User manual SOPHOS SAFEGUARD PORTAUDITOR 3.20 USER HELP 3-2010

[. . . ] SafeGuard PortAuditor 3. 20 User help Document date: March 2010 SafeGuard® PortAudtior 3. 20, user help Important Notice This user help is delivered subject to the following conditions and restrictions: This user help contains proprietary information belonging to Sophos. Such information is supplied solely for the purpose of assisting explicitly and properly authorized SafeGuard PortAuditor users. No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic or mechanical, without the express prior written permission of Sophos. The text and graphics are for the purpose of illustration and reference only. [. . . ] This protocol is typically enabled on computers, and requires the following: Remote Registry service running on the endpoints File and print sharing enabled on the endpoints' network cards Port 445 (TCP) OR port 139 (TCP) open in the firewall/personal firewall Local administrative privileges on the endpoint 14 SafeGuard® PortAuditor 3. 20, user help Note: The SetupAPI protocol is not suitable to audit Windows Vista endpoints. An additional scan protocol, WMI, may be useful if the endpoints in your network do not allow File ad print sharing or do not run the Remote Registry service. This is the main protocol used today for controlling and monitoring Windows based machines. If you wish to audit the computer from which you are running the audit, type in the word "local" (before you type in any names, "local" appears by default). 16 SafeGuard® PortAuditor 3. 20, user help 3. 4. 1 IP Addresses Range Audit Click the IP Range radio button (or press Alt+I) and type in the IP range you would like to audit in the two fields that follow (lowest address on the left, highest address on the right). Note: When scanning by IP range, this may include certain IP addresses that are not currently assigned. Upon scanning, the Auditor ignores such IP addresses and moves on to the next one in the range. 3. 5 Audit Filters After selecting the target computers you can further filter the auditing process to include or exclude specific ports, previously connected devices or specific device types/WiFi network types. This is does from the Audit Filters section, as described below. 3. 5. 1 Device Port SafeGuard PortAuditor supports scanning of the following endpoint ports: USB FireWire PCMCIA PCI Internal Storage - includes internal hard disks connected over IDE, SATA, SCSI etc. WiFi ­ includes all the networks to which the endpoint has connected (SSID, MAC of the Access Point and encryption/authentication schemes) By default when you open the application, USB, FireWire, PCMCIA and WiFi are selected to be audited. To include/exclude a port from the audit: Check/uncheck the port checkbox. Note: When using WMI for auditing it is not possible to distinguish between devices connected over PCMCIA and PCI. Important: WiFi auditing only includes networks that are/were connected through Windows standard WiFi support (WZC). It is also not possible to distinguish between WiFi networks that the computer is currently connected to and those to which it was connected in the past. For this reason the audit results display "n/a" in the "connected" field. 17 SafeGuard® PortAudtior 3. 20, user help 3. 5. 2 Additional Filters You can specify additional filters (device types, storage device types, WiFi networks) for your audit. The More Filters window appears: 3. 5. 2. 1 Detect Connected Devices You can choose the audit report to include only devices connected to endpoints at the time of the scan, or devices previously connected as well. To include only the devices currently connected: In the Detect Connected Devices section, click the Detect currently connected devices only radio button. To include both currently connected and previously connected devices: In the Detect Connected Devices section, click the Detect both currently and previously connected devices radio button (this radio button is selected by default). Note: This definition does not filter WiFi networks, since it is not possible to distinguish between WiFi networks that the computer is currently connected to and those to which it was connected in the past. 18 SafeGuard® PortAuditor 3. 20, user help 3. 5. 2. 2 Device Types You can further limit the audit results to include only specific device types or WiFi networks. This is useful when you are only interested in specific device/network types (e. g. Device types include: Devices (non-storage) Human Interface Device (keyboards, mice, joysticks etc. ) Printing Device PDA Windows Mobile / Pocket PC Device Blackberry Device Palm OS Device Mobile Phone Network Adapter Imaging Device 1 2 3 4 5 6 7 8 9 10 Audio/Video Device 11 Smart Card 12 Content Security Device (tokens and dongles aimed for software licensing etc. ) 13 Unclassified (to include devices which do not fall under any of the above categories) Storage Devices Removable Media (includes Disk On Keys and removable hard disks) CD/DVD Drive Floppy Drive Tape Drive Hard Disk (internally attached) WiFi Networks Network (infrastructure) Peer to Peer (ad hoc) 1 2 3 4 5 1 2 19 SafeGuard® PortAudtior 3. 20, user help To exclude a device type or a WiFi network type: Uncheck the checkbox for the devices/storage device/networks you wish to exclude, and click OK. If you have made any changes to the default selection (all selected) the message "Detect only selected device types" appears in Audit Filters section's More Filters field. 3. 6 Selecting Output Destination Before you perform the audit, you must set a folder in which the output data and the formatted results will be stored. You do this in the Output Options section. 3. 6. 1 Report Name Each time you perform a scan and create an audit report, SafeGuard PortAuditor also creates a folder in which to store all the report's files and data. The results are saved in an HTML page called AuditRes. html which is found in the report folder. [. . . ] Click the Show each device/WiFi network only once link above the table to filter the report. To revert back to the full report, click Show every occurrence of device/WiFi network. 3. 8. 2 Viewing Audit Results in Excel The Auditor may export the collected results to a formatted Microsoft Excel file, which allows you to analyze the audit results using the full power of Excel. An Excel file with the name AuditRes. xls is created in the folder where the results of the current scan are stored. Note: This feature requires Microsoft Excel 2003 to be installed on the same machine on which the report is generated. [. . . ]