OIT Security & Assurance Critical Server Scan Process

The Office of Information Technology (OIT) scans critical University servers using a commercial network-based software product (ISS scanner). The goal of the scans is to reduce the vulnerability of University computers and the network to hacking, denial of service, and other security risks from both inside and outside the University. To make best use of scarce resources, higher risks are given priority, but other computers are also scanned upon request.

Critical servers are identified in consultation with collegiate units. The considerations and criteria used to assist in identifying critical servers include:

  • Number of users (i.e., large number of users)
  • Stores critical information (e.g., grades, social security number)
  • High availability/maximum uptime (e.g., 7 x 24 availability/little downtime tolerated)
  • Financial impact due to downtime (i.e., thousands of dollars)
  • Impacts reputation of the University due to downtime
  • Difficult to resume operation if data is lost or corrupted (e.g., many coordination and synchronization issues)
  • Backup and retention needs (e.g., daily backup with retention greater than 1 yr.)

For more information on identifying and reporting critical servers, see http://www.umn.edu ssLINK/OIT__12594_REGION1.

The software tool used is Internet Security Scanner (ISS) from Internet Security Systems (www.iss.net). This is a network-based scanner used by OIT Security & Assurance to actively probe for computer vulnerabilities. ISS does a multi-level scan using a large database of known (and ISS-discovered) security holes to identify common system vulnerabilities, many of which are caused by oversights such as misconfiguration or missing patches. Many of the vulnerabilities are also included in the CERT, CIAC, and SANS security organization advisories.

ISS provides a detailed security report, often including detailed instructions on how to fix or reduce the vulnerability.

The tool identifies and classifies the vulnerability as high, medium or low:

  • High-risk vulnerabilities are those that provide unauthorized access to the host, and therefore, the network.
  • Medium risks include those that provide access to sensitive network data that may lead to exploitation of higher risk vulnerabilities.
  • Low-risk vulnerabilities are those that provide access to sensitive, yet non-lethal, network data.

The scan process at the U of M can be broken into 4 steps:

  • Schedule/Notification-- Critical servers are scheduled for scanning once per quarter. A subset of the critical servers deals with the Enterprise Systems, which are scanned more frequently. Server administrators are contacted to schedule or confirm time periods to run the scan as well as which servers to scan. NTS groups are notified of the scheduled scans and the scans are set up on the ISS scheduler.

  • ISS Scan-- A pre-scan is run to verify the operating system. The level of scan (a modified level 4) and time/date are set up on the schedule. The ISS scan tool then performs each vulnerability test and produces a vulnerability report.

  • Review Results-- The ISS reports are reviewed by OIT Security & Assurance staff for vulnerabilities. If high-risk vulnerabilities are found, they are highlighted and administrators are notified to fix the vulnerability or to document why the vulnerability cannot be fixed or does not pertain.

  • Distribute Reports-- All technical scan reports are sent to the computer administrator with a memo explaining what to do and requesting that they review the list of servers to be scanned in the future and notify OIT Security & Assurance of any changes to it. A copy of the line management scan report is filed in the OIT Security & Assurance office.

  • Re-scan if necessary-- Re-scans are scheduled as soon as notification is received that previously identified vulnerabilities have been fixed. A copy of the line management scan report is filed in the OIT Security & Assurance office.

To request a scan, send e-mail to oit.security@umn.edu or call 612-626-1527.

OIT Security also coordinates the external vulnerability scan for servers involved in credit card processing that must meet the Payment Card Industry (PCI) Scanning requirement.