Microsoft Employees May Lose Admin Rights
daria42 writes "As Microsoft moves its internal desktop systems to Windows Vista, the company is contemplating whether to change a long running tradition and take away admin rights from its employees in order to improve security." From the article: "'We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control -- that is the feature in Vista -- so that we can start moving in that direction ... It is a tough balance and every company has to decide what is right for them,' said Estberg. However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees."
they'll probably just install linux instead :-O
From TFA: No wonder:
- and -
Maybe if M$ developers were forced to run as non-privileged users once in a while, they'd realize that there's a lot of problems with trying to get through the day on a non-admin account. With any luck, this will spur them to design a better way of handling applications that fail due to insufficient privileges, as well as get tough on application developers who sloppily code their apps to demand admin rights.
Again from TFA: I'd hardly call an environment where users have full admin rights to their systems an adequate test-bed.
Once more from TFA: Saying that Microsoft is 'not smarter than any other enterprise in terms of knowing how to address security', while technically true, is deeply misleading. Any company that purports to "eat its own dog food", but performs their testing with full admin rights to the box clearly has a dangerous lack of understanding of security...a lack that we all pay the price for every day.
____
~ |rip/\/\aster /\/\onkey
Now maybe Media Player will work properly on non-admin machines, or do they all use winamp?
An Education is the Font of All Liberty
Who better to test and actually use the "User Access Control" than Microsoft's own employees?
Clearly, they weren't "trying out" the Limited User accounts when Windows XP was in its infancy. Otherwise, it might actually be useful to us today.
"Eat your own dog food".
If Microsoft's access rights model isn't good enough for their own purposes, it isn't good enough for the rest of the world either.
If they were truly confident that it works as they claim it does, they should have had their employees in a more secure and restricted environment years ago.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
That should give 'em their "root" fix.
I don't see why this is a big deal. Average desktop users should not have admin rights -- no?
boxlight
would be if they'd remove admin rights from friggin Outlook
Nothing great was ever achieved without enthusiasm
Yes, having the employees run as 'regular' users would be a terrific idea. All the problems that limited user accounts have now would be encountered by those with the most ability to fix them.
Currently, the majority of Microsoft's employees enjoy full admin rights on their desktop PCs, which is an unusual practice in the enterprise space ...
An unusual practice? Where? Most places I know have their users running as admin, because there is still software around that won't function properly if it's not run that way.
If Microsoft forces its employees to run as non-admin users, I think it's a good thing, because maybe it will lessen the amount of crap software that's designed with the assumption that it's going to be run that way.
Unfortunately, that doesn't help the situation with the tons of legacy apps that assume this, and it only takes one important legacy app in a corporate environment to hose the entire security model of non-admin users.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
It happened to me when I mistakenly typed "su" instead of "du".
It hints that with Vista it should be possible to actually do some meaningful work without Admin privileges.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
With a huge percentage of the people being developers, these people need full control over their system.
I don't see how they can even implement this scheme.
Maybe they can take the admin rights from their managers' computers.
I wonder what made them think about it in the first place... too much Banzai Buddy?
"By the same logic, if he has no good reason for what he says, he is just making noise and we need pay him no attention.
There's so many poorly designed apps out there that demand admin rights to run, even though they don't actually need that level of access,
Unless you have actually tried to configure a ton of apps, you have no authority to make this claim. This was true with NT because it was a fundamentally new OS, but with Windows 2000 and beyond, only the lamest of developers (ie not serving the enterprise space) would distribute an app that requires admin rights to *run*. Installs need admin rights, because of where they write files and keys, but not to run.
Compare and contrast this approach with Sun. Employees in Sun are all equipped with Javacards which they can insert into a Sun Ray appliance anywhere on the Sun network. AFAIK, only the staff responsible for administering their Sun Ray network have sysadmin credentials within the environment: all other users get a set of applications which are deployed to the user, with no ability to install anything else. And it works - a user can walk out of an office in GB, fly to the USA and plug in their Javacard, resuming their session exactly where it was.
The similarity with Microsoft is that the employees had to cope with some pretty dreadful software a few years ago. Disgruntled colleagues are always a rather special spur to developers, and the Sun Ray technology is now tip top. Perhaps the same will happen to Microsoft.
Would this mean that if they switch MS employees to Vista with only user rights, that Vista would be delayed yet another couple of years while they work out the bugs? If it doesn't work for MS employees, it can't possibly work well for anyone else. Surely, they have to make sure it works since it's part of securing the system. Right?
Support NYCountryLawyer RIAA vs People
They will need to go to the administrators...Aha! No more firefox and opera from M$ campus.
