Introducing Stirling - Walkthroughs

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

Microsoft® Forefront™ codename Stirling is an integrated security system that combines next-generation Forefront endpoint, messaging and collaboration, and network-protection solutions with a central management console. Stirling delivers comprehensive, coordinated protection across your IT environment that makes security easier to manage and control.

Stirling includes:

  • Central management console for security configuration and enterprise-wide visibility.
  • Next-generation client protection with the next version of Forefront Client Security.
  • Next-generation messaging and collaboration protection with Forefront Security for Exchange Server and Forefront Security for SharePoint®.
  • Next-generation edge protection with Internet Security and Acceleration Server, to be renamed Forefront Threat Management Gateway (“Forefront TMG”).

Management and control

The sections that follow describe the three ways Stirling makes security easier to manage and control: coordinated protection across layers, a single point of configuration, and enterprise-wide visibility.

Comprehensive, coordinated protection

Stirling provides better protection by automatically responding to security threats at multiple layers in the enterprise:

  • Clients
  • Messaging & collaboration servers
  • The network edge

This improved protection makes it possible for administrators to save time while proactively securing the environment.

Simplified management

Stirling provides a single management console for configuring security across all the assets in your network, including clients, messaging and collaboration servers, and the network edge. Stirling easily integrates with existing infrastructure, such as Microsoft Active Directory® directory service, System Center Operations Manager, and Windows Server® 2008 Network Access Protection.

Critical visibility

Stirling provides in-depth reporting and remediation of threats, vulnerabilities, and configuration risks through a single Dashboard.

All components within the integrated security system share assessments about the security state of assets in an organization. Assessments provide you with prioritized, actionable information about the risks that impact your organization.

The assessments contain a variety of information, including:

  • The computer or user that triggered the security assessment.
  • The extent of the damage or risk of damage.
  • The likelihood that the assessment represents a real threat.

These assessments are shared across the enterprise security assessment channel, to which every Stirling component is connected. For each assessment, each protection technology in Stirling can respond independently, either by publishing additional assessments about the asset in question or by taking a protection action.

About Stirling

Stirling integrates with Microsoft products, making it possible for administrators to get more value out of their existing investments while saving time and reducing costs. The Microsoft products that Stirling uses and integrates with are described in the following list.

  • System Center Operations Manager 2007: Stirling uses System Center Operations Manager 2007 to provide management and health reporting capabilities.
  • SQL Server® 2005: Stirling stores historical data in a SQL Server database.
  • Windows Server Update Services (WSUS): Stirling distributes definition updates through WSUS.
  • Active Directory Domain Services: Stirling can use Active Directory groups and organizational units to deploy policy.
  • Windows® Firewall: Stirling provides Windows Firewall management capabilities.
  • Windows Server 2008 Network Access Protection (NAP): Stirling integrates with NAP so that only assets that comply with security policy are allowed access to the corporate network.

About Stirling groups

Groups in Stirling are collections of assets whose membership is dynamic: it is determined by the results of a query, re-evaluated as assets change. The query that defines the membership of a group can be based on:

  • Computer name
  • Active Directory Domain Services organizational unit location
  • Group Definition Language query

For more information about groups, see Working with groups.

About Stirling policy

A policy in Stirling is a collection of settings that you can apply to one or more assets.

A policy is divided into sections, one per protection technology; these sections are called policy units. You create a policy by enabling the policy units you need, configuring the settings in each enabled unit, and then saving the policy.

Creating a policy does not by itself change anything on your assets. The settings take effect only after you link the policy to a target group. This step is called binding the policy to the group, and it is what deploys the policy to the group's members.

For more information about policies, see Working with policies.

About these walkthroughs

The walkthroughs included in this guide have each been designed to demonstrate a specific Stirling technology area. Each walkthrough follows the same format:

  1. You create Stirling policies for that protection technology.
  2. You deploy the policies to assets.
  3. You then view the result of the policies on the assets and in the Stirling Dashboard.
  4. Finally, you test the respective protection technology, and view the result of the test in the Stirling Dashboard.

For ease of reference, these walkthroughs use example computer names. If you set up your own Stirling environment, you would use whatever computer names are appropriate in your organization.

The walkthroughs address the following specific areas:

Protecting assets from malware - Walkthrough

In this walkthrough, you create Stirling groups and Stirling policies. You then deploy Stirling policies to configure the Forefront Client Security agent on the assets. After verifying the result of the policies on the assets, you then view the result of the policy on the Stirling Dashboard. Finally, using sample malware, you test the Client Security agent on the asset and view the result on the Stirling Dashboard.

Integrating with Windows Firewall - Walkthrough

This walkthrough builds on the previous one, using the groups created in the "Protecting assets from malware - Walkthrough" topic. You create Windows Firewall policies in the Stirling console, and then deploy them to your assets. After verifying the results on the assets, you then view the results of the policy on the Stirling Dashboard. Finally, using a sample application that receives communication from the network, you test the Windows Firewall policy.

Using Security State Assessments - Walkthrough

This walkthrough also builds on the first one, using the groups created in the "Protecting assets from malware - Walkthrough" topic. You create Stirling Security State Assessment (SSA) policies in the Stirling console, and then deploy them to your assets. After verifying the results on the assets, you then view the results of the policy on the Stirling Dashboard. To see a configuration problem display on the Dashboard, you implement a noncompliant Internet Explorer® setting, run a manual SSA scan, and then view those results on the Dashboard.

Performing Remediation - Walkthrough

This walkthrough also builds on "Protecting assets from malware - Walkthrough", in addition to building on "Using Security State Assessments - Walkthrough". You first create and test Stirling policies that automatically remediate security configuration problems. Finally, you edit Stirling policies and test manual remediation of security configuration problems.

Automating Security Responses - Walkthrough

This walkthrough introduces assessments and response. Building on the previous walkthroughs, you create an additional group for servers, and you create and configure both manual and automatic security response policies for the desktops and the servers. You then deploy the policies and test the policies with sample malware.

Integrating with Network Access Protection - Walkthrough

This walkthrough guides you through configuring Windows Server 2008 Network Access Protection (NAP) to integrate with Stirling. After configuring NAP and configuring the Stirling server to be a remediation server, you configure the asset for NAP. You then view the asset's NAP status in the Stirling Dashboard, and configure a Stirling policy under which NAP restricts the asset's network access when the asset does not comply with that policy. After you deploy the policy, you view the results of the policy both on the asset and in the Stirling Dashboard. You then configure the policy to require manual remediation, deploy the policy, and manually remediate the asset by using the Stirling Dashboard.

Using PowerShell with Stirling - Walkthrough

In this walkthrough, you work with the Stirling snap-in in the Windows PowerShell™ environment. This walkthrough is similar to the first walkthrough, but you perform all Stirling operations in a PowerShell console with the Stirling snap-in loaded, and you use PowerShell cmdlets to send tasks to the managed asset.

Protecting e-mail from viruses - Walkthrough

In this walkthrough, you create Stirling groups and Stirling policies for managing Forefront Security for Exchange Server. You then edit the policy to configure antivirus, file filter, and signature update settings for Forefront Security for Exchange Server, and then you deploy the policy to the managed Microsoft Exchange servers. On the Stirling Dashboard, you then view the result of the policy.

Walkthrough environment

The following image illustrates the network environment used in the walkthroughs.

[Image: Stirling walkthrough network diagram]