How to analyze attack surface using Attack Surface Analyzer?

There are a few things to keep in mind when running Attack Surface Analyzer. First, you will need administrative privileges to run it. Second, it is used for two tasks: running a scan and analyzing the results.

Since Attack Surface Analyzer scans for changes made to the core of the system, it needs access to the sensitive parts of the system. For this reason, it requires administrative privileges, which means a UAC prompt will appear asking for permission to let Attack Surface Analyzer access resources that Windows considers important.

Attack Surface Analyzer can be used to find out which security problems installing a particular piece of software might introduce on Windows. For this, Attack Surface Analyzer has to scan your system twice. The results of each scan are stored in the .CAB (Cabinet) format. Make sure you save the scan analysis files in a place you will remember; these files are what the report is generated from later on.

But how do you get to know the details of what Attack Surface Analyzer has found? Well, it generates a report! Report generation only works on Windows 7 and Windows Server 2008 with the .NET Framework 3.5 SP1 installed. So if your system does not meet these requirements, you can generate the report on another system: copy the scan files from your system to one that meets the requirements for Attack Surface Analyzer, run Attack Surface Analyzer there, select the “Generate Report” option, locate the files and click the “Generate attack surface report” button. It will create the report and open it automatically in an easy-to-browse HTML format. Isn’t that nice!

That’s how we can use Attack Surface Analyzer. Now we shall see what it scans in order to analyze the attack surface of the system. Although this is trivial, we will still tell you how to run a scan: launch Attack Surface Analyzer, click the ‘Yes’ button on the UAC prompt, select the “Run a new scan” option in the Attack Surface Analyzer window, note (or change) the location where the analysis file will be saved, and hit the “Run scan” button. That’s it; Attack Surface Analyzer will start the system scan. While it is scanning, it shows what it is scanning along with the status. Jobs that have not started yet show “Pending” in the Start Time column, those that are running show the time the job was started, and those that are finished show “Completed” in the same column. The following is the list of jobs that Attack Surface Analyzer will show:

  1. Enumerating files
  2. Enumerating Registry keys
  3. Enumerating memory information
  4. Enumerating windows
  5. Enumerating Windows firewall
  6. Enumerating GAC Assemblies
  7. Enumerating network shares
  8. Enumerating Logon sessions
  9. Enumerating ports
  10. Enumerating named pipes
  11. Enumerating autorun tasks
  12. Enumerating RPC endpoints
  13. Enumerating processes
  14. Enumerating threads
  15. Enumerating desktops
  16. Enumerating handles
  17. Enumerating Microsoft Internet Information Server
  18. Enumerating Services
  19. Releasing File Database
  20. Writing Security Identifiers

[Screenshot: Attack Surface Analyzer scan in progress]

When Attack Surface Analyzer has finished the scan, it returns to its main window with a message telling you the location of the scan analysis .CAB file. This helps if you did not notice where the file was being stored. By default the file is stored in the “C:\Users\USERNAME\Attack Surface Analyzer” folder.

If you read the suggestion Attack Surface Analyzer makes after a scan, you will find that it tells you the next step to take. The text reads: “If this was a baseline scan, your likely next step is to run a product scan. If this is a product scan, you can view the report now, or run additional scans with different features of your product installed.” There are two new terms in this text, baseline scan and product scan, which we discuss later. If you have difficulty understanding anything related to Attack Surface Analyzer, we would ask you to follow the links and read about what those scan types mean.
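To make the baseline-versus-product idea concrete, here is a small added example (not code from Attack Surface Analyzer or from this article) that performs the same kind of comparison ASA makes between its two scans: it diffs a baseline snapshot against a product snapshot and flags additions that widen the attack surface. The two snapshots, the product name and the categories are constructed for illustration and are not real ASA .CAB output.

```python
"""Baseline-vs-product attack surface diff, modelled on how Attack Surface
Analyzer compares two scans. Added example; snapshot data below is constructed."""

# Each snapshot maps a category to {item id: attributes}. Constructed baseline:
# the system before the (hypothetical) product was installed.
BASELINE = {
    "ports": {"tcp/135": {"bind": "0.0.0.0", "process": "svchost.exe"}},
    "services": {"Spooler": {"account": "LocalSystem", "start": "auto"}},
    "files": {r"C:\Windows\system32\calc.exe": {"writable_by_everyone": False}},
}
# Constructed product scan: the same system after installing "Agent".
PRODUCT = {
    "ports": {"tcp/135": {"bind": "0.0.0.0", "process": "svchost.exe"},
              "tcp/8080": {"bind": "0.0.0.0", "process": "agent.exe"}},
    "services": {"Spooler": {"account": "LocalSystem", "start": "auto"},
                 "AgentSvc": {"account": "LocalSystem", "start": "auto"}},
    "files": {r"C:\Windows\system32\calc.exe": {"writable_by_everyone": False},
              r"C:\Program Files\Agent\agent.exe": {"writable_by_everyone": True}},
}


def diff_snapshots(baseline, product):
    """Per category, return items added, removed, and changed (old, new) between scans."""
    delta = {}
    for cat in sorted(set(baseline) | set(product)):
        b, p = baseline.get(cat, {}), product.get(cat, {})
        delta[cat] = {
            "added": {k: p[k] for k in p if k not in b},
            "removed": {k: b[k] for k in b if k not in p},
            "changed": {k: (b[k], p[k]) for k in b if k in p and b[k] != p[k]},
        }
    return delta


def findings(delta):
    """Flag additions that widen the attack surface, in the spirit of ASA's report."""
    added = lambda cat: delta.get(cat, {}).get("added", {})
    out = []
    for port, a in added("ports").items():
        if a.get("bind") == "0.0.0.0":
            out.append(f"new port {port} listening on all interfaces ({a.get('process')})")
    for svc, a in added("services").items():
        if a.get("account") == "LocalSystem":
            out.append(f"new service {svc} runs as LocalSystem")
    for path, a in added("files").items():
        if a.get("writable_by_everyone"):
            out.append(f"new file {path} is writable by Everyone")
    return out


if __name__ == "__main__":
    for line in findings(diff_snapshots(BASELINE, PRODUCT)):
        print(line)
```

Real ASA scans cover many more categories (see the job list above); the point here is only the delta logic between the two scans.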
