Security mavens have coined the term “attack surface” to describe the set of ways a given computer can be compromised by a hostile entity, whether it’s a piece of malware or a malicious user: every listening port, exposed service, privileged component and parser of untrusted input counts. It works like this: the greater the attack surface, the more opportunities exist for a computer to be exploited. The smaller the attack surface, the fewer places there are for an attacker to get a toehold.
Microsoft has talked about reducing the attack surface in Windows Server throughout the last several editions of the product. The idea is to ship with a reduced attack surface by default, so that a fresh out-of-the-box installation of Windows Server exposes as little as possible before an administrator touches it. But the concept of a reduced attack surface applies to every version of Windows, desktop and server alike.
Most of Microsoft’s work in reducing attack surfaces has focused on the engineering applied to Windows itself, such as the way defaults for the OS are chosen. But third-party applications, from innocuous standalone apps to more complex ones that add device drivers, can increase the attack surface in Windows as well. A third-party driver runs in kernel mode, so a flaw in it is effectively a flaw in the kernel. Sometimes this growth happens without the user or programmer realizing it, especially with applications that change low-level elements of the system’s functionality, such as a firewall or antivirus application.
Up until recently, there wasn’t really a practical way for programmers to determine whether or not their application increased the system’s attack surface; the question usually came to light only after an exploit surfaced. At the Black Hat Technical Security Conference earlier this year, however, Microsoft released a beta version of a tool designed to let IT professionals (not just programmers) determine whether a given application causes a noticeable increase in Windows Server’s overall attack surface. The tool is the Attack Surface Analyzer, currently available in both 32- and 64-bit editions as a beta program for the sake of soliciting user feedback.
The Attack Surface Analyzer works by creating two scans of a Windows system. The first is the baseline scan, which is done on a system that doesn’t have the application in question installed. You should, however, install any supporting libraries the application depends on (the .NET Framework or SQL Server, for example) before the baseline scan, so that changes made by those prerequisites are not attributed to the product under test. The scan covers many different aspects of the system that might affect the attack surface, including registry keys, security identifiers (SIDs), open ports, and so on. The results of the scan are saved into a .CAB file in your current user profile directory, with a filename created automatically from the current machine name and the time and date of the scan.
The second time you run the program will be after you’ve installed the application you’re testing. This is what the Attack Surface Analyzer calls a product scan, in which any changes created by the program’s presence are broken down in detail. Run both scans on the same machine and under the same account, and avoid other changes between them (Windows Update, unrelated installs), or their effects will show up in the report as if the product had caused them. The end result is a report in HTML format that describes any obvious security issues discovered by the scan, as well as details about the new attack surface. Note that a given attack surface item is not automatically dangerous, but every one is worth taking note of if it turns up during a scan.
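The baseline-then-product workflow above, as an added PowerShell illustration that is not the Attack Surface Analyzer’s own code and does not reproduce its checks: it snapshots a handful of the item types the tool examines (listening ports, services, drivers, scheduled tasks, inbound firewall allow rules and Run-key autostarts), writes each snapshot to a JSON file named from the machine name and timestamp, and diffs a baseline file against a product file. The cmdlets assume Windows 8 / Server 2012 or later and an elevated session; the function names and file layout are my own.

```powershell
# Added illustration, not the Attack Surface Analyzer's own code.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP, NetSecurity and
# ScheduledTasks modules) and an elevated PowerShell session so that
# services, drivers and ports are all visible.

function Get-AttackSurfaceSnapshot {
    # Each category is a list of strings so Compare-Object can diff it directly.
    [ordered]@{
        ListeningTcp = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            ForEach-Object {
                $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                '{0}:{1} ({2})' -f $_.LocalAddress, $_.LocalPort, $proc.ProcessName
            })
        UdpEndpoints = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
            ForEach-Object { '{0}:{1}' -f $_.LocalAddress, $_.LocalPort })
        Services = @(Get-CimInstance Win32_Service |
            ForEach-Object { '{0} [{1}] {2} as {3}' -f $_.Name, $_.StartMode, $_.PathName, $_.StartName })
        Drivers = @(Get-CimInstance Win32_SystemDriver |
            ForEach-Object { '{0} [{1}] {2}' -f $_.Name, $_.StartMode, $_.PathName })
        ScheduledTasks = @(Get-ScheduledTask | Where-Object State -ne 'Disabled' |
            ForEach-Object { $_.TaskPath + $_.TaskName })
        InboundAllowRules = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
            ForEach-Object { $_.DisplayName })
        AutoRuns = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
            Where-Object { Test-Path $_ } | ForEach-Object {
                $key = $_
                (Get-Item $key).Property | ForEach-Object {
                    '{0}\{1} = {2}' -f $key, $_, (Get-ItemProperty -Path $key -Name $_).$_
                }
            })
    }
}

function Save-AttackSurfaceSnapshot {
    param([string]$Directory = $env:USERPROFILE)
    # Mirror the tool's naming convention: machine name plus scan timestamp.
    $path = Join-Path $Directory ('{0}_{1}.json' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    Get-AttackSurfaceSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $path -Encoding UTF8
    $path
}

function Compare-AttackSurfaceSnapshot {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,
        [Parameter(Mandatory)][string]$ProductPath
    )
    $baseline = Get-Content -Raw $BaselinePath | ConvertFrom-Json
    $product  = Get-Content -Raw $ProductPath  | ConvertFrom-Json
    foreach ($category in $baseline.PSObject.Properties.Name) {
        # Drop nulls so an empty category on either side still compares cleanly.
        $before = @($baseline.$category | Where-Object { $_ })
        $after  = @($product.$category  | Where-Object { $_ })
        $diff = Compare-Object -ReferenceObject $before -DifferenceObject $after
        [pscustomobject]@{
            Category = $category
            Added    = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
            Removed  = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
        }
    }
}

# Usage (the product install happens between the two Save calls):
#   $base = Save-AttackSurfaceSnapshot      # baseline, prerequisites already installed
#   $prod = Save-AttackSurfaceSnapshot      # product scan, after installing the application
#   Compare-AttackSurfaceSnapshot $base $prod |
#       Where-Object { $_.Added.Count -or $_.Removed.Count } | Format-List
```

Anything listed under Added is new surface the product brought with it: a new listening port, a service running as LocalSystem, a kernel driver, an inbound firewall exception. As with the real tool, the output is a list to investigate, not a verdict; a new entry is a question to ask the vendor, not automatically a vulnerability.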
Microsoft has authored a paper on measuring attack surfaces in which different versions of Windows are compared with respect to their relative exposure to attacks. Some of the concepts explored in the paper guided the creation of the Attack Surface Analyzer, in particular the idea of attack opportunity as a measurable metric, which takes into account what is most likely to be exploited first and fastest.
ABOUT THE AUTHOR
Serdar Yegulalp has been writing about computers and information technology for more than 15 years for a variety of publications, including InformationWeek and Windows Magazine.