Stirling Work


Story by Dick Beddoe, 11-11-2008, 0 comment

Microsoft has taken Antigen, developed a new version of Forefront and turned it into an impressive piece of software for combating the inevitable security risks that come from connecting to the Internet.

When Microsoft purchased Antigen a few years ago, it filled one of the missing links in the total solution for e-mail. Until then there was no Microsoft-based solution for the boundary, no virus checking and no antispam handling. This was all left to the third parties, and leading the pack was Sybari Antigen.

With the purchase of Antigen, Microsoft leapfrogged the competition and then integrated Antigen into the Exchange model to produce the first version of Forefront for Exchange (a separate product). I was tickled to see that in the management console the proud Sybari and Antigen banner had been replaced with Microsoft and Forefront, but that nothing else had really changed. The rather awful Sybari management interface was pretty much the same.

Making its Mark
The Microsoft development team has now got to grips with Antigen big time and Forefront is expanding. The new enterprise version of Forefront, codenamed Stirling, is completely different and encompasses far more than just Exchange. Even the highly successful ISA Server has now been incorporated, as Forefront Threat Management Gateway (TMG). The third component of the product is the client management software, called Forefront Client Security. This provides a total security policy management system for clients and boundary connections.

The evaluation product (which consists of several large VHD disks loaded into Microsoft Virtual Server) has a Vista-like, retro look with a simple list of links in the left-hand navigation pane and reported results and several embedded scrolling windows in the right-hand results pane.

It is interesting to see the development of these administration tools. From the early days it was “User Manager for Domains” and “Server Manager” in NT 4. Then came the first iteration of the management console framework MMC 2.0 and “Active Directory Users and Computers” in Windows 2000 and 2003. Now in this latest version, using MMC 3.0 and the characteristic three panes, we have ADUC for Windows 2008 and the likes of Exchange System Manager. But what epitomises Windows 2008 for me is the all-embracing Server Manager.

Throughout the development of these interfaces, the style and efficiency have been consistently improved and the functions consolidated. We now have what looks like a two-pane management console that holds a series of hyperlinks in the left-hand pane (called the digital dashboard), which when clicked show the results in the right-hand pane.

What Does It Do?
The aim is to unite a series of disparate products, including the former Antigen, ISA Server and of course the ability to drive in (Internet) security policy settings otherwise seen in the local security policy. As this is a global solution, individual servers and workstations may be logically grouped to receive settings from the Stirling server. Various default policies are already defined, including Client and Exchange server policies.

Clearly administrators would want to create their own policies. The policy creation process allows you to pull together a group of (say) desktops by a search, and through a fairly high-level set of tick boxes tie down the workstations to a tightly defined security policy covering such things as the standard firewall, Windows Defender malware protection and Network Access Protection. A similar process could be run for a policy that is imposed on all the Exchange (2007) servers, but the settings would be different and would include such things as spam handling and antivirus checks. The policy is applied to a predefined group, which is typically built using a search on the Active Directory for a particular subset of machines (based on their departmental use, for example) or maybe identified user accounts.

Underlying the strategy of enterprise protection is a multilayered approach that ensures each component of the network has its own protection in place, rather than relying entirely on a straightforward boundary check. The management console allows each included machine to be examined for all the typical security settings. Take the ubiquitous User Account Control (UAC) as an example. If a user is an administrator of his or her laptop (not at all an unusual situation) it is easy to switch UAC off. This change may be seen through the Stirling management interface by means of a table displayed in the results window that flags these security transgressions.

Having identified the machine, the management console can interrogate it to see if any malware has been detected and cleaned by the security check. At that stage the Stirling administrator may remotely force UAC back on. It does not automatically issue 40 lashes to the recalcitrant user, but I understand that this has been considered as a downloadable extra (OK, perhaps not, though it would be tempting!).
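The UAC check described above can be reproduced outside the console. The following is an added example, not Stirling's or Forefront's own code; it reads the standard EnableLUA and ConsentPromptBehaviorAdmin values under the Policies\System key and bands the result using the colour scheme the report uses. The computer names are constructed placeholders.

```powershell
# Added example: audit the UAC setting that the Stirling console flags on
# each managed machine, and optionally force it back on. Not Forefront code.
function Get-UacComplianceReport {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($computer in $ComputerName) {
        try {
            # Remote Registry service and local admin rights on the target are required.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $sys  = $hklm.OpenSubKey($key)
            $enableLua = $sys.GetValue('EnableLUA', 1)                  # 0 = UAC switched off
            $prompt    = $sys.GetValue('ConsentPromptBehaviorAdmin', 5) # 0 = elevate silently
            # Banding modelled on the article's report: UAC off is the serious
            # transgression; silent elevation for administrators is a weaker one.
            $risk = if ($enableLua -eq 0) { 'Red' }
                    elseif ($prompt -eq 0) { 'Orange' }
                    else { 'Green' }
            [pscustomobject]@{
                Computer    = $computer
                EnableLUA   = $enableLua
                AdminPrompt = $prompt
                Risk        = $risk
            }
        } catch {
            # Unreachable machines are reported rather than silently skipped.
            [pscustomobject]@{ Computer = $computer; EnableLUA = $null; AdminPrompt = $null; Risk = 'Unknown' }
        }
    }
}

# Remediation: force UAC back on. The change takes effect after the next reboot.
function Enable-Uac {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $sys  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', $true)
    $sys.SetValue('EnableLUA', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
}

# Constructed example run against two placeholder machine names.
Get-UacComplianceReport -ComputerName 'PC01', 'PC02' | Format-Table -AutoSize
```

Any machine that comes back Red is a candidate for Enable-Uac; the report itself is read-only.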

Security Check
One of the major selling points of Stirling is Dynamic Response. At the base of the policy settings section is a Monitoring and Response subsection that includes a Response plan. As with all of these, it requires a new definition. When a new Response is created, a series of tick boxes allow the administrator (for instance) to instruct Forefront TMG (ISA Server) to block the offending machine from external access. A secondary action forces a comprehensive scan on the client to ascertain the cause of the problem. This whole process is automated (and will require some careful thought lest an over-zealous Stirling administrator locks everyone out of their precious Internet because of a minor infringement of the rules).

The role of managing this aspect of computer security may well be split between those who manage Exchange servers and maybe the desktop team of administrators, not to mention the folk who have traditionally managed the boundary (ISA). In the Stirling dashboard, you can customise the contents to reflect the requirement of Exchange administrators, for example. Once configured, the dashboard is saved and may then even be e-mailed as an attachment to the Exchange administrator’s team. (The same principle of focused customisation may be applied for a desktop team.)

Understanding precisely what has been configured with respect to external security exposure, and assessing the threat level, has always been difficult. So far this assessment has been based on a combination of ISA settings, Group Policy-based security settings, and additional Exchange-related settings from Forefront (Antigen). What Stirling offers is a comprehensive reporting tool that pulls together all these separate threads and presents them as an easily understandable enterprise security summary report.

The report has at its head a threat risk assessment for the whole organisation, conveniently colour banded Green (none), Yellow (low), Orange (medium) and Red (high). Under this, the next level of detail reflects the risk of each section based on Exchange Servers, maybe the groups that were defined earlier or even defined groups of user accounts. When the report is produced the visual impact is immediate. Clearly a lot of Red is bad news, Orange is relatively neutral, but Green or Yellow will melt those tensions away…

When you drill down to the detail, you’ll notice that the style is similar to that of the Reliability reports for Windows 2008 and Vista. Historical data is presented to reveal any trends or issues regarding security lapses, based on machines or even users. Clearly this collated information is going to be extremely useful in getting a sense of the security health of the organisation.

Major Steps
This new version of Forefront is a major leap forward from the previous versions as it encompasses the full range of risks that inevitably arise with any connection to the Internet. Stirling goes beyond the traditional boundary level protection offered by many third-party application boxes with an integrated approach that includes Exchange servers, client machines and even client accounts themselves. This can only be good news for the traditional medium-sized to large companies, which will be able to afford the resources (in time and money) to build and configure this impressive piece of software. I look forward to a release candidate and, of course, a final product, which I estimate will appear in 2009. Would I be presumptuous in guessing that it might be called the Forefront 2009 suite of products?

