- Windows Attack Surface
Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.
This allows:
- Developers to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
- IT Professionals to assess the aggregate Attack Surface change by the installation of an organization's line of business applications
- IT Security Auditors evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
- IT Security Incident Responders to gain a better understanding of the state of a systems security during investigations (if a baseline scan was taken of the system during the deployment phase)
https://blogs.microsoft.com/cybertrust/2012/08/02/microsofts-free-security-tools-attack-surface-analyzer/
Collecting attack surface information with .NET Framework 4 installed
C1. Download and install Attack Surface Analyzer on a machine with a freshly installed version of a supported operating system, as listed in the System Requirements section. Attack Surface Analyzer works best with a clean (freshly built) system. Not running the Attack Surface Analyzer on a freshly built system requires more time to perform scanning and analysis.
C2. Install any software prerequisite packages before the installation of your application.
C3. Run Attack Surface Analyzer from the Start menu or command-line. If Attack Surface Analyzer is launched from a non-elevated process, UAC will prompt you that Attack Surface Analyzer needs to elevate to Administrative privileges.
C4. When the Attack Surface Analyzer window is displayed, ensure the "Run new scan" action is selected, confirm the directory and filename you would like the Attack Surface data saved to and click Run Scan.
C5. Attack Surface Analyzer then takes a snapshot of your system state and stores this information in a Microsoft Cabinet (CAB) file. This scan is known as your baseline scan.
C6. Install your product(s), enabling as many options as possible and being sure to include options that you perceive may increase the attack surface of the machine. Examples include; if your product can install a Windows Service, includes the option to enable access through the Windows Firewall or install drivers.
C7. Run your application.
C8. Repeat steps C3 through C5. This scan will be known as your product scan.
Analyzing the Results
Note: You can either analyze the results on the computer you generated your scans from, or copy the CAB files to another computer for analysis. To perform analysis and report generation, a machine with .Net Framework 4 is required:
A1. Run Attack Surface Analyzer from the Start menu. If Attack Surface Analyzer is launched from a non-elevated process, UAC will prompt you that Attack Surface Analyzer needs to elevate to Administrative privileges. Note: To view the full list of command line options, including generating the report from the command line, execute the command: ““Attack Surface Analyzer.exe” /?” (without the surrounding quotation marks) from the console.
A2. Choose the "Generate Report" action and specify your baseline and product scan CAB files. Note: Make sure that you have the cab files selected for both baseline and product correctly, then generate report. Attack Surface Analyzer will inspect the contents of these files to identify changes in system state and if applicable important security issues that should be investigated. If a web browser is installed on the machine performing the analysis it should automatically load Attack Surface Analyzer's report - it is a HTML file.
A3. Review the report to ensure the changes are the minimum required for your product to function and are consistent with your threat model.
After addressing issues generated from the tool you should repeat the scanning process on a clean installation of Windows (that is, without the artifacts of your previous installation) and re-analyze the results. As you may need to repeat the process a number of times, we recommend using a virtual machine with "undo disks", differencing disks or the ability to revert to a prior virtual machine snapshot/configuration to perform your attack surface assessments.
https://www.microsoft.com/en-us/download/details.aspx?id=24487