Updated Home (markdown)

Guy Acosta 2019-03-28 07:32:10 -07:00
Parent 577056e188
Commit 9a24ac0483
1 changed file: 34 additions and 42 deletions

76
Home.md

@ -4,10 +4,10 @@
## Why Attack Surface Analyzer
Attack Surface Analyzer (ATSAN) is a Microsoft-developed Security tool that analyzes the attack surface of a Windows 10, Linux or MacOS system and reports on system changes with potential security implications introduced by the installation of software or by misconfiguration. The tool provided analysis has proven to be valuable in identifying additional items to be considered in a threat model and detecting specific areas for additional fuzz testing.
Typical users of ATSAN:
Test and Development Engineers to view changes to the aggregate attack surface caused by their product to reduce unintended changes in the final product and ensure accurate communication to customers regarding impact.
IT Security Auditors during threat risk reviews can evaluate the risk presented by a particular piece of software installed on the system.
IT Security Incident Responders gain a better understanding of the state of a systems security.
### Typical users of ATSAN:
* Test and Development Engineers to view changes to the aggregate attack surface caused by their product to reduce unintended changes in the final product and ensure accurate communication to customers regarding impact.
* IT Security Auditors during threat risk reviews can evaluate the risk presented by a particular piece of software installed on the system.
* IT Security Incident Responders gain a better understanding of the state of a systems security.
### Scenarios
Attack Surface Analyzer can help identify potential security risks exposed through changes to services, user accounts, files, network ports, certificate stores, and the system registry. It also includes some support for “live” monitoring of certain system changes (i.e. file system and registry).
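Review bot: The new "### Typical users of ATSAN:" heading should lose its trailing colon, and the three bullets under it are not parallel: the first is a role followed by an infinitive, while the second and third are full clauses. The third bullet also needs an apostrophe ("a system's security"). Suggest giving each bullet the same shape, role first and then what that role uses the tool for. The intro paragraph in the same hunk has "MacOS" (macOS) and "The tool provided analysis", which could be fixed while this section is being touched.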
@ -22,7 +22,7 @@ The application does not come with an installation program but binaries are prov
Installing Attack Surface Analyzer via NuGet
Figure 2: Manage NuGet Packages for your solution
1. Enter the package name you want to use, e.g. “Microsoft.Security.AttackSurfaceAnalyzer” and click “Install”
1. Enter the package name you want to use, e.g. “Microsoft.Security.AttackSurfaceAnalyzer2” and click “Install”
Other Installation Information
• ATSAN does not add or change any environment variables.
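Review bot: The package ID in step 1 changes from "Microsoft.Security.AttackSurfaceAnalyzer" to "Microsoft.Security.AttackSurfaceAnalyzer2", and readers will type or paste that string into the NuGet dialog exactly as written. Please confirm the exact ID and its publisher against the feed before this lands, and consider linking the package page next to the name, because an install instruction that names an ID the project does not own sends users to whatever is registered under it. The curly quotes around the ID get copied along with it; inline code formatting would avoid that.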
@ -40,7 +40,7 @@ Note: Attack Surface Analyzer requires administrator privileges to accurately ga
## How to Run Attack Surface Analyzer
When running a Software Component Attack Surface Analysis, ASA will perform the most effective analysis if you run a scan on a system after the installation of the operating system and any required updates before youve installed your product or any of its dependencies. It is strongly recommended that no software, other than programs provided by the operating system installation, should be present on the machine. Running a scan when your machine is in this state you will provide a reliable reference that is referred to as a baseline scan. Subsequent scans that are run following the baseline scan and are called product scans and will allow you to use ASA most effectively by comparing your later scans to the baseline scan.
When running a Software Component Attack Surface Analysis, ATSAN will perform the most effective analysis if you run a scan on a system after the installation of the operating system and any required updates before youve installed your product or any of its dependencies. It is strongly recommended that no software, other than programs provided by the operating system installation, should be present on the machine. Running a scan when your machine is in this state you will provide a reliable reference that is referred to as a baseline scan. Subsequent scans that are run following the baseline scan and are called product scans and will allow you to use ATSAN most effectively by comparing your later scans to the baseline scan.
The basic steps for running Attack Surface Analyzer are:
1. Take a baseline scan on a clean machine. (See Collecting Data from the UI.)
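Review bot: The paragraph under "How to Run Attack Surface Analyzer" is only renamed from ASA to ATSAN and keeps its grammar problems: "youve" is missing its apostrophe, "Running a scan when your machine is in this state you will provide a reliable reference" has a stray "you", and "Subsequent scans that are run following the baseline scan and are called product scans and will allow" has an extra "and". This paragraph defines the baseline scan and product scan terms that the rest of the page relies on, so suggest splitting it into short sentences: when to take the baseline, what must not be installed yet, and what a product scan is.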
@ -49,53 +49,45 @@ The basic steps for running Attack Surface Analyzer are:
4. Run data analysis. (See Analyzing Data from the UI.)
The assumption is that both data collection and data analysis will be run on the same machine.
If you choose not to use the GUI, ASA can be run from the command prompt.
If you choose not to use the GUI, ATSAN can be run from the command prompt.
## Running ASA from the GUI
To run ASA, navigate to the Attack Surface Analyzer program from Start. Right-click Attack Surface Analyzer, and select Run as administrator from the context menu that appears. The screen depicted in Figure 1 will be displayed.
## Running ATSAN from the GUI
To run ATSAN , navigate to the Attack Surface Analyzer program from Start. Right-click Attack Surface Analyzer, and select Run as administrator from the context menu that appears. The screen depicted in Figure 1 will be displayed.
### Collecting Data from the UI
1. When the Attack Surface Analyzer window is displayed, select Run new scan located under Please select an action. Scanning should never be run on live production servers since it can severely degrade the performance of the system.
2. There are two options for collection of data:
a) SQL should be checked if your application includes a SQL Server installation. This will collect SQL information for analysis.
b) Windows is selected by default and will collect Windows information for analysis.
3. Confirm the directory and filename where you want the Attack Surface data to be saved and click Run Scan. You will see Figure 2 Collecting Data Screen. ASA will take a snapshot of your system state and store this information in a Microsoft Cabinet (.cab) file. This initial scan is called the baseline scan. Be sure to note the name and location of this file for future reference. At the completion of your product scan, the screen depicted in Figure 3 will be displayed.
4. Install your product or applications necessary to configure the machine enabling as many options as possible. Be sure to include options that you perceive may increase the attack surface of the machine. Examples of increasing the attack surface are:
• The product installation requests to install a Windows service.
• The product installation includes an option to enable access through the Windows Firewall.
• The product installs drivers or attempts other operations in kernel mode.
5. Run the newly installed products or applications following typical user scenarios. Scanning should never be run on live production servers since it can severely degrade the performance of the system.
6. After installing and running your products or applications, run a scan as described in Step 1. Your product should be running at the time you take the scan. This subsequent scan is called the product scan.
7. The baseline and product scans are now available to be analyzed. You can either analyze the results on the computer where you generated your scan, or copy the .cab files to another computer for analysis.
* Select Scan located from the top menu or Start Scan from the home page. Scanning should never be run on live production servers since it can severely degrade the performance of the system.
* There are two options for collection of data: Static or Live.
* Static is selected by default and will collect indicated information for analysis.
* Confirm the directory and filename where you want the Attack Surface data to be saved and click Run Scan. You will see Figure 2 Collecting Data Screen. ATSAN will take a snapshot of your system state and store this information in a Microsoft Cabinet (.cab) file. This initial scan is called the baseline scan. Be sure to note the name and location of this file for future reference. At the completion of your product scan, the screen depicted in Figure 3 will be displayed.
* Install your product or applications necessary to configure the machine enabling as many options as possible. Be sure to include options that you perceive may increase the attack surface of the machine. Examples of increasing the attack surface are:
* After installing and running your products or applications, run a scan as described in Step 1. Your product should be running at the time you take the scan. This subsequent scan is called the product scan.
You will need to run analysis in order to generate the Log files expected to submit your results to Quality Essentials (QE). The log file contains the defects found by ASA, while the CAB files contain the scans of your system. QE recognizes the analysis, not the scans.
The baseline and product scans are now available to be analyzed. You can either analyze the results on the computer where you generated your scan, or copy the .cab files to another computer for analysis.
### Analyzing Data from the UI
At the completion of your product scan, the screen depicted in Figure 3 will be displayed.
1. Select Generate standard attack surface report.
2. Specify your baseline scan and product scan .cab files. Double-check the paths for both scans.
3. Your product/process should be running.
4. Click Generate Report to produce the report.
At the conclusion of the report generation, the HTML page shown in Figure 5 will open.
1. At the completion of your product scan, the screen depicted in Figure 3 will be displayed.
2. Select Generate standard attack surface report.
3. Specify your baseline scan and product scan .cab files. Double-check the paths for both scans.
4. Your product/process should be running.
5. Click Generate Report to produce the report.
6. At the conclusion of the report generation, the HTML page shown in Figure 5 will open.
See the Analysis of Attack Surface Analyzer Output section of this Getting Started Guide for more details on the information produced by your analysis.
## Running ASA from the Command Line
### Collecting Data from the Command Line
Various command arguments are available when running asa.exe from the command prompt. These are documented in the Attack Surface Analyzer User Guide located at http://codebox/asa. Alternatively, the list of supported arguments can be viewed by entering asa.exe /? at an elevated command prompt. For this example, we will take the defaults.
1. Open an elevated command prompt.
2. Navigate to the ASA installation folder. Program files for ASA are installed in the %Program Files%\Microsoft\Attack Surface Analyzer directory by default. Alternatively you can specify these commands using the fully-qualified pathname of the executable. In either case, no data is written to the installation folder.
3. Run asa.exe using the following syntax to perform data collection. Scanning should never be run on live production servers since it can severely degrade the performance of the system. Note the name of the .cab file that is generated. (By default, this is saved into the Attack Surface Analyzer folder in the logged-on users profile folder but this can be overridden using the /outdir switch.) This .cab file will serve as your baseline scan.
asa.exe [/outdir <directory>]
4. Install the product or applications necessary to configure the machine, enabling as many options as possible. Be sure to include options that you perceive may increase the attack surface of the machine. Examples of increasing the attack surface are:
• The product installation requests to install a Windows service.
• The product installation includes an option to enable access through the Windows Firewall.
• The product installs drivers or attempts other operations in kernel mode.
5. Run the newly installed products or applications following typical user scenarios.
6. Run asa.exe. Your product should be running at the time you take the scan. Scanning should never be run on live production servers since it can severely degrade the performance of the system. Again note the name of the .cab file that is generated. This file will serve as your product scan.
Analyzing Data from the Command Line
Various Command-line arguments are available when running analyzer.exe from the command line. However, it is recommended you run ASA with the defaults. To see the list of arguments enter, analyzer.exe /?. Note that analyzer does not need to be run elevated.
* Various command arguments are available when running asa.exe from the command prompt. The list of supported arguments can be viewed by entering asa.exe /? at an elevated command prompt. For this example, we will take the defaults.
* Open an elevated command prompt.
* Navigate to the ASA installation folder. Program files for ASA are installed in the %Program Files%\Microsoft\Attack Surface Analyzer directory by default. Alternatively you can specify these commands using the fully-qualified pathname of the executable. In either case, no data is written to the installation folder.
* Run asa.exe using the following syntax to perform data collection. Scanning should never be run on live production servers since it can severely degrade the performance of the system. Note the name of the .cab file that is generated. (By default, this is saved into the Attack Surface Analyzer folder in the logged-on users profile folder but this can be overridden using the /outdir switch.) This .cab file will serve as your baseline scan.
* asa.exe [/outdir <directory>]
* Install the product or applications necessary to configure the machine, enabling as many options as possible. Be sure to include options that you perceive may increase the attack surface of the machine. Examples of increasing the attack surface are:
* The product installation requests to install a Windows service.
* The product installation includes an option to enable access through the Windows Firewall.
* The product installs drivers or attempts other operations in kernel mode.
* Run the newly installed products or applications following typical user scenarios.
* Run asa.exe. Your product should be running at the time you take the scan. Scanning should never be run on live production servers since it can severely degrade the performance of the system. Again note the name of the .cab file that is generated. This file will serve as your product scan.
After youve finished collecting your baseline and product scans, run the following from the installation directory while your process/product is running:
Analyzer.exe <productcab> /Baseline <baselinecab>
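Review bot: Turning the numbered steps under "Collecting Data from the UI" into bullets leaves "run a scan as described in Step 1" pointing at a step number that no longer exists, and the bullet ending "Examples of increasing the attack surface are:" is followed by no examples in that section, while the command-line section still lists the Windows service, Windows Firewall and kernel-mode driver items. Keep the list numbered or reword the reference, and restore the three examples. The collection step now offers "Static or Live" but only Static is described. The ASA to ATSAN rename also stops partway: the "Running ASA from the Command Line" heading and the command-line bullets still say ASA. The command-line steps are order-dependent (baseline scan, install, exercise the product, product scan), so a numbered list fits better there as well. Finally, "asa.exe [/outdir <directory>]" and "Analyzer.exe <productcab> /Baseline <baselinecab>" should be in code formatting, not a bullet or plain text, since the angle-bracket placeholders can be dropped as HTML when the markdown renders.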
@ -104,7 +96,7 @@ Example:
Analyzer.exe "%USERPROFILE%\Attack Surface Analyzer\Product.cab" /Baseline "%USERPROFILE%\Attack Surface Analyzer\Baseline.cab"
Note that analyzer has very high CPU and memory demands, and often takes a considerable amount of time to complete. Analyses should never be run on live production servers since it can severely degrade the performance of the system.
See the Analysis of Attack Surface Analyzer Output section of this Getting Started Guide for more details on the information produced by your analysis.
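Review bot: The example command at the top of this hunk is plain text; put it in a code block so the quoted %USERPROFILE% paths with their backslashes are rendered literally and can be copied as they stand. In the note below it, "Analyses should never be run on live production servers since it can" pairs a plural subject with "it"; "since analysis can" reads correctly.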