Utility Spotlight: Analyze Your Software for Security Holes

The Microsoft Attack Surface Analyzer tool can pinpoint security flaws in the software you install.

Lance Whitney

Wondering what security issues might be present in the applications you install at your organization? A free tool from Microsoft can help you answer that question. The Attack Surface Analyzer takes a snapshot of a PC’s environment before and after you install a new application. The tool then scans for changes in the Registry, file system and other areas to report on any potential security problems caused by the newly installed program.

Each scan creates a CAB file. Then the tool uses this to generate an on-screen report with details on any changes made to Windows and possible security concerns introduced by the new program installation. The first scan is called the baseline. This takes a snapshot of your PC’s environment before you install a new program. The second scan is called the product scan. This takes another snapshot after installing the program.

You can install a single program or multiple programs between scans. It’s a better idea to install one program at a time so you know exactly which program is responsible for which specific security issues. Before you run a scan, make sure your test PC is set up with your organization’s standard Windows environment, including all applications, updates and middleware.

The tool is designed for developers who want to test their own applications for security holes. However, it’s also quite useful for IT professionals who need to be aware of possible security weaknesses introduced as a result of the software they install on their servers or client PCs. The tool’s description indicates it was developed by the Microsoft Security Engineering group, and the company’s own internal product groups use it for testing.

Testing, Testing

Download the Attack Surface Analyzer from the Microsoft Download Center. There you can grab the Attack_Surface_Analyzer_BETA_x86.msi file for 32-bit versions of Windows or the Attack_Surface_Analyzer_BETA_x64.msi for 64-bit versions. After installing the executable file, make sure you’re logged in as an administrator and launch Attack Surface Analyzer through its Start menu shortcut.

Your first step is to run the baseline scan. Make sure you select “Run new scan” as the action (see Figure 1). You can change the name and location of the CAB file it will generate if you wish. Then click the Run Scan button.

Running a new scan with the Microsoft Attack Surface Analyzer.

Figure 1 Running a new scan with the Microsoft Attack Surface Analyzer.

The Collecting Data window shows you the different tasks being completed by the tool (see Figure 2). This gives you an overall sense of how long the scan might take. Depending on your PC’s environment, you can expect to wait at least several minutes for the initial scan to complete.

First, the Attack Surface Analyzer gathers system data.

Figure 2 First, the Attack Surface Analyzer gathers system data.

After the base scan has finished, a Scan Complete window pops up, showing you the name and location of the CAB file (see Figure 3). Leave the Attack Surface Analyzer window open.

Then install your new program. After you’ve finished installation, you can reboot your computer if you need to. Then you’ll have to reopen Attack Surface Analyzer. Otherwise, return to the Attack Surface Analyzer window. Make sure the window is still listing the generated CAB file from the baseline scan and then click the Run Scan button.

The initial scan generates a CAB file.

Figure 3 The initial scan generates a CAB file.

The Collecting Data window will appear again. This time, it shows you the progress of the product scan. After this scan has completed, a Scan Complete window pops up with the name and location of the second CAB file.

Your next step is to generate the actual report. Select the “Generate an attack surface report” radio button. The window shows you the name and location of the baseline scan, the product scan and the report filename (see Figure 4). Click the Generate button. The tool analyzes the differences between the two scans.

Comparing the Baseline and Product scans determines any security issues.

Figure 4 Comparing the Baseline and Product scans determines any security issues.

After the analysis is complete, the report opens as an HTML file in your default browser (see Figure 5). Clicking the Report Summary tab displays basic information on the two CAB files and your version of Windows. The Security Issues tab highlights the actual security holes uncovered as a result of installing the new program. The Attack Surface tab provides more details on some of the changes made to Windows.

The final Attack Surface Analyzer Attack Surface Report.

Figure 5 The final Attack Surface Analyzer Attack Surface Report.

An Explain link on each of the three pages offers an in-depth explanation of the potential security holes and the changes made to Windows. It’s highly recommended that you read the Explain page so you can better understand the underlying security issues and whether they’re cause for concern.

The Microsoft Attack Surface Analyzer supports Windows 7, Windows Vista and Windows Server 2008. The data itself can be collected on any PC running Windows 7, Windows Vista, Windows Server 2008 or Windows Server 2008 R2. You can complete the data analysis and report generation on computers running Windows 7 or Windows Server 2008 R2 with the Microsoft .NET Framework 3.5 SP1.

Lance Whitney

Lance Whitney is a writer, IT consultant and software trainer. He’s spent countless hours tweaking Windows workstations and servers. Originally a journalist, he took a blind leap into the IT world in the early ’90s.