Google your Windows security vulnerabilities

The following tip is one of a series on why and how to perform security scans against your public-facing servers using Google. Return to the main series page for the complete list of tips.

If you perform information security assessments -- penetration tests, vulnerability assessments or broader ethical hacking tests -- there's one testing tool you must not be without. Although it may be hard to be "without" a Web site, Google (yes, www.google.com) is one of the hottest tools you can use on a regular basis to test Windows systems for security holes. Given that its functionality and power can even be used against you, it's a good tool to get to know and use on your systems before malicious attackers do it for you.

Aside from all the neat things you can do with Google, one of its greatest qualities is its non-existent price. Google can be considered the poor man's vulnerability assessment tool or the tool for security administrators with little or no IT budget (i.e. most everyone). I'm a big advocate of commercial security tools, which tend to offer more thorough testing features, superior reporting capabilities and other utilities that can make your life easier. However, the adage 'you get what you pay for' doesn't ring true with them. Google provides a hacker's eye view in doing things you never imagined, or were able, to do with any security testing tool (commercial, freeware or open source) – all for free!

Like many external testing tools, Google is great for seeing what you're currently serving up to the world. However, it also crawls, caches, pokes and prods to dig up information you never new existed, much less knew was available for the taking on the Internet. You have several options to perform your security assessment queries. There's the Google home page, the Advanced Search page and you can even write your own custom Web applications using the Google API.

When conducting information security tests on your systems, ideally you w

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Internet Explorer management Four Internet Explorer 8 group policy security settings Safe enterprise Web browsing: Five tips in five minutes Top client security tips of 2006 Phishing filter: Step 2 General security configuration: Step 1 Windows Vista and IE7: Step 5 ActiveX opt-ins, information bar and cross-domain protection: Step 4 Protection against international domain names, URL handling: Step 3 IE8 brings focus to cross-browser compatibility and Web standards Cross-site Scripting 102: How to defend against cross-site scripting Intrusion detection, prevention and removal Windows security tools for the busy desktop administrator Check IT List: Five steps for rootkit detection Top Windows client security tools for end users Tools for virus removal and detection Buffer overflows can be prevented by GS cookies Determining the proper Microsoft malware removal tool October patches fix four threats Cool things about security, nothing about Britney Spears Run third-party malware detection tools in Windows Malware prevention and detection webcast series

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary ActiveX  (SearchEnterpriseDesktop.com) ActiveX control  (SearchEnterpriseDesktop.com) Internet Explorer  (SearchEnterpriseDesktop.com) Internet Explorer Administration Kit  (SearchEnterpriseDesktop.com) tabbed browsing  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ant to look at things from a hacker's eye view -- which is where Google excels. Here's just a sampling of information Google can find during your ethical hacking tests:

As an example related to that last item, when performing a basic search of Google Groups, I came across support group information posted by a network administrator for a telecom vendor I was considering. The posting divulged details about the vendor's internal network configuration, including network layout, internal IP addresses and host names. He revealed a little too much information, giving me the gut feeling that I shouldn't trust that company with my sensitive corporate information. I found this information with a simple search of the company name and a few keywords – just the beginning of what can be found using advanced Google queries!

In today's world of high-priced vulnerability assessment tools, Google is a breath of fresh air and its security testing queries are unmatched. To stay on top of security vulnerabilities, you not only have to think like a hacker, but you also have to use new and innovative methods for testing. Google allows you to do just that.

In the near future, I'll talk about the types of Windows-centric tests you can perform against your systems along with actual Google queries you can use to help make sure your Windows systems' security is the best it can be.

About the author: Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC, where he specializes in information security assessments for those who take security seriously and incident response for those who don't. He is author of the book Hacking For Dummies and co-author of the upcoming book Hacking Wireless For Dummies, both by Wiley Publishing. Send your ethical hacking questions to Kevin today.

More information from SearchWindowsSecurity.com