Evaluate the Server Attack Surface Using Microsoft Security Tools

Source: Internet
Author: User

Security experts use the term "attack surface" to describe the set of ways a computer can be attacked by a malicious entity, whether that entity is malicious software or a malicious user. The rule of thumb is simple: the larger the attack surface, the more ways the computer can be attacked; the smaller the attack surface, the less foothold an attacker can gain.

Microsoft has emphasized in recent releases that it wants to reduce the attack surface of Windows Server. The idea is to reduce the attack surface by default, so that a freshly installed Windows Server avoids many attacks without further hardening. The concept of attack surface reduction applies to all Windows products, desktop and server alike.

Microsoft's attack surface reduction work focuses mainly on the engineering of Windows itself, such as the default operating system settings. However, third-party applications, from standalone programs that cause no harm to relatively complex ones that add device drivers, may also enlarge the Windows attack surface. Users and programmers are often unaware of this, especially when an application changes low-level system components such as the firewall or anti-virus software.

Until recently, programmers had no practical way to check whether their programs would increase the attack surface of the system; the problem was often exposed only after an attack. Earlier this year, however, Microsoft released a beta tool at the Black Hat security conference that lets IT professionals determine whether a given application significantly increases the overall attack surface of Windows Server. The tool is the Attack Surface Analyzer, available in 32-bit and 64-bit versions. It is still in beta, and Microsoft is requesting feedback from users.

The Attack Surface Analyzer works by running two scans on Windows. The first is a baseline scan, performed on a system where the program under test is not yet installed. To complete the baseline scan, you must first install the supporting components the program requires (such as the .NET Framework or SQL Server), so that only the program itself shows up as a difference later. This scan covers every aspect of the system that may affect the attack surface, including registry keys, security identifiers (SIDs), and open ports. The result is saved as a .CAB file in the current user's directory; the file name is generated automatically from the host name and the scan time.


Figure 1: Baseline scan in the Attack Surface Analyzer

The second scan is performed after you install the program under test. The Attack Surface Analyzer calls this a "product scan". Any changes caused by the tested program are recorded in detail. The results are saved in an HTML report that describes the obvious security problems found during the scan and the details of the possible attack surface. Note that a given attack surface is not always dangerous, but anything flagged during the scan is worth examining.
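As an added illustration (not part of the original article and not the Attack Surface Analyzer's own code), the two-scan idea above reduced to a small PowerShell script: snapshot a chosen subset of the attack surface, install the program, snapshot again, and diff the two. The function names and the four categories collected (services, listening TCP ports, Run-key autoruns, enabled inbound allow firewall rules) are my own choices, not the tool's.

```powershell
# Added example: a minimal baseline/product snapshot and diff in the spirit of the
# Attack Surface Analyzer workflow. Not the tool itself; categories are a chosen subset.
function Get-AttackSurfaceSnapshot {
    $items = New-Object System.Collections.Generic.List[string]
    # Services and their start type (a new auto-start service is a classic surface increase)
    Get-Service | ForEach-Object { $items.Add("service|$($_.Name)|$($_.StartType)") }
    # Listening TCP endpoints with the owning process name
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $items.Add("listen|$($_.LocalAddress):$($_.LocalPort)|$proc")
    }
    # Machine-wide autorun values under the Run / RunOnce keys
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... bookkeeping properties
                if ($p.Name -notlike 'PS*') { $items.Add("autorun|$key\$($p.Name)|$($p.Value)") }
            }
        }
    }
    # Enabled inbound allow rules, i.e. holes opened in the host firewall
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        ForEach-Object { $items.Add("fwallow|$($_.DisplayName)|$($_.Profile)") }
    return $items | Sort-Object -Unique
}

function Compare-AttackSurface {
    param([string[]]$Baseline, [string[]]$Product)
    # '=>' means present only in the product snapshot (added), '<=' only in the baseline (removed)
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Product | ForEach-Object {
        $state = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        "$state $($_.InputObject)"
    }
}

# Usage (run from an elevated session; install the program under test between the two snapshots):
# Get-AttackSurfaceSnapshot | Set-Content baseline.txt
# ... install the application ...
# Compare-AttackSurface -Baseline (Get-Content baseline.txt) -Product (Get-AttackSurfaceSnapshot)
```

Every ADDED line is a candidate for the same question the analyzer's report asks: did the installer need that service, port, autorun or firewall rule, or is it avoidable exposure?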

Microsoft has published a paper on measuring attack surfaces that compares the attack surface exposed by various Windows versions. Some of the concepts in that paper guided the design of the Attack Surface Analyzer; specifically, it uses the opportunity for attack as a metric and considers what will be attacked first and fastest.


Figure 2: The Attack Surface Analyzer scanning an installed program for vulnerabilities
