Attack Surface Analyzer

Analyzing the attack surface in the Windows operating system is possible with the help of the Attack Surface Analyzer, a tool created by Microsoft back with the launch of Windows Vista. Now available under an open-source license, this application can analyze various sections of the attack surface in the attempt to find security-related vulnerabilities as caused by changes in the registry, file permissions, the IIS server, GAC assemblies, and so on. Needless to say, these kinds of changes are made with every new software installation, so analyzing their effects on the system’s security is quite important.

The application can be launched via the command console. As expected, it requires administrator rights to be able to work with it. The console commands allow you to collect operating system metrics (after defining the collectors), monitor the system activity, and launch in guide mode, but all those actions can also be undertaken from the web-based GUI, as you will read below.

The web-based interface provides quick access to all the features of the Attack Surface Analyzer and all its modules. Using this application to its full potential might require you to take the time to go through the documentation available on the GitHub Wiki page.

The first thing you might notice is that the application features a so-called “Guided mode”, which provides assistance in running collectors, monitoring changes and analyzing results. You can start by enabling the collectors you wish to run.

Attack Surface Analyzer features a file system collector and a registry collector, alongside other secondary collectors dedicated to certificates, ComObjects, drivers, event logs, the Windows firewall, network ports, processes and services, users and wireless connections.

The Author mode allows you to write, validate and import or export rules, while the Sandbox makes it possible to create objects and test rules against them.

In essence, the Attack Surface Analyzer tries to determine the effects of software installation on the Windows operating system and verify whether the system changes create new vulnerabilities that might be exploited.

The application really comes in handy to developers who need to oversee the changes in the attack surface resulting from executing their code onto a Windows system, as well as other experts whose responsibility is evaluating system security.