
Microsoft Employees May Lose Admin Rights (502 comments)

daria42 writes "As Microsoft moves its internal desktop systems to Windows Vista, the company is contemplating whether to change a long running tradition and take away admin rights from its employees in order to improve security." From the article: "'We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control -- that is the feature in Vista -- so that we can start moving in that direction ... It is a tough balance and every company has to decide what is right for them,' said Estberg. However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees."

  • Only makes sense... (Score:3, Interesting)

    by TripMaster Monkey ( 862126 ) * on Tuesday May 23, 2006 @10:44AM (#15386969)


    From TFA:
    Currently, the majority of Microsoft's employees enjoy full admin rights on their desktop PCs, which is an unusual practice in the enterprise space as it makes possible for users to install unauthorised software and introduce unwanted pests -- such as spyware.
    No wonder:
    • There's so many poorly designed apps out there that demand admin rights to run, even though they don't actually need that level of access,
        - and -
    • Windows itself handles rights failures so poorly (erroring out or worse, instead of just providing a prompt for the user to enter admin credentials).

    Maybe if M$ developers were forced to run as non-privileged users once in a while, they'd realize that there's a lot of problems with trying to get through the day on a non-admin account. With any luck, this will spur them to design a better way of handling applications that fail due to insufficient privileges, as well as get tough on application developers who sloppily code their apps to demand admin rights.

    Again from TFA:
    According to Estberg, Microsoft's employees provide an excellent test-bed for the company's products and by providing honest feedback, they also have an opportunity to influence future products.
    I'd hardly call an environment where users have full admin rights to their systems an adequate test-bed.

    Once more from TFA:
    "We are not smarter than any other enterprise in terms of knowing how to address security. We are in the same boat as everyone else," he [Estberg] added.
    Saying that Microsoft is 'not smarter than any other enterprise in terms of knowing how to address security', while technically true, is deeply misleading. Any company that purports to "eat its own dog food", but performs their testing with full admin rights to the box clearly has a dangerous lack of understanding of security...a lack that we all pay the price for every day.
  • Let's hope they do (Score:5, Interesting)

    by creepynut ( 933825 ) * <teddy(slashdot) AT teddybrown DOT ca> on Tuesday May 23, 2006 @10:46AM (#15386986) Homepage
    Who better to test and actually use the "User Access Control" than Microsoft's own employees?

    Clearly, they weren't "trying out" the Limited User accounts when Windows XP was in its infancy. Otherwise, it might actually be useful to us today.
  • Better still (Score:2, Interesting)

    by fishdan ( 569872 ) on Tuesday May 23, 2006 @10:48AM (#15387000) Homepage Journal
    would be if they'd remove admin rights from friggin Outlook
  • by Anonymous Coward on Tuesday May 23, 2006 @10:54AM (#15387045)
    Saying that Microsoft is 'not smarter than any other enterprise in terms of knowing how to address security', while technically true, is deeply misleading. Any company that purports to "eat its own dog food", but performs their testing with full admin rights to the box clearly has a dangerous lack of understanding of security...a lack that we all pay the price for every day.

    Compare and contrast this approach with Sun. Employees in Sun are all equipped with Javacards which they can insert into a Sun Ray appliance anywhere on the Sun network. AFAIK, only the staff responsible for administering their Sun Ray network have sysadmin credentials within the environment: all other users get a set of applications which are deployed to the user, with no ability to install anything else. And it works - a user can walk out of an office in GB, fly to the USA and plug in their Javacard, resuming their session exactly where it was.

    The similarity with Microsoft is that the employees had to cope with some pretty dreadful software a few years ago. Disgruntled colleagues are always a rather special spur to developers, and the Sun Ray technology is now tip top. Perhaps the same will happen to Microsoft ...
  • Would this mean... (Score:5, Interesting)

    by zappepcs ( 820751 ) on Tuesday May 23, 2006 @10:58AM (#15387065) Journal
    Would this mean that if they switch MS employees to Vista with only user rights, that Vista would be delayed yet another couple of years while they work out the bugs? If it doesn't work for MS employees, it can't possibly work well for anyone else. Surely, they have to make sure it works since it's part of securing the system. Right?
  • by cyfer2000 ( 548592 ) on Tuesday May 23, 2006 @11:01AM (#15387092) Journal
    They will need to go to the administrators...Aha! No more firefox and opera from M$ campus.
  • by swanriversean ( 928620 ) on Tuesday May 23, 2006 @11:05AM (#15387122)
    If Microsoft can't implement this for their own employees, any CTO looking at Vista would be foolish to think that he could in his company.