There is a spark in every single flame bait point.
in a sense, it's nice for those working there because i've seen myself how limited one can get in certain situations without some non-standard rights, but from the IT department's point of view, ubiquitous amateur administrators are a real nightmare.
I predict that by this time next year, we will be hearing that Microsoft has started using DeepFreeze or similar to "lock down their systems". =)
Shiny. Let's be bad guys.
I doubt they could leave if they didn't like the new rules. I'm sure they had to sign a non-competition agreement so they can't work for another computer/software/network/blah/blah/blah company for the rest of their natural life. It will be interesting to see what comes of this.
It's not uncommon for Linux users (even developers) to use user accounts, because it's very easy to su any administrator tasks. So, maybe Vista will fit this model better, and having developers using user accounts won't be all that ridiculous...
ZuluPad, the wiki notepad on crack
Not only does Microsoft not restrict their own users to unprivileged accounts, but their Director of Internal Security has no qualms about stating that in an interview for the press?
Advertising soft-chewy insides is for candy companies, not computer security experts.
Edith Keeler Must Die
If Microsoft can't implement this for their own employees, any CTO looking at Vista would be foolish to think that he could in his company.
Others have given the example of XP, and so true.
If you have to manage Vista the same way you manage XP, that is one less reason to upgrade, and another reason to look at alternatives.
Look at Novell with their internal deployment of Suse. They've had to suffer for a while, but slowly they are starting to show it can be done, and have gained a bunch of knowledge doing so. Novell customers may actually believe them when they suggest they can deploy Suse for some systems instead of Windows. Who believes you can run Windows without administrative rights?
Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
Hell, make them work in monitors the size the average office supplies -- 15" or 17" where I work.
I'm so damn tired of apps that open big windows needlessly in the middle of the screen (MSWord's 'find' for example) covering whatever it is you wanted to actually operate on -- because some programmer had a 29" monitor -- or two -- to work in and never thought about fitting stuff into a real user's working screen.
Open find. Drag stupid window off the text area. Find. Damn, window moved back to the middle. Lather, rinse, repeat.
Sure, the IT department could supply larger monitors. But those are commodities and they're saving their budget for bells and whistles to impress top management.
Is this going back to a central processing model. The whole reason we have personal computers is because it empowered the end user from the bureaucracy of the main frame. Now we're heading backwards, full steam ahead.
what's a "huge percentage"? when you consider the $hit that the marketdroids put on their machines, and the massive number of them that MS must have, this is a good testbed. The number of actual software devs in the MS org must be surprisingly low...
It matters to anyone who was hoping for useful limited user accounts in Vista, because if they have to use them then there's a chance that they'll actually work.
Plus as others have noted, the Windows security "model", is less like Jessica Alba and more like Herman Munster. The choice has always been, do we delay the next release, or do we clean up all the security misfeatures, rough edges, questionable defaults? Ballmer always says "Ship it".
They support a few more than 100,000 desktops :)
They make Slashdot every now and then too.
Blar.
I work for a very large multinational company (as an administrator but not handling employee user-rights). By default all (windows using) employees have user rights only. Everyone is allowed to apply for Local admin rights if they really need them (e.g. want to install special software not provided by help desk). I think this system works great as those that most likely do something stupid with their computer are the ones who don't care if they have full access or not. Those that apply for admin rights usually know something about the computers and how to handle them.
If Microsoft doesn't think Vista's user accounts are usable how did it end up as one of the top features of the whole product :P?
The actual fact they are thinking whether to use it or not makes me fill with doubt. And I really thought they had it right this time (honestly).
We are so excited to be totally looking at how to go forward with this?
What about your filing technique? Is it unstoppable?
Who uses the admin login on windows and why do they still work here?
Virtual Machines (e.g. Xen) can allow companies to have strictly controlled (e.g. no admin rights) corporate work environments while allowing considerable freedom for developers and personal apps, files, etc.
Imagine a world where you would have a host OS which is a company-standard image. No admin/su rights for the user, no weird apps, no spyware, etc. Guest OS images are used for development and personal stuff:
* There can be a strictly controlled corporate standard OS image, app set, etc. Access to the corporate network (VPNs, direct ethernet, etc.) can be restricted to only allow connections to this OS instance.
* Development can be done in sandboxes that restrict the fallout from any damage. Network connections (and mounted disk images) can be restricted to a subset of the corporate network.
* Folks can install their own junkware on a guest OS image. This partition can be proxied out to the internet (no visibility to the intranet), allowing instant messaging, etc., without putting internal systems at risk. This image would only have access to a single disk partition (which wouldn't be visible to any other image), and would have essentially no access to internal corporate resources.
