Thanks, I was planning on doing both. Running a server scan without credentials (External IP Scan), and then a web app scan with credentials. I will have safe scans enabled. If I have all the plugins enabled, safe scan will ensure that the non-safe ones aren't run right? The server is run through a PaaS provider, so my friend isn't sure about all the services running so I want to be thorough.
I've never run a scan on a live, external server before, so I'm just trying to be cautious. I kind of wish I had an external server to test the scans on first, but oh well.