Configuring the security settings on Windows servers, desktops and notebooks is an overly complex chore. Ensuring that the users do not reset any of the settings just adds to the headache. Policy Commander automates this task using predetermined policies.
Without wishing to sound unkind, Policy Commander is the Windows security equivalent of the Dummy's Guide To series of books. This is because it requires very little technical skill – it is supplied with around 70 pre-scripted policies ready to be applied to unprepared machines.
The advantage of using the templates is that they have been tried and tested for the roles they serve. For example, with eight basic roles for Windows servers and the possibility that any one server may take on two roles at a time, determining the correct settings requires technical knowledge, and a script would have to be constructed and applied. With Policy Commander, this becomes a plug'n'go task.
Senior IT staff may look down on this simple version of policy management, but Microsoft is rolling out more servers to the lower end of the market where technical expertise is rare.
First, the system needs to be set up, which means every managed computer must have an agent installed. Only desktop and server OSs from Windows 2000 onwards are supported. The control system is based on a central Channel Server for policy management and a database server that stores data about the managed systems and the policies. The database can be Microsoft SQL Server or MSDE.
When the computer clients have been configured through the web browser interface, the next task is to keep them in compliance. This is done by polling the agents; any systems whose settings have changed are flagged. For unattended Policy Commander installations, an email can be sent to record this.
What happens next depends on the leniency of the settings. New Boundary recommends initially setting the system to take no action, to see whether users change settings. If they do, and there is a common factor, it could be worth investigating why. Once the administrator is happy with the settings, the level can be raised to "enforce", which will reset any modified computer.