myU OneStop


What's Inside

Resources

ISS Scan Tool

OIT Security uses the Internet Scanner from ISS (www.iss.net).  The scanner performs a scan in the same manner that most vulnerability scanners do. The list of IPs is first pinged to see what responds. The addresses that respond are then port scanned to see what ports are open. Vulnerability tests are then performed where appropriate ports are found responding to probes. An example of this is: ports 80 and 139 are open, therefore Microsoft IIS checks should be run.

It is important to note that the ISS scanner is "mild" compared to the traffic that your server will see from the Internet (or would see if a firewall is left off for a few minutes by accident).

The group of ports and vulnerabilities that are selected to be used in a scan is called a scanning policy. Vulnerability checks are usually included in a policy unless they have any of the following problems:

  • The check requires administrative permissions on the target system to run accurately.
  • The check is brute force and requires excessive time to complete.

Also avoid checks that create a Denial of Service (DOS) condition.  In many cases, ISS is a bit conservative in how it classifies checks for this characteristic. OIT Security applies a benefit/risk analysis to decide whether the check should be included in the policy or not. The factors are:

  • Vulnerability Severity: If this vulnerability has buffer overflow qualities such that an exploit can get an attacker the ability to execute abitrary code with elevated permissions or otherwise creates an instant compromise condition, the check is more likely to be included.
  • DOS likelihood: By its nature and history, the check won't be selected if it is brute force, or has more of a tendancy to create a DOS.
  • DOS severity: A check that just slows a service down is more likely to be included than a check that makes a restart of a service or daemon (or worse yet, a reboot) necessary.
  • Information bearing: The check must inform with a reasonable amount of accuracy whether a specific vulnerability condition exists. For example, simple network protocol exploits such as LAND attacks are not included in any policy.

Care is taken when designing scanning policies to maximize accuracy and reduce impact of scanning on the target host.

OIT Security cannot guarantee that ISS scans will not effect services on computer. Therefore it is imperative that the affected computer or service have a maintenance window schedule agreed to by management or other pertinent personnel. If availability is too critical to have a window, then redundancies should be created.

For more information on the scan process, see http://www.umn.edu/oit/security/scanprocess.html