A Better Windows Watcher
NetRAT provides in-depth analysis of Windows machines.
April 23, 2003
I started with a basic ping scan of the network, but abandoned this after watching the application trudge through the network. The few machines it scanned showed several services running, which I verified. NetRAT is slow because it does more than tap the port (open and close the connection); it opens a connection and queries the service to determine if the port and service match.
Discovery via Windows workgroups/domains was much quicker and yielded the in-depth information I had anticipated. NetRAT displayed every domain and workgroup on the network and caught one I hadn't realized existed. By logging into individual systems as a user with administrative rights, I could examine accounts and system information, including rights, groups and auditing data.
This information can be saved for future reference or immediately added for differential analysis, letting you compare single or multiple devices for changes over time. Discovered information is encrypted and saved to a proprietary database. This mechanism also can be used to track Registry changes. And NetRAT provides a centralized store in its databases for tracking config changes.
NetRAT's SNMP discovery handles v1 and v2 equally well, and its SNMP scan is much faster than its ping and port scans. Detailed information is returned via SNMP discovery for devices as well as machines. I pulled detailed information from our Cisco routers and switches, IP and interface statistics, and general system information. NetRAT says it plans to support Unix and Novell next.
Data Breakdown
No matter the scanning method, I received detailed, user-configurable reports--both text and graphic--on the gathered information. You can filter the data based on any information discovered by NetRAT, which means you can generate reports on a machine, domain, workgroup or the results of a network scan. This is not obvious at first: The initial report I generated showed all information across servers in that domain and I had to click on an individual server to drill down to data specific to it. This is a good method of reporting statistics across a domain, such as the number of disabled or locked accounts, failed logons or services running, but you have to filter the report to provide details on single devices.
If NetRAT is reporting on the services in a domain, it shows the number of services for the entire domain and does not break out services by machine. This is an area I'd like to see improved--breaking out the report manually on a per-machine basis is time-consuming.
The product's file-security feature gave me detailed information regardless of the OS. Files on our Network Security Systems' NAS device--a FreeBSD system--curiously showed up as NTFS, but the file permissions and ownership were correct.
Technology editor Lori MacVittie works in our Green Bay, Wis., labs. Write to her at [email protected].