In this second article in my series focused on Microsoft’s free security tools, I’d like to introduce you to the Attack Surface Analyzer version 1.0.  Back in January of 2011 the Security Development Lifecycle team released a beta version of the Attack Surface Analyzer and today they announced the release of version 1.0.

Attack Surface Analyzer can help software developers and Independent Software Vendors (ISVs) understand the changes in Windows systems’ attack surface resulting from the installation of the applications they develop.  It can also help IT Professionals, who are responsible for managing the deployment of applications or the security of desktops and servers, understand how the attack surface of Windows systems change as a result of installing software on the systems they manage.  Some use cases include: 

• Developers can use the tool to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
• IT Professionals can use the tool to assess the aggregate attack surface change by the installation of an organization's line of business applications
• IT Security Auditors can use the tool to evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
• IT Security Incident Responders can potentially use the Attack Surface Analyzer to gain a better understanding of the state of a system’s security during investigations (if a baseline scan was taken of the system during the deployment phase)

This tool essentially allows you to take a “snap shot” of a bunch of security related information on a system.  Then after the system changes, you can take another “snap shot” and the tool will compare the before and after “snap shots” and show you what changed in an HTML report.  The security related information captured in a snap shot includes:

• System Information
• Running Processes
• Executable Memory Pages
• Windows
• Impersonation Tokens
• Kernel Objects
• Modules
• Network Information
• Network Ports
• Named Pipes
• RPC Endpoints
• System Environment, Users, Groups
• Accounts
• Groups
• Group Membership 

Figure: an example of an Attack Surface Analyzer report

The “Security Issues” tab highlights specific potential issues such as access control lists (ACLs) that could be problematic.  The “Attack Surface” tab provides insight into what has changed on the system and how the attack surface of the system has been altered.

You can download the Attack Surface Analyzer version 1.0 for free from http://www.microsoft.com/en-us/download/details.aspx?id=24487

Tim Rains
Director, Trustworthy Computing