Microsoft Security Tool for Windows - Attack Surface Analyzer

[m00nbl00d]

Quote:

The Attack Surface Analyzer application is similar to the same tool used by Microsoft's internal product teams to catalogue changes made to the operating system by the installation of new software.

Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.

-http://news.softpedia.com/news/Download-Free-Microsoft-Security-Tool-for-Windows-Attack-Surface-Analyzer-178852.shtml

-http://www.softpedia.com/get/Security/Security-Related/Attack-Surface-Analyzer.shtml

[MrBrian]

This will be interesting to try. Thank you m00nbl00d .

It is interesting, having just tried it on my base VM snapshot in VMWare Workstation, win7x64 Ultimate, ran a baseline scan with Attack Surface Analyzer, then installed a well known Security Suite, complete with firewall, antivirus, Spyware protection and some HIPS functionality, then ran a second scan called "Product scan", then generate an "Attack surface report" based on the comparison between the Baseline and Product scans.

There are numerous "Weak ACL" reports on some of the directories, some vulnerable services, and vulnerable named pipes, among others, found as well. The report is very technical in content, better suited for experts for sure. I'm thinking MrBrian, Sully, kees, and a few others will understand the technical terminology better than I and most users, but it does illustrate the fact that installed software could cause security issues, but then how serious are they, and does the protection offered by the security suite offset the vulnerabilities caused by its presence in the O/S? I have no idea.

here's one of the far more technical entries for illustration:

Code:

Weak ACL on C:\Windows\winsxs\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818 allows tampering by NT SERVICE\TrustedInstaller.
Description:

The ACL on the directory C:\Windows\winsxs\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818 allows tampering by NT SERVICE\TrustedInstaller.
Details:

Path: C:\Windows\winsxs\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818
Weak ACLs:
Account 	Rights
NT SERVICE\TrustedInstaller (S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464) 	WRITE_OWNER WRITE_DAC FILE_ADD_FILE FILE_ADD_SUBDIRECTORY FILE_DELETE_CHILD FILE_WRITE_ATTRIBUTES FILE_WRITE_EA 

Some of them are, however, easy enough to understand.

BTW, thank you for this, m00nbl00d

[safeguy]

No 32-bit love here it seems....

[m00nbl00d]

Quote:

Originally Posted by safeguy

No 32-bit love here it seems....

I didn't even notice it. I wonder why no x86 flavor Maybe Microsoft wants users with x64 versions be the Guinea pigs.

-edit-

Hope is not lost, my friend! -http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e068c224-9d6d-4bf4-aab8-f7352a5e7d45

Softpedia just forgot to add the x86 link.

[ronjor]

Quote:

Attack Surface Analyzer 1.0 Released

SDL Team

Last year we released a beta version of our free Attack Surface Analyzer tool. The purpose of this tool is to help software developers, Independent Software Vendors (ISVs) and IT Professionals better understand changes in Windows systems’ attack surface resulting from the installation of new applications. Since the initial launch of Attack Surface Analyzer, we have received quite a bit of positive feedback on the value it has provided to customers. Today we are pleased to announce that the beta period has ended and Attack Surface Analyzer 1.0 is now available for download.

https://blogs.msdn.com/b/sdl/archive...edirected=true