Microsoft Employees May Lose Admin Rights

daria42 writes "As Microsoft moves its internal desktop systems to Windows Vista, the company is contemplating whether to change a long running tradition and take away admin rights from its employees in order to improve security." From the article: "'We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control -- that is the feature in Vista -- so that we can start moving in that direction ... It is a tough balance and every company has to decide what is right for them,' said Estberg. However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees."

It'll turn out just fine

[PrescriptionWarning]

they'll probably just install linux instead :-O

Justice,

[linzeal]

Now maybe Media Player will work properly on non-admin machines, or do they all use winamp?

su got you a vist from security

[DrDitto]

I used to work for a Fortune-50 company and we had Unix workstations for software development. The system was configured such that if you tried or accidently entered "su", you got a visit from security within 5-10 minutes.

It happened to me when I mistakenly typed "su" instead of "du".

spyware addicted MS employees

[JonNoH]

I wonder what made them think about it in the first place... too much Banzai Buddy?

Re:It'll turn out just fine

[clown_puncher]

http://www.knoppix.org/ [knoppix.org]

Re:su got you a vist from security

[limabone]

That su*(#@&(*@&#NO CARRIER

Firefox

[lolindrath]

How will they install Firefox then?

Re:It'll turn out just fine

[Anonymous Coward]

And imagine the savings in licensing costs!

Yep... that WILL improve security.

[Vo0k]

The employees instead of typing the admin password will actively look for holes to get the admin rights, spot them and eventually later patch them. Things like "cancel" button in Win98 login screen won't get overlooked :)

Re:It'll turn out just fine

[Impy the Impiuos Imp]

> I shared the hilarity with my hand-maiden, who

Leave Rosie outta this, nerd!

Re:"Unusual practice" ... wtf.

[arodland]

Think I'm exaggerating? Why do you think I don't have those jobs anymore?

Maybe it was because you're prone to exaggeration and it was interfering with your job performance ;)

Re:Reminds me of where I used to work

[haleyeah]

I got hired at a 'mom & pop' to be the general IT jack of all trades. They had a peer to peer network running with some wierd ip scheme some consultant setup. Of course I setup a file server as well as upgraded the PCs from win 98/95 to XP. I took away local machine admin rights. Well in a couple of days I got support calls from all the old ladies who worked there. Their webshots no longer worked plus they couldn't install those damn web games. I was able to hold out by throwing around some technobabble and scaring the boss about all those security risks on the internet. Well after a few weeks serious support calls dropped to nothing. After setting up a linux box to run mysql and developing some applications in VB to replace the myriad of excel files they use,I had run out of projects. Between boredom and the boss eyeing me everytime he passed my office, I enabled local admin rights again. Lets just say between cleaning spyware and adware I've been staying busy.

Re:"Unusual practice" ... wtf.

[monopole]

If Microsoft forces its employees to run as non-admin users... ...If only we could make stupidity more painful...

I suddenly felt a disturbance in the Force. It was as if thousands of non-admin users cried out at once and then suddenly rebooted...

Anything less would be hypocrisy

[seniorcoder]

Seeing as they have already denied many rights to non-Microsoft people, they were looking for another segment of humans to restrict. It seems they have found it.

Exactly!

[Jesus_666]

That's why we have instated a super-secure system. First of all, our su doesn't sit in /bin/su. Instead the file gets copied to a random place in the file system with a random filename at random intervals. Of course this is not logged, in order to improve security. Also, the only computer where it's possible to get root access at all (we use a special version of the Linux kernel that does not allow local users to become root and immediately detects any attempt to do so on all other computers) sits in an hermetically sealed room with three redundant sets of motion detectors that can only be disabled by the CEO, the CIO and our lawyer, respectively. A fourth set of motion detectors ensures that there is never more than one person in the room. The floor of the room is made up of 2x2" tiles, most of which are pressure sensitive and are not ever to be touched. The touchable tiles are dispersed in a semi-random pattern; the administrator has to know which ones are rigged, dancing a delicate ballet while passing the fifty meters between the door and the computer. Authorization itself requires the use of a special key, a keycard, two passphrases, a fingerprint, a tongue print, a retina scan, a blood sample, a sperm sample and a spoken passphrase, which is a tonguetwister in Frisian, spoken backwards. When in root mode the administrator has to press a key at least every five seconds but not faster than twice per second.

If at any point anything unusual is detected our sensitive corporate data is automatically protected from being compromised as C4 charges in the walls and floors are detonated, immediately annihilating the entire building and everything within ten meters of it.

Some say that our approach might be a bit too proactive, but =%&/(&%/%&$/"$?=(/)&%=/%/)+NO CARRIER

Re:Exactly!

[cgenman]

You kids and your unsecured computer systems.

At my company, the entire system is run by a benevolent AI known only as ALICE. If you visit any porn sites, ALICE will have you run out the building. If you start going to sites you normally don't, ALICE will get suspicious and have you run out the building. If you stop going to sites you normally do, or start getting some real work done, ALICE will get suspicious and have you run out the building.

If you want software installed, you have to ask her directly for it.

However, there is only one microphone terminal to access Alice. First you have to go into the basement vault, which is locked behind two keys which are 10 feet apart and have to be turned simultaneously. Thermal scanning ensures that only one person is in the room at any given time. Once you're through the door, you'll meet an old man by the name of Razael. Trust nothing this man tells you, but gain his confidence at all costs. After the swamp of misery, you'll find the server closet hidden in a disused lavatory. It's the disused lavatory with 5' thick reinforced steel and concrete walls. That's when the trouble starts.

There you will find an a NeXT cube and a Sparc station. Be warned, these are both cooled by Nitroglycerin, a highly volitile liquid explosive. You must synchronize the "keymaster" file on these two machines within 20 seconds using nothing more than an Appletalk network. Failure to succeed in this time frame will warm the Nitroglycerin enough to trigger a reaction that, when combined with the ball bearings and shards of glass stuffed in the machine, would be most unpleasant.

The keymaster file gets you as far as the login prompt on the mainframe. But if you want to talk to Alice you need the second layer password, that of the Lowest access User, or LUser. Only Razael knows that password. Once he has input it, immediately kill him. Don't worry, we have more. No, I'm not at liberty to explain that last sentence.

Be very careful with ALICE. She gets grumpy sometimes and is known to take things the wrong way. Once you have LUser access, just plug your microphone in and carefully ask ALICE for whatever it is that you need. You did bring a serial microphone with you, didn't you?

No? Oh dear, back to square one.