New Boundary Technology Inc.'s Policy Commander automates what can be the overwhelming manual task of maintaining security settings on Windows desktop, laptop and server systems. The software-based Policy Commander, which works only with Windows systems, uses agents on each of the desktops and servers it manages to monitor, report and enforce security policies. New Boundary uses the same base agent with other products in its line, including Prism Deploy. This limits the number of management agents on a system and makes Policy Commander an especially good fit in shops that already use New Boundary products.
New Boundary certainly could stand to brush up the administrative capabilities of its security policing tool, but the functionality Policy Commander provides, along with the opportunity to consolidate management tools on a base agent, makes the product worth evaluating.
Policy Commander, which was released last month, costs $27.50 per workstation seat, including $5.50 for maintenance for the first year for the first 499 workstations. The product costs $495 per server, including a $100 maintenance fee for the first 50 servers. Costs drop per seat or server as the number of devices increases.
To test Policy Commander, eWEEK Labs used desktop systems running a variety of Windows operating systems, including Windows 2000 Professional and Windows XP, as well as several servers running Windows 2000 Server and Windows Server 2003. Several of these machines were virtual systems on an IBM eServer 325 running VMware Inc.'s VMware Workstation Version 4. We recommend using a similar setup to test Policy Commander in a lab setting before deploying it to the field.
Out of the box, Policy Commander comes with 63 policies, covering a comprehensive range of scenarios. However, the product lacks an easy way to edit policies or create new ones.
To adapt the policies provided, we had to go through a laborious process of opening the files in MMC (Microsoft Management Console). We did this with several policies just to get an idea of what was actually going on behind the curtains, and we found some pretty basic stuff: The policies instruct the Policy Commander agent on the monitored system to watch system services, registry entries, event logs and the file system. For example, one provided policy disables Microsoft Internet Information Services on unauthorized computers. The policy, among other things, disabled the IIS Admin Service in Windows System Services. Applying the policy to a machine was a simple process.
We did find several first-version problems with Policy Commander, including one big one: There is only one log-on account for the product. This means that everyone who uses the system can see all the managed computers and can make any change he or she wishes to policies applied to those computers. Policy Commander administrative users can also view all reports.
Most troubling is that anyone who is logged on to Policy Commander can change the policy action from the usual "send an e-mail," an action that simply notifies Policy Commander administrators that a violation has occurred, to "enforce," which takes the much more drastic measure of making changes to the end-user system (when possible) to correct the system configuration and bring the endpoint back into compliance.
New Boundary officials said that a subsequent version of Policy Commander will include a way to create users with access restricted to groups of machines. Until then, only senior IT managers should be given access to the product.
Flowing from the single-administrator concept was an annoying if not nearly as serious problem in the GUI. We had to scroll through what seemed like several pages of policies to find the one we were looking for.
Although Policy Commander does have a way to order the presentation of policies based on name or the environment to which the policy applies, we would prefer to be able to force the most commonly used policies to the top of the list. This was especially true after we took a stab at creating custom policies. Eventually, we named all our policies with a prefix of "eWEEK" so that they would sort together in the list, a reasonable but not graceful workaround.
We got detailed reports when the agent detected unallowed actions. New Boundary officials suggest that policies be started off in a "no action" mode so that IT staffers get used to the kinds of changes users are making. After a suitable test period, the length of which will vary depending on the organization, policies should be changed to "enforce" mode.
Indeed, when deciding which security policy product to go with, IT managers first should consider the configuration management tools already in place. Policy Commander competes with products including Altiris Inc.'s SecurityExpressions (part of Altiris' acquisition of Pedestal Software Inc.).