Collecting attack surface information (Windows 7 / Windows Server 2008 R2):
C1. Download and install Attack Surface Analyzer on a freshly built version of Windows 7 Professional or Windows Server 2008 R2 (for server-based applications).
C2. Run Attack Surface Analyzer from the Start menu. Windows User Account Control (UAC) will prompt you because Attack Surface Analyzer needs to elevate to administrative privileges.
C3. When the Attack Surface Analyzer window is displayed, ensure the "Run new scan" action is selected, confirm the directory and filename you would like the Attack Surface data saved to, and click Run Scan.
C4. Attack Surface Analyzer will then take a snapshot of your system state and store this information in a Microsoft Cabinet (CAB) file. This scan is known as your baseline scan.
C5. Install your product(s), enabling as many options as possible and being sure to include options that you perceive may increase the attack surface of the machine. Examples include cases where your product can install a Windows Service, includes the option to enable access through the Windows Firewall, or installs drivers.
C6. Repeat steps C2 through C4. This scan will be known as your product scan.
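The baseline/product comparison that steps C2 through C6 set up can be illustrated with a small PowerShell sketch. This is an added example, not part of Attack Surface Analyzer or of this page; it covers only the three categories named in step C5 (services, firewall rules, drivers), and the function names and file paths are hypothetical.

```powershell
# Added example: snapshot services, drivers and firewall rules, then list what
# the product install added or changed. Uses only WMI and the HNetCfg.FwPolicy2
# COM object, both present on Windows 7 / Windows Server 2008 R2.

function Save-SurfaceSnapshot {
    param([Parameter(Mandatory=$true)][string]$Path)

    # Each item is flattened to one string so that any changed property
    # (start mode, account, binary path, port) shows up as a new entry.
    $services = @(Get-WmiObject Win32_Service | ForEach-Object {
        "{0}|start={1}|account={2}|path={3}" -f $_.Name, $_.StartMode, $_.StartName, $_.PathName })

    $drivers = @(Get-WmiObject Win32_SystemDriver | ForEach-Object {
        "{0}|start={1}|path={2}" -f $_.Name, $_.StartMode, $_.PathName })

    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $rules = @($policy.Rules | ForEach-Object {
        "{0}|dir={1}|action={2}|enabled={3}|proto={4}|ports={5}|app={6}" -f `
            $_.Name, $_.Direction, $_.Action, $_.Enabled, $_.Protocol, $_.LocalPorts, $_.ApplicationName })

    @{ Services = $services; Drivers = $drivers; FirewallRules = $rules } |
        Export-Clixml -Path $Path
}

function Compare-SurfaceSnapshot {
    param(
        [Parameter(Mandatory=$true)][string]$BaselinePath,
        [Parameter(Mandatory=$true)][string]$ProductPath
    )
    $baseline = Import-Clixml -Path $BaselinePath
    $product  = Import-Clixml -Path $ProductPath

    foreach ($category in 'Services', 'Drivers', 'FirewallRules') {
        $before = @($baseline[$category])
        # Entries present after the install but not before: new or modified items.
        @($product[$category]) | Where-Object { $before -notcontains $_ } | ForEach-Object {
            New-Object PSObject -Property @{ Category = $category; AddedOrChanged = $_ }
        }
    }
}

# Usage, mirroring the steps above (paths are hypothetical):
#   Save-SurfaceSnapshot -Path C:\scans\baseline.xml     # before installing (C2-C4)
#   ...install the product with its options enabled (C5)...
#   Save-SurfaceSnapshot -Path C:\scans\product.xml      # after installing (C6)
#   Compare-SurfaceSnapshot C:\scans\baseline.xml C:\scans\product.xml |
#       Sort-Object Category | Format-Table -AutoSize -Wrap
```

A service that now runs as LocalSystem, a new inbound allow rule, or a newly loaded kernel driver in the output is the kind of change to review before shipping.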