
Improving Security Using Attack Surface Analyzer

Published: March 21, 2011

Author: Solomon Lukie, Program Manager, Microsoft Trustworthy Computing

Attack Surface Analyzer is a Microsoft verification tool designed to catalog changes in system state, runtime parameters, and securable objects on the Windows operating system.  This analysis helps identify any increase in the attack surface that is caused by installing applications.  Developed by the Security Engineering group, Attack Surface Analyzer is the first tool of its kind available for public use, and it runs on the Windows Vista, Windows 7, and Windows Server 2008 operating systems.

An Introduction

Microsoft released a public Beta of the tool on January 18, 2011 to assist independent software vendors (ISVs) during the verification phase of the Microsoft Security Development Lifecycle (SDL) as they evaluate the changes their product makes to the attack surface of a computer.  Because Attack Surface Analyzer does not require source code or symbol access, IT professionals and security auditors can also use the tool to gain a better understanding of the aggregate attack surface change that may result from the introduction of line-of-business (LOB) applications to the Windows platform.

The tool does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses Microsoft has seen when applications are installed on the Windows operating system, and it highlights these as issues.  The tool also gives an overview of changes to the system that Microsoft considers important to the security of the platform, and it highlights these changes in the attack surface report.  Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, Microsoft ActiveX controls, listening ports, access control lists, and other parameters that affect a computer's attack surface.

Using the tool involves taking snapshots of your system during the installation and configuration of an application, and comparing these snapshots to identify changes.  Taking multiple snapshots enables a more granular analysis of individual components.  There is no difference in the information collected from the computer during each snapshot, and depending on how much software is installed on the target computer, scanning will take between 5 and 30 minutes to complete.

Microsoft offers Attack Surface Analyzer to developers as a stand-alone tool.  It has a wizard to step through the scanning and analysis process; a command-line version supports automation and older versions of Windows, and assists IT professionals as they integrate the tool with existing enterprise management tools.  Attack Surface Analyzer enables:

  • Developers to view changes in the attack surface resulting from their applications.
  • IT professionals to evaluate aggregate attack surface changes by LOB applications.
  • IT security auditors to identify risk related to attack surface during threat risk assessments.
  • IT security incident responders to better understand the state of securable objects on a system during investigations (if a baseline scan was taken of the system during the deployment phase).

Supported Platforms

Snapshots can be taken on Windows 7 and Windows Server 2008 R2 using the graphical wizard (Attack Surface Analyzer.exe); alternatively the command-line version (asa.exe) can be run on Windows Vista and Windows Server 2008 in addition to Windows 7 and Windows Server 2008 R2.

Analysis of data from Attack Surface Analyzer and report generation uses the graphical wizard (Attack Surface Analyzer.exe) and requires either Windows 7 or Windows Server 2008 R2 with the Microsoft .NET Framework 3.5 Service Pack 1 (SP1).

There are two separate MSI packages: one for 32-bit systems (x86) and one for 64-bit systems (x64).


Installation

Attack Surface Analyzer can be installed using the downloadable MSI packages or it can be directly copied to a computer for execution.  As Attack Surface Analyzer looks for changes in system state, it does not make any changes to the system itself, with the exception of extracting the executable files to disk and adding a shortcut to the Start menu for the graphical wizard.  During execution, the tool will create a data directory in %userprofile%\Attack Surface Analyzer, and upon completion of a scan it will compress these files into a Microsoft Cabinet (CAB) file.

Data Collection Via Wizard (Windows 7 and Windows Server 2008 R2)

For installation using the wizard, follow the steps below:

  1. Download and install Attack Surface Analyzer on a freshly built version of Windows.
  2. Run Attack Surface Analyzer from the Start menu. User Account Control (UAC) in Windows will prompt you that Attack Surface Analyzer needs to elevate to Administrator privileges.
  3. When the Attack Surface Analyzer window is displayed, ensure the "Run new scan" action is selected, confirm the directory and filename to which you would like the Attack Surface data saved, and click Run Scan.

    Attack Surface Analyzer welcome screen

  4. Attack Surface Analyzer will then take a snapshot of your system state and store this information in a Microsoft CAB file.  This is the baseline scan.

    screenshot of Attack Surface Analyzer collecting data

  5. Install your product(s), enabling as many options as possible and including options that you perceive may increase the attack surface of the computer.  For example, if your product can install a Windows Service, include the option to enable access through the Windows Firewall or install drivers.
  6. Repeat steps 2 through 4. This is the product scan.

Data Collection Via Command Line (Windows Vista and Windows Server 2008 R1)

  1. Download and install Attack Surface Analyzer on a freshly built version of Windows.
  2. Locate and execute asa.exe in the Attack Surface Analyzer installation directory—the default installation directory is C:\Program Files\Attack Surface Analyzer\.  UAC will prompt you that Attack Surface Analyzer needs to elevate to Administrator privileges if you are running from Windows Explorer or an un-elevated command prompt.
  3. Attack Surface Analyzer will then take a snapshot of your system state and store this information in a Microsoft CAB file, saving the results to your user profile directory—the default is C:\Users\%username%\Attack Surface Analyzer\.  This scan is the baseline scan.

    screenshot of Attack Surface Analyzer taking a snapshot of the system state

  4. Install your product(s), enabling as many options as possible and including options that you perceive may increase the attack surface of the computer.  For example, if your product can install a Windows Service, include the option to enable access through the Windows Firewall or install drivers.
  5. Repeat steps 2 and 3.  This scan is the product scan.
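The command-line steps above can be scripted so that the baseline and product snapshots are taken the same way every time and the resulting CAB files are labelled and hashed for later use (for example, the deployment-time baseline an incident responder would compare against).  The PowerShell function below is an added example, not code shipped with Attack Surface Analyzer; it assumes only what the article states: asa.exe is installed under C:\Program Files\Attack Surface Analyzer\, takes a snapshot when executed with no arguments, and writes its CAB output under %userprofile%\Attack Surface Analyzer\.  The function name, the archive directory C:\ASA-Snapshots, and the treatment of a non-zero exit code as a failure are this example's own assumptions.

```powershell
# Added example (not part of the original article or the tool): wraps the
# command-line snapshot procedure so baseline and product scans can be automated.
# Assumptions taken from the article: asa.exe lives in
# C:\Program Files\Attack Surface Analyzer\ and writes its CAB output under
# %userprofile%\Attack Surface Analyzer\. asa.exe is invoked without arguments
# because the article documents none. $OutputDir and the function name are
# hypothetical choices for this example.

function Invoke-AsaSnapshot {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('baseline','product')][string]$Label,
        [string]$AsaPath   = 'C:\Program Files\Attack Surface Analyzer\asa.exe',
        [string]$ScanDir   = (Join-Path $env:USERPROFILE 'Attack Surface Analyzer'),
        [string]$OutputDir = 'C:\ASA-Snapshots'   # hypothetical archive location
    )

    # asa.exe must run elevated; check up front rather than hit a UAC prompt mid-script.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this function from an elevated PowerShell prompt.'
    }
    if (-not (Test-Path $AsaPath)) { throw "asa.exe not found at $AsaPath" }
    if (-not (Test-Path $OutputDir)) { New-Item -ItemType Directory -Path $OutputDir | Out-Null }

    # Remember the CAB files that already exist so the new one can be picked out afterwards.
    $before = @{}
    if (Test-Path $ScanDir) {
        Get-ChildItem -Path $ScanDir -Filter *.cab | ForEach-Object { $before[$_.FullName] = $true }
    }

    # Run the scan and wait for it to finish (5 to 30 minutes according to the article).
    $proc = Start-Process -FilePath $AsaPath -Wait -PassThru
    if ($proc.ExitCode -ne 0) {   # assumption: non-zero means the scan failed
        throw "asa.exe exited with code $($proc.ExitCode)"
    }

    $new = Get-ChildItem -Path $ScanDir -Filter *.cab |
           Where-Object { -not $before.ContainsKey($_.FullName) } |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $new) { throw "No new CAB file appeared in $ScanDir" }

    # Copy to a labelled name so baseline and product scans cannot be mixed up.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $OutputDir ('{0}-{1}-{2}.cab' -f $env:COMPUTERNAME, $Label, $stamp)
    Copy-Item -Path $new.FullName -Destination $dest

    # Record a SHA-256 of the archived CAB via .NET (works on PowerShell 2.0, unlike
    # Get-FileHash) so a deployment-time baseline can be verified before it is trusted.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($dest)
    try   { $hex = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    "$hex  $(Split-Path $dest -Leaf)" | Add-Content -Path (Join-Path $OutputDir 'SHA256SUMS.txt')

    return $dest
}

# Usage: take the baseline on a freshly built machine, install the product with
# as many options enabled as possible, then take the product scan.
# $baseline = Invoke-AsaSnapshot -Label baseline
# ... install the product ...
# $product  = Invoke-AsaSnapshot -Label product
```

Because asa.exe picks its own output filename, the function identifies the new snapshot by comparing the CAB files present before and after the run rather than guessing the name; the hash list gives you a way to confirm later that the baseline CAB handed to the report generator is the one that was collected at deployment time.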

Analysis

You can either analyze the results on the computer you generated your scans from, or copy the CAB files to another computer for analysis.

  1. Run Attack Surface Analyzer from the Start menu.  UAC will prompt you that Attack Surface Analyzer needs to elevate to Administrator privileges.
  2. Select the “Generate attack surface report” action and specify your baseline and product CAB files.  Then, click Generate.

    screenshot of Attack Surface Analyzer showing scan complete

Attack Surface Analyzer will inspect the contents of these files to identify changes in system state and, if applicable, important security issues that should be investigated.  Severity 1 issues are those that the SDL requires to be fixed; Severity 2 issues are those that the SDL recommends to be resolved.  If a web browser is installed on the computer performing the analysis, it will automatically load the Attack Surface Analyzer report—an HTML file.

screenshot of Attack Surface Report

The report includes built-in help using the “Explain…” link in each section heading.


Action

Review the report to ensure the changes are the minimum required for your product to function and are consistent with your threat risk model.

After addressing issues generated from the tool, you should repeat the scanning process on a clean installation of Windows (i.e., without the artifacts of your previous installation) and re-analyze the results.  We have found this approach more reliable and accurate than uninstalling and reinstalling the product.

As the process may need to be repeated a number of times, we recommend using a virtual machine with "undo disks", "differencing disks" or the ability to revert to a prior virtual machine snapshot/configuration to perform your Attack Surface assessments.  You can download Microsoft Hyper-V Server 2008 R2 or Microsoft Virtual PC 2007 free of charge to assist with testing.

About the Author

Solomon Lukie is a program manager in the Trustworthy Computing Security group at Microsoft focused on building tools and automation to find security vulnerabilities. He provides thought leadership and internal consulting on attack surface analysis and reduction across a number of Microsoft product groups as part of the Security Development Lifecycle.

Solomon joined Microsoft in 2008 with more than 10 years of experience in architecting secure solutions based on Microsoft technologies in both the private sector and classified government environments. In his free time, Solomon enjoys studying Asian languages and traveling the world to visit family and friends.

Feedback

While we cannot reply to every email individually, you are welcome to send feedback, comments, and suggestions about the ASA tool to asa@microsoft.com.
