Home
The project master branch has now moved up to 2.1 for ongoing improvements. The 2.0 Official Release is the first release of this version of the tool, which is a major update of the classic 1.0 version.
Attack Surface Analyzer (ASA) is a Microsoft-developed Security tool that analyzes the attack surface of a Windows 10, Linux or MacOS system and reports on system changes that may have potential security implications that are introduced by the installation of software or by system misconfiguration.
Attack Surface Analyzer 1.0 classic from Microsoft was released in 2012 and, while still available, is no longer supported. Attack Surface Analyzer 1.0 has been valuable to software developers and IT security personnel for years in helping detect key system changes that may occur from software installation.
Attack Surface Analyzer 2.0 is a rewrite from the ground up on Microsoft .NET Core and Electron and is deployed as Open Source for contribution and customization. Note: the official or master branch of the code is still managed by Microsoft.
- Attack Surface Analyzer can help identify potential security risks exposed through changes to services, user accounts, files, network ports, certificate stores, and the system registry. It also includes some support for “live” monitoring of certain system changes (i.e. file system and registry).
- Another key use for the tool is in ensuring your software development process and products follow best practices for least privilege and reduce the attack surface for your customers, by providing evidence to your security and release teams that your code does only what it claims. Maintaining customer trust is one reason why it is recommended in the Microsoft SDL practices.
- DevOps Engineers - View changes to the system attack surface introduced when your software is installed.
- IT Security Auditors - Evaluate risk presented when third-party software is installed.
Attack Surface Analyzer 2.0 comes with both a command line (CLI) and an Electron-based graphical (GUI) option, making it easy to use as part of a testing or release script or for standalone use. When using it, you create “snapshots” before and after you install the target software under consideration for analysis. A clean initial system with minimal additional software is ideal, but not required. Snapshots are stored in a local SQLite database and used to generate reports of system changes.
You can also scan for changes after the software is used or while it is running to potentially capture additional changes made to the system.
Note: Attack Surface Analyzer requires administrator privileges to accurately gather system data.
- Take a baseline scan on a clean machine.
- Install and run your product or application. Optionally make these two separate scans to distinguish between install vs run changes that are made.
- Take a product scan.
- Run data analysis.
The assumption is that both data collection and data analysis will be run on the same machine and that the same elements are collected in the baseline and subsequent scans.
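As an added illustration of the baseline/product comparison these steps describe (example code written for this page, not ASA's own collector or report format): a small Python scan records every regular file's hash and permission bits, diffs two snapshots into added, modified and removed entries, and flags world-writable or setuid/setgid files for review. The file tree and the simulated install changes are constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import stat
import tempfile
def snapshot(root):
    """Baseline/product scan of a tree: path -> (sha256, permission bits). Illustration only."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                digest = hashlib.sha256(open(full, "rb").read()).hexdigest()
                snap[os.path.relpath(full, root)] = (digest, stat.S_IMODE(st.st_mode))
    return snap

def risk_flags(mode):
    """Permission bits that widen the attack surface and deserve review."""
    checks = [("world-writable", stat.S_IWOTH), ("setuid/setgid", stat.S_ISUID | stat.S_ISGID)]
    return tuple(name for name, bits in checks if mode & bits)

def compare(baseline, product):
    """Diff two snapshots into the added/modified/removed categories a report lists."""
    added = {p: risk_flags(r[1]) for p, r in product.items() if p not in baseline}
    modified = {p: risk_flags(r[1]) for p, r in product.items()
                if p in baseline and r != baseline[p]}
    removed = sorted(p for p in baseline if p not in product)
    return {"added": added, "modified": modified, "removed": removed}

def demo():
    """Constructed scenario: baseline scan, simulated install, product scan, analysis."""
    root = tempfile.mkdtemp()
    try:
        def write(rel, data, mode=0o644):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, mode)  # explicit mode so the result does not depend on umask
        write("etc/app.conf", b"debug=0")
        write("bin/helper", b"#!/bin/sh\n")
        baseline = snapshot(root)                        # step 1: baseline scan
        write("etc/app.conf", b"debug=1")                # step 2: install modifies a file,
        write("var/app/cache.db", b"\x00", 0o666)        #         adds a world-writable one
        os.remove(os.path.join(root, "bin", "helper"))   #         and removes another
        return compare(baseline, snapshot(root))         # steps 3-4: product scan + analysis
    finally:
        shutil.rmtree(root)
```

The same idea extends to the other collectors the tool lists (services, users, ports, certificate stores, registry) by swapping the snapshot function while keeping the compare step.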
The Full GUI is a standalone Electron application powered by an ASP.NET backend which performs the heavy lifting. The Full GUI is currently available on Windows 10 and Linux.
On Windows, navigate to the Attack Surface Analyzer program folder where it was downloaded, right-click asa.exe, and select Run as administrator from the context menu that appears.
On Linux, run `sudo asa`.
The 'Slim' GUI is just the ASP.NET backend that powers the Electron GUI. This allows you to bring your own browser and is a smaller download. Further, the Slim GUI should function on older versions of Windows, where the Full GUI is restricted to Windows 10.
- Windows: open an Administrator Command Prompt and run `AttackSurfaceAnalyzer-GUI.exe`.
- Mac OS/Linux: use sudo, i.e. `sudo AttackSurfaceAnalyzer-GUI`.
- Once you have started `AttackSurfaceAnalyzer-GUI`, navigate to `localhost:5000` in your browser of choice.
- Select Scan located from the top menu or Start Scan from the home page. Note: Scanning should never be run on live production servers since it can severely degrade the performance of the system.
- There are two options for collection of data: Static or Live. Static is selected by default and will collect indicated information for analysis.
- For a Live snapshot enter the directory you want monitored and click Scan.
- ASA will take a snapshot of your system state and store this information in a local SQLite file. This initial scan is called the baseline scan. Be sure to note the datetime for future reference. You will see the Scan page update indicating collection status.
- Install your product or the applications necessary to configure the machine, enabling as many options as possible. Be sure to include options that you perceive may increase the attack surface of the machine. The baseline and product scans are now available to be analyzed for results.
- Select the Results menu from the top, then select the baseline and product scan to analyze and compare against. Collection elements that have results will be indicated. Use the collection filter to select what to view from the analysis. Use the More button to see additional results on the right.
- Review the identified changes to determine impact, severity and policy for the same.
- You can either analyze the results on the computer where you generated your scan, export the results to a JSON file or copy the SQLite file to another computer for analysis.
To run the program, open a shell as an administrator on Windows; on Linux and MacOS, use a sudo-capable user account and ensure the files are located in an appropriate administrator folder.
The CLI version of the tool comes with built-in help using a help parameter: run AttackSurfaceAnalyzerCLI.exe with no arguments to list all top-level argument options, or run "AttackSurfaceAnalyzerCLI help <option>" where <option> is one of the values listed when arguments are supplied, e.g. "AttackSurfaceAnalyzerCLI help collect".
Follow the same general baseline and product snapshot procedures for the GUI application.
Note that the analyzer has high CPU and disk I/O demands and may take a considerable amount of time to complete. Analyses should never be run on live production servers since they can severely degrade the performance of the system.
ASA is tested on Windows 7 (CLI version only), Windows 10, Linux (currently Mint) and MacOS systems. No installed prerequisites or redistributables are required beyond those of .NET Core.
Our core technologies are .NET Core 2.2 and Electron. No other systems are tested at present but .NET Core is supported on the following versions of Windows:
- Windows 7 SP1
- Windows 8.1
- Windows 10 Anniversary Update (version 1607) or later versions
- Windows Server 2008 R2 SP1 (Full Server or Server Core)
- Windows Server 2012 SP1 (Full Server or Server Core)
- Windows Server 2012 R2 (Full Server or Server Core)
- Windows Server 2016 or later versions (Full Server, Server Core, or Nano Server)
Additional OS compatibility for .NET Core is located here https://github.com/dotnet/core/blob/master/release-notes/2.2/2.2-supported-os.md.
Due to the limited functionality available on Server Core, only the command line option is likely to be fully supported there.
The application does not come with an installation program, but binaries are provided with each master and release branch update for convenience and can be downloaded for immediate use, or you may build the source code and run it. Pre-built binaries are located under releases.
Installing Attack Surface Analyzer via NuGet: in Manage NuGet Packages for your solution (Figure 2), enter the package name “Microsoft.Security.AttackSurfaceAnalyzer2” and click “Install”.
ASA does not add or change any environment variables. If you believe it has done so, check if it is an issue we've already identified.
Note that .cab files generated by earlier versions of Attack Surface Analyzer are not compatible with Attack Surface Analyzer 2.0. You will need to run a new baseline and product scan to perform the analysis.
For submitting defects, just use the standard GitHub Issues link.
Security issues and bugs should be reported privately, via email, to the Microsoft Security Response Center (MSRC) at [email protected]. You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Further information, including the MSRC PGP key, can be found in the Security TechCenter.