I’ve had a chance to spend some quality time with Microsoft’s Attack Surface Analyzer over the past week, which I’m going to refer to as “MS-ASA” to keep my word count down. The tool itself is pretty nifty: it gathers security and other system information from Windows, compiles it into a .CAB file (a ‘baseline’), and stores it for future analysis. The two most powerful features are the capability to pull this information from almost anywhere on the system, and to compare that information between baselines.
There are three main conditions to using MS-ASA with control systems. First, MS-ASA doesn’t support Windows XP. This is a huge issue for control system owners and vendors, who are still working with a large XP install base.
Second, full installation of the tool requires the “.NET Framework 4 Extended”, which is not normally resident on control systems. Without .NET 4, MS-ASA can still be used in command-line form, but it is limited to data collection only. Using just asa.exe, a user needs to transfer the resulting baseline .CAB to a system with the full version of MS-ASA for comparison and reporting. While this may seem like a serious drawback, use of asa.exe opens the door to automating the scans, something I’m investigating for a much larger training program around MS-ASA.
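As an added illustration of the collection-only workflow just described (this is example code written for this page, not from the post or from Microsoft’s tooling), the PowerShell wrapper below checks the two conditions above on the control-system host, runs the asa.exe collector, hashes the resulting baseline .CAB, and stages it for comparison on a separate, fully installed MS-ASA machine. The asa.exe path, the staging share, and in particular the collector argument list in `$CollectArgs` are assumptions; confirm the real switches against the help output of the asa.exe build you have.

```powershell
# Added example: automate a collection-only MS-ASA baseline on a control-system host.
# Not from the original post or from Microsoft. Paths, share name and the asa.exe
# arguments are ASSUMPTIONS (placeholders) -- verify them on your own install.
param(
    [string]$AsaExe   = 'C:\Program Files\Attack Surface Analyzer\asa.exe',  # assumed path
    [string]$StageDir = '\\analysis-host\asa-baselines',                      # assumed share
    [string]$LocalOut = 'C:\asa-out'
)
$ErrorActionPreference = 'Stop'

# 1. MS-ASA does not support Windows XP (NT 5.1). Refuse early rather than fail
#    mid-collection. Assumed here: 6.0 (Vista) is the oldest version accepted.
$os = Get-WmiObject Win32_OperatingSystem
if ([version]$os.Version -lt [version]'6.0') {
    throw "Unsupported OS version $($os.Version): Windows XP (and older) is not supported by MS-ASA."
}

# 2. Detect the full .NET Framework 4. The 'Full' subkey is written by the
#    .NET 4 Extended/Full installer; the Client Profile writes only 'Client'.
$net4Full = Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

# 3. Timestamped output name so repeated scheduled runs never overwrite a baseline.
New-Item -ItemType Directory -Force -Path $LocalOut | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$cabPath = Join-Path $LocalOut ("{0}-{1}.cab" -f $env:COMPUTERNAME, $stamp)

# 4. Run the collector. ASSUMED argument form: '-b <output cab>' writes a baseline.
#    Replace with the exact switches printed by your asa.exe help.
$CollectArgs = @('-b', "`"$cabPath`"")
$proc = Start-Process -FilePath $AsaExe -ArgumentList $CollectArgs -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0 -or -not (Test-Path $cabPath)) {
    throw "Collection failed (exit code $($proc.ExitCode)); no baseline written."
}

# 5. Record a SHA-256 of the CAB before it leaves the host so the analysis side can
#    confirm the baseline was not altered in transit. SHA256Managed works on
#    PowerShell 2.0; Get-FileHash only exists on PowerShell 4 and later.
$sha = New-Object System.Security.Cryptography.SHA256Managed
$fs  = [System.IO.File]::OpenRead($cabPath)
try   { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $fs.Close() }
Set-Content -Path "$cabPath.sha256" -Value "$hash  $(Split-Path $cabPath -Leaf)"

# 6. Stage the baseline. With full .NET 4 present, comparison could run locally;
#    without it, the CAB has to travel to the machine with the full MS-ASA install.
if ($net4Full) {
    Write-Host "Full .NET 4 present: comparison and reporting could run on this host."
} else {
    Write-Host "No full .NET 4: collection only; copying baseline to $StageDir"
}
Copy-Item -Path $cabPath, "$cabPath.sha256" -Destination $StageDir
Write-Host "Baseline $cabPath (SHA-256 $hash) staged."
```

Run it from a scheduled task (or invoke it with the default parameters from an elevated prompt) on each host you want to trend; the `.sha256` file travelling with each CAB lets the analyst on the full-install machine verify the baseline before loading it for comparison.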