Developer(s) | Microsoft Corporation |
---|---|
Final release | 1.0.0.0 / August 2, 2012 |
Operating system | Microsoft Windows |
Platform | Microsoft Windows |
Type | Security |
Website | Attack Surface Analyzer |
Attack Surface Analyzer is a tool created for the analysis of changes made to the attack surface of the operating systems since Windows Vista and beyond. It is a tool recommended by Microsoft in its SDL guidelines [1] in the verification stage of the development.
According to the Microsoft SDL Team, [2] they did not have an all in one tool for checking the changes made to the attack surface of Windows Operating System before Attack Surface Analyzer was developed. It was a problem to check and verify the effects of various software installations on the system way back since Windows Server 2003 was being developed. Back then they had to use multiple tools for every type of change made to the attack surface. [3] It was a painful process when they had to check for everything again and again and using multiple tools.
It was this problem that made Microsoft create an application with which developers could analyze the changes made to the Windows Attack Surface. It has at first been used by the developers at Microsoft. Later, on January 18, 2011, a beta version (version 5.1.3.0) of a tool named Attack Surface Analyzer was released in public for the testers and IT administrators. Attack Surface Analyzer can compare two scan data of a system called the baseline scan [4] and product scan. [5] Both 32-bit and 64-bit versions of software are available [6] for Windows Vista and Windows 7 (and respective Server editions). There is no news about a Windows XP version being released.
Attack Surface Analyzer is all in one tool for analysis of changes made to the various parts of the attack surface of Windows 6 series Operating System (includes Windows Vista and Windows 7). Using this one tool, you can analyze the changes made to the Registry, File permissions, Windows IIS Server, GAC assemblies and a lot more can be done. [7] According to Microsoft, it is the same tool in use by the engineers of the security team at Microsoft to analyze the effects of software installation on the Windows Operating System.
It would not have been possible when there was no all in one tool. You would have had to use different software for all the different parts of Windows and then combine the effects logically by yourself. The tool enlists the various elements it enumerates while running a system scan. The elements are:
The above list is a comprehensive set of elements that are both possible as well as important elements that can be changed when new software is installed on the system. While some software might change only a few elements in the list, some other can change a few more and different elements on the system. Attack Surface Analyzer combines all of them so that it is easier to analyze all parts.
While Attack Surface Analyzer can tell you the changes for sure, in some cases, it will also be able to tell you that a particular change in the configuration is causing a threat. As of now, the tool does not enlist the threats in all the categories (or parts of the Operating System) it scans but only a few, the most noticeable of which are the issues in services configurations, File system ACLs and issues related to the processes running on the system.
Getting the list of threats to the system is a great thing when you have it from software released by Microsoft itself. After all, no one knows Windows better than Microsoft. With the improved concerns over security shown by Microsoft, it is important that the severity of a threat is also known to the IT team of an enterprise. The Attack Surface Analyzer also shows the severity of the threats that it finds. However, it seems not to report the severity of each and every threat. Instead it shows the severity of the threat by its category. For example, the severity of threat caused by “Executables With Weak ACLs” (threat severity of level 1) is less than that caused by “Processes With Impersonation Tokens” (threat severity of level 2). It is surely a desirable feature to enlist the level of severity caused by each threat rather by the category to which it belongs. There however, is no news about when that might be available.
Every organization has its experts on various domains of security. There may be a case when a network security expert in an organization is not aware of the details and terminology of some other domain (say Windows Services). However, the two issues may be connected to each other. While it is not possible (and in some case not important) for the experts of two security expert teams to know everything about the terms in use by each other, it might be required in a few cases. A brief description (along with a link to technet library describing the term in detail) of all threats and changes to the attack surface are enlisted in the report generated by the Attack Surface Analyzer. While the brief description is usually enough for the experts, it might be needed in other cases. Microsoft has made it easy to find the right resource for the term rather than relying upon the web search engines.
