Microsoft Download Center Archive

Attack Surface Analyzer (classic)

  • Published:
  • Version: 1.0.0.0
  • Category: Tool
  • Language: English

Analyzes changes to Windows attack surface

  • Attack Surface Analyzer 1.0 (classic version) was developed by the Trustworthy Computing Security group and released publically back in 2012.
    While this older version continues to be made available for download it is no longer supported in favor of the the newer 2.0 version described by the project home page on Github. Note differences in feature sets and supported operating systems exists between the two versions which are described on the Attack Surface Analyzer 2.0 project wiki and FAQ's.

    The remainder of this download description is for the 1.0 version exclusively.

    Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.

    This allows:
    - Developers to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
    - IT Professionals to assess the aggregate Attack Surface change by the installation of an organization's line of business applications
    - IT Security Auditors evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
    - IT Security Incident Responders to gain a better understanding of the state of a systems security during investigations (if a baseline scan was taken of the system during the deployment phase)

Files

Status: Deleted

This download is no longer available on microsoft.com. The downloads below are archives provided by the Internet Archive Wayback Machine from the Microsoft Download Center prior to August 2020.

FileSize
Attack_Surface_Analyzer_ReadMe.docx
SHA1: 10ac8251ccd07e402890cca3143966870af018f2
195 KB
Attack_Surface_Analyzer_x64.msi
SHA1: 0e582a8463120242fe468004d4b4523fb6b10419
1.53 MB
Attack_Surface_Analyzer_x86.msi
SHA1: 91d50e2172f5df2c261b5401e4d844ca523696f1
1.49 MB

System Requirements

Operating Systems: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista

  • Collection of Attack Surface data: Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

    Analysis of Attack Surface data and report generation: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012. Microsoft .NET Framework 4 is required.

    See the Attack Surface Analyzer ReadMe for detailed system requirements

Installation Instructions

  • Note: To run Attack Surface Analyzer, you will require Administrator privileges on the computer.

    Collecting attack surface information with .NET Framework 4 installed
    C1. Download and install Attack Surface Analyzer on a machine with a freshly installed version of a supported operating system, as listed in the System Requirements section. Attack Surface Analyzer works best with a clean (freshly built) system. Not running the Attack Surface Analyzer on a freshly built system requires more time to perform scanning and analysis.
    C2. Install any software prerequisite packages before the installation of your application.
    C3. Run Attack Surface Analyzer from the Start menu or command-line. If Attack Surface Analyzer is launched from a non-elevated process, UAC will prompt you that Attack Surface Analyzer needs to elevate to Administrative privileges.
    C4. When the Attack Surface Analyzer window is displayed, ensure the "Run new scan" action is selected, confirm the directory and filename you would like the Attack Surface data saved to and click Run Scan.
    C5. Attack Surface Analyzer then takes a snapshot of your system state and stores this information in a Microsoft Cabinet (CAB) file. This scan is known as your baseline scan.
    C6. Install your product(s), enabling as many options as possible and being sure to include options that you perceive may increase the attack surface of the machine. Examples include; if your product can install a Windows Service, includes the option to enable access through the Windows Firewall or install drivers.
    C7. Run your application.
    C8. Repeat steps C3 through C5. This scan will be known as your product scan.


    Collecting attack surface information without the .NET Framework 4 installed
    Note: The (command line) method is recommended when .NET Framework 4 is not installed. To perform analysis and report generation, a machine with .Net Framework 4 is required.
    C1. Download and install Attack Surface Analyzer on a machine with a freshly installed version of a supported operating system, as listed in the System Requirements section. Attack Surface Analyzer works best with a clean (freshly built) system. Not running the Attack Surface Analyzer on a freshly built system requires more time to perform scanning and analysis.
    C2. If your Windows installation does not have the .NET Framework 4 installed, you have an option of updating your .NET Framework installation or installing only ASA.exe and dependent components. If you choose to install .Net Framework 4, please see the above section, “Collecting attack surface information with the .Net Framework 4 installed”.
    C3. Navigate to the Attack Surface Analyzer installation directory. The default installation directory is C:\Program Files\Attack Surface Analyzer\.
    C4. Run Attack Surface Analyzer.exe from the command line. If Attack Surface Analyzer.exe is launched from a non-elevated process, UAC will prompt you that Attack Surface Analyzer needs to elevate to Administrative privileges. To view the full list of command line options execute the command: ““Attack Surface Analyzer.exe” /?” (without the surrounding quotation marks) from the console.
    C5. Attack Surface Analyzer will then take a snapshot of your system state and store this information in a CAB file, saving the results to your user profile directory - the default is: C:\Users\%username%\Attack Surface Analyzer\. This scan is known as your baseline scan.
    C6. Install your product(s), enabling as many options as possible and being sure to include options that you perceive may increase the attack surface of the machine. Examples include; if your product can install a Windows Service, includes the option to enable access through the Windows Firewall or install drivers.
    C7. Run your application.
    C8. Repeat steps C3 and C5, this scan will be known as your product scan.


    Analyzing the Results
    Note: You can either analyze the results on the computer you generated your scans from, or copy the CAB files to another computer for analysis. To perform analysis and report generation, a machine with .Net Framework 4 is required:
    A1. Run Attack Surface Analyzer from the Start menu. If Attack Surface Analyzer is launched from a non-elevated process, UAC will prompt you that Attack Surface Analyzer needs to elevate to Administrative privileges. Note: To view the full list of command line options, including generating the report from the command line, execute the command: ““Attack Surface Analyzer.exe” /?” (without the surrounding quotation marks) from the console.
    A2. Choose the "Generate Report" action and specify your baseline and product scan CAB files. Note: Make sure that you have the cab files selected for both baseline and product correctly, then generate report.Attack Surface Analyzer will inspect the contents of these files to identify changes in system state and if applicable important security issues that should be investigated. If a web browser is installed on the machine performing the analysis it should automatically load Attack Surface Analyzer's report - it is a HTML file.
    A3. Review the report to ensure the changes are the minimum required for your product to function and are consistent with your threat model.


    After addressing issues generated from the tool you should repeat the scanning process on a clean installation of Windows (that is, without the artifacts of your previous installation) and re-analyze the results. As you may need to repeat the process a number of times, we recommend using a virtual machine with "undo disks", differencing disks or the ability to revert to a prior virtual machine snapshot/configuration to perform your attack surface assessments.

    For questions and support contact us on our blog: http://social.msdn.microsoft.com/Forums/en-US/sdlprocess/

Related Resources