    Others have given the example of XP, and so true.

    If you have to manage Vista the same way you manage XP, that is one less reason to upgrade, and another reason to look at alternatives.

    Look at Novell with their internal deployment of Suse. They've had to suffer for a while, but slowly they are starting to show it can be done, and have gained a bunch of knowledge doing so. Novell customers may actually believe them when they suggest they can deploy Suse for some systems instead of Windows. Who believes you can run Windows without administrative rights?
  • My company does. (Score:3, Interesting)

    by FatSean ( 18753 ) on Tuesday May 23, 2006 @11:21AM (#15387253) Homepage Journal
    They support a few more than 100,000 desktops :)

    They make Slashdot every now and then too.

  • by vought ( 160908 ) on Tuesday May 23, 2006 @11:21AM (#15387254)
    I don't know of a large company that still lets most employees install software, have admin rights, or do anything like that. The desktop PC has to be locked down if you want to manage 100000 desktops on a modern IT budget.

    You forgot about Apple. You know - the little company that makes iPods.

    Over 10,000 employees, each with admin rights. No viruses, no malware, no screwed up OS that lets any process run with global read/write privileges...no kidding.

    The only difference is that they don't run Windows on those desktops.
  • Re:Personal Computer? (Score:3, Interesting)

    by mattpalmer1086 ( 707360 ) on Tuesday May 23, 2006 @11:34AM (#15387352)
    I agree that personal computing enabled everyone to benefit from cheap, ubiquitous computing power, which the mainframes of the day couldn't provide.

    Of course, this was back before anyone realised total cost of ownership was far greater than the purchase price of the machine. And viruses and worms hadn't been invented, and you needed to be a guru to change the machine configuration, and they only ran a single application at one time, and we weren't connected to a vast global network filled with script kiddies and criminal hackers.

    We aren't really going back to a central processing model. We are trying to regain some of the management and security benefits the old central processing model had by default and that general purpose networked personal computers can only acquire with a lot of hard work.

    Frankly, for what most people use their PCs for at work, and given the ubiquitous network, it would be far cheaper for many enterprises to run thin client diskless workstations and actually return to a central processing model, if we hadn't already bought so heavily into the current model.
  • by sgant ( 178166 ) on Tuesday May 23, 2006 @11:46AM (#15387458) Homepage Journal
    I used to work nights as a Photoshop guy at a color pre-press shop in the burbs of Chicago. They had an SGI server running IRIX and the people that ran it were two guys that knew a little about computers. One used to be in the sales department, and the other guy's dad got him his job there straight out of high school. Neither one had any formal training in IT or even a basic computer course...let alone Unix security. To be fair, I wasn't a computer expert either, but I read a lot and knew a few things...but hardly an IT professional.

    Anyway, when I first started there, I offered my help at night since they weren't there and sometimes it got slow in my department. They declined with an attitude of like "pfft....yeah, we're fine guy, just go away". So I did, and I didn't want to ruffle any feathers as I had just started there. But what I DID notice is that everything they did on the server they did in root mode. All the terminals were in root, all the back-ups they did were in root and even just normal maintenance was all done with root! Now, I thought that was basic 101 computer security and SAFETY not to do everything in root. Plus, none of the terminals were locked away in a room...anyone could walk up to any terminal and just start typing away, from the CEO to the janitor. I pointed out this very basic breach of security and again got the attitude of "we know what we're doing, go back to Photoshop"...so I did and kept my mouth shut.

    Well, to make a long story longer, they had the whole system hacked into, a guy set up a spam-bot network using their equipment and T1 line....but did they lose their jobs? No, not at all...they actually got promoted later on, but it was pretty funny at the time.
  • by vought ( 160908 ) on Tuesday May 23, 2006 @12:04PM (#15387625)
    .. which makes you wonder why no other large company uses macs?


    Well, it isn't the support costs. When I worked there, IS&T was located in (should I say?) a place where grapes grow, many miles from Cupertino - and they didn't do normal help desk work. That was for ATCs - regular Apple employees trained to do help desk-type stuff. In AppleCare, we had one for about every 30-40 people, and the arrangement worked quite well.

    More interesting than anything else would be a support cost per employee breakdown between Apple and another computer company - say, Dell - excluding headcount from the support organization to normalize things a bit.
