One of my network administrators asked me to stop scanning her system because her machine was randomly locking up. She was angry because she thought that the scanner was "abusing" her system. I had no reports of other systems doing the same thing, so I told her that I didn't think the scans were causing her problems. The problems continued, and she became angrier. The scanner had timestamps in the scan logs, which I consulted to see when her system was being scanned, and the NT 4.0 audit logs on her computer showed the scanner's password-guessing attempts. Her system logs also showed some I/O errors that happened at times when the system wasn't being scanned. A closer investigation revealed that she had a CD-ROM drive that was slightly out of balance, and its vibrations loosened her CD-ROM's IDE cable. When the cable started making intermittent contact, it caused problems with the motherboard. After she replaced the CD-ROM drive, the scanner wasn't quite so "abusive"!
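The timeline check described above, as an added example that is not part of the original article: it splits a target's logged events into those that fall inside a scan window and those that do not, so events that keep occurring outside the scans stand out. The log formats, timestamps and the two-minute clock-skew allowance are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample data (not from the article): scan start/end times from
# the scanner's log, and events exported from the target's event logs.
SCAN_WINDOWS = """\
2001-03-05 02:00:00,2001-03-05 02:20:00
2001-03-06 02:00:00,2001-03-06 02:20:00
"""
EVENTS = """\
2001-03-05 02:04:10|Security|logon failure
2001-03-05 02:04:11|Security|logon failure
2001-03-05 14:37:52|System|I/O error on CD-ROM device
2001-03-06 02:05:03|Security|logon failure
2001-03-06 02:21:30|System|I/O error on CD-ROM device
2001-03-06 09:12:40|System|I/O error on CD-ROM device
"""

def parse_windows(text):
    """Return a list of (start, end) datetimes, one per scan."""
    return [tuple(datetime.strptime(t, FMT) for t in line.split(","))
            for line in text.splitlines() if line.strip()]

def parse_events(text):
    """Return (timestamp, log, description) tuples."""
    rows = (line.split("|", 2) for line in text.splitlines() if line.strip())
    return [(datetime.strptime(ts, FMT), log, desc) for ts, log, desc in rows]

def in_scan(ts, windows, skew=timedelta(minutes=2)):
    """True if ts falls inside any scan window, padded for clock skew."""
    return any(start - skew <= ts <= end + skew for start, end in windows)

def correlate(windows, events):
    """Count events per (log, description), split by during/outside scans."""
    counts = Counter()
    for ts, log, desc in events:
        where = "during_scan" if in_scan(ts, windows) else "outside_scan"
        counts[(log, desc, where)] += 1
    return counts

if __name__ == "__main__":
    result = correlate(parse_windows(SCAN_WINDOWS), parse_events(EVENTS))
    for (log, desc, where), n in sorted(result.items()):
        print(f"{n:3d}  {where:12s}  {log}: {desc}")
```

The skew padding matters when the scanner host and the target do not share a time source: the 02:21:30 event is counted as during the scan only because of it.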
A second problem came up when some network devices were showing high load levels only when they were being scanned. These devices turned out to have a Telnet service, and the scanner was trying to quickly check a lot of passwords on that service. To remedy the problem, I excluded those systems from scans until the administrators could reconfigure the systems to accept Telnet sessions only from networks the device's administrators would be logging on to.
Keeping Up the Good Work
New exploits constantly appear, and networks change. So run your scanner regularly, and keep your scanning software up-to-date. Some vendors offer update-notification services, but checking their Web sites for updates is still a good idea. Subscribe to one or more security-related mailing lists, such as the Windows 2000 Magazine Network's Security UPDATE (http://www.win2000mag.net/email), to keep abreast of new attacks. If the code or details of an exploit are available, you might want to manually check your systems for the vulnerability until your scanner vendor gets the check built into the software. You should also compare the results of your manual check with the results of the vendor's check. Most likely, one check will work better than the other, so don't blindly switch to the vendor's check until you're sure it works as well as what you have.
A security-auditing tool can substantially improve your network security if you use the tool properly. However, scanners don't always find every vulnerability, and the most secure OS is still the one with the best administrators.