Attack Surface Analyzer 1.0 is a free Microsoft download that helps software developers determine the security risks their applications pose to Windows computers. Attack Surface Analyzer compares before-and-after snapshots of the system state so users can better understand changes resulting from installing new applications.
Microsoft first developed Attack Surface Analyzer to help with its own product development, but in 2011, the company released a beta version to the public. Since then, Microsoft has made a number of bug fixes and performance enhancements. As a result, version 1.0 of the tool returns fewer false positives, and its graphical user interface (GUI) performs better. Plus, the product includes in-depth documentation to make it easier to use. These improvements help make the Attack Surface Analyzer program a mainstay in the arsenal of development tools.
Understanding the free Microsoft software
Attack Surface Analyzer works by analyzing the files and registry keys that have been added or updated between system scans. The tool also analyzes services, process threads, ActiveX controls, listening ports and a variety of other parameters.
Specifically, Attack Surface Analyzer searches for security weaknesses that Microsoft has noted when installing applications on a Windows computer. This approach is different from that of similar tools, which analyze systems based on signatures and known vulnerabilities.
After Attack Surface Analyzer completes its analysis, it generates a report that shows what has changed and highlights any changes that Microsoft considers important security issues.
Attack Surface Analyzer can help IT professionals better understand potential vulnerabilities. Software developers and independent software vendors can view changes to attack surfaces when they introduce their code on Windows systems.
Security auditors can also use the tool to assess the risks posed by new software, and other IT professionals can use it to learn how line-of-business applications might affect the attack surface. Even security incident responders can use Attack Surface Analyzer to gain a better understanding of a system's state during an investigation.
Using the Attack Surface Analyzer tool
The Attack Surface Analyzer tool performs two functions. The first is to scan a Windows system and collect data for analysis. The second is to conduct the analysis and generate a report based on its findings.
Attack Surface Analyzer is available in both 32-bit and 64-bit versions. It can collect data from computers configured with Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012. The tool can perform its analysis on any of the supported Windows operating systems except Vista. If you want to collect Vista data, you'll have to perform the analysis on one of the other operating systems.
Users can run Attack Surface Analyzer through its GUI (as Attack Surface Analyzer.exe) or a command-line utility (as asa.exe). To run the GUI, .NET Framework 4 must be installed on the Windows computer.
When collecting data, the Attack Surface Analyzer tool requires two snapshots of the system state, one before the product is installed and one after. Attack Surface Analyzer saves the state information to Microsoft Cabinet (CAB) files. The initial snapshot is referred to as the "baseline scan." The snapshot taken after the software is installed is referred to as the "product scan."
Attack Surface Analyzer works best on machines with a freshly installed version of the operating system. Scans on machines that are not clean take more time than scans on freshly built systems. After you take the baseline scan, install the product and configure as many options as possible, especially those that pose the greatest security risk, such as enabling access through the firewall. Then, you should run the application and take the second snapshot.
Once you've collected the data and created two snapshot CAB files, you can use Attack Surface Analyzer to run the analysis -- either on the computer where you collected the data (unless it's a Vista machine) or on another Windows computer. The computer running the analysis must have the .NET Framework 4 installed.
Attack Surface Analyzer will inspect and compare the files and then generate a report that identifies changes to the system state, as well as possible security issues. You can view the report in Internet Explorer, Google Chrome or Mozilla Firefox. If the tool identifies security problems, the report includes links to more information.
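The baseline-scan/product-scan comparison described above can be sketched in a few lines. This is an added example, not Attack Surface Analyzer's code: the snapshot layout, the sample entries (ExampleApp, ExampleAgentSvc, port 8443) and the four review rules are assumptions made for illustration and do not reflect the tool's CAB format or Microsoft's rule set.

```python
"""Baseline-vs-product snapshot diff (illustrative; not ASA's CAB format or rules)."""
# Constructed sample snapshots: category -> {item name: attributes}.
BASELINE = {
    "files": {r"C:\Windows\win.ini": {"everyone_write": False}},
    "registry": {r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"values": []}},
    "services": {"Spooler": {"account": "LocalSystem"}},
    "ports": {"TCP/135": {"process": "svchost.exe"}},
}
PRODUCT = {
    "files": {
        r"C:\Windows\win.ini": {"everyone_write": False},
        r"C:\Program Files\ExampleApp\agent.exe": {"everyone_write": True},
    },
    "registry": {r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"values": ["ExampleAgent"]}},
    "services": {"Spooler": {"account": "LocalSystem"}, "ExampleAgentSvc": {"account": "LocalSystem"}},
    "ports": {"TCP/135": {"process": "svchost.exe"}, "TCP/8443": {"process": "agent.exe"}},
}

def diff_snapshots(baseline, product):
    """Return [(category, name, kind, attrs)] for items added or changed since the baseline."""
    changes = []
    for category, items in product.items():
        before = baseline.get(category, {})
        for name, attrs in items.items():
            if name not in before:
                changes.append((category, name, "added", attrs))
            elif before[name] != attrs:
                changes.append((category, name, "changed", attrs))
    return changes

def flag(change):
    """Illustrative review rules (assumptions): return a reason string or None."""
    category, name, kind, attrs = change
    if category == "ports" and kind == "added":
        return "new listening port"
    if category == "services" and kind == "added" and attrs.get("account") == "LocalSystem":
        return "new service running as LocalSystem"
    if category == "files" and attrs.get("everyone_write"):
        return "file writable by Everyone"
    if category == "registry" and r"\CurrentVersion\Run" in name:
        return "autostart (Run key) modified"
    return None

def report(baseline, product):
    """Map each flagged item to its reason; unflagged changes are omitted."""
    return {c[1]: flag(c) for c in diff_snapshots(baseline, product) if flag(c)}

if __name__ == "__main__":
    print(report(BASELINE, PRODUCT))
```

Diffing a snapshot against itself yields an empty report, which is why a clean baseline matters: anything already present before the install never shows up as a change.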
After you've reviewed the report and addressed any identified security issues, you should repeat the scanning process on a clean Windows installation, without any of the artifacts from the previous setup. You might have to repeat this process a number of times until you're satisfied with the results in the Attack Surface Analyzer report.
If you started your analysis process with the beta version of Attack Surface Analyzer, you'll have to start with new scans. Attack Surface Analyzer 1.0 is not compatible with the beta version, so it will not work with the beta CAB files.
If you want to finish a project based on previously created scans, then stick with the beta version until you've completed the development cycle. But note that the beta version of the tool will be available for only a limited time.
Benefiting from the security tool
Organizations can't take chances when it comes to security. Attack Surface Analyzer is free Microsoft software, so those who build and implement Windows-based applications have no reason not to take advantage of its capabilities.
On supported Windows systems, Attack Surface Analyzer will collect and analyze security data and present its findings in a browser-based report. In the past, identifying these issues required an assortment of tools, but Microsoft has combined the functionality into a single package. This could give IT admins more time to address vulnerabilities rather than spending time trying to find them.
This was first published in April 2013