NESSUS CRASHING CITRIX METAFRAME SERVERS

To: <nessus@list.nessus.org>
Subject: NESSUS CRASHING CITRIX METAFRAME SERVERS
From: "John Scherff" <JScherff@24hourfit.com>
Date: Sat, 9 Dec 2006 17:14:52 -0800

Tenable/List,

Starting last month, Nessus began crashing our Citrix Metaframe farm (approximately 60 servers).  The same scan ran every month without incident for over a year prior to November.  It may be the case that the scan did not bring down all the servers, but brought down certain services that are critical to Metaframe functionality.  Here's a quote from the Citrix administrator:

It seems that somehow the scan causes the IMA (Independent Management Architecture) service to stop on almost all the MF servers. There were only 5 that did not have the IMA service stopped. Of course, when that happens, they are dead to the ZDC (Zone Data Collector) which reports them as Server Down. The IMA service is critical to the communication between the MF servers and the ZDC.

Pertinent facts:

  • Scan authentication: none
  • Nessus version : 3.0.4
  • Plugin feed version : 200612082115
  • Type of plugin feed : Direct
  • Port scanner(s) : nessus_tcp_scanner
  • Port range : default
  • Thorough tests : yes
  • Experimental tests : no
  • Safe checks : yes
  • Max hosts : 10
  • Max checks : 4
  • Scan Start Date : 2006/12/9 12:32
  • Scan duration : 155 sec

Nothing dangerous appears to be turned on, except possibly “thorough tests.”  I use Edgeos' Python-based update-nessusrc.py script to keep the config file up-to-date.  The parameters I pass to the script (which show the plug-in families I use) are in the attached file, update.txt.

The same servers were scanned last week with ONLY local security checks / Microsoft bulletins turned on (checks for missing patches only).  Those scans use the same settings as above, only the port range is 1-65535, and Nessus authenticates to the servers with an account in the Domain Admins group.  That scan did not impact the servers at all.

John Scherff
Sr. IT Security Analyst
24 Hour Fitness
jscherff@24hourfit.com