
Microsoft Employees May Lose Admin Rights

Zonk posted more than 7 years ago | from the root-to-moot dept.

daria42 writes "As Microsoft moves its internal desktop systems to Windows Vista, the company is contemplating whether to change a long running tradition and take away admin rights from its employees in order to improve security." From the article: "'We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control -- that is the feature in Vista -- so that we can start moving in that direction ... It is a tough balance and every company has to decide what is right for them,' said Estberg. However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees."

502 comments

It'll turn out just fine (4, Funny)

PrescriptionWarning (932687) | more than 7 years ago | (#15386966)

they'll probably just install linux instead :-O

Re:It'll turn out just fine (2, Informative)

tehcyder (746570) | more than 7 years ago | (#15387035)

No, they want real security, so the choice should be BSD.

>> Runs for cover

Actually (-1)

argoff (142580) | more than 7 years ago | (#15387353)

they'll probably just install linux instead :-O

Actually, I wouldn't be surprised if that is what's driving this. They need to lock down their boxes to make sure that their employees don't discover the utility of free software (like Firefox). How in the world will they convince customers to use IE when they can't even convince their own employees? How in the world will they be able to expect big brother corporate overlords to impose Microsoft drm^H^H^H "solutions" on every box, when they can't even control boxes on their own network? In the end we should learn a lesson from this. Just as proprietary software requires an environment of coercion and control to survive internally, it is also required to survive in society at large as well.

Re:It'll turn out just fine (1, Funny)

Anonymous Coward | more than 7 years ago | (#15387365)

And imagine the savings in licensing costs!

Only makes sense... (3, Interesting)

TripMaster Monkey (862126) | more than 7 years ago | (#15386969)



From TFA:
Currently, the majority of Microsoft's employees enjoy full admin rights on their desktop PCs, which is an unusual practice in the enterprise space as it makes possible for users to install unauthorised software and introduce unwanted pests -- such as spyware.
No wonder:
  • There's so many poorly designed apps out there that demand admin rights to run, even though they don't actually need that level of access,
      - and -
  • Windows itself handles rights failures so poorly (erroring out or worse, instead of just providing a prompt for the user to enter admin credentials).

Maybe if M$ developers were forced to run as non-privileged users once in a while, they'd realize that there's a lot of problems with trying to get through the day on a non-admin account. With any luck, this will spur them to design a better way of handling applications that fail due to insufficient privileges, as well as get tough on application developers who sloppily code their apps to demand admin rights.

Again from TFA:
According to Estberg, Microsoft's employees provide an excellent test-bed for the company's products and by providing honest feedback, they also have an opportunity to influence future products.
I'd hardly call an environment where users have full admin rights to their systems an adequate test-bed.

Once more from TFA:
"We are not smarter than any other enterprise in terms of knowing how to address security. We are in the same boat as everyone else," he [Estberg] added.
Saying that Microsoft is 'not smarter than any other enterprise in terms of knowing how to address security', while technically true, is deeply misleading. Any company that purports to "eat its own dog food", but performs their testing with full admin rights to the box clearly has a dangerous lack of understanding of security...a lack that we all pay the price for every day.

"Unusual practice" ... wtf. (4, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#15387008)

Currently, the majority of Microsoft's employees enjoy full admin rights on their desktop PCs, which is an unusual practice in the enterprise space ...

An unusual practice? Where? Most places I know have their users running as admin, because there is still software around that won't function properly if it's not run that way.

If Microsoft forces its employees to run as non-admin users, I think it's a good thing, because maybe it will lessen the amount of crap software that's designed with the assumption that it's going to be run that way.

Unfortunately, that doesn't help the situation with the tons of legacy apps that assume this, and it only takes one important legacy app in a corporate environment to hose the entire security model of non-admin users.

Re:"Unusual practice" ... wtf. (4, Insightful)

lgw (121541) | more than 7 years ago | (#15387081)

I don't know of a large company that still lets most employees install software, have admin rights, or do anything like that. The desktop PC has to be locked down if you want to manage 100000 desktops on a modern IT budget.

It would be wonderful if Microsoft did this! The result would be that, at least for Microsoft software, the developers would be forced to care whether their software ran without admin rights.

Re:"Unusual practice" ... wtf. (3, Informative)

Anonymous Coward | more than 7 years ago | (#15387115)

I work for Intel. Because XP is a piece of crap, all Intel employees have administrative rights on their own desktops. It's the only way to make way too much software work. If they took away my local administrative rights at least three applications I depend on for my job would stop working properly.

Re:"Unusual practice" ... wtf. (1, Informative)

msh104 (620136) | more than 7 years ago | (#15387143)

I worked at "stork worksphere" in the Netherlands, which is really a big company, and all have admin access to their local PC.

Re:"Unusual practice" ... wtf. (1, Informative)

Anonymous Coward | more than 7 years ago | (#15387177)

Symantec. Ditto what the above say, admin for everyone. Though they do at least use GPOs that make it difficult to fiddle around with the SAV and SNS stuff. Not like a local admin can't get around a GPO, but anyone with that level of skill is probably okay as an admin anyway.

Re:"Unusual practice" ... wtf. (1)

ergo98 (9391) | more than 7 years ago | (#15387315)

Symantec. Ditto what the above say, admin for everyone.

While the GP didn't specifically state it, presumably they were excluding technology companies. Among normal companies where computers and software are tools for achieving some other goal, it is extremely rare to have admin rights. I'm talking about banks, telecommunications companies, etc. For these firms you either have to use special management software to install software, or you have to request that IT come out and do it.

Very painful when you're in a software development group at said corporations.

Re:"Unusual practice" ... wtf. (1)

Burlap (615181) | more than 7 years ago | (#15387234)

same here, my current company has everyone with admin rights and we have close to 50,000 employees world wide.

Re:"Unusual practice" ... wtf. (1)

lucky130 (267588) | more than 7 years ago | (#15387241)

There are still many large companies that allow their users admin rights. My guess is that their IT staff doesn't want/can't afford to take the time to sit down and work out all of the necessary permissions on files, folders, and registry keys needed to run certain programs. OR, they've found the 'run as...' command an unsatisfactory substitute for sudo or su.

My company does. (2, Interesting)

FatSean (18753) | more than 7 years ago | (#15387253)

They support a few more than 100,000 desktops :)

They make Slashdot every now and then too.

Re:"Unusual practice" ... wtf. (4, Interesting)

vought (160908) | more than 7 years ago | (#15387254)

I don't know of a large company that still lets most employees install software, have admin rights, or do anything like that. The desktop PC has to be locked down if you want to manage 100000 desktops on a modern IT budget.

You forgot about Apple. You know - the little company that makes iPods.

Over 10,000 employees, each with admin rights. No viruses, no malware, no screwed up OS that lets any process run with global read/write privileges...no kidding.

The only difference is that they don't run Windows on those desktops.

Re:"Unusual practice" ... wtf. (1)

leuk_he (194174) | more than 7 years ago | (#15387127)


An unusual practice? Where? Most places I know have their users running as admin, because there is still software around that won't function properly if it's not run that way.


Almost every company I worked for (as contracted) and work with NT4 or higher.

As a developer I always hate the day I get a new PC. It is very hard to install Oracle without admin rights. It is also very hard to let the normal IT drones make an Oracle installation (I am not talking about the default client). It only takes 2 or 3 days to convince for local admin rights.

Re:"Unusual practice" ... wtf. (1)

archen (447353) | more than 7 years ago | (#15387212)

... there is still software around that won't function properly if it's not run that way. ... maybe it will lessen the amount of crap software that's designed with the assumption that it's going to be run that way.

That sort of contradicts itself. Whether MS runs as admin or not has absolutely nothing to do with third party developers requiring their software to do so? Is MS going to tell third party developers not to write registry keys in HKLM (for regular usage)? If developers do it NOW it's because they're freaking lazy or idiots, and that isn't going to change. One piece of software I was told by a vendor required Administrator privileges to run. Turns out it didn't, it just wrote temp files to %windir%/temp instead of a more logical place like whatever %temp% happened to be - stupidity like that has little to do with what MS dictates.

And as you say the legacy is going to be a big hold up anyway, so I doubt anyone will listen to MS telling people to not use old apps - especially if some of them are proprietary apps with no upgrade solutions.

Re:"Unusual practice" ... wtf. (2, Insightful)

lucky130 (267588) | more than 7 years ago | (#15387267)

And you still run into those programs that don't seem to understand the concept of environment variables or the fact that you don't really need to use the registry in many situations.

Re:"Unusual practice" ... wtf. (2, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#15387344)

That sort of contradicts itself. Whether MS runs as admin or not has absolutely nothing to do with third party developers requiring their software to do so?

Actually, it does. MS makes userland software as well. Major applications they develop do not run, or run properly (or at all) as a regular user. Now developers may consider making their software work for normal users, but if MS does not, why should they bother? Obviously no one is going to run as a non-admin anyway, since the built-in software doesn't work. MS sets the standard for their own OS. They also write the most common dev tools for their OS, which determines how easy it is to make applications work for non-admin users. If it takes extra work due to the APIs and dev tools, enough extra work that MS does not bother, then it will be enough extra work for third-party developers as well.

And as you say the legacy is going to be a big hold up anyway, so I doubt anyone will listen to MS telling people to not use old apps - especially if some of them are proprietary apps with no upgrade solutions.

MS bought Connectix. With half a clue, Vista would run a VM environment for all apps, both old and new and this would not be an issue at all. The rest of the industry is already moving that way.

Stop perpetuating the myth ... (0, Troll)

hal9000(jr) (316943) | more than 7 years ago | (#15387039)

There's so many poorly designed apps out there that demand admin rights to run, even though they don't actually need that level of access,

Unless you have actually tried to configure a ton of apps, you have no authority to make this claim. This was true with NT because it was a fundamentally new OS, but with Windows 2000 and beyond, only the lamest of developers (ie not serving the enterprise space) would distribute an app that requires admin rights to *run*. Installs need admin rights, because of where they write files and keys, but not to run.

Re:Stop perpetuating the myth ... (0, Troll)

TripMaster Monkey (862126) | more than 7 years ago | (#15387137)


Unless you have actually tried to configure a ton of apps, you have no authority to make this claim.

I actually have, and I do have the authority, thanks.

Here's a partial list of programs that require admin rights to run (not merely install):
  • Kodak Share software
  • Autocad
  • Any serial port emulation program
  • PowerDVD
  • Oracle
  • Windows Media Player
  • etc.

For a detailed discussion of this issue, you might want to look here [slashdot.org] and here [slashdot.org].

The issue is more widespread than you think.

Re:Stop perpetuating the myth ... (3, Insightful)

jacksonj04 (800021) | more than 7 years ago | (#15387162)

Windows Media Player 11 *doesn't* need admin rights, hopefully in preparation for Vista.

At least one application has got the idea, even if it is from the company behind the OS.

Re:Stop perpetuating the myth ... (3, Informative)

lucky130 (267588) | more than 7 years ago | (#15387191)

Just so you know, not all of these programs need admin rights to run; they need certain privs on certain folders (usually either write or modify to their program directory).

Re:Stop perpetuating the myth ... (3, Informative)

colganc (581174) | more than 7 years ago | (#15387194)

Are you sure on Windows Media Player? I'm able to run it at work without admin rights. I can rip MP3's with it as well.

Re:Stop perpetuating the myth ... (1)

dogmatixpsych (786818) | more than 7 years ago | (#15387308)

Yeah, I was about to post a similar thing. I've run WMP perfectly fine without admin rights; then again, it was version 8 or something like that.

Re:Stop perpetuating the myth ... (3, Insightful)

debest (471937) | more than 7 years ago | (#15387336)

Here's a partial list of programs that require admin rights to run (not merely install): ........

        PowerDVD


Can't attest to any of the other examples you listed (I don't use WMP, and haven't installed any of the others), but I can attest that I use PowerDVD on my limited-privileges account just fine, thank you.

Contrast this with Sun (2, Interesting)

Anonymous Coward | more than 7 years ago | (#15387045)

Saying that Microsoft is 'not smarter than any other enterprise in terms of knowing how to address security', while technically true, is deeply misleading. Any company that purports to "eat its own dog food", but performs their testing with full admin rights to the box clearly has a dangerous lack of understanding of security...a lack that we all pay the price for every day.

Compare and contrast this approach with Sun. Employees in Sun are all equipped with Javacards which they can insert into a Sun Ray appliance anywhere on the Sun network. AFAIK, only the staff responsible for administering their Sun Ray network have sysadmin credentials within the environment: all other users get a set of applications which are deployed to the user, with no ability to install anything else. And it works - a user can walk out of an office in GB, fly to the USA and plug in their Javacard, resuming their session exactly where it was.

The similarity with Microsoft is that the employees had to cope with some pretty dreadful software a few years ago. Disgruntled colleagues are always a rather special spur to developers, and the Sun Ray technology is now tip top. Perhaps the same will happen to Microsoft ...

Re:Only makes sense... (0)

Anonymous Coward | more than 7 years ago | (#15387071)

Exactly! This reminds me of the guy who sits there saying, "Oh yeah, it works perfectly. I tested it myself." Meanwhile, it's clear he didn't even try to test it, since it doesn't even start properly.

Re:Only makes sense... (0, Flamebait)

grazzy (56382) | more than 7 years ago | (#15387186)

+1 Un-insightful.
+1 Troll
+1 Flamebait
+1 Lame
+1 Stupid

That'd be 0. Too bad I don't have modpoints.

Justice, (1, Funny)

linzeal (197905) | more than 7 years ago | (#15386975)

Now maybe Media Player will work properly on non-admin machines, or do they all use winamp?

Re:Justice, (0)

Anonymous Coward | more than 7 years ago | (#15387017)

Winamp requires Admin privileges unless you install the multi-user plugin [rosenkeller.org]

Re:Justice, (1)

belg4mit (152620) | more than 7 years ago | (#15387091)

Multi-user plugin is part of the core now (since 5.2), but you have to select the right option when prompted (my clueless admin thought that shared meant full control). Even then, it's still "usable", but changes to preferences are lost.

Let's hope they do (5, Interesting)

creepynut (933825) | more than 7 years ago | (#15386986)

Who better to test and actually use the "User Access Control" than Microsoft's own employees?

Clearly, they weren't "trying out" the Limited User accounts when Windows XP was in its infancy. Otherwise, it might actually be useful to us today.

Eat your own dog food (5, Insightful)

mwvdlee (775178) | more than 7 years ago | (#15386993)

"Eat your own dog food".

If Microsoft's access rights model isn't good enough for their own purposes, it isn't good enough for the rest of the world either.

If they were truly confident that it works as they claim it does, they should have had their employees in a more secure and restricted environment years ago.

Re:Eat your own dog food (0, Redundant)

Webz (210489) | more than 7 years ago | (#15387033)

Amen Brother!! I was just about to post that very phrase! Eat your own dog food.

I don't know why people bother releasing products they themselves won't use... In almost all cases, the inventors/producers should be the champions of their own products.

Mod parent up!

Re:Eat your own dog food (3, Insightful)

Anonymous Coward | more than 7 years ago | (#15387073)

I hate to be the MS supporter here (and I rarely do), but Microsoft's permission model is just as powerful as UNIX's. It is just harder to learn. But not that much harder.

If people suddenly switched to UNIX machines we would still have the same problem. The problem isn't that the OS has an insecure permission model (neither UNIX nor Windows NT do), but that no one wants to implement it. For the type of people who use Windows boxes, this will always be a problem. They use Windows *because* they don't want to deal with the details of system administration. If they suddenly switched to UNIX they would still not want to deal with the details of system administration (which is one of the reasons that they don't).

Re:Eat your own dog food (1)

jandrese (485) | more than 7 years ago | (#15387171)

Most people on Unix machines already run as normal users. Granted, since a lot of them are home machines they're also admins, but they don't escalate their privileges unless they need to install software or do some sort of maintenance. In normal day-to-day work they're normal users.

If you're sharing a Unix machine with other people, then you're pretty much guaranteed to be running a user account.

You know why people do this on Unix? Because it works. You don't run into fiddly problems all of the time with software that refuses to run or crashes randomly unless you have admin access. You don't have to go through this annoying logout/login procedure to escalate your privileges. You can just run the one command you need as root and then return to your regular activities.

I have to agree with one of the above posters. Microsoft needs to force their employees to just use usermode on their machines and come up with better ways to do common actions that don't require you to log in as administrator, or at least come up with a Mac OSX like model where you get an onscreen password prompt when you run something like Windows Update, and make sure that password prompt only comes up when it absolutely has to.

Re:Eat your own dog food (1)

Andrewkov (140579) | more than 7 years ago | (#15387242)

UNIX was originally created as a multi-user OS, Windows evolved from DOS, which was a single user system. I think inertia played a large role in the current situation. But still, MS has taken *way* too long to get with the times. I'm actually shocked to hear MS allows all their users to have local admin rights, although it does explain a lot about the current state of Windows.

Re:Eat your own dog food (1)

Vicegrip (82853) | more than 7 years ago | (#15387175)

"Just as powerful" and "harder to learn" in the same sentence is an oxymoron. Windows Access Control Lists APIs are a nightmare to program with that is also badly documented (or was the last time I looked at it).

When you have two APIs that provide/achieve the same thing, the 'simpler' one is by far the most powerful.

Re:Eat your own dog food (0, Offtopic)

towsonu2003 (928663) | more than 7 years ago | (#15387211)

I hate to be the MS supporter here (and I rarely do), but Microsoft's permission model is just as powerful as UNIX's. It is just harder to learn. But not that much harder.
A bug in moderators? Did anyone file it yet?

Parent is funny not insightful.

Re:Eat your own dog food (1)

holden caufield (111364) | more than 7 years ago | (#15387080)

Agreed. Although, I don't think this will improve security directly, as much as it will improve their QA processes, which in turn makes more secure and stable products. Maybe now they'll discover you can't run WindowsUpdate on an XP Pro SP2 machine without admin privileges, and fix it!

Re:Eat your own dog food (2, Insightful)

XSforMe (446716) | more than 7 years ago | (#15387150)

"they'll discover you can't run WindowsUpdate on an XP Pro SP2 machine without admin privileges,"...

I differ, windowsupdate should not be run in user space, at least not in a default configuration under a corporate environment. In a corporate environment SUS should be used to push around patches.

Re:Eat your own dog food (0)

Anonymous Coward | more than 7 years ago | (#15387182)

Why do you expect to run Windows Update as a non-admin? All the update tools I've used under Linux require you to switch to root.

Anyways, I'd recommend checking out Vista to see how it handles things. Even admin users get prompted before doing anything that needs elevated permissions (logging in as an admin just means that you don't need a password to do those tasks). This prevents apps from doing things that you didn't realize they were doing to your system. Haven't tried it as a normal user yet, but I assume the experience is similar, but requiring an admin password to do the task.

The main result of this is that apps that require elevated permissions will annoy all users (admin or not), so hopefully developers would fix them.

Re:Eat your own dog food (0)

Anonymous Coward | more than 7 years ago | (#15387233)

The hotmail servers are still running Apache. They just changed the server signatures.

They can always run linux at home. (0)

Anonymous Coward | more than 7 years ago | (#15386994)

That should give 'em their "root" fix.

what need admin privs? (3, Insightful)

boxlight (928484) | more than 7 years ago | (#15386998)

I don't see why this is a big deal. Average desktop users should not have admin rights -- no?

boxlight

Re:what need admin privs? (0)

Anonymous Coward | more than 7 years ago | (#15387054)

If only many Windows apps considered themselves to be "average" apps admin rights wouldn't be necessary.

Re:what need admin privs? (1)

Burlap (615181) | more than 7 years ago | (#15387124)

they shouldn't... but they need em. an annoying amount of software needs admin rights to run, just try and run your average XP box in "limited user" mode and see what all breaks

Re:what need admin privs? (1)

Malc (1751) | more than 7 years ago | (#15387270)

I think one of the biggest problems is that a lot of software was originally designed and implemented for Win9x. It doesn't have a security model like Win NT, so developers wrote code obliviously writing to HKLM (or open keys for reading but request ALL_ACCESS) or C:\Program Files\xxx\.

Another big source of problems I've had to work around is that the code generated by MSVC 6 for COM DLLs requires admin rights for RegisterServer calls. Most of the code can be converted to use HKCU allowing limited users to register COM DLLs for themselves... except for one call that registers the Typelib. There is an option for registry redirection (Win2K and above??), but without looking at MSDN, I'm not sure if that can be done by a limited user.
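The failure patterns named in this thread (writes to HKLM, keys opened with ALL_ACCESS, files written under C:\Program Files or %windir%\temp) can be sorted out of an access trace mechanically. The following Python script is an added example, not part of any comment or of any Microsoft tool; it assumes a CSV trace with the column names of a Process Monitor export, and the process name, paths and category labels are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Constructed trace (not from the thread). Column names follow a Process
# Monitor CSV export; "legacyapp.exe" and its paths are hypothetical.
SAMPLE_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","legacyapp.exe","4120","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\LegacyApp","ACCESS DENIED","Desired Access: All Access"
"10:01:02","legacyapp.exe","4120","RegSetValue","HKLM\SOFTWARE\ExampleVendor\LegacyApp\LastUser","ACCESS DENIED","Type: REG_SZ"
"10:01:03","legacyapp.exe","4120","CreateFile","C:\Windows\Temp\la_0001.tmp","ACCESS DENIED","Desired Access: Generic Write"
"10:01:03","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:04","legacyapp.exe","4120","RegOpenKey","HKCU\Software\ExampleVendor\LegacyApp","SUCCESS","Desired Access: Read"
"10:01:04","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\help.chm","SUCCESS","Desired Access: Generic Read"
'''

REG_WRITE_OPS = {"RegCreateKey", "RegSetValue", "RegDeleteKey", "RegDeleteValue"}
HKLM_PREFIXES = ("HKLM\\", "HKEY_LOCAL_MACHINE\\")


def classify(row):
    """Return (category, suggested fix) for a denied access, else None."""
    if row["Result"].strip().upper() != "ACCESS DENIED":
        return None  # the limited user was allowed to do this
    op, detail = row["Operation"], row["Detail"]
    upath = row["Path"].upper()

    if upath.startswith(HKLM_PREFIXES):
        if op in REG_WRITE_OPS:
            return ("hklm-write", "store per-user settings under HKCU")
        if op == "RegOpenKey" and re.search(r"All Access|Write", detail, re.I):
            return ("over-broad-open",
                    "request read-only access if the key is only read")
        return ("hklm-other", "inspect manually")
    if re.match(r"[A-Z]:\\WINDOWS\\TEMP\\", upath):
        return ("system-temp", "use the per-user %TEMP% directory")
    if re.match(r"[A-Z]:\\PROGRAM FILES( \(X86\))?\\", upath):
        return ("program-dir-write",
                "write data under the user's profile (%APPDATA%)")
    return ("other", "inspect manually")


def audit(trace_text):
    """Parse the CSV trace and return one finding per denied access."""
    findings = []
    for row in csv.DictReader(io.StringIO(trace_text)):
        verdict = classify(row)
        if verdict:
            category, fix = verdict
            findings.append({
                "process": row["Process Name"],
                "operation": row["Operation"],
                "path": row["Path"],
                "category": category,
                "fix": fix,
            })
    return findings


def summarize(findings):
    """Count findings per category to show where the app needs rework."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    for f in audit(SAMPLE_TRACE):
        print(f"{f['category']:18} {f['operation']:12} {f['path']}")
        print(f"    -> {f['fix']}")
```

Each finding points at a change in the application or a narrow ACL grant on one key or folder, which is the alternative to granting the user local admin rights.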

Re:what need admin privs? (1)

Colonel Angus (752172) | more than 7 years ago | (#15387297)

Admin rights are required in order to spellcheck your Office documents (in older Office versions).

Admin rights are required to run LiveUpdate.

It may be fixed now, but I remember a year or so ago reading that MS's own Media Center software couldn't be run under a limited user account and if you tried to get all wily on it and launch it with Run As... you'd still have limited functionality.

It's just horrifically implemented.

Excellent Idea (5, Insightful)

Whatsisname (891214) | more than 7 years ago | (#15387006)

Yes, having the employees run as 'regular' users would be a terrific idea. All the problems that limited user accounts have now would be encountered by those with the most ability to fix them.

su got you a visit from security (5, Funny)

DrDitto (962751) | more than 7 years ago | (#15387011)

I used to work for a Fortune-50 company and we had Unix workstations for software development. The system was configured such that if you tried or accidentally entered "su", you got a visit from security within 5-10 minutes.

It happened to me when I mistakenly typed "su" instead of "du".

Re:su got you a visit from security (1)

Hoi Polloi (522990) | more than 7 years ago | (#15387111)

You must've had a lot of in-house support if they treated developers like that. That is, most of the environments I've worked in required having to do many tasks considered admin jobs and these required getting in as root (usually sudo'ing). Even for satellite control systems I was constantly going in as root for drive admin, installs, etc. It would've taken twice as long to do anything if I had to rely on getting a hold of a full-time admin, submit a request, wait for them to take care of it, get a confirmation, try it out, etc.

Re:su got you a visit from security (1)

jandrese (485) | more than 7 years ago | (#15387219)

I can just see the security guy now seeing "su -sk * | sort -n", and saying "Looks like DrDitto is trying to exploit su, better pull the shotgun out of storage."

Re:su got you a visit from security (0)

Anonymous Coward | more than 7 years ago | (#15387240)

cp /bin/su /tmp/.us

That is what we call "making a show of security" instead of actually having it. I bet they were deathly afraid that they'd type the top-seekrit password like "password" or "letmein" next and dispatched security before that could happen.

A really secure system would have MAC and a secure console. You just wouldn't get root unless you physically sat at that console. Yeah, kinda like Mission Impossible.

Re:su got you a visit from security (1)

dildo (250211) | more than 7 years ago | (#15387330)

At MIT we do something similar. The root password for the machines is known by everybody, but remote login on those machines is impossible. You can do a su command so you can do things like load CDs; all activities performed as root will be traceable to your account. I believe the su command has limitations; you can't really change any of the core configurations of the machine.

However, if you login as root, security folks come over in a couple of minutes. It sets off alarm bells.

Re:su got you a visit from security (1)

Gothmolly (148874) | more than 7 years ago | (#15387360)

That's stupid. There's perfectly acceptable reasons to use 'su'. And I work for $LARGE_US_BANK. I su from 1 user account to another all the time, depending on the task or application that's needed. And I'm not an admin.

I'd call this a good sign! (0, Redundant)

Opportunist (166417) | more than 7 years ago | (#15387014)

It hints that with Vista it should be possible to actually do some meaningful work without Admin privileges.

Won't fly (5, Insightful)

Utopia (149375) | more than 7 years ago | (#15387018)

With a huge percentage of the people being developers, these people need full control over their system.
I don't see how they can even implement this scheme.

Maybe they can take the admin rights from their managers' computers.

Re:Won't fly (0)

Anonymous Coward | more than 7 years ago | (#15387069)

Sufficient if they run the MakeMeAdmin Script if necessary to install software, but normally run unprivileged.
(http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx)

Re:Won't fly (2)

Utopia (149375) | more than 7 years ago | (#15387126)

(Replying to AC)

I develop software myself. I don't use MakeMeAdmin that you mention.
Instead I have successfully used Drop my rights [microsoft.com].

And I have zero infections in last 14 years of computer usage.
Although I have had lots of fun infecting Virtual Machines with various virii and malwares.


Re:Won't fly (2, Insightful)

arivanov (12034) | more than 7 years ago | (#15387102)

Not necessarily.

You may need admin rights to test and to package, but you should not need admin rights for 95%+ of the development cycle.

With the current crop of vmware and CPU based virtualization the necessity of having admin rights to your machine for 99% of the development cycle is no longer there.

Re:Won't fly (1)

Otter (3800) | more than 7 years ago | (#15387361)

You may need admin rights to test and to package, but you should not need admin rights for 95%+ of the development cycle.

I think this is less about "need" than "want" -- I was just bitching about not having access to change [Unix environment tweak] and having to go through a sysadmin for it, but it hardly rises to the level of "need".

Re:Won't fly (1)

CaptnMArk (9003) | more than 7 years ago | (#15387170)

Since when does 'cc' require root privileges?

Sure, testing installation would require it, but development? No.

I'm sure one can run a per-user web server for testing web apps.

NOT all developers (1)

stibrian (848620) | more than 7 years ago | (#15387172)

what's a "huge percentage"? when you consider the $hit that the marketdroids put on their machines, and the massive number of them that MS must have, this is a good testbed. The number of actual software devs in the MS org must be surprisingly low...

Re:Won't fly (0)

Anonymous Coward | more than 7 years ago | (#15387210)

That was my first thought too. However, I'm not really sure if MS has more developers than corporate, management, marketing, sales, QA, support etc folk. Even for lots of developers who are not working on OS and driver stuff non-admin may be good enough.

spyware addicted MS employees (2, Funny)

JonNoH (973783) | more than 7 years ago | (#15387023)

I wonder what made them think about it in the first place... too much Banzai Buddy?

Would this mean... (4, Interesting)

zappepcs (820751) | more than 7 years ago | (#15387065)

Would this mean that if they switch MS employees to Vista with only user rights, that Vista would be delayed yet another couple of years while they work out the bugs? If it doesn't work for MS employees, it can't possibly work well for anyone else. Surely, they have to make sure it works since it's part of securing the system. Right?

Who cares? (-1, Troll)

Tebriel (192168) | more than 7 years ago | (#15387078)

Why is this even newsworthy? Does this really matter to anyone not working at MS?

Re:Who cares? (4, Insightful)

Eideewt (603267) | more than 7 years ago | (#15387217)

It matters to anyone who was hoping for useful limited user accounts in Vista, because if they have to use them then there's a chance that they'll actually work.

If they want to install firefox or opera... (3, Interesting)

cyfer2000 (548592) | more than 7 years ago | (#15387092)

They will need to go to the administrators...Aha! No more firefox and opera from M$ campus.

Re:If they want to install firefox or opera... (1)

Dareth (47614) | more than 7 years ago | (#15387317)

Firefox and Opera can function quite nicely on plain user accounts under XP.

At least until I block ports 80/443 at the firewall and demand that they route thru the proxies.

IE + outlook + admin rights = disaster (1)

jonastullus (530101) | more than 7 years ago | (#15387094)

i can't believe that an enterprise like microsoft has gotten away with employees having admin rights all these years. how did they prevent all those worms, viruses and trojans from infecting their pcs? i assume that at microsoft people mainly use IE and outlook; and this in conjunction with admin rights all around should really spell disaster.

in a sense, it's nice for those working there because i've seen myself how limited one can get in certain situations without some non-standard rights, but from the IT department's point of view, ubiquitous amateur administrators are a real nightmare.

This Time Next Year (1)

SaidinUnleashed (797936) | more than 7 years ago | (#15387097)

I predict that by this time next year, we will be hearing that Microsoft has started using DeepFreeze or similar to "lock down their systems". =)

It's not like they could leave ....... (1)

chem girl (974031) | more than 7 years ago | (#15387104)

I doubt they could leave if they didn't like the new rules. I'm sure they had to sign a non-competition agreement so they can't work for another computer/software/network/blah/blah/blah company for the rest of their natural life. It will be interesting to see what comes of this.

Linux Users (4, Insightful)

omeomi (675045) | more than 7 years ago | (#15387116)

It's not uncommon for Linux users (even developers) to use user accounts, because it's very easy to su any administrator tasks. So, maybe Vista will fit this model better, and having developers using user accounts won't be all that ridiculous...

Do I understand this right? (1)

kindbud (90044) | more than 7 years ago | (#15387118)

Not only does Microsoft not restrict their own users to unprivileged accounts, but their Director of Internal Security has no qualms about stating that in an interview for the press?

Advertising soft-chewy insides is for candy companies, not computer security experts.

If they don't, who can (3, Interesting)

swanriversean (928620) | more than 7 years ago | (#15387122)

If Microsoft can't implement this for their own employees, any CTO looking at Vista would be foolish to think that he could in his company.

Others have given the example of XP, and so true.

If you have to manage Vista the same way you manage XP, that is one less reason to upgrade, and another reason to look at alternatives.

Look at Novell with their internal deployment of Suse. They've had to suffer for a while, but slowly they are starting to show it can be done, and have gained a bunch of knowledge doing so. Novell customers may actually believe them when they suggest they can deploy Suse for some systems instead of Windows. Who believes you can run Windows without administrative rights?

Give them average-sized monitors too, dammit! (5, Insightful)

Anonymous Coward | more than 7 years ago | (#15387153)

Hell, make them work in monitors the size the average office supplies -- 15" or 17" where I work.

I'm so damn tired of apps that open big windows needlessly in the middle of the screen (MSWord's 'find' for example) covering whatever it is you wanted to actually operate on -- because some programmer had a 29" monitor -- or two -- to work in and never thought about fitting stuff into a real user's working screen.

Open find. Drag stupid window off the text area. Find. Damn, window moved back to the middle. Lather, rinse, repeat.

Sure, the IT department could supply larger monitors. But those are commodities and they're saving their budget for bells and whistles to impress top management.

Personal Computer? (0)

Anonymous Coward | more than 7 years ago | (#15387164)

Is this going back to a central processing model? The whole reason we have personal computers is because it empowered the end user from the bureaucracy of the main frame. Now we're heading backwards, full steam ahead.

Re:Personal Computer? (3, Interesting)

mattpalmer1086 (707360) | more than 7 years ago | (#15387352)

I agree that personal computing enabled everyone to benefit from cheap, ubiquitous computing power, which the mainframes of the day couldn't provide.

Of course, this was back before anyone realised total cost of ownership was far greater than the purchase price of the machine. And viruses and worms hadn't been invented, and you needed to be a guru to change the machine configuration, and they only ran a single application at one time, and we weren't connected to a vast global network filled with script kiddies and criminal hackers.

We aren't really going back to a central processing model. We are trying to regain some of the management and security benefits the old central processing model had by default and that general purpose networked personal computers can only acquire with a lot of hard work.

Frankly, for what most people use their PCs for at work, and given the ubiquitous network, it would be far cheaper for many enterprises to run thin client diskless workstations and actually return to a central processing model, if we hadn't already bought so heavily into the current model.

Employees may be fungused, but not fungible (1)

Ancient_Hacker (751168) | more than 7 years ago | (#15387252)

Er, I hope MSoft has a bit more sense than that. An employee isn't all that generic. Your basic manager just might be able to run as an underprivileged user, but the maybe 30% of actual coders will have a hard time of it. Quite often system coders need lots of privilege, like to install dll's and drivers in %systemroot%, run kernel debuggers, mess with the registry etc....

Plus as others have noted, the Windows security "model", is less like Jessica Alba and more like Herman Munster. The choice has always been, do we delay the next release, or do we clean up all the security misfeatures, rough edges, questionable defaults? Ballmer always says "Ship it".

Re:Employees may be fungused, but not fungible (0)

Anonymous Coward | more than 7 years ago | (#15387356)

The assumption everyone seems to be making is that MS is only developers. That I doubt is true. I would bet a small percentage is. There are secretaries, doc writers, support people, middle managers, level 1 tech support, packagers, etc...

Lock down should be majority rule in that case. For 'small' teams no lock down works ok (not that it's best practice) but it works. For larger orgs consistency and privilege are the controls to a sane IT world. Perhaps instead of an 'admin' priv we need a 'developer' one?

Makes sense... (1)

Dtyst (790737) | more than 7 years ago | (#15387294)

I work for a very large multinational company (as an administrator but not handling employee user-rights). By default all (windows using) employees have user rights only. Everyone is allowed to apply for Local admin rights if they really need them (e.g. want to install special software not provided by help desk). I think this system works great as those that most likely do something stupid with their computer are the ones who don't care if they have full access or not. Those that apply for admin rights usually know something about the computers and how to handle them.

Ouch (2, Insightful)

suv4x4 (956391) | more than 7 years ago | (#15387299)

If Microsoft doesn't think Vista's user accounts are usable how did it end up as one of the top features of the whole product :P?

The actual fact they are thinking whether to use it or not makes me fill with doubt. And I really thought they had it right this time (honestly).

Nnngg! Management speak (1)

Nagasta Bagamba (954654) | more than 7 years ago | (#15387303)

We are so excited to be totally looking at how to go forward with this?

What about your filing technique? Is it unstoppable?

People use admin login on windows? (0)

Anonymous Coward | more than 7 years ago | (#15387312)

Who uses the admin login on windows and why do they still work here?

Virtual Machines can help here... (1)

RichardKaufmann (204326) | more than 7 years ago | (#15387314)

Virtual Machines (e.g. Xen) can allow companies to have strictly controlled (e.g. no admin rights) corporate work environments while allowing considerable freedom for developers and personal apps, files, etc.

Imagine a world where you would have a host OS which is a company-standard image. No admin/su rights for the user, no weird apps, no spyware, etc. Guest OS images are used for development and personal stuff:

* There can be a strictly controlled corporate standard OS image, app set, etc. Access to the corporate network (VPNs, direct ethernet, etc.) can be restricted to only allow connections to this OS instance.

* Development can be done in sandboxes that restrict the fallout from any damage. Network connections (and mounted disk images) can be restricted to a subset of the corporate network.

* Folks can install their own junkware on a guest OS image. This partition can be proxied out to the internet (no visibility to the intranet), allowing instant messaging, etc., without putting internal systems at risk. This image would only have access to a single disk partition (which wouldn't be visible to any other image), and would have essentially no access to internal corporate resources.

If done right, the corporate image would be automatically and securely connected to the corporate infrastructure even when connected to an unsecure network. The personal image would be connected to the internet, even when running on the corporate intranet, and development sandboxes would be further restricted to a development network.

All the stuff that's needed to make this work exists today. If Microsoft insisted its own staff worked within such constraints, it would be seamless for the rest of us as well.

It would be a hoot... (1)

i3spanky (191866) | more than 7 years ago | (#15387359)

...if MS ended up releasing a product that would only run properly with the right spyware programs installed.

MS still a PC company if they do this? (1)

Burz (138833) | more than 7 years ago | (#15387370)

PCs have always been about having a bit of computing power under the user's control, which can be molded to projects that the MIS team are too busy/sleepy/detached/uppity to implement on big iron. That is the heart of personal computing in the workplace, and it has much less to do with a specific OS's philosophy than with a workplace's need for flexibility and initiative.

So I question whether Microsoft can take admin rights away from their workers and still claim to be in the PC business.

oh well that needs remote admin as well (3, Insightful)

dindi (78034) | more than 7 years ago | (#15387373)

If in my college years, when I was working for different companies (as support/admin), they had that feature, I maybe wouldn't have become such a windows hater and concentrate only on unix-like systems.

But then again, it is not enough to take away the admin rights from users completely, you will need a decent way of remote administrating those damn machines.

Before people start trolling on me: yes, you can take away admin rights in 2000/XP (to a certain level) and there are remote tools......

Admin rights should completely go away, the user should not have right to install, modify, not even change the screensaver dammit. And not run programs at all, only from a secure pool of programs.

That includes "i-know-it-all" managers, who tend to fsck everything up, because they know it so-well they are playing in the registry, and deleting folders/etc ...

Now on the remote tool: the nightmare of a support/admin person is a multi-level building, where you keep going for all those machines, instead of ssh-ing into them and fixing/installing remotely ....

Not because they are easy, but they are computer people and not PR monkeys and are probably sick of interacting with all the workers of the companies, who probably do not wash their hands after peeing, and then you have to go and touch 100 keyboards in 100 rooms ....

Oh well ... just a flashback from my early years of computer support :) and I am not doing anything with customer machines anymore ..... but still, I feel it is a problem ...

Ohh, and that's why you have to wear the suit and not cargo pants and something that actually keeps you warm in the server room, or climbing on that roof yagi in the european winter to spot the balloons 5kms away on the rooftop with the compass and the binocular, to re-align the connection ....
