Using the Attack Surface Analyzer

Q: We want to get a clear picture of the changes an application installation makes to our Windows systems and how these changes might impact the security of our systems. Does Microsoft provide a tool that can help us with this?

A: You can use Microsoft's free Attack Surface Analyzer to take a snapshot of your system state before and after the installation of an application. It reports the changes made to a number of key elements in the Windows attack surface. These key elements include the file system, registry, processes, services, and SIDs.

To evaluate the changes that an application makes to your system, the Attack Surface Analyzer requires you to:

Figure 1 shows the starting screen.

Figure 1: Selecting the Action You Want the Attack Surface Analyzer to Perform

The actions you can choose include Run new scan (for doing a baseline or application scan) and Generate standard attack surface report (for generating the HTML-formatted report file). Figure 2 shows the screen that the analyzer displays while it's collecting data.

Figure 2: Watching the Attack Surface Analyzer Collect Data

You can also run the Attack Surface Analyzer from Cmd.exe. To learn about the different command-line options, run the command:

"Attack Surface Analyzer" /?

You can download the Attack Surface Analyzer from the Microsoft Download Center. It requires that Microsoft .NET Framework 4.0 be installed on the system you want to scan. In addition, Microsoft recommends that you install the tool on a machine with a freshly installed version of Windows. Otherwise, it'll take more time for Attack Surface Analyzer to perform its scanning and analysis.