Initial Home page
Commit
577056e188
@ -0,0 +1,110 @@
# Welcome to the Attack Surface Analyzer wiki!
## Why Attack Surface Analyzer
Attack Surface Analyzer (ATSAN) is a Microsoft-developed Security tool that analyzes the attack surface of a Windows 10, Linux or MacOS system and reports on system changes with potential security implications introduced by the installation of software or by misconfiguration. The tool provided analysis has proven to be valuable in identifying additional items to be considered in a threat model and detecting specific areas for additional fuzz testing.
Typical users of ATSAN:
• Test and Development Engineers to view changes to the aggregate attack surface caused by their product to reduce unintended changes in the final product and ensure accurate communication to customers regarding impact.
• IT Security Auditors during threat risk reviews can evaluate the risk presented by a particular piece of software installed on the system.
• IT Security Incident Responders gain a better understanding of the state of a system’s security.
### Scenarios
Attack Surface Analyzer can help identify potential security risks exposed through changes to services, user accounts, files, network ports, certificate stores, and the system registry. It also includes some support for “live” monitoring of certain system changes (i.e. file system and registry).
Another key use for the tool is in ensuring your software development process and products are following best practices for least privilege and reducing the attack surface for your customers by providing evidence, to your security and release teams, that your code does only what it claims. Maintaining customer trust is one reason why it is recommended from the [Microsoft SDL Practices](https://www.microsoft.com/en-us/securityengineering/sdl/practices).
## System Requirements
Due to limitations in functionality of Server Core available, only the command line option is fully supported.
## Installation
The application does not come with an installation program but binaries are provided with each master branch update for convenience and can be downloaded for immediate use or you may build the source code and run it.
Installing Attack Surface Analyzer via NuGet
Figure 2: Manage NuGet Packages for your solution
1. Enter the package name you want to use, e.g. “Microsoft.Security.AttackSurfaceAnalyzer” and click “Install”
Other Installation Information
• ATSAN does not add or change any environment variables.
## For Previous Users of Attack Surface Analyzer
Note that .cab files generated from versions of Attack Surface Analyzer also called ASA are not compatible with Attack Surface Analyzer 2.0 or ATSAN. You will need to run a new baseline and product scan to perform the analysis.
## How to Run Attack Surface Analyzer
Attack Surface Analyzer 2.0 comes with both a command line (CLI) or an Electron-based graphical (GUI) option making it easy to use as part of a testing or release script or for standalone use. When using it, you create “snapshots” before and after you install the target software under consideration for analysis. A clean initial system with minimal additional software is ideal, but not required. Snapshots are stored in a local SQLite database and used to generate reports of system changes.
You can also scan for changes after the software is used or while it is running to potentially capture additional changes made to the system.
Note: Attack Surface Analyzer requires administrator privileges to accurately gather system data.
## How to Run Attack Surface Analyzer
When running a Software Component Attack Surface Analysis, ASA will perform the most effective analysis if you run a scan on a system after the installation of the operating system and any required updates before you’ve installed your product or any of its dependencies. It is strongly recommended that no software, other than programs provided by the operating system installation, should be present on the machine. Running a scan when your machine is in this state you will provide a reliable reference that is referred to as a baseline scan. Subsequent scans that are run following the baseline scan and are called product scans and will allow you to use ASA most effectively by comparing your later scans to the baseline scan.
The basic steps for running Attack Surface Analyzer are:
1. Take a baseline scan on a clean machine. (See Collecting Data from the UI.)
2. Install and run your product or application.
3. Take a product scan. (See Collecting Data from the UI.)
4. Run data analysis. (See Analyzing Data from the UI.)
The assumption is that both data collection and data analysis will be run on the same machine.
If you choose not to use the GUI, ASA can be run from the command prompt.
## Running ASA from the GUI
To run ASA, navigate to the Attack Surface Analyzer program from Start. Right-click Attack Surface Analyzer, and select Run as administrator from the context menu that appears. The screen depicted in Figure 1 will be displayed.
### Collecting Data from the UI
1. When the Attack Surface Analyzer window is displayed, select Run new scan located under Please select an action. Scanning should never be run on live production servers since it can severely degrade the performance of the system.
2. There are two options for collection of data:
a) SQL should be checked if your application includes a SQL Server installation. This will collect SQL information for analysis.
b) Windows is selected by default and will collect Windows information for analysis.
3. Confirm the directory and filename where you want the Attack Surface data to be saved and click Run Scan. You will see Figure 2 Collecting Data Screen. ASA will take a snapshot of your system state and store this information in a Microsoft Cabinet (.cab) file. This initial scan is called the baseline scan. Be sure to note the name and location of this file for future reference. At the completion of your product scan, the screen depicted in Figure 3 will be displayed.
4. Install your product or applications necessary to configure the machine enabling as many options as possible. Be sure to include options that you perceive may increase the attack surface of the machine. Examples of increasing the attack surface are:
• The product installation requests to install a Windows service.
• The product installation includes an option to enable access through the Windows Firewall.
• The product installs drivers or attempts other operations in kernel mode.
5. Run the newly installed products or applications following typical user scenarios. Scanning should never be run on live production servers since it can severely degrade the performance of the system.
6. After installing and running your products or applications, run a scan as described in Step 1. Your product should be running at the time you take the scan. This subsequent scan is called the product scan.
7. The baseline and product scans are now available to be analyzed. You can either analyze the results on the computer where you generated your scan, or copy the .cab files to another computer for analysis.
You will need to run analysis in order to generate the Log files expected to submit your results to Quality Essentials (QE). The log file contains the defects found by ASA, while the CAB files contain the scans of your system. QE recognizes the analysis, not the scans.
### Analyzing Data from the UI
At the completion of your product scan, the screen depicted in Figure 3 will be displayed.
1. Select Generate standard attack surface report.
2. Specify your baseline scan and product scan .cab files. Double-check the paths for both scans.
3. Your product/process should be running.
4. Click Generate Report to produce the report.
At the conclusion of the report generation, the HTML page shown in Figure 5 will open.
See the Analysis of Attack Surface Analyzer Output section of this Getting Started Guide for more details on the information produced by your analysis.
## Running ASA from the Command Line
### Collecting Data from the Command Line
Various command arguments are available when running asa.exe from the command prompt. These are documented in the Attack Surface Analyzer User Guide located at http://codebox/asa. Alternatively, the list of supported arguments can be viewed by entering asa.exe /? at an elevated command prompt. For this example, we will take the defaults.
1. Open an elevated command prompt.
2. Navigate to the ASA installation folder. Program files for ASA are installed in the %Program Files%\Microsoft\Attack Surface Analyzer directory by default. Alternatively you can specify these commands using the fully-qualified pathname of the executable. In either case, no data is written to the installation folder.
3. Run asa.exe using the following syntax to perform data collection. Scanning should never be run on live production servers since it can severely degrade the performance of the system. Note the name of the .cab file that is generated. (By default, this is saved into the Attack Surface Analyzer folder in the logged-on user’s profile folder but this can be overridden using the /outdir switch.) This .cab file will serve as your baseline scan.
asa.exe [/outdir <directory>]
4. Install the product or applications necessary to configure the machine, enabling as many options as possible. Be sure to include options that you perceive may increase the attack surface of the machine. Examples of increasing the attack surface are:
• The product installation requests to install a Windows service.
• The product installation includes an option to enable access through the Windows Firewall.
• The product installs drivers or attempts other operations in kernel mode.
5. Run the newly installed products or applications following typical user scenarios.
6. Run asa.exe. Your product should be running at the time you take the scan. Scanning should never be run on live production servers since it can severely degrade the performance of the system. Again note the name of the .cab file that is generated. This file will serve as your product scan.
Analyzing Data from the Command Line
Various Command-line arguments are available when running analyzer.exe from the command line. However, it is recommended you run ASA with the defaults. To see the list of arguments enter, analyzer.exe /?. Note that analyzer does not need to be run elevated.
After you’ve finished collecting your baseline and product scans, run the following from the installation directory while your process/product is running:
Analyzer.exe <productcab> /Baseline <baselinecab>
Note that the <baselinecab> and <productcab> arguments represent the paths to the baseline and product scans respectively.
Example:
Analyzer.exe "%USERPROFILE%\Attack Surface Analyzer\Product.cab" /Baseline "%USERPROFILE%\Attack Surface Analyzer\Baseline.cab"
Note that analyzer has very high CPU and memory demands, and often takes a considerable amount of time to complete. Analyses should never be run on live production servers since it can severely degrade the performance of the system.
See the Analysis of Attack Surface Analyzer Output section of this Getting Started Guide for more details on the information produced by your analysis.
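Review bot: the page contradicts itself about which version it documents, and everything from the second "## How to Run Attack Surface Analyzer" heading through "Analyzing Data from the Command Line" should be rewritten for 2.0 or dropped before this lands. The intro says ATSAN 2.0 runs on Windows 10, Linux and macOS, stores snapshots in a local SQLite database and ships an Electron GUI, and "For Previous Users" says legacy .cab files are not compatible with 2.0; yet every procedure that follows is the legacy ASA workflow: .cab snapshots, "asa.exe [/outdir <directory>]", "Analyzer.exe <productcab> /Baseline <baselinecab>", the Start-menu "Run as administrator" flow, Quality Essentials log submission, and an internal-only http://codebox/asa link that external readers cannot reach. Smaller points in the same hunk: "## How to Run Attack Surface Analyzer" appears twice and the second copy needs its own heading or a merge into the first; Figures 1, 2, 3 and 5 are referenced but no images are added in this commit; "Installing Attack Surface Analyzer via NuGet" is a figure caption plus a lone step 1, so the preceding steps are missing; "System Requirements" states only a Server Core limitation and no actual requirements; and "analyzer does not need to be run elevated" sits against the earlier "requires administrator privileges" note, so state explicitly that elevation is needed for collection but not for analysis.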