Attack Surface Analyzer can help you analyze your operating system’s security configuration for changes during software installation.
Microsoft Attack Surface Analyzer 2.1V is available for Linux and MacOS too.
Attack Surface Analyzer is a Microsoft-developed open source security software that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration.
- Attack Surface Analyzer can help identify potential security risks exposed through changes to services, user accounts, files, network ports, certificate stores, and the system registry. It also includes some support for “live” monitoring of certain system changes (i.e. file system and registry).
- Another key use for the software is in ensuring your software development process and products follow best practices for least privilege and reduce the attack surface for your customers, by providing evidence to your security and release teams that your code does only what it claims. Maintaining customer trust is one reason why it is recommended in the Microsoft SDL Practices.
Potential users of Attack Surface Analyzer include:
- DevOps Engineers – View changes to the system attack surface introduced when your software is installed.
- IT Security Auditors – Evaluate the risk presented when third-party software is installed.
The core feature of Attack Surface Analyzer is the ability to “diff” an operating system’s security configuration, before and after a software component is installed. This is important because most installation processes require elevated privileges, and once granted, can lead to unintended system configuration changes.
Attack Surface Analyzer currently reports on changes to the following operating system components:
- File system (static snapshot and live monitoring available)
- User accounts
- Network Ports
- Registry (Windows only)
All data collected is stored in a local SQLite database called asa.sqlite.
How to Run Attack Surface Analyzer?
Attack Surface Analyzer 2.0 comes with both a command line (CLI) and an Electron-based graphical (GUI) option, making it easy to use as part of a testing or release script or for standalone use. When using it, you create “snapshots” before and after you install the target software under consideration for analysis.
A clean initial system with minimal additional software is ideal, but not required. Snapshots are stored in a local SQLite database and used to generate reports of system changes.
You can also scan for changes after the software is used or while it is running to potentially capture additional changes made to the system.
Note: Attack Surface Analyzer requires administrator privileges to accurately gather system data.
The basic steps for running Attack Surface Analyzer are:
- Take a baseline scan on a clean machine.
- Install and run your product or application.
- Optionally, run these as two separate scans to distinguish changes made at install time from changes made at run time.
- Take a product scan.
- Run data analysis.
The assumption is that both data collection and data analysis will be run on the same machine and that the same elements are collected in the baseline and subsequent scans.
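To make the baseline/product comparison concrete, here is an added Python example (not Attack Surface Analyzer's own code or its asa.sqlite schema) that stores two constructed snapshots in a local SQLite database and reports what was created, deleted or modified between them. The categories, keys, values and table layout are assumptions chosen to mirror the kinds of objects the tool collects.

```python
import sqlite3

# Constructed sample snapshots (not real ASA output): each row is
# (category, key, value), mirroring the object types ASA collects.
BASELINE = [
    ("port", "tcp/22", "sshd"),
    ("user", "root", "uid=0"),
    ("file", "/usr/bin/acme", "mode=0755 owner=root"),
]
AFTER_INSTALL = [
    ("port", "tcp/22", "sshd"),
    ("port", "tcp/8080", "acme-agent"),                 # new listening port
    ("user", "root", "uid=0"),
    ("user", "acmesvc", "uid=1001"),                    # new service account
    ("file", "/usr/bin/acme", "mode=0777 owner=root"),  # permissions loosened
]

def store_snapshot(conn, run_id, rows):
    """Persist one scan ("run") into the local database."""
    conn.execute("CREATE TABLE IF NOT EXISTS collect "
                 "(run_id TEXT, category TEXT, key TEXT, value TEXT)")
    conn.executemany("INSERT INTO collect VALUES (?, ?, ?, ?)",
                     [(run_id, *row) for row in rows])
    conn.commit()

def load_snapshot(conn, run_id):
    """Return a run as {(category, key): value} for easy comparison."""
    cur = conn.execute("SELECT category, key, value FROM collect WHERE run_id = ?",
                       (run_id,))
    return {(cat, key): value for cat, key, value in cur}

def diff_runs(conn, base_id, prod_id):
    """Diff two runs; return sorted (change, category, key, before, after) tuples."""
    base, prod = load_snapshot(conn, base_id), load_snapshot(conn, prod_id)
    findings = []
    for ck in sorted(set(base) | set(prod)):
        if ck not in base:
            findings.append(("CREATED", *ck, None, prod[ck]))
        elif ck not in prod:
            findings.append(("DELETED", *ck, base[ck], None))
        elif base[ck] != prod[ck]:
            findings.append(("MODIFIED", *ck, base[ck], prod[ck]))
    return findings

def run_demo(db_path=":memory:"):
    """Baseline scan, product scan, then analysis, all against one database."""
    conn = sqlite3.connect(db_path)
    store_snapshot(conn, "baseline", BASELINE)
    store_snapshot(conn, "product", AFTER_INSTALL)
    return diff_runs(conn, "baseline", "product")

if __name__ == "__main__":
    for change, cat, key, before, after in run_demo():
        print(f"{change:<8} {cat:<5} {key:<16} {before!r} -> {after!r}")
```

The three findings this produces (a new listening port, a new account and loosened file permissions) are exactly the kind of install-time changes the real tool is meant to surface for review.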
Future Plans (tentative)
We plan on adding additional features to Attack Surface Analyzer, including those from the list below:
- Code signing info
- Drivers (partially covered presently via file system monitoring)
- Firewall settings
- Redistributable installations
- Network traffic (live monitoring)
- Registry (live monitoring)
Requested features which existed in the original Attack Surface Analyzer.
If you have feedback on these or other features, please open an issue.
Attack Surface Analyzer runs on Windows, Linux, and MacOS, and is built using .NET Core. It has both a command-line interface and ElectronNET GUI option available. Neither version currently has an installer.
See the Microsoft Wiki page for installation requirements.
Download Microsoft Attack Surface Analyzer