Microsoft Employees May Lose Admin Rights 502
daria42 writes "As Microsoft moves its internal desktop systems to Windows Vista, the company is contemplating whether to change a long running tradition and take away admin rights from its employees in order to improve security." From the article: "'We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control -- that is the feature in Vista -- so that we can start moving in that direction ... It is a tough balance and every company has to decide what is right for them,' said Estberg. However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees."
Only makes sense... (Score:3, Interesting)
From TFA: No wonder:
- and -
Mabye if M$ developers were forced to run as non-privileged users once in a while, they'd realize that there's a lot of problems with trying to get through the day on a non-admin account. With any luck, this will spur them to design a better way of handling applications that fail due to insufficient privileges, as well as get tough on application developers who sloppily code their apps to demand admin rights.
Again from TFA: I'd hardly call an environment where users have full admin rights to their systems an adequate test-bed.
Once more from TFA: Saying that Microsoft is 'not smarter than any other enterprise in terms of knowing how to address security', while technically true, is deeply misleading. Any company that purports to "eat its own dog food", but performs their testing with full admin rights to the box clearly has a dangerous lack of understanding of security...a lack that we all pay the price for every day.
Let's hope they do (Score:5, Interesting)
Clearly, they weren't "trying out" the Limited User accounts when Windows XP was in its infancy. Otherwise, it might actually be useful to us today.
Better still (Score:2, Interesting)
Contrast this with Sun (Score:2, Interesting)
Compare and contrast this approach with Sun. Employees in Sun are all equiped with Javacards which they can insert into a Sun Ray appliance anywhere on the Sun network. AFAIK, only the staff responsible for administering their Sun Ray network have sysadmin credentials within the environment: all other users get a set of applications which are deployed to the user, with no ability to install anything else. And it works - a user can walk out of an office in GB, fly to the USA and plug in their Javacard, resuming their session exactly where it was.
The similarity with Microsoft is that the employees had to cope with some pretty dreadful software a few years ago. Disgruntled colleagues are always a rather special spur to developers, and the Sun Ray technology is now tip top. Perhaps the same will happen to Microsoft
Would this mean... (Score:5, Interesting)
If they want to installed firefox or opera... (Score:3, Interesting)
If they don't, who can (Score:3, Interesting)
Others have given the example of XP, and so true.
If you have to manage Vista the same way you manage XP, that is one less reason to upgrade, and another reason to look at alternatives.
Look at Novell with their internal deployment of Suse. They've had to suffer for a while, but slowly they are starting to show it can be done, and have gained a bunch of knowledge doing so. Novell customers may actually believe them when they suggest they can deploy Suse for some systems instead of Windows. Who believes you can run Windows without adminstrative rights?
My company does. (Score:3, Interesting)
They make Slashdot every now and then too.
Re:"Unusual practice" ... wtf. (Score:5, Interesting)
You forgot about Apple. You know - the little company that makes iPods.
Over 10,000 employees, each with admin rights. No viruses, no malware, no screwed up OS that lets any process run with global read/write priviedges...no kidding.
The only difference is that they don't run Windows on those desktops.
Re:Personal Compter? (Score:3, Interesting)
Of course, this was back before anyone realised total cost of ownership was far greater than the purchase price of the machine. And viruses and worms hadn't been invented, and you needed to be a guru to change the machine configuration, and they only ran a single application at one time, and we weren't connected to a vast global network filled with script kiddies and criminal hackers.
We aren't really going back to a central processing model. We are trying to regain some of the management and security benefits the old central processing model had by default and that general purpose networked personal computers can only acquire with a lot of hard work.
Frankly, for what most people use their PCs for at work, and given the ubiquitous network, it would be far cheaper for many enterprises to run thin client diskless workstations and actually return to a central processing model, if we hadn't already bought so heavily into the current model.
Reminds me of where I used to work (Score:3, Interesting)
Anyway, when I first started there, I offered my help at night since they weren't there and sometimes it got slow in my department. They declined with an attitude of like "pfft....yeah, we're fine guy, just go away". So I did, and I didn't want to ruffle any feathers as I had just started there. But what I DID notice is that everything they did on the server they did in root mode. All the terminals were in root, all the back-ups they did were in root and even just normal maintenance was all done with root! Now, I thought that was basic 101 computer security and SAFETY not to do everything in root. Plus, none of the terminals were locked away in a room...anyone could walk up to any terminal and just start typing away, from the CEO to the janitor. I pointed out this very basic breach of security and again got the attitude of "we know what we're doing, go back to Photoshop"...so I did and kept my mouth shut.
Well, to make a long story longer, they had the whole system hacked into, a guy set up a spam-bot network using their equipment and T1 line....but did they lose their jobs? No, not at all...they actually got promoted later on, but it was pretty funny at the time.
Re:"Unusual practice" ... wtf. (Score:4, Interesting)
Well, it isn't the support costs. When I worked there, IS&T was located in (should I say?) a place where grapes grow, many miles from Cupertino - and they didn't do normal help desk work. That was for ATCs - regular Apple employees trained to do help desk-type stuff. In AppleCare, we had one for about every 30-40 people, and the arrangement worked quite well.
More interesting than anything else would be a support cost per employee breakdown between Apple and another computer company - say, Dell - excluding headcount from the support organization to normalize things a bit.