With Version 9, GFI's Network Security Scanner has finally come of age. GFI has focussed the product on its core benefit – maintaining the security of the Windows enterprise – and the result is a powerful application that offers real benefits for the time-pressed network administrator.
Keeping abreast of the latest Microsoft patches and Service Packs, regular vulnerability scanning, corrective actions, software audit and enforcement in a challenging environment can really soak up your time. Not any more though – install Network Security Scanner and you can sit back while all this and more happens automatically across your entire estate.
The user interface for Version 9 is excellent; so intuitive in fact that we didn't touch the documentation at all yet managed all of the product's features. Each screen leads you to the next so effectively that you barely need to think about what you are doing and using the product quickly becomes second nature.
Version 8 was good, but with Version 9 GFI has done it again.
Installation is straightforward. All the software needs is an account to run under, details of its back-end database and a location to reside. MS Access, MSDE or MS SQL Server databases are supported and you can even migrate your data from one to another if needs be.
The separate toolbar scheduler from Version 8 is gone and, in its place, the opening screen gives you all the options you need: Scan this Computer, Scan the Network, Custom Scan or Scheduled Scan. Click ‘Scan this Computer' and the scan begins – just one simple mouse click and you're off.
Performance and Results
Scanning speed is just as good as Version 8 and in less than two minutes we had a summary of the results:
Simply look below the results summary and the handy Next Steps box (with amusing typographical error) leads you through the process of dealing with them.
The prospect of Analizing the results made our eyes water so, having taken care to protect our anatomy from any such unwarranted incursion, we clicked the link:
The scan results are grouped by category in the left column with details to the right. Expand the categories and you get a wealth of information.
The vulnerabilities themselves are described in detail with reference numbers and URLs to lead you to further resources, but that's not all. You also get the patch status of the scanned system, a list of open ports, a comprehensive hardware report, an inventory of the installed software and a system summary. Think of all this in terms of your enterprise – if you have this product scanning all your machines you can answer questions such as “Which machines are still on Service Pack 2?” or “How much memory is in each of the Sales PCs?” or “What software does Simon have installed on his laptop?” without going anywhere else. It's all there for you at the click of a mouse.
There are other gems here as well, too many to list but here are some of our favourites. Under Potential Vulnerabilities the scanner lists all the USB devices that had been connected so we could monitor the historical use of memory sticks and the like. And the software audit, useful in itself, held another delight. Right click on any software entry and you can tell the scanner to uninstall it, either from just this machine or from all the machines in the network. Go further and define a list of banned applications and the product will remove them for you, automatically, when it runs its regular scan. Imagine the face of that wayward user each morning …
Choose the Remediate link and you'll head off to the part of the product that installs patches and service packs. Needless to say, these can be downloaded for you from Microsoft as they are released and held by the product, ready for use:
You can either let the scanner automatically install whatever patches and service packs it finds missing or you can vet and release patches you want to allow. This will let you block the next release of Internet Explorer, for example, while allowing other critical patches through. You can also uninstall patches and service packs from here.
As in Version 8, you can also deploy custom software to a single machine or across your estate. In a nutshell, if it is executable or can be opened then you can deploy it. As a test we pushed a picture of a pair of cute kittens to a remote machine where the resident graphics program popped open to display them. You can install software just as easily provided the install needs no user intervention:
Alerts and Reporting
This is where GFI demonstrates it is serious about positioning this product as a robust and reliable enterprise-ready solution.
Firstly the scanner can email you the results of its nocturnal activities so all you have to do each morning is make yourself a coffee and check your inbox. We'd have liked to see this area expanded, perhaps with definable events that could trigger an SMS message, SNMP trap or a defined executable. Maybe in Version 10?
To convince your manager of the wisdom of your investment there is a good range of coloured charts and if you have the GFI report Manager framework the product slots right into that so you can generate detailed custom reports from the back-end database.
And speaking of the database, GFI has now provided maintenance options so you can schedule backups and perform management tasks from within the scanner itself; a good idea for a key application.
Subscribe to what?
A vulnerability scanner is only any good, of course, if it can be automatically updated with the latest exploits as they come out. GFI has changed the business model with Version 9, so you'll be expected to shell out a modest annual fee for a Software Maintenance Agreement (SMA) unlike Version 8 where you paid in full and updates were free thereafter.
A nag screen reminds you when your subscription runs out so you needn't worry about not noticing:
What more can we say? If you have an estate of Windows machines to secure and maintain then this is what you have been looking for. It does everything you might need and more, it's easy to use and delivers real-world benefits.