I'm testing a friend's website running on Amazon's EC2 servers.  He put in a request to allow me to test it next week.  The terms are pretty standard, don't DoS the servers.  I'm planning on running Nessus (regular server scan and web app scan), Nikto and BurpSuite Scanner on the site.  Is there anything I should know, settings I should change in the scans before I start?

Thanks.

Thanks, I was planning on doing both.  Running a server scan without credentials (External IP Scan), and then a web app scan with credentials.  I will have safe scans enabled.  If I have all the plugins enabled, safe scan will ensure that the non-safe ones aren't run right?  The server is run through a PaaS provider, so my friend isn't sure about all the services running so I want to be thorough.

I've never run a scan on a live, external server before, so I'm just trying to be cautious.  I kind of wish I had an external server to test the scans on first, but oh well.

Thanks

I have checked skip sensitive devices   And I have Nikto integrated into Nessus.  I also set the max TCP connections very low, so I don't think I'll have a problem.

We'll see though...

And I just ordered Burp Pro.