Attack Surface of Windows Operating System concerns various parts of the Operating System. It would have been difficult for anyone to understand the report if all of the changes were listed in serial order. Attack Surface Analyzer makes it easy for the user to browse through the report by listing the threats in categories and providing a Table of contents in an HTML page.
Attack Surface Analyzer can compare two scan data (generated by itself on two different scans) and generate a report, which can then be viewed in the HTML format. It is also possible to run the scans on one system and then generate on another system using the same tool. This is good for Windows Vista Clients because it is not possible to generate report using the current version of Attack Surface Analyzer on Windows Vista. [8] In such a case, Attack Surface Analyzer can be used to run scans on the Windows Vista Client, transfer the scan result files to a computer running Windows 7 and then generate and browse the report on the Windows 7 based computer.
Attack Surface Analyzer works on the Windows 6.X series of Operating Systems but report generation can only be done on 6.1 version Operating Systems. Following are the system requirements of Attack Surface Analyzer (from the official download page):
Installable on: Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2
Collection of Attack Surface Data: Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2
Analysis of Attack Surface data and report generation: Windows 7 or Windows Server 2008 R2 with Microsoft .Net 3.5 SP1
Microsoft has not enlisted any hardware requirements separately. The tool should be able to perform its job on any machine meeting the hardware requirements of the installed Operating System. Note, however, that the running time for generation of scan data and report depends on the hardware capabilities (better hardware would get the work done faster).
Attack Surface Analyzer list two types of scans namely baseline scan and product scan. In strict technical terms both the scans are same. The difference between them is logical, not technical.
This is the scan run that the user will run to generate the data on the initial system. This data is then compared with the product scan. After running the baseline scan, the product whose effect on the attack surface of the Operating System is to be checked is installed. The installation changes the system configuration (possibly) by installing services, changing firewall rules, installing new .NET assemblies and so on. Baseline scan is a logical scan run by the user using Attack Surface Analyzer that generates the file containing the configuration of the system before this software is installed.
Product scan signifies the state of the system after the ‘product’ was installed. In this context, the product is the software whose effects on the system upon installation are to be checked. To generate a report, two scans are required in minimum. The product scan would capture the changes made to the system by the installation of the software product under testing. The scan data generated in this scan is compared with the baseline scan data to find the changes made to the system configurations on different points. It is worth a note that more than one system state can be captured using Attack Surface Analyzer and any combination of them can be used for the report generation. However the ‘Baseline Scan’ should be the one that was taken before the other. The other can automatically be called as the product scan.
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.
Windows Update is a Microsoft service for the Windows 9x and Windows NT families of operating system, which automates downloading and installing Microsoft Windows software updates over the Internet. The service delivers software updates for Windows, as well as the various Microsoft antivirus products, including Windows Defender and Microsoft Security Essentials. Since its inception, Microsoft has introduced two extensions of the service: Microsoft Update and Windows Update for Business. The former expands the core service to include other Microsoft products, such as Microsoft Office and Microsoft Expression Studio. The latter is available to business editions of Windows 10 and permits postponing updates or receiving updates only after they have undergone rigorous testing.
The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.
The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance.
Microsoft Defender Antivirus is an anti-malware component of Microsoft Windows. It was first released as a downloadable free anti-spyware program for Windows XP and was shipped with Windows Vista and Windows 7. It has evolved into a full antivirus program, replacing Microsoft Security Essentials in Windows 8 or later versions.
Norton Internet Security, developed by Symantec Corporation, is a discontinued computer program that provides malware protection and removal during a subscription period. It uses signatures and heuristics to identify viruses. Other features include a personal firewall, email spam filtering, and phishing protection. With the release of the 2015 line in summer 2014, Symantec officially retired Norton Internet Security after 14 years as the chief Norton product. It was superseded by Norton Security, a rechristened adaptation of the Norton 360 security suite.
