Terminating services

Hey - our auditors need to run some domain-wide vulnerability scans of our servers and workstations. To do so requires domain-level admin rights.

As Windows admins yourselves - how practical is it to monitor the performance these scans are having - and terminate the scans remotely if it's deemed to be having a network performance impact? What tools can be used to monitor domain performance of these scans - and what tools can be used to terminate their scanning tools remotely from the admin's desk?

Also - what would a back out plan include for auditors running vulnerability assessments? What technical controls are in place for a "back out" plan around users running vulnerability scanning software?
baghtal Commented:
1. Depending on the scanning software they are using, the ability to stop a scan or to stop scanning a particular IP or block of IPs is typically very easy to do.

2. (Not part of your question, but a lesson I've learned.) Do an assessment of any trouble spots that you expect will have issues (Citrix Gateway Servers in our case), and schedule those for an independent time when you can be more attentive in watching those machines.

3. Scans during backup times have proven to be challenging sometimes. We do use a SAN but for weekly backups (as opposed to the nightly incremental backups) we will pause scanning for a few hours to allow backups to finish.

4. We also have critical IP ranges that we don't scan during business hours; our mission-critical apps are always scheduled during low-use periods.

5. The back out plan for scanning is usually just to turn off the scanning software. If you've got a local agent installed on each workstation it will probably be more involved. I would check with the scanning software you're using. If it does have an automated way to install this client, there's likely an automated way to back it out also.

6. As far as domain-wide monitoring tools, I've never used any. We have a plethora of tools like Nagios, and HP OV, and such to watch workstations and traffic flows. These have been enough to show us issues when they do come up.

7. Final bit of advice: Make sure you've got the scans scheduled and know (or can easily access) what part of your network is being scanned at any given time. If you do have problems during a scan you'll want to be able to turn off the scan quickly to get service restored, but then later be able to determine if it was a problem caused by the scanning, or just a coincidence.
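Points 3, 4 and 7 of the answer above (pausing for backups, keeping critical ranges out of business hours, and knowing what was being scanned when a problem appeared) can be checked mechanically against the scan schedule. The following is an added example, not part of the original answer; every range, time, label and function name in it is a constructed assumption.

```python
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions, not taken from the thread).
SCAN_JOBS = [  # (label, target range, start, end)
    ("workstations", "10.10.0.0/16", datetime(2024, 3, 2, 9, 0), datetime(2024, 3, 2, 12, 0)),
    ("citrix-gateways", "10.20.5.0/24", datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 1, 0)),
    ("erp-servers", "10.20.8.0/24", datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 11, 0)),
]
BLACKOUTS = [  # (reason, protected range, weekdays with Mon=0, daily start, daily end)
    ("weekly full backup", "10.20.0.0/16", {5}, time(21, 0), time(23, 59)),
    ("business hours, critical apps", "10.20.8.0/24", {0, 1, 2, 3, 4}, time(8, 0), time(18, 0)),
]

def blackout_conflicts(jobs=SCAN_JOBS, blackouts=BLACKOUTS):
    """Return (job label, reason) for every job that overlaps a no-scan window."""
    hits = []
    for label, cidr, start, end in jobs:
        for reason, protected, days, b_start, b_end in blackouts:
            if not ip_network(cidr).overlaps(ip_network(protected)):
                continue
            day = start.date()
            while day <= end.date():  # a job may run past midnight
                w_start = datetime.combine(day, b_start)
                w_end = datetime.combine(day, b_end)
                if day.weekday() in days and start < w_end and w_start < end:
                    hits.append((label, reason))
                    break
                day += timedelta(days=1)
    return hits

def scans_active_at(host, when, jobs=SCAN_JOBS):
    """Labels of the scan jobs that covered `host` at time `when` (empty if none)."""
    return [label for label, cidr, start, end in jobs
            if ip_address(host) in ip_network(cidr) and start <= when <= end]

if __name__ == "__main__":
    for label, reason in blackout_conflicts():
        print(f"reschedule {label}: overlaps {reason}")
    # Outage reported on a gateway at 23:30: was a scan touching it at that moment?
    print(scans_active_at("10.20.5.17", datetime(2024, 3, 2, 23, 30)))
```

Running the first check before the engagement starts flags jobs to move; the second answers the "scan or coincidence" question after an incident, provided the schedule reflects what the auditors actually ran.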
pma111 (Author) Commented:
Plus, are there any periods of time when admins would not want auditors doing such scans? Can you give some examples of why an admin wouldn't want audit to do scans at a given time?
pma111 (Author) Commented:
>>1. Depending on the scanning software they are using, the ability to stop a scan or to stop scanning a particular IP or block of IPs is typically very easy to do.

Can you go into a bit more detail on how and with what tools an admin could monitor the scan's impact and terminate it if needs be? I am more from the auditor side and not familiar with the tools available to stop the scan or monitor the impact it is having.
Question has a verified solution.
