Vulnerability Scanning Services

Information Assurance (IA) conducts routine quarterly scans of all University of Michigan owned and managed networks and offers a monthly and on-demand scanning service on request. All networks, systems, databases, or applications that create, maintain, process, transmit, or store data classified as High or Restricted must be scanned monthly.

  • The scans try to connect to hosts on the target networks in various ways to determine which hosts are responsive. Hosts can include computer workstations and servers, network switches and routers, networked printers, scanners, copiers, digital telecommunications, and personally owned devices.
  • Discovered hosts are subsequently interrogated to find open ports for the scanner to probe.
  • Any open ports are examined for vulnerabilities and misconfigurations specific to the type of service detected on the port. Much of this examination relies on self-reporting by the host (such as reports of software version numbers).
  • Scans are limited to reviewing system and application configuration and do not open or examine content in email, documents, spreadsheets, databases, or any other application.

For answers to questions you may have about IA scans, see the Monthly & On-Demand Vulnerability Scanning FAQ.

Scans Offered

Quarterly Vulnerability Scans—conducted routinely by IA

IA conducts quarterly vulnerability scans of the entire network address space registered to the University of Michigan. The scans come from a scanner positioned outside the university to give units the perspective of what an attacker can see from outside university networks.

Detailed vulnerability reports are provided to the identified contact person in a unit (as listed in the ITS Network Information Database—NetInfo), with the expectation that corrective actions will be taken.

Units are expected to remediate any identified vulnerabilities as outlined in Vulnerability Remediation.

Monthly and On-Demand Scanning Service—available free from IA on request

U-M units that would like regular scans of their networks without the cost of maintaining their own local scanning infrastructure can request monthly scans from IA, as well as customized one-time scans.

Web Application Scanning—available free from IA on request

Your unit's web applications are likely available publicly on the internet, which can leave them vulnerable to attack. Web application scans can crawl your websites and check for security vulnerabilities across your web server(s), proxy server, web application server, and other web services.

U-M units can request free, on-demand, web application scans of their networks from IA. IA uses scanning software that focuses on running security tests against web applications. Such scans are effective at finding vulnerabilities specific to web applications, such as SQL injection, cross-site scripting, and so on. A detailed report will be provided with specific vulnerability details and remediation steps.

As with standard monthly and on-demand scans, units may use the service to scan U-M-owned networks that are reachable from IA's scanning server. For networks that are not normally reachable due to a firewall, an exception would need to be created to allow the scanner full visibility of the target network.

Request a scan via the IT Security Essential section of the Michigan IT Services Portal.

Targeted Scans for Specific Vulnerabilities—conducted by IA

IA occasionally performs narrowly targeted scans of all U-M networks to find high-risk vulnerabilities that pose an imminent threat.

When such scans are performed, every effort will be made to notify network owners in advance. An email notification will be sent to network administration lists such as FLN to advise of the scope and timing of the scan.

Units that observe unexpected scan traffic may contact security@umich.edu with the relevant source and target IP addresses to determine whether an IA scan is the root cause.

Unit-Performed Scans

Units interested in performing regular vulnerability scans should first evaluate the free IA monthly and on-demand scanning service to see if it will meet their needs. If that is deemed insufficient, you can contact IA via the ITS Service Center for vulnerability scanning suggestions.