32790 40017 43981
    Use Advanced UDP Scanning Technique: OFF
  TCP: Custom
    Ports: 7 9 11 13 15 17 19 21 22 23 25 37 42 43 49 53 66-68 79 80 81 88 98 106 109 110 111 113 119 130-132 135 139 143 150 199 256-259 264 311 389 427 443 445 457 464 465 512-515 524 540 543 544 548 554 563 587 593 631 636 691 784 873 898 900-903 992-993 995 1002 1022-1033 1045 1050 1080 1084 1100 1109 1214 1234 1243 1311 1313 1352 1433 1455 1494 1512 1521 1524 1525 1527 1529 1541 1542 1574 1582 1677 1718-1720 1723 1754 1755 1782 1801 1863 1987-1989 1996 1998 2000 2001 2003 2049 2080 2103 2105 2140 2301 2381 2401 2433 2447 2766 2998 3001 3006 3127 3128 3141 3264 3268 3269 3300 3306 3372 3389 3689 4000 4001 4002 4045 4321 4443 4444 4662 4899 5000 5001 5003 5050 5101 5232 5432 5490 5555 5556 5631 5800 5801 5802 5900 5901 5980-5981 5987 6000 6003 6112 6349 6387 6588 6666-6669 6699 6881 7000-7002 7005-7007 7070 7100 7161 7273 7777-7778 8000-8001 8007 8009 8010 8080-8081 8100 8484 8875 8888 8910 9090 9100 9999 10000 10520 12345-12346 12361-12362 12888 13722 13782 13783 20034 26000 30100-30102 31337 32768-32790 33333 34324 40421-40423 49400-49401 65000 65301
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting (Selected Services): ON

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
  Shell Module
    Enable Shell Assessment Module: ON
  Windows Module
    Enable Windows Host Assessment Module: ON
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON

Optimize: NORMAL
Customize: OFF

COBIT Non-Intrusive Scan Template

This scan searches for vulnerabilities that would impact compliance with Control Objectives for Information and related Technology (COBIT); non-intrusive checks only.
Scan Template Settings

COBIT Non-Intrusive Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned (by IP Address): ON

Services
  UDP: Custom
    Ports: 7 9 11 13 17 19 37 42 53 67-69 111 123 135 137 161 177 256 260 389 407 445 500 513-514 518 520 561 631 635 640 650 666 749 762 1024 1025-1028 1034 1060 1091 1352 1434 1645 1646 1701 1801 1812 1813 1900 1978 1999 2002 2049 2140 2161 2221 2301 2365 2493 2631 3179 3327 3456 3478 4045 4156 4296 4469 4802 5631 5632 7001 10080 11487 11493 22000 27444 31337 32768-32781 32783 32786-32790 40017 43981
    Use Advanced UDP Scanning Technique: OFF
  TCP: Custom
    Ports: 7 9 11 13 15 17 19 21 22 23 25 37 42 43 49 53 66-68 79 80 81 88 98 106 109 110 111 113 119 130-132 135 139 143 150 199 256-259 264 311 389 427 443 445 457 464 465 512-515 524 540 543 544 548 554 563 587 593 631 636 691 784 873 898 900-903 992-993 995 1002 1022-1033 1045 1050 1080 1084 1100 1109 1214 1234 1243 1311 1313 1352 1433 1455 1494 1512 1521 1524 1525 1527 1529 1541 1542 1574 1582 1677 1718-1720 1723 1754 1755 1782 1801 1863 1987-1989 1996 1998 2000 2001 2003 2049 2080 2103 2105 2140 2301 2381 2401 2433 2447 2766 2998 3001 3006 3127 3128 3141 3264 3268 3269 3300 3306 3372 3389 3689 4000 4001 4002 4045 4321 4443 4444 4662 4899 5000 5001 5003 5050 5101 5232 5432 5490 5555 5556 5631 5800 5801 5802 5900 5901 5980-5981 5987 6000 6003 6112 6349 6387 6588 6666-6669 6699 6881 7000-7002 7005-7007 7070 7100 7161 7273 7777-7778 8000-8001 8007 8009 8010 8080-8081 8100 8484 8875 8888 8910 9090 9100 9999 10000 10520 12345-12346 12361-12362 12888 13722 13782 13783 20034 26000 30100-30102 31337 32768-32790 33333 34324 40421-40423 49400-49401 65000 65301
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting (Selected Services): ON

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
  Shell Module
    Enable Shell Assessment Module: ON
  Windows Module
    Enable Windows Host Assessment Module: ON
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON

Optimize: NORMAL
Customize: OFF

FISMA Compliance All Checks Scan Template

This scan searches for vulnerabilities that would impact compliance with the Federal Information Security Management Act (FISMA); both intrusive and non-intrusive checks.

Note: This template helps you prepare for FISMA compliance, but it does not cover the entire regulation. Failing any scan based on this template will likely prevent you from achieving certification; however, a scan that shows no vulnerabilities does not by itself ensure that you are compliant. Vulnerability assessment is only one facet of regulatory compliance, the facet that Foundstone can help you with.
Scan Template Settings

FISMA Compliance All Checks Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned (by IP Address): ON

Services
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting: HTTP, HTTPS

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks: OFF
  Shell Module
    Enable Shell Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks: OFF
  Windows Module
    Enable Windows Host Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive and Intrusive checks selected, except Custom Windows checks
    Advanced - Run new checks: OFF
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive and Intrusive checks selected

Optimize: NORMAL
Customize: OFF

FISMA Compliance Non-Intrusive Scan Template

This scan searches for vulnerabilities that would impact compliance with the Federal Information Security Management Act (FISMA); non-intrusive checks only.
Note: This template helps you prepare for FISMA compliance, but it does not cover the entire regulation. Failing any scan based on this template will likely prevent you from achieving certification; however, a scan that shows no vulnerabilities does not by itself ensure that you are compliant. Vulnerability assessment is only one facet of regulatory compliance, the facet that Foundstone can help you with.

Scan Template Settings

FISMA Compliance Non-Intrusive Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned (by IP Address): ON

Services
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting: HTTP, HTTPS

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Shell Module
    Enable Shell Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Windows Module
    Enable Windows Host Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected

Optimize: NORMAL
Customize: OFF

Full Vulnerability Scan Template
The full vulnerability scan comprehensively assesses your network for vulnerabilities using all existing non-intrusive vulnerability checks.

Scan Template Settings

Full Vulnerability Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned (by IP Address): ON

Services
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting (Selected Services): HTTP, HTTPS

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: ON (for all selected categories)
  Shell Module
    Enable Shell Assessment Module: ON
    Vulnerability Checks: All Non-Intrusive checks selected
  Windows Module
    Enable Windows Host Assessment Module: ON
    Vulnerability Checks: All Non-Intrusive checks selected, except Custom Windows checks
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON
    Vulnerability Checks: All Non-Intrusive checks selected

Optimize: FASTER
Customize: OFF

HIPAA Compliance All Checks Scan Template

This scan searches for vulnerabilities that would impact compliance with the Health Insurance Portability and Accountability Act (HIPAA); both intrusive and non-intrusive checks.
Note: This template helps you prepare for HIPAA compliance, but it does not cover the entire regulation. Failing any scan based on this template will likely prevent you from achieving certification; however, a scan that shows no vulnerabilities does not by itself ensure that you are compliant. Vulnerability assessment is only one facet of regulatory compliance, the facet that Foundstone can help you with.

Scan Template Settings

HIPAA Compliance All Checks Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned (by IP Address): ON

Services
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting: HTTP, HTTPS

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks: OFF
  Shell Module
    Enable Shell Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Windows Module
    Enable Windows Host Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected, except Custom Windows checks
    Advanced - Run new checks: OFF
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive and Intrusive checks selected

Optimize: NORMAL
Customize: OFF

HIPAA Compliance Non-Intrusive Scan Template

This scan searches for vulnerabilities that would impact compliance with the Health Insurance Portability and Accountability Act (HIPAA); non-intrusive checks only.

Note: This template helps you prepare for HIPAA compliance, but it does not cover the entire regulation. Failing any scan based on this template will likely prevent you from achieving certification; however, a scan that shows no vulnerabilities does not by itself ensure that you are compliant. Vulnerability assessment is only one facet of regulatory compliance, the facet that Foundstone can help you with.

Scan Template Settings

HIPAA Compliance Non-Intrusive Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned (by IP Address): ON

Services
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting: HTTP, HTTPS

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Shell Module
    Enable Shell Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Windows Module
    Enable Windows Host Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected

Optimize: NORMAL
Customize: OFF

ISO 17799-BS7799 Compliance All Checks Scan Template

This scan searches for vulnerabilities that would impact compliance with the International Organization for Standardization (ISO) standard ISO/IEC 17799 and the British Standard BS 7799, "Code of Practice for Information Security Management"; both intrusive and non-intrusive checks.

Note: This template helps you prepare for compliance with the ISO standard, but it does not cover the entire standard. Failing any scan based on this template will likely prevent you from achieving certification; however, a scan that shows no vulnerabilities does not by itself ensure that you are compliant. Vulnerability assessment is only one facet of regulatory compliance, the facet that Foundstone can help you with.
Scan Template Settings

ISO 17799-BS7799 Compliance All Checks Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned (by IP Address): ON

Services
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting: HTTP, HTTPS

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive and Intrusive checks selected
    Advanced - Run new checks: OFF
  Shell Module
    Enable Shell Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Windows Module
    Enable Windows Host Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected, except Custom Windows checks
    Advanced - Run new checks: OFF
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive and Intrusive checks selected

Optimize: NORMAL
Customize: OFF

ISO 17799-BS7799 Compliance Non-Intrusive Scan Template

This scan searches for vulnerabilities that would impact compliance with the International Organization for Standardization (ISO) standard ISO/IEC 17799 and the British Standard BS 7799, "Code of Practice for Information Security Management"; non-intrusive checks only.

Note: This template helps you prepare for compliance with the ISO standard, but it does not cover the entire standard. Failing any scan based on this template will likely prevent you from achieving certification; however, a scan that shows no vulnerabilities does not by itself ensure that you are compliant. Vulnerability assessment is only one facet of regulatory compliance, the facet that Foundstone can help you with.

Scan Template Settings

ISO 17799-BS7799 Compliance Non-Intrusive Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned (by IP Address): ON

Services
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting: HTTP, HTTPS

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Shell Module
    Enable Shell Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Windows Module
    Enable Windows Host Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected, except Custom Windows checks
    Advanced - Run new checks: OFF
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected

Optimize: NORMAL
Customize: OFF

Large Network Asset Discovery Scan Template

For networks with up to 16.7 million potentially live hosts.

These settings are optimized for discovering all devices in extremely large environments spanning multiple Class B networks or a Class A address space. The results provide the operating system types, machine names, and a network topology of the networks scanned. This is a high-level view and does not report all the services that could be listening on discovered hosts. Turning on all services for this type of scan is not recommended, because the resulting data set would be extremely large. For a detailed view of individual hosts, use smaller scans to produce a report that can be used on an operational basis.

Notes: Changing these parameters can increase the scan time significantly. The parameters below are optimal for this type of scan; using them, a scan of this magnitude should complete within 24 hours. Do not attempt to run a vulnerability assessment on a network of this size; the amount of information alone would be overwhelming. Imagine a report with 10,000 live hosts, each showing 3 vulnerabilities (most systems have more than 3): that is 30,000 vulnerabilities in one extremely large report.
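The Notes above claim that the template's Customize values (10 sub-scans, 8 ms inter-packet delay, one pass) let a scan of 16.7 million addresses finish inside 24 hours, and that enabling all services on a network that size is impractical. The following Python script is an added example, not code from Foundstone or this guide. It parses the space-separated port lists the Services settings use (rejecting tokens whose hyphen was lost in extraction, such as "3276832790", instead of silently turning them into bogus port numbers), compares the Asset Discovery TCP list printed earlier with the Large Network TCP list, and estimates the probe budget for both under the Large Network pacing. The pacing model (each sub-scan sends one probe per inter-packet delay) and the 800,000 live-host figure are assumptions; the guide does not say how the engine turns those parameters into a packet rate.

```python
"""Port-list parsing and probe-budget estimation for discovery scan templates.

Added example; not code from the Foundstone product or this guide.  The port
lists are copied from the Services settings printed in this section.  The
pacing model (each sub-scan sends one probe per inter-packet delay) and the
800,000 live-host figure used in main are ASSUMPTIONS, not documented
behaviour of the scan engine.
"""
from __future__ import annotations

import re

# TCP service-discovery port lists as printed in the guide.
ASSET_DISCOVERY_TCP = (
    "7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 109-111 113 "
    "118-119 135 139 143 150 156 256-259 264 389 396 427 443 445 465 512-515 "
    "524 563 593 636 799 900-901 1080 1214 1243 1313 1352 1433 1494 1498 1521 "
    "1524-1525 1541-1542 1720 1723 1745 1755 1813 2000-2001 2003 2049 2080 "
    "2140 2301 2447 2766 2998 3128 3268 3300 3306 3372 3389 4045 4321 4665 "
    "4899 5222 5556 5631-5632 5800-5802 5900 6000 6112 6346 6666-6667 "
    "7000-7001 7070 7777 7947 8000-8001 8010 8080-8081 8100 8888 10000 12345 "
    "20034 30821 32768-32790"
)
LARGE_NETWORK_TCP = "21 22 23 25 80 110 135 445 1025"

# One port, or an inclusive "lo-hi" range.  A range whose hyphen was lost in
# PDF extraction ("3276832790") has too many digits and is rejected, not guessed.
_TOKEN = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_ports(spec: str) -> set[int]:
    """Expand a space-separated port spec such as "7 9 21-23" into a set of ports."""
    ports: set[int] = set()
    for tok in spec.split():
        m = _TOKEN.match(tok)
        if not m:
            raise ValueError(f"bad port token: {tok!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {tok!r}")
        ports.update(range(lo, hi + 1))
    return ports


def is_valid_port_spec(spec: str) -> bool:
    """True if every token in spec is a well-formed port or range."""
    try:
        parse_ports(spec)
    except ValueError:
        return False
    return True


def format_ports(ports: set[int]) -> str:
    """Inverse of parse_ports: collapse consecutive ports into "lo-hi" ranges."""
    ordered = sorted(ports)
    out: list[str] = []
    i = 0
    while i < len(ordered):
        lo = hi = ordered[i]
        while i + 1 < len(ordered) and ordered[i + 1] == hi + 1:
            i += 1
            hi = ordered[i]
        out.append(f"{lo}-{hi}" if hi > lo else str(lo))
        i += 1
    return " ".join(out)


def estimate_discovery(addresses: int, live_hosts: int, tcp_ports: set[int],
                       sub_scans: int, inter_packet_delay_ms: float,
                       passes: int = 1) -> tuple[int, float]:
    """Return (probe count, estimated seconds) for an ICMP + TCP discovery scan.

    Model (assumption): host discovery sends one ICMP echo request per address
    (ICMP Scanning ON, Echo Request Only); service discovery sends one probe
    per TCP port to each live host; each sub-scan emits one probe per
    inter-packet delay, so the aggregate rate is sub_scans * 1000 / delay
    probes per second.  Retries, time spent waiting on timeouts for silent
    addresses, and UDP probes are not modelled, so the result is a floor.
    """
    if not 0 <= live_hosts <= addresses:
        raise ValueError("live_hosts must be between 0 and addresses")
    if sub_scans < 1 or inter_packet_delay_ms <= 0 or passes < 1:
        raise ValueError("sub_scans, inter_packet_delay_ms and passes must be positive")
    rate = sub_scans * 1000.0 / inter_packet_delay_ms
    probes = passes * (addresses + live_hosts * len(tcp_ports))
    return probes, probes / rate


if __name__ == "__main__":
    asset = parse_ports(ASSET_DISCOVERY_TCP)
    large = parse_ports(LARGE_NETWORK_TCP)
    print(f"Asset Discovery TCP ports: {len(asset)}, Large Network: {len(large)}")
    print("Large Network ports absent from Asset Discovery:", format_ports(large - asset))

    # Class A space (2**24 addresses) with a constructed 800,000 live hosts,
    # paced by the Large Network Customize values: 10 sub-scans, 8 ms delay, 1 pass.
    for label, ports in (("Large Network TCP list", large), ("Asset Discovery TCP list", asset)):
        probes, secs = estimate_discovery(2**24, 800_000, ports, sub_scans=10, inter_packet_delay_ms=8)
        print(f"{label}: {probes:,} probes, about {secs / 3600:.1f} h")

    # Doubling the inter-packet delay (one of the "changes to these parameters") doubles the floor.
    _, slow = estimate_discovery(2**24, 800_000, large, sub_scans=10, inter_packet_delay_ms=16)
    print(f"Large Network list at 16 ms delay: about {slow / 3600:.1f} h")
```

Run it as a script to see the comparison: the nine-port Large Network list stays comfortably inside the 24-hour budget, while substituting the Asset Discovery list multiplies the service-discovery probes by more than an order of magnitude. The figure is a floor, not a forecast: the Timeout and Number of passes settings govern retries and how long the scanner waits on addresses that never answer, and none of that is modelled here.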
Scan Template Settings

Large Network Asset Discovery Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: OFF
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned: ON

Services
  UDP: None
    Use Advanced UDP Scanning Technique: OFF
  TCP: Custom
    Ports: 21 22 23 25 80 110 135 445 1025
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: OFF
    Enable Load Balancer Detection: OFF
    Service Fingerprinting: OFF

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: OFF
  Shell Module
    Enable Shell Assessment Module: OFF
  Windows Module
    Enable Windows Host Assessment Module: OFF
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: OFF

Optimize: FASTEST

Customize: ON
  Number of sub-scans: 10
  Inter-packet Delay (ms): 8
  Batch Size: 8192
  Network Mapping: OFF
  ICMP Timeout (ms): 1000
  TCP Timeout (ms), Host Discovery: 2000
  TCP Timeout (ms), Service Discovery: 2000
  UDP Timeout (ms), Host Discovery: 2000
  UDP Timeout (ms), Service Discovery: 2000
  Number of passes, Host Discovery: 1
  Number of passes, Service Discovery: 1

OS Identification Scan Template

This scan is optimized to comprehensively discover and identify the operating systems of all network devices on your network.
Scan Template Settings

OS Identification Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned (by IP Address): ON

Services
  UDP: Custom
    Ports: 53 68-69 123 135 137-138 161 260 445 500 514 520 1434 1645-1646 1812-1813 2049 31337 43981
    Use Advanced UDP Scanning Technique: OFF
  TCP: Custom
    Ports: 7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 109-111 113 118-119 135 139 143 150 156 256-259 264 389 396 427 443 445 465 512-515 524 563 593 636 799 900-901 1080 1214 1243 1313 1352 1433 1494 1498 1521 1524-1525 1541-1542 1720 1723 1745 1755 1813 2000-2001 2003 2049 2080 2140 2301 2447 2766 2998 3128 3268 3300 3306 3372 3389 4045 4321 4665 4899 5222 5556 5631-5632 5800-5802 5900 6000 6112 6346 6666-6667 7000-7001 7070 7777 7947 8000-8001 8010 8080-8081 8100 8888 10000 12345 20034 30821 32768-32790
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting (Selected Services): HTTP, HTTPS, loc-srv

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: OFF
  Shell Module
    Enable Shell Assessment Module: OFF
  Windows Module
    Enable Windows Host Assessment Module: OFF
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: OFF

Optimize: FASTER

Customize: ON
  Number of sub-scans: 8
  Inter-packet Delay (ms): 12
  Batch Size: 512
  Network Mapping: OFF
  ICMP Timeout (ms), Host Discovery: 1500
  ICMP Timeout (ms), Service Discovery: NA
  TCP Timeout (ms), Host Discovery: 3000
  TCP Timeout (ms), Service Discovery: 3000
  UDP Timeout (ms), Host Discovery: 1500
  UDP Timeout (ms), Service Discovery: 1500
  Number of passes, Host Discovery: 1
  Number of passes, Service Discovery: 2

Payment Card Industry (PCI) Compliance Non-Intrusive Scan Template

This scan searches for vulnerabilities that would impact compliance with the Payment Card Industry (PCI) Data Security Standard; non-intrusive checks only.

Note: This template helps you prepare for PCI compliance, but it does not cover the entire standard. Failing any scan based on this template will likely prevent you from achieving certification; however, a scan that shows no vulnerabilities does not by itself ensure that you are compliant. Vulnerability assessment is only one facet of regulatory compliance, the facet that Foundstone can help you with.

Scan Template Settings

PCI (MasterCard/Visa) Compliance Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned: ON

Services
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting: HTTP, HTTPS

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Shell Module
    Enable Shell Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Windows Module
    Enable Windows Host Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected, except Custom Windows checks
    Advanced - Run new checks: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected

Optimize: NORMAL
Customize: OFF

SANS/FBI Top 20 All Checks Scan Template

This scan searches for the vulnerabilities that SANS and the FBI have identified as the Top 20 most common vulnerabilities; both non-intrusive and intrusive checks.

Scan Template Settings

SANS/FBI Top 20 All Checks Scan Template Settings

Scan Type: SANS/FBI Top 20 (All Checks)

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned: ON

Services
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting: HTTP, HTTPS

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
    Vulnerability Checks: Applicable SANS/FBI Top 20 Intrusive and Non-Intrusive checks pre-selected
    Advanced - Run new checks: OFF
  Shell Module
    Enable Shell Assessment Module: ON
    Vulnerability Checks: Applicable SANS/FBI Top 20 Intrusive and Non-Intrusive checks pre-selected
    Advanced - Run new checks: OFF
  Windows Module
    Enable Windows Host Assessment Module: ON
    Vulnerability Checks: Applicable SANS/FBI Top 20 Intrusive and Non-Intrusive checks pre-selected
    Advanced - Run new checks: OFF
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON
    Vulnerability Checks: Applicable SANS/FBI Top 20 Intrusive and Non-Intrusive checks pre-selected

Optimize: FASTER
Customize: OFF

SANS/FBI Top 20 Non-Intrusive Scan Template

This scan searches for the vulnerabilities that SANS and the FBI have identified as the Top 20 most common vulnerabilities; non-intrusive checks only.

Scan Template Settings

SANS/FBI Top 20 Non-Intrusive Scan Template Settings

Scan Type: SANS/FBI Top 20 (Non-Intrusive Checks)

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned: ON

Services
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting: OFF

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
    Vulnerability Checks: Applicable SANS/FBI Top 20 Non-Intrusive checks pre-selected
    Advanced - Run new checks: OFF
  Shell Module
    Enable Shell Assessment Module: ON
    Vulnerability Checks: Applicable SANS/FBI Top 20 Non-Intrusive checks pre-selected
    Advanced - Run new checks: OFF
  Windows Module
    Enable Windows Host Assessment Module: ON
    Vulnerability Checks: Applicable SANS/FBI Top 20 Non-Intrusive checks pre-selected
    Advanced - Run new checks: OFF
  Web Module
    Enable Web Application Assessment Module: OFF
  Wireless Module
    Enable Wireless Assessment Module: ON
    Vulnerability Checks: Applicable SANS/FBI Top 20 Non-Intrusive checks pre-selected

Optimize: FASTER
Customize: OFF

Sarbanes-Oxley Compliance Non-Intrusive Scan Template

This scan searches for vulnerabilities that would impact compliance with the Sarbanes-Oxley (SOX) Act of 2002; non-intrusive checks only.

Note: This template helps you prepare for SOX compliance, but it does not cover the entire regulation. Failing any scan based on this template will likely prevent you from achieving certification; however, a scan that shows no vulnerabilities does not by itself ensure that you are compliant. Vulnerability assessment is only one facet of regulatory compliance, the facet that Foundstone can help you with.

Scan Template Settings

SOX Compliance Scan Template Settings

Scan Type: Custom

Hosts
  ICMP Scanning: ON (Echo Request Only)
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
    Use UDP Static Source Port: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
    Use TCP Static Source Port: OFF
  Advanced:
    Enable Hostname Resolution: ON
    Enable OS Identification: ON
    Use credentials if available: ON
    Randomize order of hosts scanned: ON

Services
  UDP Scanning: Default
    Use Advanced UDP Scanning Technique: OFF
  TCP Scanning: Default
    Full Connect Scan: OFF
  Advanced Options:
    Enable Banner Grabbing: ON
    Enable Load Balancer Detection: OFF
    Service Fingerprinting: HTTP, HTTPS

Vulns
  General Vulns
    Enable General Vulnerability Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Shell Module
    Enable Shell Assessment Module: ON
    Vulnerability Checks: Applicable Non-Intrusive checks selected
    Advanced - Run new checks: OFF
  Windows Module
    Enable Windows Host Assessment Module: ON
    Vulnerability
Checks Applicable Non-Intrusive checks selected Advanced – Run new checks OFF Enable Web Application Assessment OFF Wireless Module Enable Wireless Assessment Module Vulnerability Checks Optimize ON Applicable Non-Intrusive checks selected NORMAL Customize OFF 345 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Shell Advanced Scan Template This scan utilizes authenticated Shell credentials to assess UNIX-based hosts (including routers) for missing service patches and hotfixes. Scan Template Settings Full Vulnerability Scan Template Settings Scan Type Custom Hosts ICMP Scanning ON Echo Request Only UDP y y None Use Advanced UDP Scanning Technique Use UDP Static Source Port OFF OFF TCP y y 22, 23 Full connect scan Use TCP Static Source Port OFF OFF Advanced: y y y y Enable Hostname Resolution Enable OS Identification Use credentials if available Randomize order of hosts scanned On On On On Services UDP Scanning 137 Use Advanced UDP Scanning OFF TCP Scanning 22, 23 Full Connect Scan OFF 346 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Full Vulnerability Scan Template Settings Advanced Options: y y Perform Banner Grabbing Enable Load Balancer Detection ON OFF Service Fingerprinting: Selected Services None General Vulns Enable General Vulnerability Assessment Module OFF Shell Module Enabled Shell Assessment Module ON Vulnerability Checks All Non-Intrusive checks selected Windows Module Enable Windows Host Assessment Module OFF Web Module Enable Web Application Assessment OFF Wireless Module Enable Wireless Assessment Module OFF Optimize FASTER Customize OFF Single Vulnerability Scan Template Description: This scan allows you to quickly assess your network for the latest vulnerability When you have to create a scan to look for a single vulnerability like the Microsoft Windows RPC DCOM vulnerability that caused trouble in August ’03, use these recommended settings to optimize your scan. 
This template sets up the parameters for the scan; you still must select the module and checks to be scanned. Scan Template Settings Single Vulnerability Scan Template Settings Scan Type Custom Hosts ICMP Scanning ON Echo Request Only 347 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Single Vulnerability Scan Template Settings UDP Scanning Default Use Default Advanced UDP Scanning Technique OFF OFF Use UDP Static Source Port TCP Scanning Full Connect Scan Use TCP Static Source Port Default OFF OFF Advanced: Enable Hostname Resolution On Enable OS Identification On Use credentials if available On Randomize order of hosts scanned On Services UDP Scanning Default Use Advanced UDP Scanning Technique OFF TCP Scanning Default Full Connect Scan OFF Advanced Options: General Vulns Perform Banner Grabbing OFF Enable Load Balancer Detection OFF Service Fingerprinting OFF Enable General Vulnerability Assessment Module ON 348 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Single Vulnerability Scan Template Settings Vulnerability checks None. Select the vulnerabilities you want to check. Shell Module Enable Shell Assessment Module OFF Windows Module Enable Windows Host Assessment Module OFF Web Module Enable Web Application Assessment OFF Wireless Module Enable Wireless Assessment Module OFF Optimize FASTER Customize OFF Web Server Scan Template This scan assesses Web servers for misconfigurations, weak or default passwords, SQL error analysis, and other exposures. 
Scan Template Settings Web Server Scan Template Settings Scan Type Custom Hosts ICMP Scanning ON Echo Request Only 349 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Web Server Scan Template Settings UDP y y Default Use Advanced UDP Scanning Technique Use UDP Static Source Port TCP Scanning Custom OFF OFF 22 23 80 81 139 443 445 900 901 2301 3128 5800 5801 5802 7000 7001 7002 7070 8000 8001 8007 8009 8010 8080 8081 8200 8383 8888 9090 10000 11523 49400 49401 y Full Connect Scan y USE TCP STATIC SOURCE OFF PORT OFF Advanced: y y y y Enable Hostname ON Resolution Enable OS Identification Use credentials if available ON Randomize order of hosts ON scanned ON Services UDP Scanning 350 Default 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Web Server Scan Template Settings Use Advanced UDP Scanning OFF TCP Scanning Custom Ports: 22 23 80 81 139 443 445 900 901 2301 3128 5800 5801 5802 7000 7001 7002 7070 8000 8001 8007 8009 8010 8080 8081 8200 8383 8888 9090 10000 11523 49400 49401 Full Connect Scan OFF Advanced: y y Banner Grabbing Enable Load Balancer Detection ON OFF Service Fingerprinting: y y Detect services running on non-standard port ON Services HTTP, HTTPS General Vulns Enable General Vulnerability Assessment Module ON Vulnerability Checks All Non-Intrusive checks selected for the “Web” category Advanced – Run new checks ON (for all selected categories) Shell Module Enable Shell Assessment Module OFF Windows Module Enable Windows Host Assessment Module OFF Web Module Enable Web Application Assessment ON 351 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Web Server Scan Template Settings Source Sifting ON Smart Guesswork ON SQL Security Analysis ON Source Code Disclosure ON Authentication Testing ON Forms Based Authentication ON y y ON HTTP Basic NTLM Authentication Maximum Links to crawl ON 500 Wireless Module Enable Wireless Assessment Module OFF Optimize FASTER Customize OFF 
Windows Advanced Scan Template This scan utilizes Windows administrative credentials to assess Windows hosts for missing service patches, local security policy violations, anti-virus policy violations, existence of Trojan applications, and other Windows vulnerabilities. Note: Credentials are required in order to execute this scan. Scan Template Settings Windows Advanced Scan Template Settings Scan Type Custom Hosts ICMP Scanning ON Echo Request Only 352 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Windows Advanced Scan Template Settings UDP Scanning Default Use Default Advanced UDP Scanning Technique OFF Use UDP Static Source Port OFF TCP Scanning Default Full Connect Scan Use TCP Static Source Port OFF OFF Advanced: Enable Hostname Resolution OFF Enable OS Identification Use credentials if available OFF Randomize order of hosts scanned OFF OFF Services UDP Scanning Default Use Advanced UDP Scanning OFF TCP Scanning Default Full Connect Scan OFF Advanced Options: Perform Banner Grabbing ON Enable Load Balancer Detection OFF Service Fingerprinting OFF General Vulns Enable General Vulnerability Assessment Module 353 OFF 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Windows Advanced Scan Template Settings Shell Module Enable Shell Assessment Module OFF Windows Module Enable Windows Host Assessment Module ON Vulnerability Checks All Non-Intrusive checks selected for the Windows Module category Advanced – Run new checks ON (for all selected categories) Enable Web Application Assessment OFF Web Module Wireless Module Enable Wireless Assessment Module OFF Optimize FASTER Customize OFF Windows Policy Compliance Scan Template This scan searches for vulnerabilities that would impact compliance with the Windows Policy template; all user specified windows policy template settings are checked only. 
Scan Template Settings Windows Policy Compliance Scan Template Settings Scan Type Custom Hosts ICMP Scanning ON Echo Request Only 354 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Windows Policy Compliance Scan Template Settings UDP Scanning Default Use Default Advanced UDP Scanning Technique OFF Use UDP Static Source Port OFF TCP Scanning Default Full Connect Scan Use TCP Static Source Port OFF OFF Advanced: Enable Hostname Resolution ON Enable OS Identification Use credentials if available ON Randomize order of hosts scanned ON ON Services UDP Scanning Default Use Advanced UDP Scanning OFF TCP Scanning Default Full Connect Scan OFF Advanced Options: Perform Banner Grabbing ON Enable Load Balancer Detection OFF Service Fingerprinting ON Selected Services HTTP General Vulns Enable General Vulnerability Assessment Module 355 OFF 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Windows Policy Compliance Scan Template Settings Windows Module Enable Windows Host Assessment Module ON Vulnerability Checks Security Policy/Options Advanced – Run new checks ON (for all selected categories) Wireless Module Enable Wireless Assessment Module OFF Shell Module Enable Shell Assessment Module ON Web Module Enable Web Application Assessment OFF Optimize NORMAL Customize OFF Wireless Assessment Scan Template This scan discovers wireless access points on your network and assesses them for known vulnerabilities. 
Scan Template Settings Wireless Assessment Scan Template Settings Scan Type Custom Hosts ICMP Scanning ON Echo Request Only 356 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Wireless Assessment Scan Template Settings UDP Scanning Default Use Default Advanced UDP Scanning Technique OFF OFF Use UDP Static Source Port TCP Scanning Full Connect Scan Use TCP Static Source Port Default OFF OFF Advanced: Enable Hostname Resolution On Enable OS Identification On Use credentials if available On Randomize order of hosts scanned On Services UDP Scanning Default Use Advanced UDP Scanning OFF TCP Scanning Default Full Connect Scan OFF Advanced Options: Perform Banner Grabbing ON Enable Load Balancer Detection OFF Service Fingerprinting: Selected Services OFF General Vulns Enable General Vulnerability Assessment Module OFF Shell Module Enable Shell Assessment Module OFF 357 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Wireless Assessment Scan Template Settings Windows Module Enable Windows Host Assessment Module OFF Web Module Enable Web Application Assessment OFF Wireless Module Enable Wireless Assessment Module ON Vulnerability Checks All Non-intrusive checks selected Advanced – Run new checks ON (for all selected categories) Optimize FASTER Customize OFF Scan Properties To get here, click SCANS > NEW SCAN, and click Next. Or, click SCANS > EDIT SCAN, and click Edit. Or, click MANAGE > USERS/GROUPS. Double-click the scan to edit. The Remediation Administrator has access to these features if explicitly assigned access rights to scans. The scan properties page displays the following tabs: • • • • IP Selection (page 359) - edit the scan name, scan type, and specify IP Addresses (or assets) to be scanned. Settings - edit the discovery (page 370) and service (page 377) options, vulnerability selection (page 388) (for General, Windows, Wireless, and Shell vulnerability checks) and optimization settings (page 398). 
Reports (page 400) - edit the FoundScore type, remediation ticket generation, and reporting options. Scheduler (page 404) - Activate the scan, set a schedule for recurring scans. Figure 105: Scan Properties tabs Warning: More than one administrator can edit a scan at the same time. The application does not lock a scan as it is being edited. If a scan is edited by more than one person at one time, whoever saves it last makes the final decision. McAfee recommends that you carefully implement policy regarding who can edit and administrate scans. 358 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Scan Properties - IP Selection Tab To get here in the Foundstone Enterprise Manager, click SCANS > NEW SCAN, and click Next. Or, click SCANS > EDIT SCAN, and click Edit. Or, click MANAGE > USERS/GROUPS and double-click the scan to edit. Then click the IP Selection tab. The Remediation Administrator has access to these features if explicitly assigned access rights to scans. The IP Selection properties let you define the addresses or assets that you will be scanning. Procedures Use the IP Selection tab: • • • Enter or change the Scan Name and Description Select the Scan Type Specify the IP addresses to be scanned by: • Entering IP addresses (page 362) • Browsing through a list of assets (page 364) • Searching for specific assets (page 368) Figure 106: Scan Properties - IP Selection Tab 359 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide IP Selection Tab Descriptions Setting Description Name Enter a name for the scan to identify it. Tip: If you use part of your workgroup name as a prefix to your scan names, they will be easier to identify at the root organization level. Description The description is optional, but can be used to provide more information about the scan. Type The scan Type determines which modules and FSL Check scripts will be selected for the scan. 
  • Custom - Allows you to modify the module and check selections.
  • Sans/FBI Top 20 - Forces all module and check selections to check against the SANS/FBI Top 20 list of vulnerabilities and exploits.
  • Sans/FBI Top 20 (Non-intrusive Only) - Forces all module and check selections to check against the SANS/FBI Top 20 list of vulnerabilities and exploits, but does not select intrusive checks in any of the modules.
  • IAVA - Forces all module and check selections to check against the Information Assurance Vulnerability Alert (IAVA) list of vulnerabilities and exploits.
  • IAVA (Non-intrusive Only) - Forces all module and check selections to check against the IAVA list of vulnerabilities and exploits, but does not select intrusive checks in any of the modules.
  Note: The IAVA selections only appear on IAVA-enabled military and government systems.
Range: Select this tab to define IP address ranges by entering a beginning and ending IP address (page 362). This tab is selected by default when you first display the IP Selection tab.
Browse: Select this tab to define IP address ranges by browsing an asset list (page 364) and dragging assets or groups of assets from the list to the IP Range list. By default this tab shows the active assets.
Search: Select this tab to define IP address ranges by searching for assets (page 368) with a specific label, IP, operating system, NetBIOS name, DNS name, or domain name. By default this tab shows the active assets.
Included Ranges: Shows the ranges that will be included in the scan.
Excluded Ranges: Shows addresses that are explicitly excluded from the scan.
Import icon: Lets you import IP Addresses from a file.
Export icon: Lets you export IP Addresses to a file.
Delete icon: Deletes the selected range or address.
View Global IP Pool: Displays a dialog box containing all of the IP address ranges in your Global IP Pool.
OK: Saves the changes to the Scan Properties and closes the Scan Properties window.
Cancel: Closes the Scan Properties window without saving any changes.
Next >>: Displays the Settings tab.

To import a list of IP Addresses
1 Click Import.
2 Browse to the file to be uploaded and click Import. Make sure the file is properly formatted (see "Import File Format" on page 361) before uploading. You are limited to the following number of lines in the file being imported:
  • 2500 lines in the Foundstone Enterprise Manager
  • 7999 lines in the FoundScan Console
  The ranges from the file appear when the upload finishes. Then click OK.

Import File Format
You can import IP addresses from a prepared .txt file to speed IP address entry. When preparing your .txt file, follow these guidelines:
  • Add one IP address or range per line.
  • Use "-" (dash) to separate ranges.
  • Use "/" (forward slash) as a network mask character. See the example below.

Possible Input Formats
When entering IP address ranges, Foundstone 6.5 accepts the following inputs.

  Valid Entry         Resulting Start Range   Resulting End Range
  1.2.3.4             1.2.3.4                 1.2.3.4
  1.2.3.40-50         1.2.3.40                1.2.3.50
  1.2.3.40-1.3.3.0    1.2.3.40                1.3.3.0
  10.0.0.5/24         10.0.0.5                10.0.0.255
  10.0.0.5/8          10.0.0.5                10.255.255.255

Adding IP Addresses by Entering a Range
Use the Range tab to define IP address ranges by entering a beginning and ending IP address. This tab is selected by default when you first display the IP Selection tab.
Figure 107: IP Ranges - By IP Address tab

By IP Address Tab Settings
Host Name: Enter the NetBIOS name of a host or a Fully Qualified Domain Name. For example, enter Hostname or Hostname.Foundstone.com.
Starting IP Address: Enter the first IP Address of a range. If adding a single IP Address, enter it here.
Ending IP Address: Enter the last IP Address of the range.
CIDR Address: Enter a beginning address for the range. After the slash (/) enter the CIDR-formatted bit value to specify the range. The following list shows the possible values:
  • 8 - sets the range to scan the last three network blocks (0.x.x.x) from the address you specified. For example, 10.1.2.3/8 scans the range 10.1.2.3-10.255.255.255.
  • 16 - sets the range to scan the last two network blocks (0.0.x.x) from the address you specified. For example, 10.1.2.3/16 scans the range 10.1.2.3-10.1.255.255.
  • 24 - sets the range to scan the last network block (0.0.0.x) from the address you specified. For example, 10.1.2.3/24 scans the range 10.1.2.3-10.1.2.255.
  • 32 - sets the range to scan a single address. For example, 10.1.2.3/32 scans the single IP address 10.1.2.3.

To add a host using the host's name
1 Make sure the Included Ranges tab is selected.
2 Enter the name of the computer in the Host name field.
3 Click the add icon to add the address to the list. Foundstone 6.5 resolves the host name through the DNS service to find the IP address for that host. The Starting IP Address and Ending IP Address columns show the resolved address.

To add a single address
1 Make sure the Included Ranges tab is selected.
2 Enter the single IP address in the Starting IP Address box.
3 Enter the same IP address in the Ending IP Address box.
4 Click the add icon to submit the address to the list.

To add a range of addresses
1 Make sure the Included Ranges tab is selected.
2 Enter the beginning IP address in the Starting IP Address box.
3 Enter the ending IP address in the Ending IP Address box.
4 Click the add icon to add the range to the list.

To exclude addresses from the range
1 Click the Excluded Ranges tab.
2 Enter a host name in the Host Name field, or a range of IP addresses using the Starting IP Address and Ending IP Address fields.
3 Click the add icon to add the IP address(es) to the exclusion list.
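The Possible Input Formats table and the CIDR Address list above describe how an entry becomes a start and end address, and the Included Ranges and Excluded Ranges tabs describe how the target list is built. The Python below is an added example, not Foundstone code: it parses those notations, enforces the import-file line limits quoted above, and sizes the result; it assumes the modified-CIDR rule applies to any prefix length (the guide lists only /8, /16, /24 and /32) and that excluded ranges are subtracted from included ranges.

```python
"""Parser for the IP range notations accepted by the IP Selection tab and the
import file. Constructed example, not Foundstone code."""
import ipaddress

# Import-file line limits quoted by the guide, per product.
IMPORT_LINE_LIMITS = {"enterprise_manager": 2500, "foundscan_console": 7999}


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def parse_entry(entry: str) -> tuple[str, str]:
    """Return (start, end) for one entry in Foundstone's notation:
    1.2.3.4 (single), 1.2.3.40-50 (end repeats only the last octet),
    1.2.3.40-1.3.3.0 (two full addresses), 10.0.0.5/24 (modified CIDR)."""
    text = entry.strip()
    if "/" in text:
        # Modified CIDR: the given address is the START of the range and the
        # range runs to the last address of the enclosing block. Assumption:
        # the same rule holds for any prefix length, not only /8../32.
        addr_text, prefix_text = text.split("/", 1)
        start = _to_int(addr_text)
        prefix = int(prefix_text)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix length out of range: {text}")
        block = ipaddress.IPv4Network((start, prefix), strict=False)
        return _to_str(start), str(block.broadcast_address)
    if "-" in text:
        left, right = (part.strip() for part in text.split("-", 1))
        start = _to_int(left)
        if "." in right:
            end = _to_int(right)
        else:
            # Short form: only the final octet of the end address is given.
            last_octet = int(right)
            if not 0 <= last_octet <= 255:
                raise ValueError(f"bad final octet: {text}")
            end = _to_int(f"{left.rsplit('.', 1)[0]}.{last_octet}")
        if end < start:
            raise ValueError(f"end precedes start: {text}")
        return _to_str(start), _to_str(end)
    start = _to_int(text)
    return _to_str(start), _to_str(start)


def host_count(start: str, end: str) -> int:
    """Addresses in an inclusive range; worth checking before launching a
    scan, since 10.x.x.x/8 entries cover millions of hosts."""
    return _to_int(end) - _to_int(start) + 1


def parse_import_file(text: str, product: str = "enterprise_manager"):
    """Parse a whole import file (one entry per line, blank lines ignored),
    enforcing the product's line limit before any entry is accepted."""
    lines = [line for line in text.splitlines() if line.strip()]
    limit = IMPORT_LINE_LIMITS[product]
    if len(lines) > limit:
        raise ValueError(f"{len(lines)} lines exceeds the {limit}-line limit")
    return [parse_entry(line) for line in lines]


def effective_ranges(included, excluded):
    """Subtract the Excluded Ranges list from the Included Ranges list and
    return the inclusive ranges that remain (assumed interpretation of how
    the two lists combine; the guide only says excluded addresses are not
    scanned)."""
    result = []
    for start, end in included:
        pieces = [(_to_int(start), _to_int(end))]
        for ex_start, ex_end in excluded:
            lo, hi = _to_int(ex_start), _to_int(ex_end)
            remaining = []
            for s, e in pieces:
                if hi < s or lo > e:        # no overlap: keep the piece whole
                    remaining.append((s, e))
                    continue
                if s < lo:                  # part before the exclusion
                    remaining.append((s, lo - 1))
                if e > hi:                  # part after the exclusion
                    remaining.append((hi + 1, e))
            pieces = remaining
        result.extend((_to_str(s), _to_str(e)) for s, e in pieces)
    return result


if __name__ == "__main__":
    # Constructed sample import file covering every accepted form.
    SAMPLE = "1.2.3.4\n1.2.3.40-50\n1.2.3.40-1.3.3.0\n10.0.0.5/24\n10.0.0.5/8\n"
    targets = parse_import_file(SAMPLE)
    for start, end in targets:
        print(f"{start:>15} - {end:<15} {host_count(start, end):>10} hosts")
    print(effective_ranges(targets[3:4], [("10.0.0.100", "10.0.0.110")]))
```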
CIDR Support
Foundstone 6.5 supports a slightly modified Classless Inter-Domain Routing (CIDR) format that differs from the strict definition. Where the strict definition selects an entire address block, Foundstone 6.5 lets you define the beginning address and selects the rest of the address block from that point.

Examples
Under the strict CIDR definition, the string 10.1.2.3/8 would result in the range 10.0.0.0-10.255.255.255. The range would start at the network address given by the top 8 bits and finish with the last valid IP address for that network.
In Foundstone 6.5, the string 10.1.2.3/8 results in the range 10.1.2.3-10.255.255.255. You can provide a specific starting IP address, rather than always starting from the beginning of the network block.

Adding IP Addresses By Browsing an Asset List
Use the Browse tab to define IP address ranges by dragging assets or groups of assets from the assets list to the IP Range list. By default this tab shows the active assets.

Procedures
Using this view you can do the following:
  • Add assets to the Included Ranges List (top panel) by dragging and dropping assets from the bottom panel. To display assets in the bottom panel, select or drill down using the tree on the left.
  • Remove assets from the Included Ranges List (see "To remove an asset from the list" on page 366).
  • Add assets to the Excluded Ranges List.
  • View the properties of an asset. The properties are displayed in the search results (bottom panel).
Figure 108: Scan Properties - IP Selection by Browsing

Browse Settings
Tree View (Left Panel): Shows a hierarchical list of defined asset groups for your organization or workgroup. Click the + sign to expand any collapsed groups.
View: To specify whether the assets displayed are active (assets found during the last scan) or inactive (assets found during a previous scan but not found during the last scan), click this button.
To change the view of available assets
1 Click View.
2 Select the option you want to view:
  • All Assets: Shows all of the assets listed in the Global IP Pool, whether they are listed as being active or inactive.
  • Active Assets: Shows assets that were reported as being active in the last job run in which they participated.

To add assets to the IP list
Choose from the following methods to add an asset to the IP list:
  • Add a group - With the Include tab selected, drag an entire asset group from the asset list (left panel) to the IP Range List (top panel).
  • Add a single IP from a group - If you want to include individual assets that belong to the group, click the group to select it. The group's contents appear in the bottom panel. Drag individual assets from the list to the IP Range List.
  • Add a single IP - Click the IP Range in the left panel that contains the IP you want to add. The individual IPs appear in the bottom panel. With the Included Ranges tab selected in the top panel, drag the IP from the bottom panel to the top panel.
  • You can also right-click an asset group or individual asset and choose Include or Exclude from the shortcut menu.
Figure 109: IP Selection - Adding an asset by right-clicking
Note: If you add an asset group to the list, all members of that group are included. You cannot break up the group to include some hosts and exclude others.

To remove an asset from the list
  • Right-click the entry to be removed and choose Remove from the shortcut menu displayed. The entry is removed from the IP list.

To view the properties of an asset group
  • In the asset list (left pane), right-click the asset group and choose Properties from the shortcut menu displayed. The asset's properties page opens. See Managing Assets (on page 131) for more information.
To view the properties of an asset
  • In the list of assets in the bottom pane, right-click the asset and choose Properties from the shortcut menu. The Asset Properties dialog box is displayed. You can also double-click the asset to display the Asset Properties dialog box. See Managing Assets (on page 131) for more information.

Adding IP Addresses By Browsing an LDAP Server
Use the Browse tab to define IP address ranges by dragging IP addresses from an LDAP server list to the list of Included Ranges or Excluded Ranges.
Note: The LDAP server must be set up as a data source before you can select from that LDAP list.

Procedures
Using this view you can do the following:
  • Add assets to the Included Ranges List (top panel) by dragging and dropping assets from the bottom panel. To display assets in the bottom panel, select or drill down using the tree on the left.
  • Remove assets from the Included Ranges List (see "To remove an asset from the list" on page 366).
  • Add assets to the Excluded Ranges List.
  • View the properties of an asset. The properties are displayed in the search results (bottom panel).
Figure 110: Scan Properties - IP Selection by Browsing

Browse Settings
Tree View (Left Panel): Shows a hierarchical list of defined asset groups for your organization or workgroup. Click the + sign to expand any collapsed groups.
View: To specify whether the assets displayed are active (assets found during the last scan) or inactive (assets found during a previous scan but not found during the last scan), click this button.

To add an LDAP server to the Browse list
1 Click View.
2 Select the LDAP server you want to add to the Browse list. LDAP servers have (LDAP) after the server name.
3 Expand the .com list.
4 Expand the LDAP server list.
5 Select a group under the LDAP server name. Assets should appear in the lower pane.
6 Drag and drop assets to either the Included Ranges or Excluded Ranges tab.

Adding IP Addresses by Searching
Use the Search tab to define IP address ranges by searching for assets with a specific label, IP, operating system, NetBIOS name, DNS name, or domain name. By default this tab shows the active assets.

Procedures
Using this view you can do the following:
  • Add assets to the Included Ranges List (top panel) by dragging and dropping assets from the search results. The search results are displayed in the bottom panel.
  • Remove assets from the Included Ranges List (see "To remove an asset from the list" on page 366).
  • Add assets to the Excluded Ranges List.
  • View the properties of an asset. The properties are displayed in the search results (bottom panel).
Figure 111: Scan Properties - IP Selection by Searching

Search Settings
String to search for: Enter the text you want to find in the String to search for: text box. For all searches except for IP address, you can enter all or part of the string. For IP addresses, you must enter an exact IP address (in the correct net mask format, such as 10.0.1.89).
General Filter: Select the type of search you want to perform: Label, IP Address, Operating System, DNS Name, NetBIOS Name, or Domain Name.
Criticality Filter: To filter your search by a specific criticality level, under Criticality Filter, select the criticality level of the asset. This creates an "AND" search so that if you search for a Windows operating system with a criticality level of "Significant", your search results include all assets that are Windows operating systems and have a criticality of "Significant."
  Unchecking all boxes provides the same result as if all boxes were checked: your search results include assets with any criticality.
Search: To stop the search, click this button. There may be a slight delay before the Stop button becomes available. During this time the results are being retrieved from the database.

To search for assets on the IP Selection page
1 Enter the text you want to find in the String to search for: text box. For all searches except for IP address, you can enter all or part of the string. For IP addresses, you must enter an exact IP address (in the correct net mask format, such as 10.0.1.89).
2 For General Filter, select the type of search you want to perform: Label, IP Address, Operating System, DNS Name, NetBIOS Name, or Domain Name.
3 To filter your search by a specific criticality level, under Criticality Filter, select the criticality level of the asset. This creates an "AND" search so that if you search for a Windows operating system with a criticality level of "Significant", your search results include all assets that are Windows operating systems and have a criticality of "Significant." Unchecking all boxes provides the same result as if all boxes were checked: your search results include assets with any criticality.
The search results appear in the lower pane. Then you can select individual assets from the results list and add them to your IP List.

To remove an asset from the list
  • Right-click the entry to be removed and choose Remove from the shortcut menu displayed. The entry is removed from the IP list.

To view the properties of an asset
  • In the list of assets in the bottom pane, right-click the asset and choose Properties from the shortcut menu. The Asset Properties dialog box is displayed. You can also double-click the asset to display the Asset Properties dialog box. See Managing Assets (on page 131) for more information.
Scan Properties - Host Discovery Settings

To get here in the Foundstone Enterprise Manager, click SCANS > NEW SCAN, and click Next. Or, click SCANS > EDIT SCAN, and click Edit. Or, click MANAGE > USERS/GROUPS and double-click the scan to edit. Click the Settings tab. Then click Hosts on the left.

The Remediation Administrator has access to these features if explicitly assigned access rights to scans.

This page determines how the scan will behave when searching for live hosts on your network.

Procedures

The Host Discovery settings let you do the following tasks:
• Set options for ICMP scanning (see "ICMP Scanning Settings" on page 372)
• Set options for UDP scanning (see "UDP Scanning Settings for Host Discovery" on page 372)
• Set options for TCP scanning (see "TCP Scanning Settings for Host Discovery" on page 373)
• Set advanced options (see "Scan Properties - Advanced Host Discovery Settings" on page 375)

Figure 112: Scan properties - Host discovery settings

Host Discovery Features and Settings

ICMP Scanning (see "ICMP Scanning Settings" on page 372)
    Click Enable to use ICMP scanning; clear the Enable box to disable it. Choose which ICMP requests to use.

UDP Scanning (see "UDP Scanning Settings for Host Discovery" on page 372)
    Choose which ports to scan and other UDP options.

TCP Scanning (see "TCP Scanning Settings for Host Discovery" on page 373)
    Choose which ports to scan and other TCP options.

Advanced Options (see "Scan Properties - Advanced Host Discovery Settings" on page 375)
    Provides options for identifying and labeling DNS names and operating systems. Lets you randomize the order in which hosts are scanned.

ICMP Scanning Settings

ICMP Scanning uses the ICMP protocol to elicit answers from live hosts. Clear this checkbox to disable ICMP Pinging from the discovery scan. With ICMP Pinging enabled, you can use any number of the following methods to test for live hosts, but you must select at least one.

ICMP Settings

Echo Request
    Pings the host and checks for a response. If you know that pings and ICMP requests cannot pass through the routers or firewalls on your network, you can deselect this option and use a different method.

Address Mask Request
    Sends an ICMP request type 17 to get the netmask of the host's network card.

Timestamp Request
    Sends an ICMP type 13 "Timestamp" request to see the time zone of the host.

Information Request
    Sends an ICMP request for general system information.

Many networks allow different types of ICMP requests. Restrict ICMP requests to those types that are allowed on your network for best results.

UDP Scanning Settings for Host Discovery

The default UDP technique uses a patent-pending algorithm for determining whether a UDP port is open by sending special packets to the target port. If the target system responds with a normal UDP packet, then the port is determined to be open.

UDP Scanning Settings

None
    The scan will not use UDP scanning. When selected, the rest of the UDP Scanning settings are grayed out.

Default
    Select this option to scan using the default UDP ports as defined in the Preferences. The Ports dialog box shows the default ports that have been set up.

Custom
    Select this option to enter your own list of ports in the Ports box. The Ports box shows the last ports that you entered, or it shows the default ports if you have not entered your own list.

Use advanced UDP scanning technique
    This method uses an advanced algorithm for UDP detection that is more accurate at discovering hosts and services.

Use UDP static source port
    Specify a static source port for sending UDP packets. This port specifies the port on which the UDP packets originated.
    There are two general cases where source ports can be useful:
    • Configure your scan to comply with existing firewall rules.
    • Identify services that watch for packets coming from a specific port.
    For example, traditional Cisco IOS routers employ rule sets that allow traffic coming from TCP port 20 (FTP data) or UDP port 53 (DNS). This is required because the router/firewall does not maintain the state of the connection, and these services either run on multiple ports depending on the direction of the connection or they use a connectionless UDP protocol. As a result, when you enable source port for your host or service discovery, you may reveal a large number of systems alive and ports open that had been previously unknown to you. Also, some services only respond if a request comes from a specific port.

Important: If you use source ports, do not use the TCP Full Connect Scan option in the Host Discovery options or the Services Discovery options. This can cause TCP host and service discovery to run very slowly, and can cause the program to appear temporarily frozen although the scan continues running.

TCP Scanning Settings for Host Discovery

Foundstone 6.5 uses TCP SYN scans to find active hosts.

Note: TCP scans are an integral part of the operating system identification feature. Without TCP scanning, Foundstone 6.5 might not identify the appropriate operating system, affecting which vulnerability checks are run against any discovered hosts. McAfee recommends using TCP scans for host discovery.

TCP Scanning Settings

None
    The scan will not use TCP scanning. When selected, the rest of the TCP Scanning settings are grayed out.

Default
    Select this option to scan the default TCP ports as defined in the Engine preferences (see "Engine Preferences - Default Ports" on page 175). The Ports box shows the default ports that have been set up.

Custom
    Select this option to enter your own list of ports in the Ports box. The Ports box shows the last ports that you entered, or it shows the default ports if you have not entered your own list.

All
    Include all 65,535 ports on each host in your TCP scan. This option seriously increases the time it takes to run the scan.

Full connect scan
    By default, FoundScan uses TCP SYN scanning only. The Full Connect Scan ensures a full three-way handshake between the source and target hosts during TCP scanning phases. If you are scanning an internal network, TCP SYN scanning should provide reasonable results. However, scanning external networks often requires several SYN scan passes to get the same level of results as a single full connect scan.
    Note: Using this feature can substantially increase the duration of the scan.
    Warning: Do not select this option if you are using Static Source Port options for either Host Discovery or Services Discovery. Using source ports together with full-connect TCP scanning (for either Host Discovery or Services Discovery) can cause TCP host and service discovery to run very slowly. It can cause the program to appear temporarily frozen although the scan continues running. When using full-connect mode, the system cannot reuse the local IP:port socket until the network system TCP_WAIT timeout period has elapsed. The Foundstone 6.5 installation program sets this timeout value to the minimum level allowed by Windows (30 seconds).

Use TCP static source port
    Specify a static source port for sending TCP packets. This identifies the TCP packets as though they come from the specified port. Use this to configure your scan to comply with existing firewall rules. For example, traditional Cisco IOS routers employ rule sets that allow traffic coming from TCP port 20 (FTP data) or UDP port 53 (DNS).
    This is required because the router/firewall does not maintain the state of the connection, and these services either run on multiple ports depending on the direction of the connection or they use a connectionless UDP protocol. As a result, when you enable source port for your host or service discovery, you may reveal a large number of systems alive and ports open that had been previously unknown to you. Also, some services only respond if a request comes from a specific port.

Scan Properties - Advanced Host Discovery Settings

To get here in the Foundstone Enterprise Manager, click SCANS > NEW SCAN, and click Next. Or, click SCANS > EDIT SCAN, and click Edit. Or, click MANAGE > USERS/GROUPS and double-click the scan to edit. Click the Settings tab. Click Hosts on the left. Then click Advanced.

Figure 113: Scan Properties - Advanced Host Discovery Options

Advanced Host Discovery Settings

Enable Hostname Resolution
    Select this option to identify and display DNS names in several places throughout the reports.

Enable OS Identification
    Select this option to identify known operating systems. Operating system identification uses three RFC-compliant packets in TCP scans, and six RFC-compliant packets for ICMP scans (one of which is a single UDP packet). Based on the host's response, Foundstone 6.5 determines the running operating system. See Operating systems that Foundstone can identify (on page 375) for more information.

Use Credentials if Available
    Select this option if you want to use authenticated credentials when scanning a host for OS identification. See Scan Properties - Credentials (see "Managing Credentials" on page 380) for more information.

Randomize order of hosts scanned (by IP address)
    If this option is selected, Foundstone 6.5 randomizes the IP addresses before it creates batches for scanning. This option reduces the network load when the IP addresses included for the scan are routed through different, dispersed gateways.

Operating systems that Foundstone can identify

Foundstone 6.5 identifies the following operating systems in order to determine which scripts should be run against the host to check for vulnerabilities. The following operating systems can be identified by Foundstone:
• BSD
• Red Hat Enterprise Linux versions 3, 4
• SuSE 8, 9, 10
• Sun Solaris versions 8, 9, 10
• IRIX
• Hewlett-Packard HP-UX
• IBM AIX versions 5.1, 5.2, 5.3
• Macintosh
• Windows NT
• Windows XP
• Windows 2000
• Windows 95/98/ME
• Windows 2003
• Printer
• Router
• Novell
• UNIX
• Cisco IOS versions 11.3, 12.2, 12.3

Note that most scripts simply identify a broader category. This means that "Windows" includes Windows 95/98/ME/2000/XP/2003, and those scripts will run against that host. The broader categories are:
• UNKNOWN
• MAC
• WINDOWS
• ROUTER
The UNIX scripts are more targeted, so they specify the actual operating system, such as Linux, Solaris, HP-UX, and AIX.

Scan Properties - Service Discovery Settings

To get here in the Foundstone Enterprise Manager, click SCANS > NEW SCAN, and click Next. Or, click SCANS > EDIT SCAN, and click Edit. Or, click MANAGE > USERS/GROUPS and double-click the scan to edit. Click the Settings tab. Click Services on the left.

The Remediation Administrator has access to these features if explicitly assigned access rights to scans.

Service discovery identifies the various services running on your network. It scans specified ports to determine which services are running. It also allows Foundstone 6.5 to identify the hosts that are running on the network.
Procedures

The Service Discovery Settings page allows the following tasks:
• Set UDP Scanning settings (see "UDP Scanning for Service Discovery" on page 377)
• Set TCP Scanning settings (see "TCP Scanning for Service Discovery" on page 378)
• Click Advanced Options (see "Scan Properties - Advanced Service Discovery Settings" on page 379) for banner grabbing, load balancer detection, and service fingerprinting.

Figure 114: Scan Properties - Service Discovery Options

UDP Scanning for Service Discovery

The default UDP technique uses a patent-pending algorithm for determining whether a UDP port is open by sending special packets to the target port. If the target system responds with a normal UDP packet, then the port is determined to be open.

Custom
    Select this option to enter your own list of ports in the Ports box. The Ports list displays the last ports that you entered, or it shows the default ports if you have not entered your own list. To change the ports listed, click the browse button to display the Select Ports dialog box. (This option is available only when creating or editing a scan configuration using the FoundScan Console.)

Default
    Select this option to use the default UDP technique to scan ports, as defined in Preferences. The Ports dialog box shows the default ports that have been set up.

All
    Selects all ports.

None
    The scan will not use UDP scanning. When selected, the rest of the UDP Scanning settings are grayed out.

Use advanced UDP scanning technique
    This method uses an advanced algorithm for UDP detection that is more accurate at discovering hosts and services.

Important: If you use source ports, do not use the Full Connect Scan option in the Host Discovery options or the Services Discovery options. This can cause TCP host and service discovery to run very slowly, and can cause the program to appear temporarily frozen although the scan continues running.

TCP Scanning for Service Discovery

The default TCP technique uses a patent-pending algorithm for determining whether a TCP port is open by sending special packets to the target port. If the target system responds with a normal TCP packet, then the port is determined to be open.

Custom
    Select this option to enter your own list of ports in the Ports box. The Ports box shows the last ports that you entered. By default it shows the default ports until you enter your own list. To change the ports listed, click the browse button to display the Select Ports dialog box. (This option is available only when creating or editing a scan configuration using the FoundScan Console.)

Default
    Select this option to use the default TCP technique to scan ports, as defined in Preferences. The Ports box shows the default ports that have been set up.

All
    Include all 65,535 ports on each host in your TCP scan. This option seriously increases the time it takes to run the scan.

None
    The scan will not use TCP scanning. When selected, the rest of the TCP Scanning settings are grayed out.

Full connect scan
    This method uses an advanced algorithm for TCP detection that is more accurate at discovering hosts and services.

Scan Properties - Advanced Service Discovery Settings

To get here in the Foundstone Enterprise Manager, click SCANS > EDIT SCANS. Click Edit. Click the Settings tab. Click Services on the left. Then click Advanced.

To get here in the FoundScan Console, click Users/Groups/Scans from the File menu. Double-click the scan to edit. Click the Settings tab. Click Services on the left. Then click Advanced.

This page contains the Advanced Service Discovery settings.
Advanced Service Discovery Settings

Perform Banner Grabbing
    Enable this option to have Foundstone 6.5 report on any ports that return banner information. Network services such as FTP, telnet, SSH, HTTP, and DNS each return banner information.

Enable Load Balancer Detection
    This feature detects the presence of load balancers on your network. It displays the load balancer as a node on the Network Topology Report. Selecting this option results in a longer scanning process.

Service Fingerprinting
    Foundstone 6.5 can scan non-standard ports for common services like HTTP, FTP, POP3, TELNET and several others. Rogue applications or end users may set up these services on non-standard ports to avoid detection.
    Warning: Service Fingerprinting can be a scan-intensive process. McAfee recommends using one port at a time when running Service Fingerprinting scans.

To use Service Fingerprinting
1 Select a service from the Available Services list.
2 Click >> to add the service to the Selected Services list.

WARNING: Foundstone 6.5 scans each live host, scanning every port one time for each service listed. This intensive scanning dramatically increases the duration of the scan.

Recommendations: McAfee recommends that you scan for one service at a time. Design scans with service fingerprinting in mind.

Managing Credentials

To get here in the Foundstone Enterprise Manager, click SCANS > NEW SCAN, and click Next. Or, click SCANS > EDIT SCAN, and click Edit. Or, click MANAGE > USERS/GROUPS and double-click the scan to edit. Click the Settings tab, then click Manage Credentials.

The Remediation Administrator has access to these features if explicitly assigned access rights to scans.

Foundstone 6.5 can use credentials to authenticate itself to a Windows, UNIX, or infrastructure host. This allows the FSL scripts to access the Windows registry and other information. Infrastructure hosts are other network devices, such as Cisco routers and switches.

This feature lets you add credentials to authenticate an account on a host:
• Windows Domain
• Windows Workgroup
• Windows Individual Host
• Windows Default
• Shell Domain
• Shell Individual Host
• Shell Default

Each method of authentication requires a user ID (user name), and some methods require a password. The Foundstone Database stores the encrypted user names and passwords for this scan. When the scan begins, Foundstone 6.5 uses this information to attempt authentication on each discovered host system (see "Steps to Authentication" on page 386).

Warning: Ensure that you set up credentials in compliance with your network security policies. It is possible to provide multiple credentials with the same username. When Foundstone 6.5 tries each of these credentials, it may surpass the limits allowed by your network policy without warning, possibly resulting in locked accounts on scanned hosts.

Procedures

From the Credentials pop-up window you can do the following:
• Create a new credential record (see "To create a new credential record" on page 383)
• Edit an existing record (see "To edit an existing credential record" on page 383)
• Remove a credential record (see "To delete a credential record" on page 384)

Note: Credentials are saved with the scan itself. After leaving the Credentials window, you must click OK to save the scan in order to save the credentials with the scan. Entering credentials for one scan does not make them available to other scans, unless you base a new scan on an existing scan that already contains credentials.

Credentials Features and Settings

New
    Click to add a new credential record (see "To create a new credential record" on page 383). For additional information on default credentials, see Using multiple default credentials (on page 387).

Delete
    Click to delete the selected credential record.

Properties
    Click to edit or view the properties of the selected credential record.

Trust unknown remote-shell targets
    Check this box if you want to trust all unknown shell targets. Unknown targets are those for which you did not collect the public certificates (you can gather keys from the target systems and store them on the certificate keyring using the Foundstone Configuration Manager). When a FoundScan Engine cannot authenticate to an untrusted host and this box is not selected, the scan will fail and an error appears in the Application Status area for Shell messages (in the FoundScan Console).
    Note: For security reasons, McAfee recommends that you do not use a root user to authenticate to these unknown targets.

To create a new credential record
1 Click New. The New Credentials dialog box (on page 384) appears.
2 For Type, click the arrow to specify the type of credential you want to create. You can set up credentials for Windows domains, Windows Workgroups, Windows individual hosts, Windows default credentials, Shell domains, Shell individual hosts, or Shell default credentials.
3 Do one of the following:
    • For Windows credentials, enter the name of the Domain, Workgroup, Individual Host, or Folder (for default credentials). Then enter a user name, and enter and confirm the password associated with the user name.
    • For Shell credentials, enter the name of the Domain, Individual Host, or Folder (for default credentials). Then enter a user name, select the Protocol you want to use for the credential and the level of security, and specify whether you want to enable Root Access.
4 Click OK to add the credential to the User Accounts list.
Figure 115: Scan Settings - Managing Credentials

To edit an existing credential record
1 On the Credentials page, select the credential you want to edit. To do this, select the Domain, Workgroup or Individual Host setting in the Credentials Management tree on the left.
2 In the User Accounts list, select the credential you want to edit.
3 Click Properties.
Tip: You can also right-click the credential in the User Accounts list and choose Properties from the shortcut menu.

To delete a credential record
1 On the Credentials page, select the credential you want to delete. To do this, select the Domain, Workgroup or Individual Host setting in the Credentials Management tree on the left.
2 Under User Accounts, select the credential record you want to remove.
3 Click Delete.
Tip: You can also right-click the credential in the User Accounts list and choose Delete from the shortcut menu.

Creating Credentials

If you move a group of assets, the label shows the asset ID. If you move a single asset, the label shows the IP address unless you choose your own label. When moving assets into a group, undiscovered, the label that has been assigned is the asset ID. Reports can search for the asset ID. If you just grab one asset

New Credentials dialog box

This dialog box appears when you click New in the Credentials page of scan settings. Use this dialog box to specify the credentials to use for Windows and shell hosts.

Figure 116: Scan Settings - New Credential dialog box

New Credentials Settings

Type
    Choose the credential type from the dropdown box:
    • Windows Domain
    • Windows Workgroup
    • Windows Individual Host
    • Windows Default
    • Shell Domain
    • Shell Individual Host
    • Shell Default

Folder
    This field changes depending on the Type of credential you selected:
    • For Windows Domain or Shell Domain, enter the domain name associated with this credential.
    • For Windows Workgroup, enter the workgroup name associated with this credential.
    • For Windows Individual Host or Shell Individual Host, enter a specific IP address, fully-qualified domain name, or NetBIOS name.
    • For Windows or Shell default credentials, enter a Folder name under which the credential will be located in this dialog box. Use the "default" setting if you want this credential to be used when no other credentials can be used to log in to the host. Select a folder from the dropdown list, or type in a new name to create a new folder.

User ID
    Enter the user ID associated with this credential. Enter a maximum of 50 characters. Leave this entry blank if your credential does not require a username. For example, some Cisco routers only require passwords, not user IDs.

Password / Confirm Password
    Enter and confirm the password associated with the User ID. Enter a maximum of 117 characters in each field.

Protocol
    For Shell credentials, select the protocol you want used with this credential:
    • SSHv2 Only
    • SSHv2 or SSHv1
    • SSHv2, SSHv1, or Telnet
    For example, if you want to try to authenticate using SSHv2 first and, if it is not available, then try SSHv1, select the second option.
Security Used
    For Shell credentials, select the level of security:
    • Certificate Only
    • Certificate or Password
    When you select Certificate or Password, enter and confirm a password associated with the user ID (at the top of the dialog box).

Root Access
    For Shell credentials, check the box to enable Root Access, and then enter a User ID (optional) and password used to gain root access. Note that it is not necessary to enter a user ID if you plan to use "su" to gain access. You will need to enter a password, however.

Root Access on UNIX Systems

In order to properly and fully assess a UNIX system, the supplied credentials must be sufficient to allow read access to the following information on the system:
• set of installed applications
• list of installed patches

Root access is generally optional, but is required in circumstances where the list of applications and installed patches is only available when root-level credentials are supplied. When root access is required, the root user ID is optional and only the root password is needed. Root access may be required in future versions of the product where a "deeper" assessment of the UNIX system is supported.

Steps to Authentication

Foundstone 6.5 follows these steps to attempt authentication:
1 Find out if the host is a Windows, UNIX, or infrastructure system. If so, go to the next step.
2 Look for a credential record for the host's IP address or system name. Use it to attempt authentication. If it doesn't exist or doesn't succeed, go to the next step.
3 Find out if the host is part of a domain. If it is, look for a credential record for the domain and use it to attempt authentication. If it doesn't exist or doesn't succeed, go to the next step.
4 If the host is a Windows host, find out if the host belongs to a Workgroup. If it does, look for a credential record for the Workgroup, and attempt authentication. If it doesn't exist or doesn't succeed, go to the next step.
5 If that doesn't work, attempt authentication with the default credentials. This can be useful when administrators know that local hosts contain a local administrator account with a specific password. If this does not work, Foundstone 6.5 was unable to authenticate to this host.

By trying specific machine credentials first, Foundstone 6.5 looks for credentials that take precedence over domain credentials. This helps authentication to systems on the domain that have specialized security settings where the domain credentials do not work. For example, this can cover systems whose domain administrator account has been removed from the Local Administrators group.

Credentials at the same level are searched in the order in which they appear on the list. Normal domain credentials are tried before "foreign domain" credentials. Credentials are considered to be in a "foreign domain" if they meet the following rules:
• they are domain credentials
• the domain in the credentials contains a dot (period, ".")
• the FQDN of the particular host was determined during discovery
• the domain from the FQDN does not match the credentials' domain

To determine if credentials are valid, Foundstone 6.5 attempts to use the NetUseAdd Win32 API call (the same as the NET USE command) to connect to the remote system. If that call fails, it tries the next credential. If the call succeeds, the connection must still be validated due to a bug in the Win32 API; Foundstone 6.5 calls NetServerGetInfo. If this call fails, it tries the next credential. If it succeeds, then processing of that host continues. The process involves determining the level of access granted by the credentials, eliminating any script that requires a higher level of access, and then running all remaining scripts against that host.
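The precedence described under Steps to Authentication, together with the account-lockout warning under Managing Credentials, as an added Python example that is not Foundstone's own code: it orders credential records the way the steps say they are attempted (individual host, then domain with normal before foreign, then Windows workgroup, then defaults) and counts how many attempts each user name would receive on one host. The rule for matching a record to a host, and every sample host and record, are assumptions; the guide does not state them.

```python
"""Added example (not Foundstone's own code): a simulation of the credential
precedence described under "Steps to Authentication", plus the lockout exposure
the "Managing Credentials" warning describes.  How a record is matched to a host
(case-insensitive compare of its target with the host's IP, name, domain, FQDN
suffix or workgroup) is an assumption; the guide does not spell that out."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

WINDOWS_TYPES = {"Windows Domain", "Windows Workgroup",
                 "Windows Individual Host", "Windows Default"}
SHELL_TYPES = {"Shell Domain", "Shell Individual Host", "Shell Default"}


@dataclass
class Credential:
    ctype: str    # one of the seven credential types the guide lists
    target: str   # domain, workgroup, host or folder name, depending on ctype
    user_id: str  # may be blank (e.g. password-only Cisco devices)


@dataclass
class Host:
    ip: str
    name: str
    os_family: str               # "Windows", "UNIX" or "Infrastructure" (assumed labels)
    domain: Optional[str] = None
    workgroup: Optional[str] = None
    fqdn: Optional[str] = None   # set only when discovery resolved it


def _fqdn_domain(host: Host) -> Optional[str]:
    """Domain part of the discovered FQDN: web01.corp.example.com -> corp.example.com."""
    if not host.fqdn or "." not in host.fqdn:
        return None
    return host.fqdn.split(".", 1)[1].lower()


def is_foreign_domain(cred: Credential, host: Host) -> bool:
    """The guide's four rules: a domain credential whose domain contains a dot,
    for a host whose FQDN was discovered, where the FQDN's domain differs."""
    fq = _fqdn_domain(host)
    return (cred.ctype.endswith("Domain") and "." in cred.target
            and fq is not None and cred.target.lower() != fq)


def order_credentials(creds: List[Credential], host: Host) -> List[Credential]:
    """Return the records in the order the guide says they are attempted."""
    family = WINDOWS_TYPES if host.os_family == "Windows" else SHELL_TYPES
    pool = [c for c in creds if c.ctype in family]  # Windows and Shell records never mix
    fq = _fqdn_domain(host)
    ordered: List[Credential] = []
    # Step 2: a record for the host's IP address or system name.
    ordered += [c for c in pool if c.ctype.endswith("Individual Host")
                and c.target.lower() in (host.ip.lower(), host.name.lower())]
    # Step 3: domain records; "normal" (matching) ones before "foreign domain" ones.
    if host.domain:
        domain_creds = [c for c in pool if c.ctype.endswith("Domain")]
        normal = [c for c in domain_creds
                  if c.target.lower() in (host.domain.lower(), fq)]
        foreign = [c for c in domain_creds
                   if c not in normal and is_foreign_domain(c, host)]
        ordered += normal + foreign
    # Step 4: workgroup records, Windows hosts only.
    if host.os_family == "Windows" and host.workgroup:
        ordered += [c for c in pool if c.ctype == "Windows Workgroup"
                    and c.target.lower() == host.workgroup.lower()]
    # Step 5: default credentials, every default folder in list order.
    ordered += [c for c in pool if c.ctype.endswith("Default")]
    return ordered


def authenticate(creds: List[Credential], host: Host,
                 try_auth: Callable[[Host, Credential], bool]) -> Optional[Credential]:
    """Stop at the first record try_auth accepts; try_auth stands in for the
    NetUseAdd + NetServerGetInfo validation the guide describes for Windows."""
    for cred in order_credentials(creds, host):
        if try_auth(host, cred):
            return cred
    return None  # the guide's "unable to authenticate to this host"


def lockout_exposure(creds: List[Credential], host: Host,
                     threshold: int) -> Dict[str, int]:
    """Attempts each user name would receive on this host if every record failed.
    Names at or above threshold are what the guide's lockout warning is about."""
    counts: Dict[str, int] = {}
    for c in order_credentials(creds, host):
        key = c.user_id.lower()
        counts[key] = counts.get(key, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample records and hosts; none of these values come from the guide.
CREDS = [
    Credential("Windows Domain", "lab.example.com", "svc_scan"),   # foreign for WEB01
    Credential("Windows Individual Host", "10.0.1.89", "localadmin"),
    Credential("Windows Domain", "CORP", "svc_scan"),
    Credential("Windows Default", "Marketing", "Administrator"),
    Credential("Windows Default", "Sales", "Administrator"),
    Credential("Shell Individual Host", "10.0.1.89", "root"),
    Credential("Windows Workgroup", "WORKGROUP", "Administrator"),
    Credential("Shell Default", "Defaults", ""),                   # password-only device
]
WEB01 = Host("10.0.1.89", "WEB01", "Windows", domain="CORP",
             fqdn="web01.corp.example.com")
ROUTER = Host("10.0.1.1", "rtr-core", "Infrastructure")
```

Running `lockout_exposure(CREDS, WEB01, threshold=2)` shows both `svc_scan` and `administrator` receiving two attempts on the same host, the situation the warning above describes, before any scan is started.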
Using multiple default credentials

You can create multiple default credentials for Windows or Shell hosts. This allows you to use the same scan configuration to scan different networks that use different credentials. For example, you may want to use the same scan configuration to scan Windows hosts on the Marketing and Sales networks. Create a default Windows credential for each network, and use the same scan configuration to check each network for vulnerabilities.

Note: With Foundstone 6.5, multiple Windows or Shell default credentials can be set up with the same user name (e.g. Administrator) with different passwords.

To create multiple default credentials using the same user name

To get here, either create a new scan or edit an existing scan, and select the Settings tab. Click the Credentials icon in the left pane.
1 Create a new credential (see "To create a new credential record" on page 383) or edit an existing credential (see "To edit an existing credential record" on page 383).
2 Click the Defaults folder in the Manage Credentials navigation tree.
3 Click New.
4 Select a Windows or Shell type from the Type menu.
5 Highlight the text in the Folder field.
6 Enter a unique name (e.g. Marketing).
7 Enter the user name in the User ID field.
8 Enter the password required for the user name.
9 Enter the password again to confirm the password.
10 If you selected a Shell-type credential, select the appropriate Shell options.
11 Click OK to save your changes.
12 To create another credential using the same user name, follow steps 3 through 11 again. Be sure to create a unique name in the Folder field.

Warning: Be sure to click the OK button in the New Credentials window. If you click the OK button in the Manage Credentials window, it will close the window without saving your settings.
Scan Properties - General Vulnerabilities To get here in the Foundstone Enterprise Manager, click SCANS > NEW SCAN, and click Next. Or, click SCANS > EDIT SCAN, and click Edit. Or, click MANAGE > USERS/GROUPS and double-click the scan to edit. Click the Settings tab. Then click Vuln Selection on the left. The Remediation Administrator has access to these features if explicitly assigned access rights to scans. The Vulnerability Module shows the vulnerability checks that are selected for the scan. If you have selected a specific scan Type on the IP Selection tab, the individual checks on this page are pre-selected and inactive. If you have selected a specific scan Type on the IP Selection tab, the individual checks on this page are pre-selected and inactive. Procedures On the Vulnerabilities Settings page you can do the following: 388 6.5 Enterprise Manager Administrator Guide • • • • • • Foundstone 6.5 Reference Guide Enable or disable General, Windows, Wireless, and Shell vulnerability checks for this scan. View vulnerability checks by category, risk rating, or CVE number. Mass-select vulnerability checks by category, risk rating, or CVE number. Search for vulnerability checks by name, risk rating, or CVE number. Click a vulnerability name to see its details. Determine which (if any) categories of vulnerability checks should automatically select new checks when they come out (see "To automatically select updated checks" on page 392). Note: If you have selected a SANS/FBI Top 20 or IAVA scan type on the IP Selection tab, the options on this page are automatically selected for you. Figure 117: Scan Properties - Vulnerabilities 389 6.5 Enterprise Manager Administrator Guide Foundstone 6.5 Reference Guide Vulnerability Selection Features and Settings Setting Description General Windows Wireless Shell Select the checkbox for the module for the scans you want to activate. Clear the checkbox to disable vulnerability checking for the specific module. 
- The General Vulnerability Assessment Module shows the vulnerability checks that are not specific to an operating system. These checks do not require credentials to the host.
- The Windows Assessment Module shows the vulnerability checks specifically meant for scanning hosts running the Windows operating system. Most of these checks require credentials to the host so that Foundstone 6.5 can access the Windows Registry and file system.
- Foundstone 6.5 detects and assesses 802.11-based wireless devices that have an IP address and participate on a TCP/IP network. Wireless access points are displayed in the network topology map as purple nodes. The Wireless Assessment module finds and assesses wireless network devices for vulnerabilities. Wireless connections can provide network access to arbitrary users, completely bypassing firewalls and other security devices. They can also expose your network traffic to anyone looking for it. Its capabilities depend on the Wireless Assessment checks you choose here.
- The Shell Assessment Module shows the vulnerability checks specifically meant for scanning hosts running UNIX. This includes infrastructure devices such as Cisco routers and switches. All of these checks require credentials to the host so that Foundstone 6.5 can access the systems.

Vulnerability check checkbox: Click the checkbox next to an individual vulnerability check to select it. Click the checkbox of a category to select all vulnerability checks within that category.

Expand icon: Expand the list of vulnerabilities in a closed folder.

Collapse icon: Collapse the list of vulnerabilities in an open folder.

Vulnerability Risk: Each vulnerability check is identified with a colored bullet showing the risk rating associated with the vulnerability: High Risk, Medium Risk, Low Risk, Information Exposure.
Advanced: The Advanced button toggles the Run new checks option (see "To automatically select updated checks" on page 392) on and off for each vulnerability category. Note: The advanced options only apply when the vulnerabilities are displayed by Category.

Display by: Changes the way the vulnerability checks are displayed on this page:
- Category - displays the vulnerability checks in categories. Vulnerability check categories fall into two important categories: Intrusive - these checks are likely to interfere with the host's normal operating behavior. Some intrusive checks can cause a denial-of-service condition or require that the host be restarted. If you enable Intrusive checks, monitor the devices both during and after the scan to ensure they are performing as anticipated. Non-Intrusive - these checks do not affect the host being scanned.
- MS Number - sorts and categorizes the vulnerability checks according to the Microsoft Security Bulletin numbers.
- Risk Level - sorts and displays the vulnerability checks according to their risk level: Informational, Low, Medium, and High.
- CVE - sorts and categorizes the vulnerability checks according to their CVE numbers.
- Vuln Filters - lists the vulnerability filters that you have created, so you can quickly create a new scan using predefined vulnerability checks.
Warning: When displaying vulnerability checks by CVE Number or Risk Rating, the intrusive checks and non-intrusive checks are combined. Selecting entire CVE Number or Risk Rating categories will result in selecting a mixture of intrusive and non-intrusive checks.

Search by: Select the data you want to search on:
- Name - search through vulnerability check names.
- CVE Number - search for a specific CVE number.
- Risk Level - enter a value between 1 and 9 to search for vulnerabilities with specific risk scores.
(Search text box): Enter the criteria you want to search, based on your Search by selection.

Search: Click Search to change the display, only showing the vulnerability checks that matched your search criteria.

Clear: Resets the search criteria.

To automatically select updated checks

If you want this scan to automatically select new, updated vulnerability checks when they are released, follow these steps:

1 In the Scan Properties > Settings Tab > Vuln Selection page, click Advanced to show the Run new checks option for each vulnerability category.
2 For each vulnerability category for which you want to include updated vulnerability checks in this scan, select the Run new checks checkbox.

When Foundstone 6.5 receives an update, new checks within the selected category are automatically selected to be scanned the next time this scan runs.

WHAM Checks that do not Require Credentials

Although many Windows Host Assessment Module (WHAM) checks require credentials, some require no credentials and some require NULL-SESSION credentials. Those that require no credentials or NULL SESSION credentials can run even when no credentials are supplied to WHAM. You can, therefore, create a scan that includes these specific WHAM checks without supplying credentials. In general, the credential-less checks include all the "wham-misc-netbios" checks:
• Admin No Password
• Guest No Password
• Null Session
• OS Version
• Shares No Password
• Enumerate Shares
• Shares Writable
• Enumerate Users
• Other checks under the "wham-misc-netbios" category

These checks must be run by WAM (they cannot be configured as general vulnerabilities). Microsoft Windows only allows one active NetBIOS session to any given computer at any given time. Windows does not support simultaneous connections with different credentials. WAM is the entity within FoundScan that manages NetBIOS connections and ensures that conflicts do not occur.
Therefore, any checks that directly use NetBIOS must be configured to run as WAM checks in order to avoid credentials conflict.

Scan Properties - Web Module Settings

To get here in the Foundstone Enterprise Manager, click SCANS > NEW SCAN, and click Next. Or, click SCANS > EDIT SCAN, and click Edit. Or, click MANAGE > USERS/GROUPS and double-click the scan to edit. Click the Settings tab. Then click Web Module on the left.

The Remediation Administrator has access to these features if explicitly assigned access rights to scans.

The Web Module searches for Web applications and analyzes those that it finds for common vulnerabilities.

Procedures

The Web Module Settings page lets you do the following:
• Determine which Web Analysis tools to use in Web server vulnerability evaluations.

Figure 118: Scan Properties - Web Module Settings

Settings: Description

Enable Web Application Assessment Module: Select this checkbox to activate Web application assessment. Clear this checkbox to disable it.

Advanced: Lets you set performance options, regulating how the scan affects the Web servers as it analyzes them.

Source Sifting: Looks through Web applications for information in HTML comments, hyperlinks, email addresses, keywords in meta tags, hidden fields, and client-side scripts. Specifically, it looks for email addresses, include files, and absolute file paths. These items can provide valuable information to attackers.

Smart Guesswork: Tests for hidden security risks such as "left-behind" data archives, backups, and known directories that contain application information. All unnecessary recovered files are listed in the report, allowing the security team to evaluate what they should block direct access to or remove from the system.

SQL Security Analysis: Identifies and enumerates SQL vulnerabilities in Web applications.
The report lists possible SQL entry points where an attacker can extend or tamper with a SQL query to break the web application boundaries.

Source Code Disclosure: If a source code disclosure vulnerability is found on a target server, Foundstone 6.5 applies the vulnerability to all scripts the crawler has gathered and tries to recover the actual source code of the files. The report shows the information it can get from code.

Web Authentication Analysis: McAfee's Web Authentication Analysis discovers popular login points where users must be authenticated to access the application. It probes these points to determine where attackers might easily guess usernames and passwords. The Vulnerable Accounts by Web Server Report comes from this analysis. Select at least one of the testing options:
- Basic - Tests common usernames and passwords against HTTP/HTTPS entry points to see if they are easily guessed. You can also customize the usernames and passwords used in these authentication attempts.
- NTLM - Tests common usernames and passwords against NTLM entry points in Web applications. You can customize the list of usernames and passwords that the Web Authentication Analysis uses to attempt access at entry points in the Web applications it discovers. These customizations affect all organizations. To do this, modify the user.txt and pass.txt files included in the Foundstone 6.5 program directory. Caution: Adding a small number of new usernames and passwords can substantially lengthen the scan duration because the module tries each username with each password.
- Forms - Tests forms in Web applications to find vulnerabilities that attackers can use.

Scan Properties - Advanced Web Module Settings

To get here in the Foundstone Enterprise Manager, click SCANS > NEW SCAN, and click Next. Or, click SCANS > EDIT SCAN, and click Edit.
Or, click MANAGE > USERS/GROUPS and double-click the scan to edit. Click the Settings tab. Click Web Module on the left. Then click Advanced.

The advanced Web Application Assessment Options dialog/page lets you change advanced settings that affect the performance of the scan.

Procedures

From this page you can do the following tasks:
• Determine how deep the Web Application Assessment digs to find problems.
• Specify the performance settings of the assessment scan, and the impact on the discovered Web servers.

Figure 119: Scan Properties - Advanced Web Assessment Settings

Coverage Settings

Setting: Description

Maximum number of links to crawl: Set this number to limit the Web Assessment to a certain number of links. You can set any number up to 50,000. Higher numbers can affect the length it takes to complete the Web Crawl.

Maximum depth of pages to crawl: Depth refers to subdirectory levels. Setting this number to 4 would let the Crawl Engine search up to four subdirectories deep on a given path. For example, http://www.mcafee.com/us/enterprise/products/index.html is four subdirectories deep.

Performance Settings (from the left to the right)

Setting               Thread / Crawl Phase   Threads per Analysis   Thread Reallocation                 Requests per second   Other
Minimum CPU Impact    1                      1                      NO                                  50 (max.)
Reduced CPU Impact    4                      2                      NO                                  50 (max.)
Normal Operation      8                      8                      NO                                  100 (max.)
Enhanced Performance  16                     8                      16 Threads per Engine (max.)        250 (max.)
Maximum Performance   32                     8                      Max. allowable threads per engine   1000 (max.)           Sequential Engine Operation

Scan Properties - Optimization Settings

To get here, create or edit a scan configuration. On the Settings tab, click Optimize on the left.
The Remediation Administrator has access to these features if explicitly assigned access rights to scans.

The Optimization Settings let you tweak Foundstone 6.5 to your needs.

Figure 120: Scan Properties - Optimization Settings

Slider Settings

The slider provides five sets of predetermined values for optimization settings, ranging from scans that use little network bandwidth, to those using much more bandwidth. Changing the position of the slider affects the values under Settings.

Customized Settings

Click Customize to enable and modify the settings under Settings. Selecting Customize disables the slider; moving the slider has no effect on the settings.

Optimization Settings

Setting: Description

Number of sub-scans: Foundstone 6.5 begins creating sub-scans once 256 IP Addresses have been discovered. Enter the maximum number of sub-scans to use once the limit has been reached. Foundstone 6.5 will not create more sub-scans than this limit.

Batch size: Batch size controls the number of IP addresses scanned simultaneously and thus has an effect on how often the status display is updated. Higher values typically result in faster scans, although the status display is not updated as frequently. A default value of 256 is recommended.

Network Mapping (Tracerouting): Enable this option to generate topology maps of your environment in your reports. It lets you quickly see high-risk areas, allowing you to drill down into the report for more information. You can quickly determine where wireless devices are, and make a quick assessment regarding how the different subnets score against each other in terms of risk posture.

Use Auto Discovery Mode: Optimizes the service discovery portion of the scan, affecting TCP and UDP timeout values, number of passes, and interpacket delay settings. Enable this option to produce faster scans.
ICMP timeout (ms), TCP timeouts (ms), UDP timeouts (ms): Determines how long the FoundScan Engine will wait for a response from the host before taking the next action. The default is 3000 ms (2 seconds) for TCP and UDP and 1500 ms (4 seconds) for TCP and UDP timeouts. Increase the timeout length if the network speed is slow and you believe that you can get better results. As a general rule, the shorter the timeout setting, the faster the scan time can be. However, shorter timeouts can miss heavily trafficked hosts that take longer to respond.

Number of passes: Determines how many times the system will scan each host. Additional passes increase the accuracy of the discovery process, but they also increase the duration of the scan.

Interpacket delay (ms) (Packet Interval): Determines how many milliseconds elapse between each sent packet. Lower the interval on faster local subnets to increase the scan performance. Increase the interval if the scan misses hosts or if it utilizes a low speed link.

Scan Properties - Reports Tab

To get here in the Foundstone Enterprise Manager, click SCANS > NEW SCAN, and click Next. Or, click SCANS > EDIT SCAN, and click Edit. Or, click MANAGE > USERS/GROUPS and double-click the scan to edit. Then click the Reports tab.

The Remediation Administrator has access to these features if explicitly assigned access rights to scans.

The Reports tab lets you choose what kind of reports will be generated automatically after the scan is finished. After the scan has completed, you can re-generate reports for any scan job in the database through the MANAGE > REPORTS page (see "Generating Scan Reports" on page 60).

Procedures

From the Reports Tab you can perform the following tasks:
• Turn remediation tickets on or off for this scan.
• Choose the FoundScore type - Internal or External.
• Choose the format for reports to be created.
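The CSV reports listed under CSV Report Options in the Report Settings table that follows (authenticated_hosts.csv, vulnerabilities.csv and network_assets.csv) share the IP Address and Asset Criticality columns, so they can be joined after a scan. The script below is an added example, not code from this guide or from the product: it assumes each file carries a header row using the column names the guide lists, builds constructed sample rows, ranks hosts by criticality and vulnerability count, and flags hosts whose SSH/Telnet access columns all read "No Access", since the Shell module checks that need credentials did not run there and their vulnerability count is likely understated.

```python
"""Join the three Foundstone CSV reports into a per-host summary.

Added example (not part of the guide or the product). Assumption: each CSV
carries a header row with the column names the guide lists; sample rows are
constructed for illustration and have no relation to a real scan.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data, columns as listed in the guide for network_assets.csv.
NETWORK_ASSETS_CSV = """\
IP Address,DNS Name,NetBIOS Name,Asset Name,Asset Criticality,OSID,Owner,Workgroup,Banner
10.0.0.10,web01.example.test,WEB01,Web server,High,1,alice,Marketing,Apache
10.0.0.11,fs01.example.test,FS01,File server,Medium,2,bob,Marketing,
10.0.0.12,db01.example.test,DB01,Database,High,3,carol,Sales,MySQL
"""

# Constructed sample data, columns as listed for vulnerabilities.csv.
# Vulnerability ID values are placeholders (the real IDs come from vulndatabase.xml).
VULNERABILITIES_CSV = """\
IP Address,DNS Name,NetBIOS Name,Asset Name,Asset Criticality,OSID,Owner,Vulnerability ID
10.0.0.10,web01.example.test,WEB01,Web server,High,1,alice,1001
10.0.0.10,web01.example.test,WEB01,Web server,High,1,alice,1002
10.0.0.12,db01.example.test,DB01,Database,High,3,carol,1003
"""

# Constructed sample data, columns as listed for authenticated_hosts.csv.
# Error Code / Error Description values are constructed placeholders.
AUTHENTICATED_HOSTS_CSV = """\
IP Address,DNS Name,NetBIOS Name,Asset Name,Asset Criticality,OSID,Owner,SSHv2Certificate,SSHv2Credentials,SSHv1,Telnet,Error Code,Error Description
10.0.0.10,web01.example.test,WEB01,Web server,High,1,alice,No Access,Root,No Access,No Access,0,
10.0.0.11,fs01.example.test,FS01,File server,Medium,2,bob,No Access,No Access,No Access,No Access,1,Logon failure
10.0.0.12,db01.example.test,DB01,Database,High,3,carol,No Access,User,No Access,No Access,0,
"""

# The four access-method columns; each holds Root, User, or No Access.
ACCESS_COLUMNS = ("SSHv2Certificate", "SSHv2Credentials", "SSHv1", "Telnet")
ACCESS_RANK = {"Root": 2, "User": 1, "No Access": 0}
CRITICALITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def read_rows(text):
    """Parse CSV text (with header row) into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def vuln_counts_by_host(vuln_rows):
    """Count vulnerabilities.csv rows per IP Address (one row per finding)."""
    counts = defaultdict(int)
    for row in vuln_rows:
        counts[row["IP Address"]] += 1
    return dict(counts)


def best_access(auth_row):
    """Highest access level obtained on a host across the four access methods."""
    levels = (auth_row[c].strip() for c in ACCESS_COLUMNS)
    return max(levels, key=lambda v: ACCESS_RANK.get(v, -1))


def hosts_without_credentialed_access(auth_rows):
    """IPs where every access column is 'No Access': credentialed Shell checks did not run."""
    return [r["IP Address"] for r in auth_rows if best_access(r) == "No Access"]


def build_summary(assets_text, vulns_text, auth_text):
    """Join the three reports on IP Address; sort by criticality, then by finding count."""
    counts = vuln_counts_by_host(read_rows(vulns_text))
    auth = {r["IP Address"]: r for r in read_rows(auth_text)}
    summary = []
    for asset in read_rows(assets_text):
        ip = asset["IP Address"]
        access = best_access(auth[ip]) if ip in auth else "No Access"
        summary.append({
            "ip": ip,
            "asset": asset["Asset Name"],
            "criticality": asset["Asset Criticality"],
            "vulns": counts.get(ip, 0),
            "access": access,
            # A host with no credentialed access has an unknown number of Shell findings.
            "coverage_gap": access == "No Access",
        })
    summary.sort(key=lambda s: (CRITICALITY_ORDER.get(s["criticality"], 99), -s["vulns"]))
    return summary


if __name__ == "__main__":
    for row in build_summary(NETWORK_ASSETS_CSV, VULNERABILITIES_CSV, AUTHENTICATED_HOSTS_CSV):
        gap = "  <-- no credentialed access, findings incomplete" if row["coverage_gap"] else ""
        print(f'{row["ip"]:<12} {row["criticality"]:<7} vulns={row["vulns"]} access={row["access"]}{gap}')
```

Point the constants at the downloaded files (see "To download a report" below) to run this on real output; hosts flagged with a coverage gap are the ones whose credentials to check first.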
Figure 121: Scan Properties - Reports Tab

Report Settings

Setting: Description

Create Remediation Tickets: Select this option to have Foundstone 6.5 create remediation tickets when the scan is complete. If this option is not selected, this scan will not produce remediation tickets.

FoundScore Type: Defines the set of calculations used to determine the FoundScore value. Choose Internal or External.

Reporting Options

HTML Report: The HTML Report allows Foundstone Enterprise Manager users to view report results online through their browser.

PDF Report: Select this option to create PDF reports for this scan. PDF reports are printable files and can be viewed with the Adobe Acrobat Reader or other PDF software. Choose which reports you want to print to a PDF file. When selected, you can choose from the various PDF reports available under the PDF Report Sub-Types option. Note: The Scan Summary PDF report sub-type must be selected in order to create the Compliance Pass/Fail Report (on page 71). The Configuration History PDF report subtype must be selected in order to create the Compliance Scan Differences Report (on page 72).

CSV Report Options: This option creates comma-separated-value reports. These can be easily imported into spreadsheets and other programs. The following reports are provided in the comma-separated-value format.
- authenticated_hosts.csv (contains the following columns): IP Address, DNS Name, NetBIOS Name, Asset Name, Asset Criticality, OSID, Owner, SSHv2Certificate (Root, User, or No Access), SSHv2Credentials (Root, User, or No Access), SSHv1 (Root, User, or No Access), Telnet (Root, User, or No Access), Error Code, Error Description
- vulnerabilities.csv (contains the following columns): IP Address, DNS Name, NetBIOS Name, Asset Name, Asset Criticality, OSID, Owner, Vulnerability ID (corresponds to the ID in vulndatabase.xml)
- network_assets.csv (contains the following columns): IP Address, DNS Name, NetBIOS Name, Asset Name, Asset Criticality, OSID, Owner, Workgroup, Banner

XML Report: Create XML output for reading the data into other programs.

PDF Subtypes: Click to expand these options. Once it is expanded, select the reports you want to see in PDF format.

To download a report

1 On the Reports page, go to the report you want to download, and click DOWNLOAD. Click any of the icons next to the DOWNLOAD link to get specific reports - XML, CSV, PDF, or HTML.

Figure 122: Reports page - click DOWNLOAD to save to disk

2 Your browser asks if you want to save the file. Click Save.

Figure 123: Browser - download dialog box

3 Choose the directory in which to save the file.

Scan Properties - Schedule Settings

To get here in the Foundstone Enterprise Manager, click SCANS > NEW SCAN, and click Next. Or, click SCANS > EDIT SCAN, and click Edit. Or, click MANAGE > USERS/GROUPS and double-click the scan to edit. Click the Scheduler tab.

The Remediation Administrator has access to these features if explicitly assigned access rights to scans.

The Schedule Tab lets you activate and set a recurring schedule for the scan.
Procedures

On this page you can perform the following tasks:
• Activate or de-activate the scan, whether it be set to run immediately or at a scheduled time.
• Select the FoundScan Engine and specify the network interface that the scan will use.
• Schedule the scan to run immediately, at a specific date and time, or on a recurring schedule.
• Set Scan Windows so that the scan only runs during specific hours or on specific days.

Figure 124: Scan Setup - Schedule Tab

Scan Settings (Basic Settings)

Setting: Description

Select Engine: This list contains the different FoundScan Engine servers that have been set up for your workgroup or organization. If only one FoundScan Engine is available, there is only one FoundScan Engine listed and it is automatically selected. If automatic scan engine selection is enabled, then Auto Select will appear as the Select Engine. Note: This setting is inactive if you created this scan based on another scan. Also, if you specify that a scan is to use a specific engine, the scan will not run on other engines through an alternate interface. For example, specifying a scan engine on the Foundstone Enterprise Manager does not allow you to run the scan on a different engine from the FoundScan Console.

Select NIC: If the FoundScan Engine contains more than one network card, this dropdown box displays each NIC found on the selected engine. If each engine only has one MAC Address, this dropdown box does not appear at all. If there is only one engine, but it contains multiple MAC Addresses, this dropdown box shows the NIC identities for that engine.

Active: Make this scan active. If Immediate is also selected, the scan will begin as soon as you exit this window. If you select the active and immediate options, Foundstone 6.5 begins running the scan as soon as you are done editing it.

Inactive: The scan configuration can be saved, but will not automatically run.
You can manually start an inactive scan by clicking Activate in the Edit Scans (see "Editing Scans" on page 293) page. Note: Inactive scans will not run, even when they are scheduled.

Immediate: The scan starts immediately, if active. It runs one time, and then becomes inactive.

One Time: The scan runs one time, on the date and time that you choose. After running one time, Foundstone 6.5 sets the scan configuration to inactive. To change the date, click the calendar and select the date you want the scan to run. To change the time, click the arrow for the hour and minute you want the scan to start.

Recurrence: For recurring scans, specify how often you want the scan to occur: Daily, Weekly, Monthly, Continuous. See the following sections for more information on the settings for recurring scans.

Scan Windows: To specify the hours your scan will run, check the box to enable Scan Windows. (This option is not available for Continuous scans.) For more information, see the following section on "Scan Windows".

Schedule Settings (Daily Scans)

The scan runs on the start date at the start time; then it runs each day after that at the same specified time.

Figure 125: Scan Properties - Daily Schedule Settings

Setting: Description

Start On: Click the calendar icon to specify the date on which you want the daily scans to start.

At: Click the arrows to specify the hour and minutes (using a 24-hour clock) at which you want the scans to start.

Schedule Settings (Weekly Scans)

Weekly scans let you set the days of the week to run your scans. By setting the number in the Recur every week box, you can also specify that the scan should run every week, every two weeks, every three weeks, and so forth.
Figure 126: Scan Properties - Weekly Schedule Settings

Setting: Description

Start On: Select the days of the week for when you want the weekly scan(s) to run.

At: Click the arrows to specify the hour and minutes (using a 24-hour clock) at which you want the scans to start.

Recur Every: Click the arrow to specify how often you want the weekly scan to recur. Select from 1 to 5 weeks.

Schedule Settings (Monthly Scans)

Monthly scans let you specify specific days of the month. Schedule a scan for a particular day of the month or a particular day of the week. You can also set up combinations of dates, like the second and fourth Wednesday of the month and every 15th day. The recurrence options let you run the scan every month, every two months, and so forth.

Figure 127: Scan Properties - Monthly Schedule Settings

Setting: Description

Start On: Click the arrows to specify the day of the month on which you want the scans to run. Select the occurrence (First through the Fifth) and the day of the week (Sunday through Saturday).

Add: Click this button to add the specified period to the scan window list.

Remove: Click this button to remove the selected period from the list.

Remove All: Click this button to remove all of the time periods from the list.

Date: Check this box if you want to specify the day of the month (1-31) on which you want the scan to run. Use this option if you do not want to use the default method of choosing the day of the week (such as the first Sunday).

Run At: Click the arrows to specify the hour and minutes (using a 24-hour clock) at which you want the scans to start.

Recur Every: Click the arrow to specify how often you want the monthly scan to recur. Select from 1 to 12 months.

Schedule Settings (Continuous)

Continuous scanning is the most exhaustive option for monitoring your network, but offers continuous information. Set the date and time for the scan to begin.
When the scan is finished, it begins again.

Figure 128: Scan Properties - Continuous Schedule Settings

Setting: Description

Start On: Click the calendar icon to specify the date on which you want the daily scans to start.

At: Click the arrows to specify the hour and minutes (using a 24-hour clock) at which you want the scans to start.

Scan Windows

Use Scan Windows to specify the hours your scan will run. When you enable Scan Windows, your scan will run only during the hours you specify on the day(s) you have it scheduled. Then select the amount of time that is available for scanning. Once this amount of time has been reached, the scan will pause until the next available scan window occurs.

Figure 129: Scan Properties - Scan Window Settings

Setting: Description

Use Scan Windows: Check this box to enable Scan Windows.

Start Window: Click the arrows to select the hour and minutes (using a 24-hour clock) for when you want scanning to begin.

End Window: Click the arrows to select the hour and minutes (using a 24-hour clock) for when you want scanning to stop.

Add: Click this button to add the specified window period to the scan window list.

Remove: Click this button to remove the selected scan window from the list.

Remove All: Click this button to remove all of the scan window time periods from the list.

Vulnerability Filters

To get here, click SCANS > VULN FILTERS.

This feature lets you search through the list of vulnerability checks and save the resulting list as a vulnerability filter. Use the filters you create to select vulnerabilities when creating a scan (see "Creating New Scans" on page 291). The vulnerability filters act as a "template" when you create a new scan, so you can quickly create standard, identical scans for each organization.
Scope

The Root Organization Administrator can create vulnerability filters for the entire organization. Anyone with access to a scan can create vulnerability filters that only they can use.

Display a list of vulnerabilities by class (name, risk level, or CVE number) or search for the vulnerabilities you want used in a scan.

Procedures

On this page you can do the following:
• View the list of vulnerabilities by an already-defined filter by choosing the filter name from the Display By list.
• Display a list of vulnerabilities by name, risk level, or CVE number. To do this, select the type from the Display By list.
• Search for a vulnerability:
  • Search for text in the vulnerability name or description by selecting Name from the Search By list. Enter the text you want to find in the text box and click Search. The Search Results section displays the updated results. Expand the categories to see specific vulnerability checks.
  • Search for vulnerability checks relating to a specific CVE number by selecting CVE Number from the Search By list. Enter the text you want to find in the text box and click Search. The Search Results section displays the updated results. Expand the categories to see specific vulnerability checks.
  • Search for vulnerabilities belonging to a specific risk level by selecting Risk Level from the Search By list. Select the risk level from the list and click Search. The Search Results section displays the updated results. Expand the categories to see specific vulnerability checks.
• Select vulnerabilities to include in the filter:
  • Select a specific vulnerability check by checking the checkbox next to the name.
  • Select all of the vulnerabilities in a specific category by checking the checkbox next to the category. All vulnerability checks within that category are selected.
• Save the search results as a Vulnerability Filter by entering the name for the vulnerability filter in the Save As box.
Specify whether it is an organizational filter (by clicking Organization Wide) or a personal filter (by clicking User Filter).
• View the details of an individual vulnerability check by clicking the vulnerability description. A new browser window appears, showing the vulnerability details.

Vulnerability Filter Settings

Setting: Description

Display By: Shows the filters that have been defined: both organizational filters and personal filters. This list also contains the display filters so that you can show the list by category, CVE, and so on. Note: Only the Root Organization Administrator can create vulnerability filters for the entire organization.

Delete: Click to delete the selected vulnerability filter.

Search By: Select the data you are searching:
- Name (a word included in the vulnerability name or description)
- CVE Number
- Risk level

Search: Searches vulnerability names and descriptions for the specified text.

Reset: Resets the search results and clears any checked vulnerabilities.

Save As: Enter the name for this vulnerability filter. The filter name can contain up to 25 characters (alphanumeric, spaces, and apostrophes only).

Save: Saves the selected vulnerabilities as a vulnerability filter.

Organization Filter: Select this option to make this filter available to the entire organization. Note: This option only appears when you're logged on as the Root Organization Administrator. Only the Root Organization Administrator can create vulnerability filters for the entire organization.

User Filter: Select this option to make a personal filter. It will not be available to other users. Note: This option appears only when you're logged on as the Root Organization Administrator. Only the Root Organization Administrator can create vulnerability filters for the entire organization.
Search Results: Shows the vulnerability checks. Select vulnerability checks from this list. Filter this list by running a search or selecting a filter from the Display By list.

To see the vulnerability details

• Click the vulnerability. A new browser window appears, showing the vulnerability details.

To create a new vulnerability filter (searching by name, risk level, or CVE number)

1 Do one of the following:
  • To search by name, in the Search By list, select Name. Enter the text you want to find in the text box. For example, to search for Denial of Service attacks, enter dos.
  • To search by risk level, in the Search By list, select Risk Level. In the list next to Search By, select the level of risk (High, Medium, Low, Informational).
  • To search by CVE number, in the Search By list, select CVE Number. Enter the text you want to find in the text box. For example, to search for all CVE entries on SNMP, enter SNMP.
2 Click Search. The Search Results section displays the updated results. Expand the categories to see specific vulnerability checks.
3 Select the vulnerabilities to include in the filter. To do this:
  • Select a specific vulnerability check by checking the checkbox next to the name.
  • Select all of the vulnerabilities in a specific category by checking the checkbox next to the category. All vulnerability checks within that category are selected.
4 Save the selected vulnerabilities as a Vulnerability Filter by entering the name for the vulnerability filter in the Save As box.
5 Specify the type of filter. Do one of the following:
  • To create an organization filter, select Organization Wide.
  • To create a personal filter, select User Filter.

Now you are ready to use the vulnerability filter when creating a scan (see "To use a vulnerability filter when creating a scan" on page 414).
To create a new vulnerability filter (browsing by category, risk level, or CVE)
1 Do one of the following:
• To display all vulnerabilities by category (name), in the Display By list, select Category. All vulnerabilities, grouped by category, are displayed in the Search Results section.
• To display all vulnerabilities by risk level, in the Display By list, select Risk Level. All vulnerabilities, grouped by risk level, are displayed in the Search Results section.
• To display all vulnerabilities by CVE number, in the Display By list, select CVE Number. All vulnerabilities, grouped by major CVE number, are displayed in the Search Results section.
Expand the categories to see specific vulnerability checks.
2 Select the vulnerabilities to include in the filter. To do this:
• Select a specific vulnerability check by checking the checkbox next to its name.
• Select all of the vulnerabilities in a category by checking the checkbox next to the category. All vulnerability checks within that category are selected.
3 Save the selected vulnerabilities as a vulnerability filter: enter a name for the filter in the Save As box and click Save.
4 Specify the type of filter. Do one of the following:
• To create an organization filter, select Organization Wide.
• To create a personal filter, select User Filter.
Now you are ready to use the vulnerability filter when creating a scan (see "To use a vulnerability filter when creating a scan" on page 414).

To use a vulnerability filter when creating a scan
Use the vulnerability filters you create to select the vulnerabilities to be checked when creating a scan (see "Creating New Scans" on page 291). Vulnerability filters act as a template when you create a new scan, so you can quickly create standard, identical scans for each organization.
• In the Foundstone Enterprise Manager, when you create a new scan, the option to select a vulnerability filter is available on the Settings page for General Vulnerabilities (page 388), the Windows Module, and the Wireless Module. To base the scan on the filter, click the arrow for Display By and select the filter you created.

Search
To get here, click REPORTS > SEARCH. You must be an administrator, or a user with scan view access, to use this feature.
Set up your own search criteria for searching the scans that belong to your workgroup or organization. Search on a specific hostname, operating system, IP address, NetBIOS name, service or port, banner, vulnerability name, or specific information that came back from a vulnerability check.

Scope
This feature searches through all the scans your account can access, including workgroups that have been created under your workgroup or organization.

Procedures
On this page you can perform the following tasks:
• Enter search criteria.
• Click Submit to begin the search.
• Click Reset to clear the search results.
• When the search results appear, click an IP address in the results to see the Detailed Host Report (on page 126).

Figure 130: Search page - search through scan results

The details shown here are the information on the host from the most current scan job among all the scan configuration jobs that you have access to, regardless of the filter criteria.
Note: Because the host data on the Host Discovery Details page is derived from the single most current scan configuration job, the host data on the Host Discovery Details page may not correspond to that on the Search Results page.

Search Categories
Hostname: Enter a partial hostname to find hosts with matching hostnames.
Operating System: Enter a partial operating system name to find hosts running that operating system.
For example, searching for "Win" returns a list of hosts running all flavors of Windows, such as Windows 2000, Windows Server 2003, Windows XP, and so forth.
IP Address: Enter a complete IP address.
NetBIOS Name: Enter a partial NetBIOS name to find matching systems.
Service/Port: Enter a service name or a port number. Examples include http, https, snmp, nntp, smtp, ident, and so forth.
Banner: Enter a partial banner message that would be returned by a running service. Use it to search for specific service settings, version numbers, or other information.
Vulnerability: Enter a partial vulnerability name. For example, searching on "2000" returns any vulnerability discovered in the scan that contains "2000" in its name.
FSL Output: Enter a partial word or phrase produced by an FSL script during the scan. The search results show the script's request and the host's response.

Working with Compliance Scans
The Foundstone Enterprise Manager Policy Manager lets you customize your policy settings. You can adjust the policies to match your corporate compliance standards, or reset the policies to their default settings. The Policy Manager defines the expected value of each policy; it does not turn individual policy checks on or off. Which checks run is chosen when you set up the scan (see "Creating New Scans" on page 291).
The compliance report generated from a policy scan identifies compliance and noncompliance with policies at the host level, so you can review and correct policy noncompliance for each scanned host on your network.
Note: A Windows policy scan can take a long time to complete, depending on the number of hosts being scanned and the amount of information being returned to the database. McAfee recommends running a policy scan only when necessary.

Windows Policy Settings
To get here, log on to the Foundstone Enterprise Manager as the Global Administrator. Select MANAGE > POLICY.
The Foundstone Enterprise Manager Policy Manager lets you customize your Windows policy settings, registry key permissions, file and root file permissions, and service settings. Customizing policy settings for Microsoft Windows requires you to select an operating system (Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, or Windows Vista) and customize the policy settings for that group.

General Policy
Customize your Windows policy settings. The Windows policy defaults are set to Microsoft standards.
• When customizing policies, carefully read the policy descriptions. Selecting a checkbox means the statement in the description is True; clearing a checkbox means the statement is False. For example, take Administrator Account Password Never Expires: if the checkbox is selected, a host is compliant only if its administrator password never expires; if the checkbox is cleared, a host is compliant only if it forces the administrator password to expire. The checkbox records the state you require, not a recommendation, so check each default against your own standard before you scan.
• Some fields restrict how you can adjust them. For example, some fields require a value of 0 or 1; anything else triggers an error when you try to save your policy settings, and must be fixed before you can save.
• The Set to Default icon resets that one policy setting to the Microsoft Windows default.
• The Set to Defaults button resets all policies in the selected OS group to the Microsoft Windows default. As a precaution, when you click this button you are required to confirm or cancel the action.
Once you are done customizing your policy settings, click Save.

Registry Keys
Set group rights for specified registry keys.
• To add a registry key entry, click Add Registry Key. In the Registry Key field, type the path to the registry key.
• To add a group and specify access rights, click the plus sign next to the registry key.
Select a group and a rights level from the drop-down lists.
• To delete a group, click the minus sign next to the group setting.
Once you are done adding, editing, or removing your registry key group access rights, click Save.

File Permissions
Set group permissions for root files.
• To add a file permission entry, click Add Root File Permission. Select a group from the drop-down list.
• To add a user group, click the plus sign next to User Permissions, then select the user/group and the rights level from the drop-down lists. Each User/Group Right has the same effect as the corresponding file permission setting in Windows, and its name maps to a Windows access rights macro. For the macro behind each file permission setting, see File Permission/Access Rights Macro Names below.
• To add a file, click the plus sign next to Files, then type the file name. To apply the user permissions to the directory itself, add a blank file name.
When you are done adding, editing, or removing your file permissions, click Save.

Root Drive Permissions
Set group permissions for files within a designated directory path.
• To add a file permission entry, click Add File Permission. In the Directory Path field, enter the path to the folder.
• To add rights, click the plus sign next to Rights, then select a group right from the drop-down list.
When you are done adding, editing, or removing your file permissions, click Save.

Services
Set service start and state conditions for specified users.
• To add a service, click Add Service. In the Service Name field, type the name of a service.
• To add a user, click the plus sign next to Users, then type a user name.
When you are done adding, editing, or removing your services, click Save.

Configure Policy Manager
To configure the Policy Manager, click the Config button at the bottom of the policy page.
To export your policy to an XML file:
• Click Export to XML.
• Click Save.
• Save the compressed file.
To import a policy (must be an XML file):
• Click Browse.
• Select a policy file to import.
• Click Open.
• Click Import from XML.
To add Windows user options:
• Click Add New Value.
• Enter a Display Name.
• Enter an Actual Value.
When you are done with your configuration, click Save.

File Permission/Access Rights Macro Names
File Permission: Access Rights Macro(s)
Full Control: STANDARD_RIGHTS_ALL | FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE | FILE_DELETE_CHILD
Modify: FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE | DELETE
Read & Execute: FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
Read: FILE_GENERIC_READ
Write: FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE
Traverse Folder/Execute File: FILE_TRAVERSE | FILE_EXECUTE
List Folder/Read Data: FILE_LIST_DIRECTORY | FILE_READ_DATA
Read Attributes: FILE_READ_ATTRIBUTES
Read Extended Attributes: FILE_READ_EA
Create Files/Write Data: FILE_ADD_FILE | FILE_WRITE_DATA
Create Folders/Append Data: FILE_ADD_SUBDIRECTORY | FILE_APPEND_DATA | FILE_CREATE_PIPE_INSTANCE
Write Attributes: FILE_WRITE_ATTRIBUTES
Write Extended Attributes: FILE_WRITE_EA
Delete: DELETE
Read Permissions: READ_CONTROL
Change Permissions: WRITE_DAC
Take Ownership: WRITE_OWNER
Delete Subfolders and Files: FILE_DELETE_CHILD
Note: The Write row as listed includes FILE_GENERIC_READ and FILE_GENERIC_EXECUTE as well as FILE_GENERIC_WRITE, so it is broader than the Write permission in the Windows security dialog, which corresponds to FILE_GENERIC_WRITE alone. Check which meaning your policy relies on before treating a host as compliant.

Creating a Compliance Scan
These are the steps for setting up a Windows Policy scan. For further information about scans, see Working with Scans (on page 288).
1 Log on to the Foundstone Enterprise Manager as the Root Organization Administrator.
2 Select SCANS > NEW SCAN.
3 Select Use a Foundstone template.
4 Select Windows Policy Template Scan.
5 Click Next.
6 Type a scan name and IP address(es).
7 Click Next.
8 Under Vuln Selection, expand Windows Vulnerabilities.
9 Expand Security/Policy Options. All Microsoft Windows policies are selected by default.
10 Clear the option for any script you do not want to run with this scan.
11 Select Credentials. Credentials are required for a Windows Policy scan to run successfully. To set up credentials, see Scan Properties - Credentials (see "Managing Credentials" on page 380).
12 Click Next.
13 Select report options.
14 Click Next.
15 Select schedule options.
16 Click OK to save your scan.

Viewing Compliance Reports
To get here from the Foundstone Enterprise Manager, click REPORTS > VIEW REPORTS and select Scan Reports in the Completed Reports area. Click View Report to view a report generated from a Windows Policy Template Scan.
The Windows Policy Report provides information gathered from a Windows Policy Template Scan. It identifies which scanned hosts are compliant and which are noncompliant. Use it to help bring your scanned hosts into compliance.

Compliance Summary Report
To get here from the Foundstone Enterprise Manager, click REPORTS > VIEW REPORTS and select Scan Reports in the Completed Reports area. Click a report name for the Windows Policy Template Scan to view the report. Select Report Pages > Compliance Summary.
This report provides an overview of a Windows policy compliance scan. Use it to quickly identify anomalies or problems in your environment.

Compliance Summary Report Features
Scan Specifications: Displays information about the report section, the scan name, and the generation date/time.
Host Summary: Displays the number of hosts scanned, the number of Windows Host Assessment Modules (WHAM) scanned, the number of hosts that are compliant, the number of hosts that are noncompliant, and the compliance percentage.
Policy Summary: Displays the Windows policy, the number of hosts scanned, the number of hosts that are compliant with this policy, the number of hosts that are noncompliant with this policy, the number of hosts where policy compliance could not be determined, and the compliance rate for this policy.
Plus/minus icons: Clicking a plus icon expands a report section; clicking a minus icon hides it.
Search icon: Use Search to find a specific policy or host in the compliance report.

Compliance Policy Details
To get here from the Foundstone Enterprise Manager, click REPORTS > VIEW REPORTS and select Scan Reports in the Completed Reports area. Click a report name for the Windows Policy Template Scan to view the report. Select Report Pages > Compliance Policy Details.
This report displays a Windows policy and the systems affected by it. Use it to identify systems that are noncompliant.

Compliance Policy Details Report Features
Scan Specifications: Displays information about the report section, the scan name, and the generation date/time.
Compliance Policy Details: Displays the policy setting, the system(s) affected by the policy, the operating system, and the system policy status (Pass/Fail). Note: You can click the system IP address to view the system's Compliance Policies by IP report.
Plus/minus icons: Clicking a plus icon expands a report section; clicking a minus icon hides it.
Search icon: Use Search to find a specific policy or host in the compliance report.

Compliance Hosts
To get here from the Foundstone Enterprise Manager, click REPORTS > VIEW REPORTS and select Scan Reports in the Completed Reports area. Click a report name for the Windows Policy Template Scan to view the report. Select Report Pages > Compliance Hosts.
This report provides an overview for each system in your Windows policy compliance scan. Use it to identify all noncompliant policy settings (marked Failed) for each system in your environment.

Compliance Hosts Report Features
Scan Specifications: Displays information about the report section, the scan name, and the generation date/time.
Compliance Policies By IP: Displays all compliance policies affecting a single IP address. The list shows the Windows policy name and whether the system passed or failed compliance.
Plus/minus icons: Clicking a plus icon expands a report section; clicking a minus icon hides it.
Search icon: Use Search to find a specific policy or host in the compliance report.

Managing Remediation
To get here, click MANAGE > REMEDIATION. You must be logged in as the Root Organization Administrator or the Remediation Administrator to use this page.
As the Root Organization Administrator or Remediation Administrator, you can manage remediation tickets throughout the organization and its workgroups. This includes setting up rules to auto-assign remediation tickets.
The Remediation Management page contains two tabs:
• Rules (see "Remediation - Rules" on page 423) lets you set up rules that automatically assign remediation tickets to your Foundstone 6.5 users.
• Global Options (see "Remediation - Global Options" on page 428) lets you determine when remediation tickets are created, enable the auto-close feature, and set default due dates for tickets based on their risk level.

Scope
The settings on this page affect the entire organization, including all workgroups. Workgroup administrators cannot change these settings.

Remediation - Rules
Foundstone 6.5 lets you create auto-assignment rules that automatically assign tickets to a user when the tickets are created.
In an auto-assignment rule, you determine the action that the rule takes and specify the criteria used to qualify tickets for that rule. As soon as a ticket qualifies, the rule performs its action on that ticket. When a ticket is automatically assigned, the details are logged on the Ticket Details page (on page 445) for that ticket.
This page lists all of the rules that have been created for Remediation. The list is empty until you add a rule. You can add as many rules as you need. When tickets run through the assignment process, the first rule that matches a ticket determines the action taken for that ticket; later rules are not consulted for it, so place specific rules above broad ones.

Scope
The settings on this page affect the entire organization, including all workgroups. Workgroup administrators cannot change these settings.

Procedures
On this page you can do the following:
• To create a new rule, click New Rule. The Rule Editor page (page 425) appears.
• To edit an existing rule, click Edit.
• To delete an existing rule, click Delete.
• To run a rule on all existing unassigned tickets, click Run.
• To change the order in which rules run, click Up and Down to move rules in the list. The rules run in order, from the top of the list to the bottom. If a ticket is evaluated by all of the rules and matches none of them, it remains unassigned and appears as a new ticket on the REMEDIATION > NEW TICKETS page (see "New Tickets Page" on page 434), where an administrator can assign it manually.
• To activate or deactivate a rule, click Edit, choose Active or Inactive from the Status dropdown box, and click Save.

Figure 131: Remediation Rules List

Rules Options
Name: Shows the name of the rule.
Description: Enter a description that quickly identifies the rule's actions.
Status: Active means the rule is used to check all generated tickets.
Inactive rules remain in the system but are not used to make ticket assignments.
Edit: Click to edit the rule. It opens the Rule Editor page (page 425).
Delete: Removes the rule from this list and deletes it from the system. If you want to keep the rule, make it inactive instead of deleting it. See To make a rule active or inactive (page 427).
Run: Checks all unassigned tickets for any that match the rule's criteria. If any are found, the rule assigns them according to its settings.
Up / Down: Click to move the rule up or down through the list. Foundstone 6.5 runs the rules from the top of the list. Once a ticket matches a rule, it is not checked against subsequent rules.

Using the Rule Editor
To get here, click REMEDIATION > RULES > New Rule, or click Edit on an existing rule.
The Rule Editor lets you specify to whom tickets are assigned, the tickets' due dates, and the criteria used to match tickets to the rule.

Procedures
On this page you can do the following:
• To create a new line of criteria, click Add Criteria. See To create new criteria (page 427).
• To remove a line of criteria, click Delete on the line you want removed.
• To automatically assign, export, or ignore a ticket, choose the appropriate behavior from the Action dropdown box.
• To activate the rule, choose Active from the Status dropdown box.

Figure 132: Remediation Rule Editor

Rule Editor Settings
Rule Name: Enter a name for the rule. The Rule Name box allows 50 characters and displays 30.
Status: Active means the rule is used to check all generated tickets. Inactive rules remain in the system but are not used to make ticket assignments.
Description: Enter a description that quickly identifies the rule's actions. The Description box allows and displays 256 characters.
Action:
• Assign lets you specify the user and due date for the tickets.
• Export exports all tickets that meet the criteria. This option is often used with helpdesk systems that create their own tickets from email messages. See the online help for more information on exporting tickets.
• Ignore ignores all tickets that meet the criteria. Future scans that discover the same vulnerabilities on the same hosts do not generate tickets for those vulnerabilities. Because that suppression persists across scans, keep the criteria of an Ignore rule narrow.
Assignee:
• Asset Owner assigns the ticket to the user specified as the asset owner* on the Asset Management page in the Foundstone Enterprise Manager. *If the rule is set to assign a ticket to the asset owner and no asset owner is assigned, the rule is skipped so that subsequent rules can be processed. Asset owners are assigned by the Workgroup Administrator.
• [name] assigns the tickets to the person you choose. This list shows only users that have been entered into the system.
Due Date: Determines how long the user has to fix the vulnerability described on the ticket. The number of days is counted from the date the vulnerability is discovered and the ticket created.
Add Criteria: Lets you create criteria for the rule. For more information, see To create new criteria (page 427).
The following table describes the criteria settings. For each setting, you can choose whether to find tickets that match (Equals) or that do not match (Not Equals).

Criteria Settings
Risk: The risk of the vulnerability identified by the ticket: high, medium, low, or informational.
Platform: Enter a partial name of the operating system running on the host. For example, the entry Win matches all versions of the Windows operating system. The Platform box allows 160 characters and shows 30.
Asset Name: If you have assigned asset names to hosts in the Asset Management module, enter one here. A partial name applies the rule to any asset whose name contains it. The Asset Name box allows 160 characters and shows 30.
Asset Criticality: If you have assigned asset criticality ratings to hosts in the Asset Management module, specify the criticality here.
IP Address Range: Enter an IP address range in the form start-end, for example 10.0.0.1-10.0.0.255. The IP Address Range box allows 160 characters and shows 30.
Vulnerability Name: To assign tickets for specific vulnerabilities, enter a partial vulnerability name. A partial name applies the rule to any vulnerability whose name contains it. The Vulnerability Name box allows 160 characters and shows 30.
Scan Name: Choose the scan from the Scan Name dropdown box.

To make a rule active or inactive
1 On the Rules List page, find the rule you want to change and click Edit.
2 In the Rule Editor, choose Active or Inactive.
3 Click Save.

To create new criteria
Set the criteria for the rule by changing the values on each criterion line.
1 Click Add Criteria. A new row appears, allowing you to select the options that make up a criterion. You can click Add Criteria again to create as many criteria as you need for the rule.
2 Change the values of the criterion as needed.
3 Click Add Criteria to create another line, or click Save to save the rule.
4 Click Delete to remove a line if needed.

Figure 133: Remediation rule criteria list

Remediation - Global Options
This page contains the global settings for Remediation.

Scope
The settings on this page affect the entire organization, including all workgroups. Workgroup administrators cannot change these settings.
Procedures
On this page you can do the following:
• Set the vulnerability risk level at which remediation tickets start to be generated.
• Enable or disable the remediation ticket auto-close feature.

Figure 134: Remediation - Global Options

Global Remediation Settings
Create tickets for all vulnerabilities with a risk level higher than or equal to ____: Choose the level of vulnerability that should cause a ticket to be generated.
• Informational: All vulnerabilities produce a ticket.
• Low: Low, medium, and high-risk vulnerabilities produce a ticket.
• Medium: Only medium and high-risk vulnerabilities produce a ticket.
• High: Only high-risk vulnerabilities produce a ticket.
Enable automatic closure of tickets whose vulnerabilities have been resolved: This feature is enabled by default. It automatically closes tickets that are resolved. See Setting up Tickets to be Automatically Closed. Tip: Enable this feature to quickly close tickets by verifying them through your regular scanning process. Auto-close triggers when a later scan finds the host live but no longer finds the vulnerability (see Ticket States), so a ticket is only as verified as the scan that closes it.
Ticket Default Dates: Set the default due date for auto-assigned tickets according to the ticket's vulnerability risk. For example, setting high-risk tickets to 15 days means that when a new high-risk vulnerability is discovered, the ticket generated for it has a due date 15 days after the ticket was created.

REMEDIATION Menu
To see the menu, hold the mouse over REMEDIATION.

Figure 135: Remediation Menu - New, Open, Review, Closed, Search Tickets

Remediation Overview
The REMEDIATION menu leads you through the process of managing remediation tickets:
• NEW TICKETS (see "New Tickets Page" on page 434) shows the tickets that have not been assigned to a user. Administrators review new tickets and assign them to users.
This can be done using rules that automatically assign tickets (see "Remediation - Rules" on page 423), or by assigning them manually through the New Tickets page.
• OPEN TICKETS (see "Remediation > Open Tickets" on page 437) shows the tickets that have been assigned but not resolved. Users that have tickets assigned to them come to the Open Tickets page to find their tickets. Users can open the Ticket Details page (see "Ticket Details" on page 445) for any of their tickets. After resolving the ticket, the user marks it Complete or False-Positive and submits notes on the ticket, which sends it back to the administrator for approval. The user can also assign the ticket to another user or administrator.
• REVIEW TICKETS (on page 439) shows the tickets that have been resolved but not approved. The administrator reviews the resolved tickets on the Review Tickets page and can approve the resolution, send it back to the user, or reassign it to another user.
• CLOSED TICKETS (see "Remediation > Closed Tickets" on page 441) shows the tickets that have been approved. Tickets can be closed by the administrator on the Review Tickets page (see "Review Tickets" on page 439), or automatically through the auto-close rules (see "Remediation - Global Options" on page 428).
• SEARCH TICKETS (see "Remediation > Search Tickets" on page 442) lets you search the database for the tickets you can access.

Remediation Roles and Scope
Foundstone 6.5 supports the following roles in remediation administration.
Remediation Roles - Access Rights
Global Administrator: ticket rights None; scope None.
Root Organization Administrator: ticket rights Assign, Review, View Own*; scope entire organization and all workgroups.
Remediation Administrator: ticket rights Assign, Review, View Own*; scope entire organization and all workgroups.
Workgroup Administrator: ticket rights Assign, Review, View Own*; scope workgroup and child workgroups.
User with Manage Access (Remediation Manager): ticket rights Assign, Review, View Own*; scope scans for which he or she can view Remediation.
User with View Access: ticket rights View all tickets, View Own*; scope scans for which he or she can view Remediation.
User with no Access: ticket rights View Own*; scope None.
* View Own rights apply to ANY ticket assigned to the user; they are not limited to any workgroup or scan.

Rights
The following rights describe the basic Remediation access privileges for the above roles.
• Assign: When a new ticket is created, you can assign it to Foundstone 6.5 users.
• Review: When a user has marked a ticket as Complete or False Positive, you can review it and change it to Closed or False Positive Acknowledged.
• View Own: When a ticket is assigned to you, you can view its details and mark it as Complete or False Positive.

Role Creation
The following descriptions explain how the Foundstone 6.5 roles are created:
• Global Administrator does not pertain to remediation. It is created when Foundstone 6.5 is installed.
• Root Organization Administrator is created by adding a user to the Administrator group at the root level of the organization.
• Remediation Administrator is created by adding a user to the Remediation Administrator group at the root level of the organization.
• Remediation Manager is created by creating a user group with Manage Tickets by Scan privileges in the Access Rights dialog box.
• Workgroup Administrator is created by adding a user to the Administrator group of a workgroup.
• The three user roles (Manage, View, and none) are assigned on the User Properties - Access Rights page (see "User Properties - Access Rights" on page 247). These roles can also be created by adding a user to a group that has been defined with these rights.

Ticket States
In Foundstone 6.5, remediation tickets can exist in one of nine possible states. Figure 136 shows the states and who moves a ticket into each of them (its columns are Foundstone Automatic Action, Remediation Manager Action, Remediation User Action, and Final State):

Figure 136: Remediation - Ticket States
• Unassigned: new ticket generated by Foundstone.
• Assigned: assigned by a manager or by a remediation rule.
• Completed: the user has resolved the issue.
• Closed: a Completed ticket approved by a manager.
• False Positive: the user believes the ticket is erroneous.
• False Positive Acknowledged: a False Positive ticket approved by a manager.
• Exported: exported by a manager.
• Ignored: ignored by a manager.
• Auto-Closed: Foundstone found the host live but did not find the vulnerability.

Unresolved Ticket States
Tickets in these states have not been resolved:
• New/Unassigned: the ticket has been generated by Foundstone 6.5 but has not been assigned. A Remediation Manager can view these tickets on the New Tickets page (on page 434) and can assign the ticket to a user (see "To assign tickets to a user" on page 436), export the ticket to a third-party ticketing system (see "To export tickets to a helpdesk system" on page 436), or ignore the ticket (see "To ignore a ticket" on page 437).
• Open/Assigned: the ticket has been assigned to a user for remediation. The user reviews his or her list of assigned tickets on the Open Tickets page (see "Remediation > Open Tickets" on page 437) and can view the details of each ticket on the Ticket Details page (see "Ticket Details" on page 445).
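The auto-assignment rules described under Remediation - Rules and Using the Rule Editor above decide what happens to a New/Unassigned ticket. The following is an added example, not Foundstone code, that simulates that evaluation in Python so a rule order can be checked before it is configured: rules run top to bottom, the first match decides the action, an Asset Owner rule whose asset has no owner recorded is skipped so later rules still get a chance, and an unmatched ticket stays unassigned. The ticket fields, criterion names, rule representation and all sample rules and tickets are constructed for this example; the guide does not show the product's own data model.

```python
"""Ordered remediation auto-assignment rules, as the guide describes them.

Added example, not Foundstone code. Field names, the rule representation and
all sample rules and tickets are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional


@dataclass
class Ticket:
    ip: str
    risk: str            # high, medium, low, informational
    platform: str
    vuln_name: str
    asset_name: str = ""
    asset_owner: Optional[str] = None   # set on the Asset Management page
    scan_name: str = ""


@dataclass
class Criterion:
    setting: str         # risk | platform | asset_name | ip_range | vuln_name | scan_name
    value: str
    equals: bool = True  # False models "Not Equals"

    def matches(self, t: Ticket) -> bool:
        if self.setting == "risk":
            hit = t.risk.lower() == self.value.lower()
        elif self.setting == "ip_range":          # "start-end", inclusive
            lo, hi = (ip_address(p.strip()) for p in self.value.split("-"))
            hit = lo <= ip_address(t.ip) <= hi
        elif self.setting == "scan_name":
            hit = t.scan_name == self.value
        else:  # platform, asset_name, vuln_name: partial, case-insensitive match
            hit = self.value.lower() in getattr(t, self.setting).lower()
        return hit if self.equals else not hit


@dataclass
class Rule:
    name: str
    action: str                      # assign | export | ignore
    assignee: Optional[str] = None   # a user name, or ASSET_OWNER
    criteria: list = field(default_factory=list)
    active: bool = True


def evaluate(rules, ticket):
    """First active rule whose criteria all match decides the outcome."""
    for r in rules:
        if not r.active or not all(c.matches(ticket) for c in r.criteria):
            continue
        if r.action == "assign" and r.assignee == "ASSET_OWNER":
            if not ticket.asset_owner:
                continue      # no owner recorded: rule is skipped, keep going
            return r.name, "assign", ticket.asset_owner
        return r.name, r.action, r.assignee
    return None, "unassigned", None   # lands on the New Tickets page


# Constructed rule set; order matters.
RULES = [
    Rule("drop-info", "ignore", criteria=[Criterion("risk", "informational")]),
    Rule("owner-fixes-high", "assign", "ASSET_OWNER", [Criterion("risk", "high")]),
    Rule("dmz-nonwindows-to-helpdesk", "export",
         criteria=[Criterion("ip_range", "10.0.0.1-10.0.0.255"),
                   Criterion("platform", "Win", equals=False)]),
    Rule("windows-team", "assign", "wteam", [Criterion("platform", "Win")]),
]

# Constructed tickets.
TICKETS = {
    "A": Ticket("10.0.0.5", "high", "Windows Server 2003", "MS08-067", asset_owner="alice"),
    "B": Ticket("10.0.0.6", "high", "Linux 2.6", "OpenSSH version"),
    "C": Ticket("192.168.1.10", "medium", "Windows XP", "SMB signing"),
    "D": Ticket("192.168.1.11", "low", "Solaris 10", "telnet enabled"),
    "E": Ticket("10.0.0.7", "informational", "Windows 2000", "ICMP timestamp"),
}


def route_all(rules=RULES, tickets=TICKETS):
    return {k: evaluate(rules, t) for k, t in tickets.items()}


def shadowing_demo():
    """Moving the broad Windows rule to the top shadows the Asset Owner rule."""
    reordered = [RULES[3]] + RULES[:3]
    return evaluate(reordered, TICKETS["A"])


if __name__ == "__main__":
    for k, v in route_all().items():
        print(k, v)
    print("reordered:", shadowing_demo())
```

Compare route_all() with shadowing_demo(): ticket B is not left with the skipped Asset Owner rule but falls through to the export rule, and moving the broad Windows rule above the Asset Owner rule takes ticket A away from its owner. That is the ordering mistake the Up and Down buttons make easy, and the reason to keep specific rules above broad ones.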
Ticket States Resolved by the User
When a user works on a ticket, the user can change the ticket to one of the following two states:
• Completed - the user has done the required work and verified the ticket. Tickets in the Completed state must be verified by an administrator.
• False-Positive - the user has checked the machine and vulnerability listed by the ticket, and concluded that the vulnerability was a false alarm or should otherwise be ignored according to policy guidelines. Tickets in the False-Positive state must be verified by the administrator.

Ticket States Resolved by an Administrator
Administrators and Remediation Managers can set tickets to one of these states:
• Closed - after a user has marked a ticket as Completed, the administrator can verify that the vulnerability no longer exists on the host and set the ticket to the Closed state. Future tickets can be generated against this vulnerability on this host if the vulnerability is found by future scans.
• False-Positive Acknowledged - if a user marks the ticket as False Positive, the administrator can verify that it really is a False Positive condition and set it to this state. Future scans that find the same vulnerability on the same host will not generate a new ticket if this ticket is set to False-Positive Acknowledged.
• Exported - setting a ticket to Exported causes Foundstone 6.5 to send an email to a third-party helpdesk system or other system. Future tickets are not generated for a host/vulnerability when a ticket for that host/vulnerability has been exported. The email subject line contains the title "Helpdesk system ticket creation". The body of the email contains the details:
  "%scan_name%","%risk%","%vuln_name%","%vuln_details%","%IP%","%OS%","%user%"
• Ignored - if you determine that a particular host/vulnerability should be ignored, set the ticket to this state.
  Future tickets are not generated for a host/vulnerability when a ticket for that host/vulnerability has been ignored.

System-Resolved State
Foundstone 6.5 can automatically resolve tickets to this state:
• Auto-Closed - this state is used when Foundstone 6.5 automatically closes a ticket.

New Tickets Page
To get here, click REMEDIATION > NEW TICKETS. You must be logged on as an administrator or remediation administrator, or be able to manage remediation tickets for a specific scan, to see this page.
The New Tickets page shows new tickets that have not been assigned.

Scope
• This page is available to Remediation Administrators, Root Organization Administrators, Workgroup Administrators, and Remediation Managers.
• Workgroup Administrators and Remediation Managers see tickets for those workgroups and scans that they can access. See Remediation Roles and Scope (on page 430) for more information.

Procedures
On this page you can do the following:
• To sort the tickets, click any column heading.
• To assign a ticket, select the checkbox(es) by the ticket(s) you want to assign. Under Due Date, select the date for the ticket completion deadline. Under User, select the assignee to receive the ticket. In the lower-right corner, make sure the dropdown box is set to Assign. Click Submit.
• To export a ticket, select the checkbox(es) for the ticket(s) you want to export. In the lower-right corner, change the Assign dropdown box to Export. Click Submit. Future scans that find this vulnerability on this host will see that this ticket was exported, and will not generate another ticket for it.
• To ignore a ticket, select the checkbox(es) for the ticket(s) you want to ignore. In the lower-right corner, change the Assign dropdown box to Ignore. Click Submit.
  Future scans that find this vulnerability on this host will see that this ticket was ignored, will not generate another ticket for it, and will not record it on future scan reports.
• To assign multiple tickets, select the checkboxes for each ticket to be assigned. At the bottom of the page, in the Make all due on box, select the due date for the tickets. In the Assign all to box, select the assignee to receive the tickets. Click Submit to make the assignments.
• To view the details of any ticket, click the details icon.

Figure 137: Remediation - New Tickets (tickets that have not been assigned)

"New Tickets" Features

Display         Description
(checkbox)      Check the box to select the ticket for an action.
ID              Displays the internal ticket identification number.
Scan Name       Shows the name of the scan configuration that was used to generate the scan.
Risk            Shows the risk icon representing the risk level (high, medium, low).
Vulnerability   Shows the name of the vulnerability that the scan found. This is the vulnerability that needs to be fixed to close this ticket. Click the vulnerability title to see vulnerability details.
System          Shows the IP address of the vulnerable system.
Criticality     If a criticality level has been assigned to the system on which the vulnerability was found, the criticality appears here. 0 is used by default if no criticality has been assigned.
OS              Shows the operating system on the vulnerable system.
Due Date        If you are assigning the ticket, use this field to assign a due date. Click the calendar icon to see a calendar. Selecting a date from the calendar enters it into the Due Date box.
User            This list contains the available users throughout the organization. Selecting a user from the dropdown box selects the ticket for an action.
(details icon)  Click to see the details for this ticket. This opens the Ticket Details page (see "Ticket Details" on page 445).
Make all Due on:   If you are assigning multiple tickets, choose the due date here.
Assign all to:     Select the tickets you want to assign, choose the assignee from this dropdown box, and click Submit to make the changes.
Select an action:  Assign to the user in the User column, Export to an external helpdesk system, or Ignore this vulnerability on this machine.
Submit             Click to perform the action (assign, export, ignore) on the selected tickets.

To assign tickets to a user
1 Select the checkbox next to the ticket you want to assign.
  • To select all displayed tickets, select the checkbox in the column heading.
2 In the User column, select the user you want to assign to the ticket. This action automatically selects the ticket's checkbox if it is not already selected.
3 Make sure the action dropdown box is set to Assign.
4 Click Submit.
Note: Multiple tickets can be assigned to various users when you click Submit. They do not need to be assigned to the same user.

To export tickets to a helpdesk system
When you export a ticket, Foundstone 6.5 generates an email for that ticket. If you have selected multiple tickets and choose the Export option, it generates one email for each ticket.
Note: To use this feature you must set up the Helpdesk system.
1 Select the checkbox next to the ticket(s) you want to export. To select all displayed tickets, select the checkbox in the column heading.
2 In the User column, select the user you want to assign to the ticket.
3 Set the action dropdown box to Export.
4 Click Submit.
Note: If you select a user from the User dropdown box when you export the ticket, the user's name is included as one of the values in the email text.

To ignore a ticket
1 Select the checkbox next to the ticket you want to ignore. To select all displayed tickets, select the checkbox in the column heading.
2 In the User column, select the user you want to assign to the ticket.
3 Set the action dropdown box to Ignore.
4 Click Submit.

Remediation > Open Tickets
To get here, click REMEDIATION > OPEN TICKETS.
This page shows open tickets that have been assigned. Tickets remain on the OPEN TICKETS page until they have been marked as Completed or False-Positive, exported, or ignored.

Scope
• All users and administrators (except for the Global Administrator) can view this page.
• You can see any ticket assigned to you, regardless of your access rights or user role.
• Administrators and Remediation Managers also see tickets for those workgroups and scans that they can access.

Procedures
On this page you can do the following:
• To sort the tickets, click any column heading.
• To assign a ticket, select the checkbox for the ticket. Under Due Date, select the date for the ticket completion deadline. Under User, select the assignee to receive the ticket. Click Submit to make the assignment.
• To assign multiple tickets, select the checkboxes for each ticket to be assigned. At the bottom of the page, in the Make all due on box, select the due date for the tickets. In the Assign all to box, select the assignee to receive the tickets. Click Submit to make the assignments.
• Click the details icon to review the details of any ticket on the list.
Note: The assignment options can only be used by administrators.

Figure 138: Remediation - Open Tickets

Open Tickets Features

Display         Description
ID              Displays the internal ticket identification number.
Scan Name       Shows the name of the scan configuration that was used to generate the scan.
Risk            Shows the risk icon representing the risk level (high, medium, low).
Vulnerability   Shows the name of the vulnerability that the scan found. This is the vulnerability that needs to be fixed to close this ticket. Click the vulnerability title to see vulnerability details.
System          Shows the IP address of the vulnerable system.
Criticality     If a criticality level has been assigned to the system on which the vulnerability was found, the criticality appears here. 0 is used if there is no criticality.
OS              Shows the operating system on the vulnerable system.
User            Shows the user that was assigned to this ticket.
Due Date        Shows the due date for the ticket.
(details icon)  Click to go to the Ticket Details page.

Make all Due on:   If you are assigning multiple tickets, choose the due date here.
Assign all to:     Select the tickets you want to assign, choose the assignee from this dropdown box, and click Submit to make the changes.
Select an action:  Assign to the user in the User column, Export to an external helpdesk system, or Ignore this vulnerability on this machine.
Submit             Click to perform the action (assign, export, ignore) on the selected tickets.

Review Tickets
To get here, click REMEDIATION > REVIEW TICKETS. This option is only available if you have privileges to manage remediation tickets.
This page shows open tickets that have been marked as Completed or False-Positive. Review them, verify them, and close them.

Scope
• This page is available to Remediation Administrators, Root Organization Administrators, Workgroup Administrators, and Remediation Managers.
• Workgroup Administrators and Remediation Managers see tickets for those workgroups and scans that they can access. See Remediation Roles and Scope (on page 430) for more information.

Procedures
On this page you can do the following:
• To sort the tickets, click any column heading.
• To verify a ticket, click the details icon to see the Ticket Details page (see "Ticket Details" on page 445). Click Verify. After giving Foundstone 6.5 enough time to verify that the ticket has been resolved, return to the Review Tickets page to see the updated status and acknowledge the ticket.
• To close multiple tickets, select the checkbox for each ticket you want to close. Click Acknowledge Selected Tickets.
  Tickets that were marked as Completed are now marked as Closed. Tickets that were marked as False Positive are now marked as False Positive Acknowledged.

Figure 139: Remediation - Review Tickets

Open Tickets Features

Display         Description
ID              Displays the internal ticket identification number.
Scan Name       Shows the name of the scan configuration that was used to generate the scan.
Risk            Shows the risk icon representing the risk level (high, medium, low).
Vulnerability   Shows the name of the vulnerability that the scan found. This is the vulnerability that needs to be fixed to close this ticket. Click the vulnerability title to see vulnerability details.
System          Shows the IP address of the vulnerable system.
Criticality     If a criticality level has been assigned to the system on which the vulnerability was found, the criticality appears here. 0 is used if there is no criticality.
OS              Shows the operating system on the vulnerable system.
User            Shows the user that was assigned to this ticket.
Due Date        Shows the due date for the ticket.
Status          Shows the status of the ticket, as the user marked it.
                • Complete - the user resolved the vulnerability on the host.
                • False-Positive - the ticket was not fixed, but is marked as a False-Positive. Future scans that find this vulnerability on this machine will not generate additional tickets.
                • Ignored - this ticket is to be ignored. Future scans that find this vulnerability on this machine will not generate additional tickets.
                • Exported - this ticket has been forwarded (via email) to a third-party help desk system. The third-party help desk system is now responsible for this ticket and a new ticket will not be generated for this vulnerability on the system on which it was found.
Verified        Shows whether Foundstone 6.5 has verified that the vulnerability was not found on the host.
(details icon)  Click to go to the Ticket Details page.
Remediation > Closed Tickets
To get here, click REMEDIATION > CLOSED TICKETS.
This list contains the tickets that have been closed by the administrator, or that have been automatically closed by Foundstone.

Scope
• This page is available to Remediation Administrators, Root Organization Administrators, Workgroup Administrators, and Remediation Managers.
• Workgroup Administrators and Remediation Managers see tickets for those workgroups and scans that they can access. See Remediation Roles and Scope (on page 430) for more information.

Procedures
• To see vulnerability details (see "Vulnerability Details List" on page 129), click the vulnerability name.
• Click the details icon to see the details for any closed ticket.

Figure 140: Remediation - Closed Tickets

Closed Ticket Features

Display         Description
ID              Displays the internal ticket identification number.
Scan Name       Shows the name of the scan configuration that was used to generate the scan.
Risk            Shows the risk icon representing the risk level (high, medium, low).
Vulnerability   Shows the name of the vulnerability that the scan found. This is the vulnerability that needs to be fixed to close this ticket. Click the vulnerability title to see vulnerability details.
System          Shows the IP address of the vulnerable system.
Criticality     If a criticality level has been assigned to the system on which the vulnerability was found, the criticality appears here. 0 is used if there is no criticality assigned.
OS              Shows the operating system on the vulnerable system.
User            Shows the user that was assigned to the ticket.
Due Date        Shows the due date assigned to the ticket.
Status          Shows the status.
                • Closed - the vulnerability was marked completed by a user, and verified by an administrator.
                • AutoClosed - the vulnerability was tested for by Foundstone 6.5 and not found.
Verified        Shows Passed if the verification showed that the vulnerability no longer exists on the host. Shows Failed if the verification showed that the vulnerability still exists on the host.

Remediation > Search Tickets
To get here, click REMEDIATION > SEARCH TICKETS.
This page lets you search the database for tickets that match your search criteria. When you submit a search, the results appear on the same page so that you can refine your criteria if needed.

Scope
All users have access to search tickets, but the results only show the tickets that the user can access. Access rights can be granted to users on a scan-by-scan basis. Administrators can find all tickets that belong to scans in their own workgroup or organization.

Procedures
Several new features have been added to the Search Tickets page in Foundstone 6.5.
• To search for a specific ticket number, enter it in the Ticket ID box and click Search.
• To create search criteria, select the desired ticket status, enter the additional search criteria, and click Search. The results appear on the same page, above your criteria, allowing you to modify them as needed.

Figure 141: Remediation - Search Results

Search Criteria

Setting          Description
Ticket ID        Lets you search for a specific ticket by entering the ticket number here. Press the Enter key to start the search.
                 Note: The Ticket ID box appears throughout the Remediation Module, including the New Tickets (see "New Tickets Page" on page 434), Open Tickets (see "Remediation > Open Tickets" on page 437), Review Tickets (on page 439), Search Tickets, and Ticket Details (on page 445) pages.
Status           Choose the status of the ticket you want to find. You can select multiple ticket states here, but if left blank the search will not return any tickets.
Assigned To      Select a user from the dropdown box.
                 The results show the tickets that have been assigned to this user.
Operating System Enter a partial OS name like "Win" to limit the search to specific operating systems.
Risk             Choose the vulnerability risk level from the dropdown list. The results only show those tickets associated with a vulnerability that has this risk level.
Asset Name       Enter a partial asset name to find a ticket associated with a labeled asset.
Criticality      Choose the criticality from the dropdown list. The results will be limited to tickets associated with assets that have been assigned this criticality.
IP From          If searching for an IP range, enter the beginning IP in the range here.
IP To            If searching for an IP range, enter the ending IP in the range here.
Due Date Prior to  Click the calendar icon to choose a date. Results will show the tickets that are due before this date.
                 Note: Since the due date is unknown until the ticket is assigned, search results using the Due Date do not show unassigned tickets.
Scan Name        Enter a partial scan name to get the tickets belonging to a specific scan.
Sort by          Choose the ticket property to use for the primary sort order.
Then             Choose the ticket property to use for the secondary sort order.
Search           Click to submit the criteria and begin searching for matching tickets.

Ticket Details
To get here, click REMEDIATION > NEW TICKETS, OPEN TICKETS, REVIEW TICKETS or CLOSED TICKETS and click the details icon.
This page shows the details for an individual ticket.

Procedures for Administrative Users
On this page you can do the following:
• To add a ticket comment, enter the comment in the Additional Comments box and click Submit.
• To resolve the ticket, select the Change ticket status to radio button. Choose the new status from the Change ticket status to dropdown box. Click Submit.
• To reassign the ticket, select the Assign/Reassign vulnerability to radio button.
  Choose the assignee from the Assign/Reassign vulnerability to dropdown box. Choose the due date from the and set the due date to: dropdown box. Add an optional comment, and click Submit.
• To see the next ticket in the list on the page you were on before coming to the details page, click Next Ticket at the top of the page.
• To see the detailed host report for the host, click the System IP address.
• To see more details about the vulnerability, click the Vulnerability name.
• To verify that a ticket's vulnerability has been resolved, click Verify. This process runs a single-IP, single-vulnerability check against the host associated with the ticket to see if the host is still vulnerable. If the vulnerability no longer exists, Foundstone 6.5 sets the ticket status to closed and moves the ticket to the Review bucket so that an administrator or remediation manager can review it.

Remediation tickets are tied closely to the FoundScan Engine that found the vulnerability on the ticket. When you verify a ticket, Foundstone 6.5 searches for the FoundScan Engine that performed the original scan. It uses that FoundScan Engine to scan the vulnerable computer, ensuring that the vulnerability no longer exists. If the FoundScan Engine that originally performed the scan is not available, the primary scan engine performs the verification scan. The settings for specifying the primary FoundScan Engine are in the portal/include/config.ini file on the Web Server running the Foundstone Enterprise Manager.

Administrative Users
Administrators (Root Organization Administrators, Workgroup Administrators, and Remediation Administrators) see the following page.

Figure 142: Remediation - Ticket Details Page

Remediation-Only Users
Users that do not have management or administrative privileges see the following page.
Figure 143: Ticket Details - Remediation-Only Users

The Ticket Details page shows specific information about a single ticket.

Display         Description
Scan            Shows the name of the scan configuration that was used to generate the scan.
System          Shows the IP address of the vulnerable system.
Criticality     If a criticality level has been assigned to the system on which the vulnerability was found, the criticality appears here. 0 is used if there is no criticality.
Status          • Unassigned - the ticket has not been assigned to anyone.
                • Assigned - the ticket has been assigned to an administrator or user.
                • Completed - the ticket has been fixed.
                • False-Positive - the ticket was not fixed, but is marked as a False-Positive. Future scans that find this vulnerability on this machine will not generate additional tickets.
                • False-Positive Acknowledged - the ticket was acknowledged by the administrator as being a false positive. Note: Future scans that find this vulnerability on this machine will not record this vulnerability for this machine on future scan reports.
                • Exported - this ticket has been forwarded (via email) to a third-party help desk system. The third-party help desk system is now responsible for this ticket and a new ticket will not be generated for this vulnerability on the system on which it was found.
                • Ignored - this ticket has been set to ignored. Future tickets are not generated for a host/vulnerability when a ticket for that host/vulnerability has been ignored. Note: Future scans that find this vulnerability on this machine will not record this vulnerability for this machine on future scan reports.
Resolution      • New - a new ticket that has not been assigned to a user.
                • Open - a ticket that has been assigned.
                • Closed - a ticket that is completed.
Assigned to     Shows the name of the user that owns this ticket.
Vulnerability   Shows the name of the vulnerability that the scan found.
                This is the vulnerability that needs to be fixed to close this ticket. Click the vulnerability title to see vulnerability details.
Risk Details    Shows the risk level (high, medium, low).
Recommendation  Foundstone 6.5 offers specific recommendations and instructions on removing and patching vulnerabilities.
Comments        Shows the comments entered regarding this ticket. Enter the comments below in the Ticket Changes section.
Ticket Number   Displays the internal ticket identification number.
Risk            Shows the risk icon representing the risk level (high, medium, low).
OS              Shows the operating system on the vulnerable system.
Verification    If this ticket has been verified, shows "Passed" if the vulnerability no longer exists, "Still vulnerable" if the vulnerability still exists, or "Error" if the engine did not run the FSL script. If the ticket has not been verified, this field is blank. The status shows "In progress" if the final results of the verification are not yet available.
Due Date        If you are assigning the ticket, use this field to assign a due date.

To verify that a ticket's vulnerability has been resolved
1 Open the Ticket Details page for the ticket containing the vulnerability you want to verify.
  Tip: You can enter the ticket number in the search box at the top of any page under the REMEDIATION menu.
2 Click Verify. The system runs a single scan against the host listed on the ticket to check for the listed vulnerability. This can take up to a few minutes.
3 Click Refresh. Watch for the Verification status to change as you click Refresh.
  • In progress - the test is running; the results are not yet available.
  • Passed - the host has been scanned; the vulnerability was not found.
  • Still Vulnerable - the scan found the vulnerability on the host.
  • Error - Foundstone did not run the script to verify the ticket.
  • Blank - if the ticket has not been verified, the field is left blank.
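The ticket lifecycle, access rights and export email described in the Remediation sections above, put together as an added example (not Foundstone's own code): it encodes the nine ticket states, which actor may make each transition, the View Own rule that lets a remediation user act only on tickets assigned to them, the states that stop later scans from opening a new ticket for the same host/vulnerability, and the export email body format. The Python names, the sample scan and host values, and the rule that a still-open ticket for the same pair is not duplicated are assumptions made for this example, not statements from the guide.

```python
import csv
import io
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    UNASSIGNED = "Unassigned"
    ASSIGNED = "Assigned"
    COMPLETED = "Completed"
    FALSE_POSITIVE = "False-Positive"
    CLOSED = "Closed"
    FALSE_POSITIVE_ACKNOWLEDGED = "False-Positive Acknowledged"
    EXPORTED = "Exported"
    IGNORED = "Ignored"
    AUTOCLOSED = "AutoClosed"

class Actor(Enum):
    SYSTEM = "Foundstone"             # automatic actions
    MANAGER = "Remediation Manager"   # holds the Assign and Review rights
    USER = "Remediation User"         # holds View Own only

# (from, to) -> the actor allowed to make that move, following the state diagram.
TRANSITIONS = {
    (State.UNASSIGNED, State.ASSIGNED): Actor.MANAGER,
    (State.ASSIGNED, State.ASSIGNED): Actor.MANAGER,       # reassign
    (State.UNASSIGNED, State.EXPORTED): Actor.MANAGER,
    (State.UNASSIGNED, State.IGNORED): Actor.MANAGER,
    (State.ASSIGNED, State.COMPLETED): Actor.USER,
    (State.ASSIGNED, State.FALSE_POSITIVE): Actor.USER,
    (State.COMPLETED, State.CLOSED): Actor.MANAGER,        # review
    (State.FALSE_POSITIVE, State.FALSE_POSITIVE_ACKNOWLEDGED): Actor.MANAGER,
    (State.UNASSIGNED, State.AUTOCLOSED): Actor.SYSTEM,    # live host, vuln gone
    (State.ASSIGNED, State.AUTOCLOSED): Actor.SYSTEM,
}

# A later scan that finds the same host/vulnerability creates no new ticket while
# a ticket for that pair is in one of these states. Closed is deliberately absent:
# the guide says a Closed vulnerability is ticketed again if a later scan finds it.
SUPPRESSING = {State.EXPORTED, State.IGNORED, State.FALSE_POSITIVE_ACKNOWLEDGED}
# Assumption for this example (not stated in the guide): open tickets are not duplicated.
UNRESOLVED = {State.UNASSIGNED, State.ASSIGNED, State.COMPLETED, State.FALSE_POSITIVE}

@dataclass
class Ticket:
    ticket_id: int
    scan_name: str
    risk: str
    vuln_name: str
    vuln_details: str
    ip: str
    os: str
    state: State = State.UNASSIGNED
    assignee: str = ""

def transition(ticket, new_state, actor, who="", assignee=""):
    """Move a ticket, enforcing which actor may do it and the View Own rule."""
    allowed = TRANSITIONS.get((ticket.state, new_state))
    if allowed is None:
        raise ValueError(f"{ticket.state.value} -> {new_state.value} is not allowed")
    if allowed is not actor:
        raise PermissionError(f"{actor.value} cannot set {new_state.value}")
    if actor is Actor.USER and who != ticket.assignee:   # View Own: own tickets only
        raise PermissionError(f"ticket {ticket.ticket_id} is not assigned to {who}")
    if new_state is State.ASSIGNED:
        if not assignee:
            raise ValueError("assigning a ticket requires an assignee")
        ticket.assignee = assignee
    ticket.state = new_state
    return ticket

def should_create_ticket(existing, ip, vuln_name):
    """Does a scan finding for (ip, vuln_name) produce a new ticket?"""
    return not any(t.ip == ip and t.vuln_name == vuln_name
                   and t.state in SUPPRESSING | UNRESOLVED for t in existing)

EXPORT_SUBJECT = "Helpdesk system ticket creation"
EXPORT_FIELDS = ("scan_name", "risk", "vuln_name", "vuln_details", "ip", "os", "user")

def export_email(ticket, user=""):
    """Export mail as the guide describes: fixed subject, one fully quoted CSV line."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="").writerow(
        [ticket.scan_name, ticket.risk, ticket.vuln_name,
         ticket.vuln_details, ticket.ip, ticket.os, user])
    return EXPORT_SUBJECT, buf.getvalue()

def parse_export_body(body):
    """Helpdesk side: map the quoted CSV body back onto the field names."""
    row = next(csv.reader(io.StringIO(body)))
    if len(row) != len(EXPORT_FIELDS):
        raise ValueError(f"expected {len(EXPORT_FIELDS)} fields, got {len(row)}")
    return dict(zip(EXPORT_FIELDS, row))

if __name__ == "__main__":
    # Constructed sample ticket: walk it from new to closed and show the export mail.
    t = Ticket(1, "Weekly DMZ scan", "High", "Sample vulnerability",
               "constructed details, with a comma", "10.0.0.5", "Windows 2003")
    transition(t, State.ASSIGNED, Actor.MANAGER, who="mgr", assignee="alice")
    transition(t, State.COMPLETED, Actor.USER, who="alice")
    transition(t, State.CLOSED, Actor.MANAGER, who="mgr")
    print(t.state.value, should_create_ticket([t], "10.0.0.5", "Sample vulnerability"))
    print(export_email(Ticket(2, "Weekly DMZ scan", "Low", "Other", "", "10.0.0.6", "Linux")))
```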
Managing Threats
To get here, click THREATS on the global navigation menu.
The Threat Correlation Module serves two major functions: Threat Correlation and Threat Compliance.

Threat Correlation
Use Threat Correlation (on page 451) to quickly respond to threats when and where it matters most in your organization. It enhances your ability to respond rapidly and effectively to critical threats such as coordinated attacks and rampant worms.
The Threat Correlation Module receives Threat Intelligence updates from McAfee Labs, allowing you to immediately correlate these threats with the known open vulnerabilities on your network. This allows you to respond immediately to breaking events. It profiles current threats such as worms, wide-scale attacks, and important new exploits, and correlates these events to the asset and vulnerability information already gathered by Foundstone 6.5.

Threat Compliance
Use Threat Compliance (see "Threat Response Compliance" on page 453), in the lower half of the page, to see how compliant your network is for a given threat. The chart lets you correlate specific threats with specific groups of scans, called Business Units.
Note: (N/A) indicates either that no hosts were found matching the noted platform, or that the selected scan did not include the related FSL checks for the threats.

Scope
Correlation reports and the settings you choose for Threat Compliance (on this page) are local; they affect what you see through your browser, but do not affect other users. However, the settings on the configuration pages affect all users.

Procedures
On this page you can do the following:
• To correlate a threat with vulnerable hosts, find the threat you want and click Correlate (see "Threat Correlation" on page 451).
• To learn more about a specified threat, click Details to display the Threat Details page, which provides information on how to fix the vulnerability, possible exploits, and additional correlation information.
• To search for a specific threat, click the search icon. Enter the text to search for, and click Go. Click Close to cancel the search.
• To see the compliance for a specified threat, choose the Start Date and End Date, select the threat to view from the Available Threats list, and select the Business Unit containing the scans that correlate to the selected threat(s).
• To save the Threat Compliance chart and its data to your local computer, click Download.
• To refresh the chart with updated settings, click Regraph.
• To change the data points in the table to days, weeks, or months, choose from the Display View list. See Dynamic Time-Scale (on page 455) for more information on the default display.
• To see the data used to create the chart, click Table View.
• To see which scans were included to calculate the percentages in the Table View, check the box to Include Calculation Data.

Figure 144: Threat Compliance - shows current threats and compliance

Threat Correlation
When you click Correlate, Foundstone 6.5 goes through the results of specific scans to find out which of your hosts are susceptible to that threat. This page shows those results. The correlation is started by selecting a threat on the Threats page (see "Managing Threats" on page 449).

Procedures
On this page you can do the following:
• To view host details, click an IP address.
• To download the data in CSV format, click the download icon in the upper right corner.

Figure 145: Threat Correlation Details

Correlation Features

Setting           Description
Risk              Shows the calculated risk level, given the system and the vulnerability.
                  See How threat risk is calculated (on page 452).
System            Shows the name of the vulnerable system.
IP Address        Shows the IP address of the vulnerable system. Click the address to see the host details.
Criticality       Shows the criticality assigned to this host.
Matched By        Shows how the correlation was matched. See Risk vs. Matched By (on page 453) for more information.
Operating System  Shows the operating system running on that host.
Vulnerability     Lists the vulnerability. Click the vulnerability name to see the vulnerability details.

How threat risk is calculated
The Risk calculation displayed under Affected Hosts is a weighted indicator of threat significance based on the following factors:
• Asset Criticality, which is defined for a host in the Asset Management function. If no asset criticality is entered for the host, risk is calculated based on a criticality of low (1).
• Threat Impact, which is a value assigned by McAfee Labs representing the significance of a threat event.
• Vulnerability Risk, which is included in the Risk calculation when a threat description includes one or more associated vulnerabilities.

Risk vs. Matched By
The Matched By column under Affected Hosts provides a relative indication of the confidence of a particular threat match, but this confidence is not factored into the Risk calculation. Given the same Criticality value, hosts matching four categories have the same risk as a host that matches one category. However, if a host matches on the vulnerability category, the Risk calculation increases because the Vulnerability Risk is included in the final equation. As a result, the hosts that are affected by the associated vulnerability tend to have the highest Risk values within their Criticality grouping.
Threat Response Compliance

Threat Compliance View Area
Use the Threat Compliance View to see graphical representations of how threats affect the organization through the following charts:
• Threat Compliance (see "Threat Compliance Over Time" on page 454)
• Threats by Business Unit (page 456)
• Threats by Platform (page 457)
The chart area changes according to the tab selected.

Chart Limits
The number of data points on the chart, and the number of threats allowed on one chart, are both settings in the CONFIG.INI file (see "Setting the View Limits" on page 465).

Threat Compliance Over Time
The main view shows the Threat Compliance Over Time chart. It considers all hosts discovered within the Business Unit, and shows how many are compliant for each threat. When a host is compliant, it is not affected by the threat.

Procedures
On this page you can do the following:
• To download this report in a compressed file format, click Download.
• To change the data displayed on the chart, choose the threats and business units you want to display, and click Regraph.
• To view the data used to create the chart, click Table View.

Figure 146: Threat Compliance View - Compliance Over Time

Each plotted line in the chart represents a specific threat. The percentage is based on the number of hosts you can see, based on your access rights. A lower percentage of compliance indicates that a larger percentage of hosts are vulnerable.

Notes
• The date units are dynamically displayed across the bottom of the chart - see Dynamic Time-Scale (on page 455).
• The user selects specific threats to be displayed - see Changing the Chart Settings from the View (see "Adjusting the Chart Settings" on page 459).
• Administrators can configure the maximum number of threats and dates that can be shown on a single chart - see Setting the View Limits (on page 465).
• The default dates, threats, and regions can be configured by the administrator - see Adjusting the Chart Settings (on page 459).

Dynamic Time-Scale
By default, the chart displays its information by days, weeks, or months. The time unit is determined by the number of days between the selected start date and end date:

Number of Days Selected / Units Displayed
1 - 30 / Days
31 - 90 / Weeks
91 or more / Months

You can override the default by selecting an option from the Display View list.

Threats by Business Unit
This chart shows threat compliance by individual threat for each selected Business Unit.

Procedures
On this page you can do the following:
• To download this report in a compressed file format, click Download.
• To change the data displayed on the chart, choose the threats and business units you want to display, and click Regraph.
• To view the data used to create the chart, click Table View.

Figure 147: Threats by Business Units

Download
Clicking Download copies the current page and graph into a .zip file so you can download it from your Web browser.

Regraph
Clicking Regraph causes Foundstone 6.5 to read all of the user-specified settings on this page and use them to redraw the graph.

Chart View
Holding your mouse over one of the bars in the chart shows the actual value of that bar.

Table View
Clicking Table View displays the same information in a table, using the same values as those used in the chart. The columns show the selected threats and business units.
Figure 148: Threats by Business Unit - Table View

To see the details used to calculate the compliance data, check Include Calculation Data, click Regraph, and then click Table View.

Selectable Options
The selectable options are the same as on the Threat Compliance tab. You can change the date, choose which threats to include, search for specific threats in the list, and select specific business units to be included. See Threat Compliance Over Time (on page 454) for more information. This page does not show a Start and End date because the bar graph reflects a specific point in time, not a range of dates.

Notes
• Compliance is grouped by business unit.
• Each bar represents a specific threat.
• For more information on selecting Threats and Business Units, see Adjusting the Chart Settings (on page 459).

Threats by Platform
The Threats by Platform bar chart shows the level of compliance per operating system or platform. For each platform it compares the total number of hosts with the number of hosts that are compliant for the selected threats.

Procedures
On this page you can do the following:
• To download this report in a compressed file format, click Download.
• To change the data displayed on the chart, choose the threats, business units, and platforms you want to display, and click Regraph.
• To view the data used to create the chart, click Table View.

Figure 149: Threats by Platform

Download
Clicking Download copies the current page and graph into a .zip file and lets you download it through your Web browser.

Regraph
Clicking Regraph causes Foundstone 6.5 to read all of the user-specified settings on this page and use them to redraw the graph.

Table View
Clicking Table View displays the same information in a table, using the same values as those used in the chart.
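All three charts reduce to one question per host and threat: is the host affected or not. The following added example (not Foundstone code) computes the data behind each chart from constructed scan observations: the Compliance Over Time series, with the chart interval chosen by the Dynamic Time-Scale rule (1-30 days, 31-90 weeks, 91 or more months), the point-in-time tables behind Threats by Business Unit and Threats by Platform, and the corporate-expectation line that the Global Options page lets you define (page 463), which is assumed here to rise linearly between its start and end points. The host rows, threat names, business units and platforms are invented sample data, the inclusive day count is an assumption, and restricting by business unit stands in for the access-rights filter the guide mentions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the guide): one row per host per observation,
# as (observed, business unit, host, platform, threats the host is affected by).
ROWS = [
    (date(2007, 9, 1),  "Finance",  "fin-01", "Windows 2003",  {"Threat A", "Threat B"}),
    (date(2007, 9, 1),  "Finance",  "fin-02", "Windows XP",    {"Threat A"}),
    (date(2007, 9, 1),  "Research", "rd-01",  "Red Hat Linux", {"Threat B"}),
    (date(2007, 9, 1),  "Research", "rd-02",  "Windows 2003",  set()),
    (date(2007, 9, 15), "Finance",  "fin-01", "Windows 2003",  {"Threat B"}),
    (date(2007, 9, 15), "Finance",  "fin-02", "Windows XP",    set()),
    (date(2007, 9, 15), "Research", "rd-01",  "Red Hat Linux", {"Threat B"}),
    (date(2007, 9, 15), "Research", "rd-02",  "Windows 2003",  set()),
    (date(2007, 10, 1), "Finance",  "fin-01", "Windows 2003",  set()),
    (date(2007, 10, 1), "Finance",  "fin-02", "Windows XP",    set()),
    (date(2007, 10, 1), "Research", "rd-01",  "Red Hat Linux", {"Threat B"}),
    (date(2007, 10, 1), "Research", "rd-02",  "Windows 2003",  set()),
]

def time_unit(start, end):
    """Dynamic Time-Scale rule: 1-30 days -> days, 31-90 -> weeks, 91 or more -> months.
    The day count includes both end dates (an assumption; the guide does not say)."""
    days = (end - start).days + 1
    return "days" if days <= 30 else "weeks" if days <= 90 else "months"

def interval_of(day, unit):
    """Map an observation date to the chart interval that contains it."""
    if unit == "days":
        return day
    if unit == "weeks":
        return day - timedelta(days=day.weekday())  # Monday of that week
    return day.replace(day=1)                        # first day of that month

def percent(total, compliant):
    """Compliance percentage; None when no host is visible (nothing to divide by)."""
    return None if total == 0 else round(100.0 * compliant / total, 1)

def compliance_over_time(rows, threats, start, end, business_units=None):
    """{threat: {interval: % compliant}} over the hosts observed within [start, end].
    A host seen several times in one interval counts once, by its latest observation.
    business_units restricts the rows, standing in for the user's scan access rights."""
    unit = time_unit(start, end)
    latest = {}  # (interval, host) -> (observed, affected)
    for observed, bu, host, _platform, affected in rows:
        if start <= observed <= end and (not business_units or bu in business_units):
            key = (interval_of(observed, unit), host)
            if key not in latest or observed > latest[key][0]:
                latest[key] = (observed, affected)
    counts = defaultdict(lambda: [0, 0])  # (threat, interval) -> [hosts, compliant]
    for (interval, _host), (_observed, affected) in latest.items():
        for threat in threats:
            counts[(threat, interval)][0] += 1
            counts[(threat, interval)][1] += threat not in affected
    chart = {threat: {} for threat in threats}
    for (threat, interval), (total, ok) in counts.items():
        chart[threat][interval] = percent(total, ok)
    return chart

def compliance_by(group, rows, threats, as_of, business_units=None):
    """{business unit or platform: {threat: % compliant}} at one point in time, which is
    what the Threats by Business Unit and Threats by Platform bar charts plot.
    Each host is represented by its latest observation on or before as_of."""
    state = {}  # host -> (bu, platform, affected)
    for observed, bu, host, platform, affected in sorted(rows, key=lambda r: r[0]):
        if observed <= as_of and (not business_units or bu in business_units):
            state[host] = (bu, platform, affected)
    field = {"business_unit": 0, "platform": 1}[group]
    counts = defaultdict(lambda: [0, 0])
    for values in state.values():
        for threat in threats:
            counts[(values[field], threat)][0] += 1
            counts[(values[field], threat)][1] += threat not in values[2]
    table = defaultdict(dict)
    for (key, threat), (total, ok) in counts.items():
        table[key][threat] = percent(total, ok)
    return dict(table)

def expected_compliance(start, start_pct, end, end_pct, on):
    """The Compliance Percentage Options line from Global Options, read linearly between
    (Start Date, Start Percentage) and (End Date, End Percentage) and flat outside them.
    Linear interpolation is an assumption; the guide says only 'gradually improving'."""
    if on <= start:
        return float(start_pct)
    if on >= end:
        return float(end_pct)
    fraction = (on - start).days / (end - start).days
    return round(start_pct + fraction * (end_pct - start_pct), 1)

if __name__ == "__main__":
    threats = ["Threat A", "Threat B"]
    print(compliance_over_time(ROWS, threats, date(2007, 9, 1), date(2007, 9, 15)))
    print(compliance_by("business_unit", ROWS, threats, date(2007, 9, 15)))
    print(compliance_by("platform", ROWS, threats, date(2007, 10, 1)))
    print(expected_compliance(date(2007, 9, 1), 50, date(2007, 10, 1), 80, date(2007, 9, 16)))
```

The two bar charts carry no date range because compliance_by reads each host's latest state as of a single date; only the line chart buckets observations into intervals, which is why the Max_intervals limit in CONFIG.INI applies to it alone.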
Figure 150: Threat Compliance by Platform - Table View

Notes
• The date units are dynamic - see Dynamic Time-Scale (on page 455).
• The user selects specific threats to be displayed - see Adjusting the Chart Settings (on page 459).
• Administrators can configure the maximum number of threats and dates that can be shown on a single chart - see Setting the View Limits (on page 465).
• The default platforms and threats can be configured by the administrator - see Adjusting the Chart Settings (on page 459).

Adjusting the Chart Settings
You can configure the chart by changing the dates, which threats are shown, and which Business Units are included. These settings are available when the Threat Compliance tab is selected.

Warning Message
Choosing too many threats causes a warning to appear. The number of threats that can be included is determined by the limits set in the CONFIG.INI file. See Setting the View Limits (on page 465) for more information.

Finding Threats
Since the threat list can become very long, the list of threats is limited to the number that fit in the box. Type the first few letters of a threat to show only the matching threats.

To set the Start and End dates
The administrator selects the Start Date and End Date to determine the beginning and ending dates displayed on the chart.
1. In the Start Date box and End Date box, type the desired date using the format mm/dd/yyyy, or click the calendar icon and click the desired date in the calendar.
2. Click Regraph to update the graph with the new dates.

To choose which threats to include
The administrator can choose which threats appear on the chart.
1. In the Available Threats box, double-click a threat to select it.
When selected, the threat appears in the Selected Threats box. Scroll through the list, or type the first few letters of a specific threat in the Index Search box to find any matches.

Figure 151: Threat Selection Box

2. Click Regraph to update the chart.

To search for a specific threat
You can search for a specific threat using the Index Search box.
• In the Index Search box, start typing the name of the threat you want to find. As you type, the Show Threats to be Included box lists only the threats that match your entry. Click Reset to clear the filter.

To remove a threat from the list
1. In the Selected Threats box, double-click the threat to be removed.
2. Click Regraph to update the chart.

To select which Business Units appear
Business units are groups that contain scans. You can select specific business units to include in the Threat Compliance View from the View itself.
1. Double-click a business unit in the Show Business Units to be Included list to select it.
2. Click Regraph to update the graph with your changes.

Threat Configuration - User Options
This page lets you set the default options for the Threats page when you first open it.

Scope
The settings on this page only affect your login account. They do not affect other users on the system. These options override some of the settings on the Global Options page (see "Threat Configuration - Global Options" on page 463).

Procedures
On this page you can do the following:
• To set the default selected threats on the THREATS page, add the threats from the Available Threats list to the Selected Threats list. Double-click a threat to move it between the lists.
• To include threats that do not necessarily match the operating system specified in the threat details, check Include O/S Mismatches. The correlation still requires the other selected parameters to match.
By default, Foundstone 6.5 discards a host during correlation when the host's operating system does not match the operating system(s) specified in the Correlation Parameters of the threat definition (Threat Details), regardless of any port or service match. When this option is checked, threats that do not match the operating system specified in the threat details but do match the other correlation parameters are included under Affected Hosts. Hosts included this way matched on fewer correlation parameters, so treat them as lower-confidence matches.
• To set which scans are reviewed when correlating threats, select the checkbox for each scan in the Threat Correlation Options section.

Figure 152: Threats Configuration - User Options

Threat Configuration - Global Options
This page sets the default options that all users see when they open the Threats page (see "Managing Threats" on page 449).

Scope
The settings on this page affect the entire organization, including all workgroups. Workgroup administrators cannot change these settings.

Procedures
• To set the defaults, make the changes on this page and click Submit.

Figure 153: Threat Configuration - Global Options

Threat Global Options
Setting / Description
Compliance Percentage Options: The Compliance Over Time chart can contain a line on the graph showing corporate expectations for compliance. This lets you set a gradually improving standard for enforcing compliance and measure business units by their compliance to that standard.
 Start Percentage - Enter the beginning percentage value for the compliance line. This corresponds with the Start Date below.
 End Percentage - Enter the final percentage value for the compliance line. This corresponds with the End Date below.
 Start Date - Enter the beginning date for the compliance line.
 End Date - Enter the ending date for the compliance line.
Default Date Options: Shows the default dates that appear on the Threat Compliance Over Time chart (see "Threat Compliance Over Time" on page 454), the Threats by Business Unit chart (page 456), and the Threats by Platform chart (page 457).
Default Threats: Specify the default threats that are displayed in the Selected Threats list for the three Threat charts. This lets you keep important threats highly visible to THREAT users.
Default Platforms: Specify the default operating systems that are selected for the Threats by Platform chart.
Default Business Units: Specify the business units that are selected by default in all three charts.
Manage Business Units: Opens the Business Unit Editor page (see "Business Unit Setup" on page 465).
Cancel: Returns to the Threats page (see "Managing Threats" on page 449) without saving changes.
Submit: Saves changes made on this page and returns to the Threats page (see "Managing Threats" on page 449).

Setting the View Limits
System Administrators, or those with physical access to the Foundstone Enterprise Manager server, can set the limits of the Threat Compliance View by editing the Config.ini file. The CONFIG.INI file is located on the Web server that hosts the Foundstone Enterprise Manager. Anyone who can write to this file controls these limits, so keep its permissions restricted to administrators.
1. On the Foundstone Enterprise Manager server, navigate to \Portal\Include\Config.ini under the folder where you installed Foundstone 6.5. The default location is c:\program files\foundstone\portal\include\config.ini.
2. Open the file in NOTEPAD.EXE or another text editor.

To change the CONFIG.INI settings for the Threat Compliance View
• Edit the [Set Max Threats] section of the CONFIG.INI file. The Threat Compliance View settings are located under that section:
[Set Max Threats]
Max_threats=6
Max_intervals=6

• Max_threats - the number of threats that can be included in the Threat Compliance View chart at any given time.
• Max_intervals - the number of data points that can be displayed on the chart on a single page. This determines how quickly the data is broken into separate pages. If you have trouble seeing all the data on the chart, lower this value to display fewer date intervals per page.

Business Unit Setup
This page lets you create and edit business units. A business unit in this sense is a group of scans that can be saved and called up as needed by the Threat Correlation Module.

Scope
The settings on this page affect the administrator's own workgroup or organization. Changes to the business units in a workgroup or organization do not filter down to other workgroups.

Procedures
On this page you can do the following:
• To create a business unit, click New. Enter the name of the new business unit in the New Business Unit dialog and click OK. Any scans that were selected when you created the new business unit automatically become part of it. Click Save.
• To edit which scans belong to an existing business unit, select the business unit in the Business Units list. Select or de-select the scans that belong to that business unit in the Select Scans to Include list. Click Update Business Unit.
• To delete a business unit, select it from the Business Units list and click Delete. Click Save to make your changes final.

Figure 154: Business Unit Editor

Business Unit Editor Features
Setting / Description
Business Units list: Shows the business units that have been created. Default business units are available (see "Using Default Business Units" on page 467) if your enterprise has decided to use them.
Select Scans to Include list: Shows the scans that belong to the selected business unit.
Business Unit Name textbox: The textbox at the top of the Select Scans to Include list shows the name of the selected business unit. Enter a new name here and click Create Business Unit to create a new one; any scans you selected before creating it are included in it.
Update Business Unit: Select a business unit, make changes to its scans, and click this button to save those changes to it.
New: Prompts you for the name of a new business unit.
Delete: Deletes the selected business unit.
Select All Scans: Selects all of the scans in the Select Scans to Include list.
Clear All Scans: De-selects all of the scans in the Select Scans to Include list.
Save: Saves all changes and returns to the Global Options page (see "Threat Configuration - Global Options" on page 463).
Close: Returns to the Global Options page without saving any changes.

To create a new Business Unit
1. Click New.
2. Enter the name of the business unit.
3. Select the scans to be included.
4. Click Save.

To delete a Business Unit
1. Select the business unit to be removed.
2. Click Delete.
3. Click Save.

Using Default Business Units
Default business units contain all of the scans that you are allowed to see, based on your role or access rights:
• For the Root Organization Administrator, this includes all of the scans throughout the organization.
• For the Workgroup Administrator, this includes all of the scans in the workgroup and all sub-workgroups under it in the organization hierarchy.
• For the Foundstone User, this includes any scans to which the user has been granted explicit view access (see "User Properties - Access Rights" on page 247).

You can also set up the Threat Correlation Module to select this Default Business Unit automatically, so that it is used each time the user opens the Threat Correlation Module page.
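The view limits and the Default business unit switches all live in the same CONFIG.INI, and a hand edit in Notepad is easy to get wrong (a non-numeric Max_intervals, a tcv_ flag set to anything but 0 or 1). The following added example, not Foundstone code, reads the [Set Max Threats] keys described above and the three [optional] tcv_* switches set in the procedures that follow, validates them, and rewrites individual values while preserving every other line of the file. SAMPLE_INI is a constructed fragment, the comment syntax and the Config.ini.bak backup name are assumptions, and the default path is the guide's default install location.

```python
import re
import shutil
from pathlib import Path

# Default location from the guide; pass another path if Foundstone is installed elsewhere.
DEFAULT_PATH = Path(r"C:\Program Files\Foundstone\Portal\Include\Config.ini")

# Constructed sample of the relevant sections (the real file has many more keys).
SAMPLE_INI = """\
; Foundstone Enterprise Manager portal settings (constructed sample)
[Set Max Threats]
Max_threats=6
Max_intervals=6

[optional]
tcv_enable_default_bu = 0
tcv_select_default_bu = 0
tcv_central_admin_default_bu = 0
"""

# The documented keys and what each may hold: "int" = positive integer, "flag" = 0 or 1.
RULES = {
    ("Set Max Threats", "Max_threats"): "int",
    ("Set Max Threats", "Max_intervals"): "int",
    ("optional", "tcv_enable_default_bu"): "flag",
    ("optional", "tcv_select_default_bu"): "flag",
    ("optional", "tcv_central_admin_default_bu"): "flag",
}

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^(?P<key>\s*[^;#=\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")

def parse_ini(text):
    """Return {(section, key): value}; ';' and '#' comment lines are ignored (assumed syntax)."""
    settings, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        if (m := _SECTION.match(line)):
            section = m.group("name").strip()
        elif (m := _KEYVAL.match(line)) and section is not None:
            settings[(section, m.group("key").strip())] = m.group("value")
    return settings

def lookup(settings, section, key):
    """Case-insensitive read, since the guide spells the sections and keys inconsistently."""
    for (s, k), v in settings.items():
        if s.lower() == section.lower() and k.lower() == key.lower():
            return v
    return None

def validate(settings):
    """Problems with the Threat Compliance View keys; 'warning:' entries do not block a write."""
    problems = []
    for (section, key), kind in RULES.items():
        value = lookup(settings, section, key)
        if value is None:
            problems.append(f"[{section}] {key} is missing")
        elif kind == "int" and not (value.isdigit() and int(value) > 0):
            problems.append(f"[{section}] {key}={value!r} must be a positive integer")
        elif kind == "flag" and value not in ("0", "1"):
            problems.append(f"[{section}] {key}={value!r} must be 0 or 1")
    if lookup(settings, "optional", "tcv_central_admin_default_bu") == "1":
        problems.append("warning: tcv_central_admin_default_bu=1 builds a Default business unit "
                        "from every scan in the organization, which the guide warns against for large organizations")
    return problems

def set_value(text, section, key, value):
    """Change one key in place, keeping comments, order and spacing; add it if absent."""
    out, in_section, seen_section, done = [], False, False, False
    for line in text.splitlines(keepends=True):
        if (m := _SECTION.match(line)):
            if in_section and not done:            # leaving the section without finding the key
                out.append(f"{key}={value}\n")
                done = True
            in_section = m.group("name").strip().lower() == section.lower()
            seen_section = seen_section or in_section
        elif in_section and not done:
            kv = _KEYVAL.match(line)
            if kv and kv.group("key").strip().lower() == key.lower():
                k, _, v = line.partition("=")    # keep the key and its spacing, swap the value
                v = re.sub(r"\S.*?(?=\s*$)", str(value), v) if re.search(r"\S", v) else str(value) + v
                line, done = k + "=" + v, True
        out.append(line)
    if not done:
        if not seen_section:
            out.append(f"\n[{section}]\n")
        out.append(f"{key}={value}\n")
    return "".join(out)

def apply_updates(text, updates):
    """Apply {(section, key): value}; refuses keys the guide does not document."""
    for (section, key), value in updates.items():
        if (section, key) not in RULES:
            raise ValueError(f"{section}/{key} is not a Threat Compliance View setting")
        text = set_value(text, section, key, value)
    return text

def update_file(path, updates):
    """Validate, back up to <name>.bak, then write. Returns the problem list; writes only if nothing blocks."""
    path = Path(path)
    text = path.read_text(encoding="latin-1")       # byte-preserving read; the file is plain text
    new_text = apply_updates(text, updates)
    problems = validate(parse_ini(new_text))
    if not any(not p.startswith("warning:") for p in problems):
        shutil.copyfile(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(new_text, encoding="latin-1")
    return problems
```

Run it as update_file(DEFAULT_PATH, {("Set Max Threats", "Max_intervals"): 4}) from an administrative prompt on the Enterprise Manager server; an empty return value means the file was written and a .bak copy of the previous version sits beside it. Values are rewritten in place rather than regenerated, so whatever else the portal keeps in the file is left exactly as it was.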
To configure default Business Units
On the main Threats page, the following prompt appears and the threat compliance area is grayed out if there are no default Business Units.

Figure 155: Threat Compliance - set up Business Units to use compliance view

1. Click Configure. The Threat Configuration - User Options page is displayed.
2. Click the Global Options tab. Note: Only a Root Organization Administrator can access the Global Configuration page.
3. In the lower half of the Global Configuration page, click Manage Business Units. The Business Unit Editor page (see "Business Unit Setup" on page 465) opens.

New Users: Business Units are groups of scans, so there is no need to set up business units until you have set up individual scans. After you have created business units, you can open the Threats page without receiving an error message.

To enable the Default business unit
When this feature is enabled (set to "1"), a business unit named Default is available that contains all of the scans available to the user.
• In the CONFIG.INI file, under the [optional] heading, change the following line from "= 0" to "= 1":
tcv_enable_default_bu = 1

To select the Default business unit by default
When this feature is enabled (set to "1"), the Default business unit is selected whenever users open the Threat Correlation Module page.
• In the CONFIG.INI file, under the [optional] heading, change the following line from "= 0" to "= 1":
tcv_select_default_bu = 1

To enable the Default business unit for the Root Organization Administrator
When this option is enabled (set to "1"), the Root Organization Administrator can also use the Default business unit. For that account the business unit contains all scans for the entire organization.
• In the CONFIG.INI file, under the [optional] heading, change the following line from "= 0" to "= 1":
tcv_central_admin_default_bu = 1

Warning: This feature may not be appropriate for Root Organization Administrators in a large organization, because of the number of scans involved.

Troubleshooting

In this Appendix
Why does my browser ask me to load JRE? ... 470
Why does my browser show a Hostname Mismatch warning? ... 470
Why is a Scan Engine missing from the Manage > Engines list? ... 471
Why does my LDAP data synchronization fail? ... 472
Uploading reports doesn't work ... 472

This section provides information on common questions and issues.

Why does my browser ask me to load JRE?
Foundstone 6.5 requires Java Runtime Environment 1.6.0_02 to run portions of the Foundstone Enterprise Manager in your browser. If this version of Java is not detected on your system, your browser asks whether you want to install it. You do not need to uninstall other versions of the JRE to install this one. The installation is relatively fast and does not require external Internet access. Your browser might also ask whether you want to load an ActiveX control for Java Runtime Environment 1.6.0_02. If it does, choose to install it to continue using Foundstone 6.5.

Why does my browser show a Hostname Mismatch warning?

Symptom
When entering an area of Foundstone 6.5 that loads a Java application, such as the MANAGE > USERS/GROUPS page, you might see the following message:

The hostname in the server security certificate does not match the name of the server.
Hostname of the URL:
Hostname from the certificate:
Do you want to proceed?

This happens when you are using SSL and the computer name in the certificate on the Foundstone Enterprise Manager does not match the hostname of the server itself.
It can happen the first time you load a Java application during the current browser session. Click Yes to proceed; the warning does not appear again during that browser session.

Problem
This happens when Foundstone 6.5 is installed with the default certificates. Your browser checks the certificate presented by the Web server to make sure it matches the Web server's host name. The default certificate uses "Foundstone Enterprise Manager" as the host name, which can never match a real DNS name.

Resolution
Install your own custom certificates on each of the Foundstone 6.5 servers, issued for each server's fully qualified domain name. The browser can then match the host name with the name in the certificate and no longer shows the warning. Until then, every user who clicks Yes is accepting a certificate the browser could not tie to the server it reached, so treat the prompt as a stopgap rather than a permanent answer.

Why is a Scan Engine missing from the Manage > Engines list?

Symptom
When you go to the Manage > Engines page, it shows the available engines, but one or more engines do not appear.

Figure 156: Manage Engines - shows the available engines

Problem
The engine(s) in question are not available to your organization or workgroup.

Solution
In the organization or workgroup properties, go to the Engines tab and make sure that the engine(s) in question are available to your organization or workgroup.

Figure 157: Workgroup Properties - Scan Engines Tab

Why does my LDAP data synchronization fail?

Symptom
When you try to synchronize the data from your LDAP server, the synchronization fails.

Problem
This happens when the Foundstone Data Synchronization Service and the LDAP server are not in the same domain.

Resolution
Install the Foundstone Data Synchronization Service and the LDAP server in the same domain, using the same DNS.
If you previously set up your LDAP server as a Data Source in the Foundstone Enterprise Manager, you must delete it and create a new one after the Foundstone Data Synchronization Service and the LDAP server are in the same domain. The fully-qualified domain name (FQDN) cannot be changed once the data source is saved.

Uploading reports doesn't work

Symptoms
This issue can show up in any of the following ways:
• No reports appear on the Foundstone Enterprise Manager, but they are generated correctly on the FoundScan Console.
• When HTML and PDF reports are generated, the PDF reports do not appear on the Foundstone Enterprise Manager.
• Some reports are not uploaded to the Foundstone Enterprise Manager, but others seem fine.
• The log on the Remote tab in the FoundScan Console shows "Send End Fail - Files Sending Result = -399, State Sending Result = 0 (0)".
• The log in the Foundstone Enterprise Manager shows a line such as:
[04-21-2005 03:00:40] Client at 10.110.120.130: Content-Length 1004856 exceeded maximum allowed. Request will be rejected. Site Instance='1', Raw URL='/reports/server/server.exp'.

Problem
An application on your network may be limiting the files that get passed through by their size. By default, the FoundScan Console breaks the reports into 1MB file segments, so any program that limits requests to 1MB or smaller prevents the reports from uploading properly. The rejected request in the log line above (1004856 bytes) is just over the 1000000-byte limit discussed below.

Solutions
Check your network for any application that filters files according to their size.
• Check the IIS settings to see whether you have set up ISAPI filters. If you have, remove the filter or edit its settings and see whether the problem is resolved.
• Are you using URLScan on your network? URLScan can limit the size of requests that can be sent to the Foundstone Enterprise Manager. You might need to change the setting in the URLSCAN.INI file. The setting MaxAllowedContentLength=1000000 limits requests to 1MB by default.
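To confirm that a request-size limit is really what is rejecting the uploads before touching URLSCAN.INI, the following added example (not Foundstone or Microsoft code) parses log lines in the format the guide quotes, reads MaxAllowedContentLength from URLSCAN.INI text, and reports whether the guide's recommended value of 2000000 would admit the rejected report uploads. The first log line is the guide's own; the other two lines, the INI fragment, the [RequestLimits] section name and the /reports/ URL prefix are constructed assumptions.

```python
import re

# Constructed sample of the Foundstone Enterprise Manager log: the first line is the
# guide's example, the second is a rejection for another reason, the third is an
# oversized request to a URL that is not a report upload.
SAMPLE_LOG = """\
[04-21-2005 03:00:40] Client at 10.110.120.130: Content-Length 1004856 exceeded maximum allowed. Request will be rejected.  Site Instance='1', Raw URL='/reports/server/server.exp'
[04-21-2005 03:00:41] Client at 10.110.120.130: URL normalization was not complete after one pass. Request will be rejected.  Site Instance='1', Raw URL='/reports/server/server.exp'
[04-21-2005 03:05:12] Client at 10.110.120.131: Content-Length 2304112 exceeded maximum allowed. Request will be rejected.  Site Instance='1', Raw URL='/upload/other.cgi'
"""

# Constructed fragment of URLSCAN.INI carrying the value the guide cites.
SAMPLE_URLSCAN_INI = """\
[RequestLimits]
MaxUrl=260
MaxQueryString=2048
MaxAllowedContentLength=1000000   ; bytes
"""

REJECTED = re.compile(
    r"^\[(?P<when>[^\]]+)\] Client at (?P<client>[\d.]+): "
    r"Content-Length (?P<length>\d+) exceeded maximum allowed\. Request will be rejected\."
    r".*Raw URL='(?P<url>[^']*)'"
)

def parse_rejections(log_text):
    """Return one dict per request that was rejected for its Content-Length."""
    found = []
    for line in log_text.splitlines():
        m = REJECTED.match(line.strip())
        if m:
            found.append({"when": m.group("when"), "client": m.group("client"),
                          "length": int(m.group("length")), "url": m.group("url")})
    return found

def max_allowed_content_length(ini_text):
    """Read MaxAllowedContentLength (bytes) from urlscan.ini text, or None if absent."""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop trailing ini comments
        m = re.match(r"(?i)MaxAllowedContentLength\s*=\s*(\d+)$", line)
        if m:
            return int(m.group(1))
    return None

def assess(ini_text, log_text, report_prefix="/reports/", recommended=2_000_000):
    """Tie the rejected report uploads to the configured limit and say what to set.
    Only URLs under report_prefix count as report uploads; other oversized requests are
    counted separately so that unrelated traffic never argues for a larger limit."""
    limit = max_allowed_content_length(ini_text)
    rejected = parse_rejections(log_text)
    reports = [r for r in rejected if r["url"].startswith(report_prefix)]
    largest = max((r["length"] for r in reports), default=0)
    if limit is None:
        verdict = "MaxAllowedContentLength not found in urlscan.ini"
    elif not reports:
        verdict = "no report uploads rejected for size"
    elif largest <= limit:
        verdict = f"current limit {limit} already admits the largest rejected report ({largest})"
    elif largest <= recommended:
        verdict = f"raise MaxAllowedContentLength from {limit} to {recommended}"
    else:
        verdict = f"raise MaxAllowedContentLength from {limit} to at least {largest}"
    return {
        "limit": limit,
        "rejected_report_uploads": len(reports),
        "largest_rejected_report": largest,
        "rejected_other": len(rejected) - len(reports),
        "verdict": verdict,
    }

if __name__ == "__main__":
    for key, value in assess(SAMPLE_URLSCAN_INI, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

MaxAllowedContentLength caps every request the site accepts, not just report uploads, which is why the assessment separates oversized requests to other URLs: raise the value only as far as the report segments need, and treat a growing rejected_other count as something to investigate rather than accommodate.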
Raise this limit to 2MB (2000000) to allow reports to be uploaded from the Foundstone Report Engine to the Foundstone Enterprise Manager. Raise it only as far as the report segments need, since the same limit applies to every request the server accepts.

Index

A
access: 16, 247, 255
activating scans: 404
active assets: 365
activity logs: 227, 239, 249
adding, IP addresses to scans: 362, 364, 368
administering, organizations and workgroups: 18
Administrator group: 259
administrators: 16, 445
alerts: 15, 25, 29, 125, 130
allowed scan periods: 404
Asset Discovery scan template: 305
Asset Reports: 41
  Asset Report Template, working with: 42
assets: 131, 134, 138, 142, 154, 359, 364, 365
  asset groups: 147, 152
  asset owners: 155
  asset properties: 134, 139, 152
  assets, adding to scans: 362, 364, 368
  assets, clearing attributes from: 139
  assets, criticality levels: 134, 150, 152, 154
  assets, defining IP ranges by: 364
  assets, searching for: 142, 143
  assets, viewing: 134, 138
assigning tickets: 430, 434
assignment rules, automatic: 423
attributes, clearing asset: 139
authenticating, to Windows hosts: 386
auto-close tickets: 428, 432
available address space: 231
average FoundScore: 31, 34

B
background, database maintenance: 167
bandwidth usage settings: 398
banners
  banner grabbing: 379
  banner search: 414
Banners report: 70
batch size: 398
browsing, assets to add to scans: 364
bulk assigning, remediation tickets: 434

C
canceling scans: 290
centralized scan management: 296
  centralized scan management, set scan engine to AutoSelect: 296
  create a scan using AutoSelect: 297
changing: See changing, user properties; changing, user password
  changing, user password: 9, 244
  changing, user properties: 244
CIDR address: 231, 362, 364
closed tickets: 432, 441
Common Vulnerabilities and Exposures (CVE)
  CVE, displaying vulnerabilities by: 388
completed tickets: 432
Compliance Pass/Fail report: 71
Compliance Scan Differences report: 72
compliance templates: 316, 323, 328, 336, 343
compliance, response to threats: 453
CONFIG.INI: 465
Configuration History report: 73
connection settings: 170
console management options: 167
creating
  creating, new scans: 291
  creating, reports: 60
credentials: 115, 380
criticality levels: 154
CSV reports: 60
current threat index: 31
custom community strings: 269
  custom community strings, SNMP settings: 269
custom FoundScore settings: 272

D
dashboard: 30, See executive dashboard
database maintenance: 167
defaults: 167, 175
  groups, using: 259
deleting
  deleting, asset groups: 150
  deleting, groups: 258
  deleting, old jobs: 167
  deleting, organizations: 219
  deleting, scan access: 247, 255
  deleting, scans: 240, 293
  deleting, users: 249
  deleting, workgroups: 238
DHCP resolution: 167
Discovered Hosts report: 75, 93
DNS, non-essential service: 281
downloading reports: 403
due dates, remediation tickets: 428
dynamic IP resolution: See DHCP resolution

E
editing
  editing, asset groups: 150
  editing, groups: 253
  editing, IP access: 247, 255
  editing, organization properties: 219
  editing, scan access: 247, 255
  editing, scans: 293
  editing, users: 244
  editing, workgroups: 230
email
  email, address: 244
  email, alerts: 130
  email, setting up server: 173
ending IP address: 362
engines: 165
  engines, assigning: 237
  engines, connecting to new: 175
  engines, default settings: 167
  engines, logging options: 167
  engines, report settings: 167
  engines, selecting in scans: 404
  engines, setting properties of: 165, 167, 170, 173, 175
excluding, IP ranges from scans: 359
executive dashboard: 15, 25, 30, 31, 34, 35, 37, 39, 40
exported tickets: 432
exporting, tickets to a help desk: 434
Exposures Score: 277
external FoundScore: 272, 284

F
false-positive tickets: 432
FBI/SANS Top 20: 40
Federal Information Security Management Act: See FISMA compliance scan template
fewest vulnerabilities, by platform: 35
first name, of users: 244, 250
FISMA compliance scan template: 313, 316
footers, in reports: 123
FoundScore: 31, 40
  FoundScore, customizing: 272
  FoundScore, external scan score: 272
  FoundScore, highest: 31
  FoundScore, internal scan score: 272
  FoundScore, largest change: 34
  FoundScore, lowest: 31
  FoundScore, per scan by month: 34
  FoundScore, risk level by month: 31
FoundScore Report: 79, 93
Foundstone Enterprise Manager overview: 16
Foundstone Scripting Language: 167, 414
Foundstone, overview of: 16
FSL: See Foundstone Scripting Language
FTP, non-essential service: 281
full access: 247, 255
Full Vulnerability scan template: 318, 346

G
General User properties: 244
General Vulnerability settings, scan properties: 388
generating reports, from scans: 60, 400
getting started: 8
global
  global engine settings: 167
  global IP pool: 365
  global remediation settings: 428
Global Administrator: 16, 19, 430
Greenwich Mean Time, in engine logs: 167
groups, working with: 206, 259
  groups, creating new: 253
  groups, deleting: 258
  groups, editing: 253
  groups, managing: 206
  groups, members of: 246, 254
  groups, naming: 206
  groups, working with asset: 147

H
headers, in reports: 123
Health Insurance Portability and Accountability Act: See HIPAA compliance scan template
help, obtaining: 7, 470
hierarchy, organizational: 17
highest FoundScore: 31
HIPAA compliance scan template: 320, 323
HIPAA compliance scan templates: 320, 323
home page: 25, 29
host details, report: 126
host discovery
  host discovery, default ports: 175
  host discovery, details: 126
  host discovery, settings in scan properties: 370
host name: 362
  host name resolution: 375
hosts discovered: 37
HTML reports: 60
HTTP/HTTPS, non-essential service: 281

I
ICMP timeout: 398
ignored tickets: 432
ignoring tickets: 432, 434, 437
importing, IP addresses: 231, 361
including, IP ranges in scans: 359
index statistics, updating in database: 167
Internal FoundScore: 272, 284
International Standards Organization 17799-BS7799: See ISO 17799-BS7799 compliance scan template
interpacket delay: 398
intrusive vulnerability checks: 388
IP
  IP pools: 19, 231
  IP, adding to scans: 362, 364, 368
  IP, limits per scan: 212, 231
  IP, range of addresses: 15, 359
  IP, searching by: 414
  IP, selecting in scan properties: 359
ISO 17799-BS7799 compliance scan template: 325, 328

L
Large Network Asset Discovery scan template: 330
last name, of users: 244, 250
launching scans: 240, 293
LDAP: 156
  LDAP, create data source: 159
levels, asset criticality: 154
load balancer, detecting

N
new ticket state: 432
NIC, selecting: 404
non-essential services: 277
notification settings: 173
379 notifications, SNMP ............................................... 259 locking accounts.................................................... 244 number of passes .................................................. 398 logging.......................................................... 227, 249 logon message, to all users.... See Message of the Day O logs, activity .................................................. 239, 249 old jobs, deleting from database ........................... 167 Long Term Trend report..................................... 93, 97 open tickets .................................................. 432, 437 lowest FoundScore .................................................. 31 operating system operating system, identification settings ........... 375 M operating system, searching for ........................ 414 manage, tickets by scan................................. 247, 255 Operating System report ................................... 85, 93 menus ....................................... 25, 30, 288, 429, 449 optimization settings, scan properties.................... 398 Message of the Day................................................... 8 organizations .............................. 17, 18, 19, 206, 210 metrics, managing................................................. 272 organization administrator.................... 16, 18, 430 most vulnerabilities, by platform .............................. 35 organization tasks ............................ 210, 219, 227 My Account........................................................... 250 organizational hierarchy ..................................... 17 MyFoundScore ................................................ 40, 272 organizations, creating new.............................. 210 organizations, deleting ..................................... 219 N organizations, editing properties of .................. 219 name..................... 
211, 230, 241, 244, 250, 253, 359 organizations, managing .................................. 206 navigating reports ................................................... 68 organizations, viewing activity logs ................... 227 NetBIOS name search ............................................ 414 OS Identification scan template ............................. 334 network overall risk index...................................................... 31 network mapping ............................................. 398 overview ................................................................. 16 network, setting engine connection options ..... 173 P Network Map report.......................................... 84, 93 packet interval............................ See interpacket delay new new, administrators .......................................... 243 passwords, working with........................... 9, 244, 250 new, asset groups............................................. 149 pausing, scans....................................................... 290 new, groups ..................................................... 253 Payment Card Industry (PCI) compliance template . 336 new, organization............. 210, 211, 212, 216, 217 PCI compliance scan template ........ See Payment Card Industry (PCI) compliance template new, scans........................................................ 291 new, users ........................................................ 241 PDF reports ............................................................. 60 new, workgroups ............................................. 228 phone number .............................................. 244, 250 new in this release..................................................... 6 platform, with most/fewest vulnerabilities ............... 35 477 6.5 Enterprise Manager Administrator Guide Index Policy Manager, configure ..................................... 272 report generation, engine behavior................... 
167 ports report generation, scan properties settings ....... 400 ports, default.................................................... 175 reports .................................................... 64, 123, 125 ports, searching for........................................... 414 navigating .......................................................... 68 properties reports, navigating in.......................................... 68 properties, of asset groups................................ 152 reports, overview................................................ 67 properties, of assets................. See asset properties reports, overview of............................................ 67 properties, of general user ................................ 244 reports, queued.................................................. 62 properties, of groups ................................ 253, 254 reports, settings.................................... 60, 62, 300 properties, of organizations .............................. 219 reports, viewing detailed .................................... 68 properties, of scans.. 295, 359, 370, 377, 388, 393, reports, generated................................. 15, 25, 29, 64 398, 400, 404, See scan properties Banners report.................................................... 70 properties, of users ........................................... 244 Compliance Pass/Fail report ................................ 71 properties, of workgroups ................................ 230 Compliance Scan Differences report ................... 72 properties, setting engine ......................... 165, 170 Configuration History report............................... 73 Detailed Host report ......................................... 126 Q FoundScore ................ 81, 275, 277, 278, 281, 282 Quick Scans, running............................................... 28 Hosts report ..................................... 75, 76, 77, 78 Long-Term Trend report ......... 
97, 98, 99, 100, 101 R Network Map report........................................... 84 random scan order ................................................ 375 Operating System report..................................... 85 reconciling dynamic IP addresses, engine setting.... 167 Scan Summary report ......................................... 93 remediation................................................... 429, 432 Services report.................................................... 95 remediation access rights.......................... 247, 255 Short-Term Trend report..................................... 73 remediation administrator................................... 16 Smart Guesswork report..................................... 95 remediation administrator group ...................... 259 Source Sifting report........................................... 96 Remediation Manager .............................. 247, 430 SQL Security Analysis report................................ 97 remediation options.......................................... 428 Vulnerabilities by IP report ................................ 109 remediation roles.............................................. 430 Vulnerabilities report ........................................ 106 remediation rules.............................................. 423 Vulnerability Check Configuration report.......... 108 remediation tickets .. 432, 434, 437, 439, 441, 442, Vulnerability Details report................................ 109 445 Vulnerable Accounts by Web Server report ....... 105 remediation tickets, turning on or off ............... 400 Web Application Assessment report ................. 110 remediation user............................................... 430 Web Server Inventory report ............................. 111 remediation, SNMP notifications ....................... 259 Web Site Contents report ................................. 111 Remediation menu ................................................ 
429 Web Source Disclosure report........................... 113 report directory ..................................................... 167 Windows Access report .................................... 115 report generation .................................................... 60 Windows Assessment report............................. 114 478 6.5 Enterprise Manager Administrator Guide Index Windows Systems by Risk report....................... 118 scan templates, HIPAA compliance scans .. 320, 323 Windows Vulnerabilities by Category report...... 119 scan templates, ISO 17799-BS7799 compliance Windows Vulnerability Details report ................ 120 scans................................................... 325, 330 resuming, paused scans......................................... 290 scan templates, Large Network Discovery scans 330 reviewing scan templates, OS Identification scans............. 334 reviewing, running scans .................................. 290 scan templates, PCI compliance scans............... 336 reviewing, scan properties ........................ 293, 358 scan templates, SANS/FBI Top 20 All Checks scans reviewing, tickets...................................... 430, 439 ................................................................... 339 Risk by Platform, Dashboard .................................... 35 scan templates, SANS/FBI Top 20 Non-Intrusive Risk by Scan, Dashboard.......................................... 34 scans........................................................... 341 risk level .......................................................... 31, 130 scan templates, Sarbanes-Oxley compliance scans risk index ............................................................ 31 ................................................................... 343 rogue applications ................................................. 277 scan templates, Shell Advanced scans............... 346 role-based access..................................................... 
16 scan templates, Single Vulnerability scans ......... 347 root organizations ........................... See organizations scan templates, Web Server scans..................... 349 rules, remediation.................................................. 423 scan templates, Windows Advanced scans ....... 352 running, scans ................................................. 28, 293 scan templates, Wireless Assessment scans....... 356 scans................. 28, 29, 206, 240, 290, 291, 293, 358 S scans, activating ............................................... 404 SANS Top 20 ........................................................... 40 scans, checking status of ............................ 13, 290 SANS/FBI Top 20 scan templates.................... 339, 341 scans, compliance templates.... 316, 323, 328, 336, Sarbanes-Oxley compliance scan template ............. 343 343 scan engines, in workgroups ................................. 237 scans, creating new .................................. 291, 414 scan properties .............................................. 240, 358 scans, editing ................................................... 293 General Vulnerability settings............................ 388 scans, granting access to .......................... 247, 255 Host Discovery settings ..................................... 370 scans, limiting window of time for.................... 404 scan properties, asset filters ................................ 48 scans, naming of .............................................. 206 scan properties, optimization settings ............... 398 scans, number of passes ................................... 398 scan properties, Reports tab.............................. 400 scans, optimization settings .............................. 398 scan properties, scheduling............................... 404 scans, pausing .................................................. 290 scan properties, selecting IPs............................. 
359 scans, properties of . 358, 359, 370, 377, 393, 398, Service Discovery settings.................................. 377 400, 404 Web Module settings........................................ 393 scans, randomize order of hosts ....................... 375 Scan Summary report .............................................. 93 scans, results of .................................................. 15 scan templates .............................................. 298, 300 scans, running a Quick Scan ............................... 28 scan templates, Asset Discovery scans............... 305 scans, scheduling.............................................. 404 scan templates, FISMA compliance scans .. 313, 316 scans, selecting in Home page ............................ 29 scan templates, Full Vulnerability scans ............. 318 scans, sorting list of .......................................... 293 479 6.5 Enterprise Manager Administrator Guide Index scans, starting first.............................................. 10 starting, a scan ................................................. 240 scans, templates ....................................... 295, 298 starting, IP address ........................................... 362 scans, types of .................................................. 359 status, checking scan............................................... 13 scans, viewing .................................................... 29 sub scans .............................................................. 398 Scans menu........................................................... 288 sub-organizations........ See workgroups, working with scheduling scans.................................................... 404 support, obtaining..................................................... 7 scheduling scans, granting access to ......... 247, 255 Systems by Risk report........................................... 118 script, searching FSL output ................................... 
414 T searching............................................................... 414 TCP searching, adding assets to scans...................... 368 searching, for assets ......... 133, 142, 143, 146, 364 TCP timeout ..................................................... 398 searching, tickets .............................................. 442 TCP, default ports............................................. 175 technical support, obtaining ...................................... 7 selecting selecting, scan engines ..................................... 404 templates, scans.................................... 291, 295, 298 selecting, scans to view....................................... 29 templates, compliance..... 313, 316, 320, 323, 325, 328, 336, 347 service detection details................................... 95, 126 service discovery .................................................... 377 templates, list and descriptions of..................... 298 service discovery, default ports.......................... 175 threads, setting per scanner .................................. 167 service fingerprinting ............................................. 379 threat index............................................................. 31 services.................................................................. 281 threats .......................... 449, 451, 453, 461, 463, 465 services, searching for....................................... 414 Threats menu ........................................................ 449 tickets Services report ................................................... 93, 95 settings ................................. 167, 173, 272, 300, 404 tickets, accessing your own ...................... 247, 255 Short Term Trend report .................................... 73, 93 tickets, assigning remediation........................... 434 Single Vulnerability scan template.......................... 347 tickets, closed................................................... 
441 Smart Guesswork report.......................................... 95 tickets, details for administrators ...................... 445 SMTP server, configuring ....................................... 173 tickets, exporting to help desk .......................... 436 SMTP, non-essential service ................................... 281 tickets, ignoring................................ 432, 434, 437 SNMP notifications ................................................ 259 tickets, open..................................................... 437 Source Sifting report................................................ 96 tickets, review .................................................. 439 SOX compliance scan template..... See Sarbanes-Oxley tickets, searching.............................................. 442 tickets, state of................................................. 432 compliance scan template SQL Security Analysis report..................................... 97 tickets, verifying fixed vulnerabilities ................. 449 SSH, non-essential service...................................... 281 timeout settings .................................................... 398 SSL toolbars................................................................. 133 SSL, non-essential service.................................. 281 Top 20 Vulnerabilities.............................................. 40 SSL, settings ..................................................... 170 trend reports ..................................................... 73, 97 Trojan and backdoor applications .......................... 277 starting 480 6.5 Enterprise Manager Administrator Guide Index troubleshooting..................................................... 470 Vulnerabilities by Category - Windows ............. 119 Vulnerabilities by Platform .................................. 35 U Vulnerabilities by Scan ........................................ 
34 UDP Vulnerabilities per Host....................................... 37 UDP timeout..................................................... 398 vulnerabilities, verifying in tickets...................... 445 UDP, default ports ............................................ 175 Vulnerability Details .................. 120, 126, 129, 388 unassigned tickets ................................................. 432 Vulnerability Report .......................................... 106 ungrouped assets .......................... 134, 138, 139, 365 Vulnerability Selection in Scans ......................... 388 unlocking accounts................................................ 244 Vulnerability Updates........................................ 388 updating .... See updating, index statistics in database, vulnerability checks See updating, automatically Vulnerability Checks - General .......................... 388 updating, automatically .................................... 388 W updating, index statistics in database ................ 167 user groups ......................... See groups, working with Web Module settings, in scan properties ............... 393 users ....................................................... 16, 206, 241 Web Server scan template ..................................... 349 users, account properties .................................. 244 Windows Advanced scan template ........................ 352 users, adding to groups ............................ 246, 254 Windows Compliance Scan ................................... 416 users, managing ............................................... 206 Creating a compliance scan .............................. 420 users, naming of............................... 206, 244, 250 Viewing compliance reports.............................. 420 UTC, time in engine logs ....................................... 167 wireless access points ............................................ 
277 Wireless Assessment scan template ....................... 356 V workgroups, working with ...... 228, See organizations viewing workgroups, administrator ................... 16, 18, 430 viewing assets........................................... 359, 366 workgroups, contact information ..................... 236 Viewing Scan Properties.................................... 293 workgroups, creating new................................ 228 viewing scans ..................................................... 29 workgroups, deleting ....................................... 238 viewing, activity logs......................... 227, 239, 249 workgroups, editing ......................................... 230 viewing, setting access to scans ................ 247, 255 workgroups, managing .................................... 206 viewing, tickets by scan ............................ 247, 255 workgroups, naming ................................ 206, 230 vulnerabilities workgroups, naming of .................................... 206 Average Vulnerabilities per Scan ......................... 37 workgroups, viewing activity logs ..................... 239 Change from Last Period .................................... 37 details, from event notifications ........................ 264 X Observation ...................................................... 129 XML reports ............................................................ 60 resolving, recommendations for........................ 129 Search for Hosts with Specific Vulnerabilities..... 414 Search Vulnerabilities by CVE............................ 388 Total Vulnerabilities ............................................ 37 481