Improving Security Using Attack Surface Analyzer
Published: March 21, 2011
Author: Solomon Lukie, Program Manager, Microsoft Trustworthy Computing
Attack Surface Analyzer is a Microsoft verification tool designed to catalog changes in system state, runtime parameters, and securable objects on the Windows operating system. This analysis helps identify any increase in the attack surface that is caused by installing applications. Developed by the Security Engineering group team, Attack Surface Analyzer is the first tool of its kind available for public use, and it runs on the Windows Vista, Windows 7, and Windows Server 2008 operating systems.
In this article:
Microsoft released a public Beta of the tool on January 18, 2011 to assist independent software vendors (ISVs) during the verification phase of the Microsoft Security Development Lifecycle (SDL) as they evaluate the changes their product makes to the attack surface of a computer. Because Attack Surface Analyzer does not require source code or symbol access, IT professionals and security auditors can also use the tool to gain a better understanding of the aggregate attack surface change that may result from the introduction of line-of-business (LOB) applications to the Windows platform.
The tool does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses Microsoft has seen when applications are installed on the Windows operating system, and it highlights these as issues. The tool also gives an overview of changes to the system that Microsoft considers important to the security of the platform, and it highlights these changes in the attack surface report. Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, Microsoft ActiveX controls, listening ports, access control lists, and other parameters that affect a computer's attack surface.
Using the tool involves taking snapshots of your system during the installation and configuration of an application, and comparing these snapshots to identify changes. Taking multiple snapshots enables a more granular analysis of individual components. There is no difference in the information collected from the computer during each snapshot, and depending on how much software is installed on the target computer scanning will take between 5 and 30 minutes to complete.
Microsoft offers Attack Surface Analyzer to developers as a stand-alone tool. It has a wizard to step through the scanning and analysis process; a command-line version supports automation and older versions of Windows, and assists IT professionals as they integrate the tool with existing enterprise management tools. Attack Surface Analyzer enables:
Snapshots can be taken on Windows 7 and Windows Server 2008 R2 using the graphical wizard (Attack Surface Analyzer.exe); alternatively the command-line version (asa.exe) can be run on Windows Vista and Windows Server 2008 in addition to Windows 7 and Windows Server 2008 R2.
Analysis of data from Attack Surface Analyzer and report generation uses the graphical wizard (Attack Surface Analyzer.exe) and requires either Windows 7 or Windows Server 2008 R2 with the Microsoft .NET Framework 3.5 Service Pack 1 (SP1).
There are two separate MSI packages: one for 32-bit systems (x86) and one for 64-bit systems (x64).
Attack Surface Analyzer can be installed using the downloadable MSI packages or it can be directly copied to a computer for execution. As Attack Surface Analyzer looks for changes in system state, it does not make any changes to the system itself, with the exception of extracting the executable files to disk and adding a shortcut to the Start menu for the graphical wizard. During execution, the tool will create a data directory in %userprofile%\Attack Surface Analyzer, and upon completion of a scan it will compress these files into a Microsoft Cabinet (CAB) file.
Data Collection Via Wizard (Windows 7 and Windows Server 2008 R2)
For installation using the wizard, follow the steps below:
Data Collection Via Command Line (Windows Vista and Windows Server 2008 R1)
You can either analyze the results on the computer you generated your scans from, or copy the CAB files to another computer for analysis.
Attack Surface Analyzer will inspect the contents of these files to identify changes in system state and, if applicable, important security issues that should be investigated. Severity 1 issues are those that the SDL requires to be fixed; Severity 2 issues are those that the SDL recommends to be resolved. If a web browser is installed on the computer performing the analysis, it will automatically load the Attack Surface Analyzer report—an HTML file.
The report includes built-in help using the “Explain…” link in each section heading.
Review the report to ensure the changes are the minimum required for your product to function and are consistent with your threat risk model.
After addressing issues generated from the tool, you should repeat the scanning process on a clean installation of Windows (i.e., without the artifacts of your previous installation) and re-analyze the results. We have found this approach more reliable and accurate than product uninstall and reinstalls.
As the process may need to be repeated a number of times, we recommend using a virtual machine with "undo disks", “differencing disks” or the ability to revert to a prior virtual machine snapshot/ configuration to perform your Attack Surface assessments. You can download Microsoft Hyper-V Server 2008 R2 or Microsoft Virtual PC 2007 free of charge to assist with testing.
About the Author
Solomon Lukie is a program manager in the Trustworthy Computing Security group at Microsoft focused on building tools and automation to find security vulnerabilities. He provides thought leadership and internal consulting on attack surface analysis and reduction across a number of Microsoft product groups as part of the Security Development Lifecycle.
Solomon joined Microsoft in 2008 with more than 10 years of experience in architecting secure solutions based on Microsoft technologies in both the private sector and classified government environments. In his free time, Solomon enjoys studying Asian languages and traveling the world to visit family and friends.
While we cannot reply to every email individually, you are welcome to send feedback, comments, and suggestions about the ASA tool to firstname.lastname@example.org.