An enterprise network can have sanctioned and unsanctioned servers on it. Sanctioned servers are approved by an administrator and perform tasks such as web page serving and mail routing. Unsanctioned servers are not approved by the administrator and represent possible security risks. A service monitor accesses one or more metadata sources having information describing the enterprise network, such as domain name system (DNS) records on the Internet. The service monitor analyzes the metadata and creates a security profile for the enterprise network. The security profile identifies the sanctioned servers. The service monitor monitors network traffic for compliance with the security profile, and detects unsanctioned servers on the network. The service monitor reports violations of the profile and informs the administrator of the unsanctioned servers.