Attack Surface Analyzer

Attack Surface Analyzer is a tool for analyzing changes made to the attack surface of Windows operating systems from Windows Vista onward. Microsoft recommends it in its SDL guidelines for the verification phase of development.

History
According to the Microsoft SDL team, before Attack Surface Analyzer was developed there was no all-in-one tool for checking changes made to the attack surface of the Windows operating system. Checking and verifying the effects of software installations on the system had been a problem as far back as the development of Windows Server 2003. At that time a separate tool was needed for every type of change made to the attack surface, and repeating the checks again and again with multiple tools was a painful process.

This problem led Microsoft to create an application with which developers could analyze changes made to the Windows attack surface. It was first used internally by developers at Microsoft. Later, on January 18, 2011, a beta version (version 5.1.3.0) of the tool, named Attack Surface Analyzer, was released publicly for testers and IT administrators. Attack Surface Analyzer compares two sets of scan data from a system, called the baseline scan and the product scan. Both 32-bit and 64-bit versions are available for Windows Vista and Windows 7 (and the respective Server editions). There is no news of a Windows XP version being released.

Analysis of Different Threat Categories
Attack Surface Analyzer is an all-in-one tool for analyzing changes made to the various parts of the attack surface of the Windows 6.x series of operating systems (Windows Vista and Windows 7). With this one tool you can analyze changes made to the registry, file permissions, IIS, GAC assemblies and more. According to Microsoft, it is the same tool used by the engineers of Microsoft's security team to analyze the effects of software installation on the Windows operating system.

This would not have been possible without an all-in-one tool: you would have had to use different software for each part of Windows and then combine the results yourself. The tool lists the elements it enumerates while running a system scan. The elements are:

 * files
 * registry keys
 * memory information
 * windows
 * Windows firewall
 * GAC Assemblies
 * network shares
 * Logon sessions
 * ports
 * named pipes
 * autorun tasks
 * RPC endpoints
 * processes
 * threads
 * desktops
 * handles
 * Microsoft Internet Information Services Server

The list above covers the elements that can be changed when new software is installed on the system and that matter for the attack surface. Some software changes only a few elements in the list, while other software changes more, or different, elements. Attack Surface Analyzer collects all of them so that every part can be analyzed in one place.

Enlisting Threats
Attack Surface Analyzer will reliably tell you what changed; in some cases it will also tell you that a particular configuration change constitutes a threat. At present the tool does not list threats for every category (or part of the operating system) it scans, but only for a few; the most noticeable are issues in service configurations, file system ACLs, and issues related to processes running on the system.

Determining Threat Severity
Having the list of threats to the system come from software released by Microsoft itself is valuable; after all, no one knows Windows better than Microsoft. Given Microsoft's increased attention to security, it is also important for an enterprise IT team to know the severity of each threat. Attack Surface Analyzer shows the severity of the threats it finds. However, it does not appear to report a severity for each individual threat; instead it shows the severity by threat category. For example, the severity of a threat in the category “Executables With Weak ACLs” (severity level 1) is lower than one in “Processes With Impersonation Tokens” (severity level 2). Listing the severity of each individual threat, rather than of the category it belongs to, would clearly be desirable, but there is no news about when that might be available.

Built in Help
Every organization has experts in various domains of security. A network security expert may not know the details and terminology of another domain (say, Windows services), even though two issues may be connected. It is neither possible (nor, in some cases, important) for two expert teams to know every term the other uses, but it may be required occasionally. The report generated by Attack Surface Analyzer lists a brief description of every threat and every change to the attack surface, along with a link to the TechNet library article describing the term in detail. The brief description is usually enough for experts, but in other cases the link is needed, and Microsoft has made it easy to find the right resource for a term rather than relying on web search engines.

Organization of Changes made to the Attack Surface
The attack surface of the Windows operating system spans many parts of the operating system, and the report would be difficult to understand if all changes were listed serially. Attack Surface Analyzer makes the report easy to browse by grouping the threats into categories and providing a table of contents in an HTML page.

Report Generation
Attack Surface Analyzer compares two sets of scan data (generated by itself in two separate scans) and generates a report that can be viewed in HTML format. It is also possible to run the scans on one system and generate the report on another system using the same tool. This is useful for Windows Vista clients, because the current version of Attack Surface Analyzer cannot generate reports on Windows Vista. In that case Attack Surface Analyzer can be used to run the scans on the Windows Vista client; the scan result files are then transferred to a computer running Windows 7, where the report is generated and browsed.

System Requirements
Attack Surface Analyzer works on the Windows 6.x series of operating systems, but report generation is only possible on version 6.1. The system requirements (from the official download page) are:

Installable on: Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2

Collection of Attack Surface Data: Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2

Analysis of Attack Surface data and report generation: Windows 7 or Windows Server 2008 R2 with Microsoft .Net 3.5 SP1

Microsoft has not listed any separate hardware requirements; the tool should do its job on any machine that meets the hardware requirements of the installed operating system. Note, however, that the time taken to generate scan data and reports depends on the hardware (faster hardware gets the work done sooner).

Scans
Attack Surface Analyzer lists two types of scans, namely the baseline scan and the product scan. In strict technical terms both scans are the same; the difference between them is logical, not technical.

Baseline Scan
This is the scan the user runs to generate data on the initial system; this data is later compared with the product scan. After the baseline scan is run, the product whose effect on the attack surface is to be checked is installed. The installation may change the system configuration by installing services, changing firewall rules, installing new .NET assemblies and so on. The baseline scan, then, is simply the scan run with Attack Surface Analyzer that generates the file containing the system's configuration before the software is installed.

Product Scan
The product scan captures the state of the system after the ‘product’ was installed; here the product is the software whose effects on the system are to be checked. At least two scans are required to generate a report. The product scan captures the changes made to the system by installing the software product under test, and its scan data is compared with the baseline scan data to find the configuration changes at each point. Note that more than one system state can be captured with Attack Surface Analyzer, and any combination of them can be used to generate a report; however, the ‘baseline scan’ should be the one taken earlier, and the other is then treated as the product scan.
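As an added example (this is not Attack Surface Analyzer's own code, nor anything published by Microsoft), the following PowerShell script reproduces the baseline scan / install / product scan / report workflow described above in miniature. It snapshots a handful of the element types the tool enumerates (services, network shares, autorun entries and listening ports), saves each snapshot to a file that can be moved to another machine, and compares two snapshots with a severity assigned per category, mirroring the category-level severity the article notes. It assumes Windows PowerShell 3.0 or later and an elevated prompt; the function names, the severity numbers and the two hand-made snapshots in the self-check are this example's own constructions.

```powershell
# Added example, not Attack Surface Analyzer's own code: a minimal
# baseline/product snapshot and comparison in the style the article describes.
# Assumptions: Windows PowerShell 3.0 or later (CIM cmdlets, [pscustomobject]),
# run from an elevated prompt so services, shares and listening ports are all
# visible. Function names and severity values are this example's own.

function Get-SurfaceSnapshot {
    # Every category is a hashtable keyed by a stable identifier, so that two
    # snapshots taken at different times can be compared entry by entry.
    $snap = @{}

    # Services: start mode, logon account and binary path. Service
    # configuration is one of the areas where the article says ASA flags threats.
    $services = @{}
    Get-CimInstance Win32_Service | ForEach-Object {
        $services[$_.Name] = "$($_.StartMode)|$($_.StartName)|$($_.PathName)"
    }
    $snap['Services'] = $services

    # Network shares and the local path each one exposes.
    $shares = @{}
    Get-CimInstance Win32_Share | ForEach-Object { $shares[$_.Name] = $_.Path }
    $snap['Shares'] = $shares

    # Autorun entries from the machine-wide Run key.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $autoruns = @{}
    if (Test-Path $runKey) {
        (Get-ItemProperty $runKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $autoruns[$_.Name] = [string]$_.Value }
    }
    $snap['Autoruns'] = $autoruns

    # Listening TCP endpoints, parsed from netstat so the script also works on
    # Vista/7 where Get-NetTCPConnection does not exist. PIDs are deliberately
    # not recorded because they change across reboots and would only add noise.
    $ports = @{}
    netstat -ano -p TCP | Select-String 'LISTENING' | ForEach-Object {
        $fields = $_.Line.Trim() -split '\s+'
        $ports[$fields[1]] = 'TCP'     # key is local address:port
    }
    $snap['Ports'] = $ports

    return $snap
}

# Severity is assigned per category rather than per finding, mirroring the
# article's observation about how ASA reports severity. These numbers are
# illustrative choices for this example, not ASA's own scale.
$CategorySeverity = @{ Services = 2; Autoruns = 2; Ports = 1; Shares = 1 }

function Compare-SurfaceSnapshot {
    param([hashtable]$Baseline, [hashtable]$Product)
    $changes = @()
    foreach ($category in $Baseline.Keys) {
        $before = $Baseline[$category]
        $after  = $Product[$category]
        foreach ($key in $after.Keys) {
            if (-not $before.ContainsKey($key)) {
                $changes += [pscustomobject]@{ Category = $category; Change = 'Added'
                    Item = $key; Detail = $after[$key]; Severity = $CategorySeverity[$category] }
            } elseif ($before[$key] -ne $after[$key]) {
                $changes += [pscustomobject]@{ Category = $category; Change = 'Modified'
                    Item = $key; Detail = "$($before[$key]) -> $($after[$key])"
                    Severity = $CategorySeverity[$category] }
            }
        }
        foreach ($key in $before.Keys) {
            if (-not $after.ContainsKey($key)) {
                $changes += [pscustomobject]@{ Category = $category; Change = 'Removed'
                    Item = $key; Detail = $before[$key]; Severity = $CategorySeverity[$category] }
            }
        }
    }
    return $changes | Sort-Object Severity -Descending
}

# Workflow, matching the article's baseline -> install -> product -> report steps.
# Export-Clixml keeps the nested hashtables intact, and the .xml files can be
# copied to another machine for comparison, as the article describes for Vista.
#   Get-SurfaceSnapshot | Export-Clixml -Depth 3 baseline.xml
#   ... install the product under test ...
#   Get-SurfaceSnapshot | Export-Clixml -Depth 3 product.xml
#   $report = Compare-SurfaceSnapshot -Baseline (Import-Clixml baseline.xml) `
#                                     -Product  (Import-Clixml product.xml)
#   $report | ConvertTo-Html -Title 'Attack surface changes' | Set-Content report.html

# Constructed self-check with two tiny hand-made snapshots (not real scan data):
$baseline = @{ Services = @{ Spooler = 'Auto|LocalSystem|C:\Windows\spoolsv.exe' }
               Shares = @{}; Autoruns = @{}; Ports = @{ '0.0.0.0:135' = 'TCP' } }
$product  = @{ Services = @{ Spooler = 'Auto|LocalSystem|C:\Windows\spoolsv.exe'
                             ExampleSvc = 'Auto|LocalSystem|C:\Example\svc.exe' }
               Shares = @{}; Autoruns = @{ ExampleUpdater = 'C:\Example\upd.exe' }
               Ports = @{ '0.0.0.0:135' = 'TCP'; '0.0.0.0:8080' = 'TCP' } }
Compare-SurfaceSnapshot -Baseline $baseline -Product $product | Format-Table -AutoSize
```

The self-check at the end reports three additions (a new service, a new autorun entry and a new listening port) sorted with the severity-2 categories first. The script is deliberately far narrower than the real tool, which also covers file and registry ACLs, GAC assemblies, RPC endpoints, named pipes and the other elements listed earlier, but the shape of the comparison, and the reason the baseline must be the earlier of the two snapshots, is the same.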