Microsoft Servers is a discontinued brand that encompasses Microsoft software products for server computers. This includes the Windows Server editions of the Microsoft Windows operating system, as well as products targeted at the wider business market. Microsoft has since replaced this brand with Microsoft Azure, Microsoft 365 and Windows 365.
AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted.
Windows Vista is a major release of the Windows NT operating system developed by Microsoft. It was the direct successor to Windows XP, which was released five years earlier, at the time being the longest time span between successive releases of Microsoft's Windows desktop operating systems. Development was completed on November 8, 2006, and over the following three months, it was released in stages to computer hardware and software manufacturers, business customers, and retail channels. On January 30, 2007, it was released internationally and made available for purchase and download from the Windows Marketplace; this is the first release of Windows to be made available through a digital distribution platform.
Windows Genuine Advantage (WGA) is an anti-infringement system created by Microsoft that enforces online validation of the licensing of several Microsoft Windows operating systems when accessing several services, such as Windows Update, and downloading Windows components from the Microsoft Download Center. WGA consists of two components: an installable component called WGA Notifications that hooks into Winlogon and validates the Windows license upon each logon and an ActiveX control that checks the validity of the Windows license when downloading certain updates from the Microsoft Download Center or Windows Update. WGA Notifications covers Windows XP and later, with the exception of Windows Server 2003 and Windows XP Professional x64 Edition. The ActiveX control checks Windows 2000 Professional licenses as well.
A registry cleaner is a class of third-party utility software designed for the Microsoft Windows operating system, whose purpose is to remove redundant items from the Windows Registry.
Microsoft Baseline Security Analyzer (MBSA) is a discontinued software tool which is no longer available from Microsoft that determines security state by assessing missing security updates and less-secure security settings within Microsoft Windows, Windows components such as Internet Explorer, IIS web server, and products Microsoft SQL Server, and Microsoft Office macro settings. Security updates are determined by the current version of MBSA using the Windows Update Agent present on Windows computers since Windows 2000 Service Pack 3. The less-secure settings, often called Vulnerability Assessment (VA) checks, are assessed based on a hard-coded set of registry and file checks. An example of a VA might be that permissions for one of the directories in the /www/root folder of IIS could be set at too low a level, allowing unwanted modification of files from outsiders.
BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.
There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.
MSConfig is a system utility to troubleshoot the Microsoft Windows startup process. It can disable or re-enable software, device drivers and Windows services that run at startup, or change boot parameters.
Windows Vista contains a range of new technologies and features that are intended to help network administrators and power users better manage their systems. Notable changes include a complete replacement of both the Windows Setup and the Windows startup processes, completely rewritten deployment mechanisms, new diagnostic and health monitoring tools such as random access memory diagnostic program, support for per-application Remote Desktop sessions, a completely new Task Scheduler, and a range of new Group Policy settings covering many of the features new to Windows Vista. Subsystem for UNIX Applications, which provides a POSIX-compatible environment is also introduced.
Shavlik Technologies was a privately held company founded in 1993 by Mark Shavlik, who was one of the original developers of Windows NT in the late 1980s and early 1990s at Microsoft.
Microsoft Office shared tools are software components that are included in all Microsoft Office products.
Microsoft Product Activation is a DRM technology used by Microsoft Corporation in several of its computer software programs, most notably its Windows operating system and its Office productivity suite. The procedure enforces compliance with the program's end-user license agreement by transmitting information about both the product key used to install the program and the user's computer hardware to Microsoft, inhibiting or completely preventing the use of the program until the validity of its license is confirmed.
A disk utility is a utility program that allows a user to perform various functions on a computer disk, such as disk partitioning and logical volume management, as well as multiple smaller tasks such as changing drive letters and other mount points, renaming volumes, disk checking, and disk formatting, which are otherwise handled separately by multiple other built-in commands. Each operating system (OS) has its own basic disk utility, and there are also separate programs which can recognize and adjust the different filesystems of multiple OSes. Types of disk utilities include disk checkers, disk cleaners and disk space analyzers