Attack Surface Analyzer 1.0 Released

Last year we released a beta version of our free Attack Surface Analyzer tool.  The purpose of this tool is to help software developers, Independent Software Vendors (ISVs) and IT Professionals better understand changes in Windows systems’ attack surface resulting from the installation of new applications.   Since the initial launch of Attack Surface Analyzer, we have received quite a bit of positive feedback on the value it has provided to customers.  Today we are pleased to announce that the beta period has ended and Attack Surface Analyzer 1.0 is now available for download.

File Name      Size        
 Attack_Surface_Analyzer_x86.msi 1.8MB
 Attack_Surface_Analyzer_x64.msi 1.8MB
 Attack_Surface_Analyzer_ReadMe.docx 224KB



This release includes performance enhancements and bug fixes to improve the user experience.  Through improvements in the code, we were able to reduce the number of false positives and improve Graphic User Interface performance.  This release also includes in-depth documentation and guidance to improve ease of use.   For more information regarding the improvements see the ReadMe document.

The Attack Surface Analyzer tool is designed to assist independent software vendors (ISVs) and other software developers during the verification phase of the Microsoft Security Development Lifecycle (SDL) as they evaluate the changes their software makes to the attack surface of a computer.  Because Attack Surface Analyzer does not require source code or symbol access, IT professionals and security auditors can also use the tool to gain a better understanding of the aggregate attack surface change that may result from the introduction of line-of-business (LOB) applications to the Windows platform.

Unlike many tools that analyze a system based on signatures or known vulnerabilities, Attack Surface Analyzer looks for classes of security weaknesses Microsoft has seen when applications are installed on the Windows operating system, and it highlights these as issues. The tool also gives an overview of changes to the system that Microsoft considers important to the security of the platform, and it highlights these changes in the attack surface report. Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, Microsoft ActiveX controls, listening ports and other parameters that affect a computer’s attack surface.

The tool has a stand-alone wizard to help guide users through the scanning and analysis process; a command-line version supports automation and older versions of Windows, and assists IT professionals as they integrate the tool with existing enterprise management tools.   Examples of the wizard can be seen below:

The image on the left below displays the Attack Surface Analyzer tool wizard at startup.  Once a new scan is run, the right image is displayed.  The tool should be run before new products are installed to provide a baseline.  Then install the products and run a new scan to identify changes in the attack surface..

The image on the left below is the screen in the tool users will see when the scan has completed.  From here users can select “generate report” to get the full details of the scan.  The image to the right represents an example of the attack surface report. 

The Attack Surface Analyzer enables:

  • Developers to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
  • IT Professionals to assess the aggregate attack surface change by the installation of an organization’s line of business applications
  • IT Security Auditors to evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
  • IT Security Incident Responders to gain a better understanding of the state of a systems security during investigations (if a baseline scan was taken of the system during the deployment phase)

Whether you are a new Attack Surface Analyzer user or an existing customer, we hope you take advantage of the many great features this free tool has to offer in helping you reduce the attack surface of your systems.


Monty LaRue & Jimmie Lee
Trustworthy Computing Security



About the Author
SDL Team

Trustworthy Computing, Microsoft

Join the conversation

  1. Anonymous

    While the intent is very noble, the software itself cannot run on pre-Windows 7. Now it even dropped support for Vista as it was supported in beta.

  2. Anonymous

    Windows Vista is not officially supported anymore and XP hasn't got much time to run either. Enterprise arguments aside, the rest of the Windows-using world is on 7. The intent here may not be nobility, but it certainly is pragmatism!

  3. Anonymous

    XP may not have much time to run – but it very much is still deeply entrenched in many corporate environments.

    So I would most definitely not call this pragmatic – given that it is precisely these enterprise environments that probably care most about security.


    From the name I imagined this to be some kind of touch screen coffee table cyber attack tool.

    While not quite as exciting it does still look interesting, will be checking it out over the next couple of days.

  5. Anonymous

    I tried to download it, but got an err msg from Windows Security that it is not from a valid or trusted source, and so would not download.

  6. Anonymous

    stupid. Says it needs .NET4 for full implementation, but give no links to download/install from. Come on people you had years to get it right and your still making basic errors

  7. Anonymous

    In an n-tier system, what exactly should and should not be analyzed?

    If the system contains a separate database server, running SQL Server, should creation of the databases within SQL server be analyzed? Or should analysis be restricted to only custom code/applications?

    If there are custom OS configuration scripts that run after OS-imaging but before application installation, should they be analyzed? The ReadMe says "Install any software prerequisite packages before the installation of your application." But does this extend to pre-configuration scripts?

  8. Anonymous

    @onehunglo, this tool is not for rookie. If you can't get it to work, it's not for you. Go away.

  9. Anonymous

    @ Chris

    Well people still relying on XP should rather consider the attack surface of the whole OS… IMHO Microsoft has already done more than enough for XP support, and should stop losing precious time rolling out special code for die-hard laggards.

  10. Anonymous

    It looks like the tool says "Network Denied: false" even when PIPE_REJECT_REMOTE_CLIENTS is passed to CreateNamedPipe().  Perhaps it's only looking for a deny DACL on "Network".

    It also looks like the tool needs to be calibrated to handle the case when a new NIC is added to a system, since it complains about registry keys added for under the TCPIP and TCPIP6 services key that can be modified by the "Network Configuration Operators (S-1-5-32-556)" group.


    I like this tool but it is of limited use to me. I find it a little cumbersome that for this tool to be useful it needs to run on a newly installed version of Windows and then compared against the same machine when it is ready for use in the production environment.

    I don’t have many PCs but those that I have I would like to secure better. It looks like I will need to revert PC each to its original installation image that I created and then revert back to the in use image that reflects the PC as it is now. While I can see why this needs to be done, is it not possible to simply list the security issues found? E.g. for a test PC that I ran it on, it showed 5 weak ACLs present in the current state of the PC. Why can’t such weaknesses be detected on PCs in their current state without needing to revert to a clean install of Windows?

    This is just simply going to take a lot longer than it should since not everyone has the luxury of running it on a clean machine and then installing the necessary applications and then re-running the scan. I compared 2 scans taken 1 day apart from one another on a production system and the report showed no useful info.

    Thanks for creating this tool though.

  12. Anonymous

    JamesCollins_836 that's what VMs are for.  Testing on physical systems is so last decade.

  13. Anonymous

    Tackling this challenging aspect of security is another important layer of Microsoft's in-depth approach to defense. It has three parts:

    Trustworthy Identity

    Access Policy Management

    Information Protection

    so do i hire lawers to back your web or revere it into a policed stae with all beings RFID;d

  14. Anonymous

    Excellent post. I was checking continuously this blogs and I’m impressed! Very helpful information specially the remaining part 🙂 I care for such information much. I was looking for this particular info for a long time. Thanks and best of luck.want to see more detail visit

    home monitoring


    Nice i like it

Comments are closed.