If done right, the corporate image would be automatically and securely connected to the corporate infrastructure even when connected to an unsecure network. The personal image would be connected to the internet, even when running on the corporate intranet, and development sandboxes would be further restricted to a development network.
All the stuff that's needed to make this works exists today. If Microsoft insisted its own staff worked within such constraints, it would be seamless for the rest of us as well.
How will they install Firefox then?
...if MS ended up releasing a product that would only run properly with the right spyware programs installed.
PCs have always been about having a bit of computing power under the user's control, which can be molded to projects that the MIS team are too busy/sleepy/detached/uppity to implement on big iron. That is the heart of personal computing in the workplace, and it has much less to do with a specific OS's philosophy than with a workplace's need for flexibility and initiative.
So I question whether Microsoft can take admin rights away from their workers and still claim to be in the PC business.
If in my college years, when I was working for different companies (as support/admin), they had that feature, I maybe wouldn't have become such a windows hater and concentrate only on unix-like systems.
...
....
....
... just a flashback from my early years of computer support :) and I am not doing anything with customer machines anymore ..... but still, I feel it is a problem ...
....
But then again, it is not enough to take away the admin rights from users completely, you will need a decent way of remote administrating those damn machines.
Before people start trolling on me: yes, you can take away admin rights in 2000/XP (to a certain level) and there are remote tools......
Admin rights should completely go away, the user should not have right to install, modify, not even change the screensaver dammit. And not run programs at all, only from a secure pool of programs.
That includes "i-know-it-all" managers, who tend to fsck everything up, because they know it so-well they are playing in the registry, and deleting folders/etc
Now on the remote tool: the nightmare of a support/admin person is a multi-level building, where you keep going for all those machines, instead of ssh-ing into them and fixing/installing remotely
Not because they are easy, but they are computer people and not PR monkeys and are probably sick of interacting with all the workers of the companies, who probably do not wash their hands after peeing, and then you have to go and touch 100 keyboards in 100 rooms
Oh well
Ohh, and that's why you have to wear the suit and not cargo pants and something that actually keeps you warm in the server room, or climbing on that roof yagi in the european winter to spot the balloons 5kms away on the rooftop with the compass and the binocular, to re-align the connection
I can imagine the msoft managers talk from here: "look, we improved the security model so much you do no need to giv'em admin (cringes from the poor techies)". It's kind of revealing to learn that even msoft people were requiring admin rights. Talk about eating your own medicine. nuff said.
[Pruneau
I used to work nights as a Photoshop guy at a color pre-press shop in the burbs of Chicago. They had an SGI server running IRIX and the people that ran it were two guys that knew a little about computers. One used to be in the sales department, and the other guy's dad got him his job there straight out of high school. Neither one had any formal training in IT or even a basic computer course...let alone Unix security. To be fair, I wasn't a computer expert either, but I read a lot and knew a few things...but hardly an IT professional.
Anyway, when I first started there, I offered my help at night since they weren't there and sometimes it got slow in my department. They declined with an attitude of like "pfft....yeah, we're fine guy, just go away". So I did, and I didn't want to ruffle any feathers as I had just started there. But what I DID notice is that everything they did on the server they did in root mode. All the terminals were in root, all the back-ups they did were in root and even just normal maintenance was all done with root! Now, I thought that was basic 101 computer security and SAFETY not to do everything in root. Plus, none of the terminals were locked away in a room...anyone could walk up to any terminal and just start typing away, from the CEO to the janitor. I pointed out this very basic breach of security and again got the attitude of "we know what we're doing, go back to Photoshop"...so I did and kept my mouth shut.
Well, to make a long story longer, they had the whole system hacked into, a guy set up a spam-bot network using their equipment and T1 line....but did they lose their jobs? No, not at all...they actually got promoted later on, but it was pretty funny at the time.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Thinking about this logically, admin rights should only be given when necessary. If they aren't needed, there is no problem with taking them away, and if they have set up their system environment properly, the employees won't miss it at all. Employees that do need some special privilege can be given limited access (kind of like sudo, etc).
I suspect one of the other big reasons for this is it's cheaper to do a bare-bones re-install when the Windows box goes teets up than to have an admin action every user need that is required on a box where the user is actually treated as a user.
Imagine how many real-life admins you might need to handle the hour to hour needs of a company where access rights in Windows were restricted.
This of course applies to no company that does NOT run Windows. Almost any other company would be able to handle that easily.
Talk about hidden costs.
Luck favors the prepared, darling.
maybe this'll teach them a thing or two about "vunerabilities" ;) after all, necessity is the mother of invention!
They need to lock down their boxes to make sure that their employees don't discover the utility of free software (like firefox).
Oh _that's_ why they are doing it. That figures. Everyone knows, you always give Linux users root access, so they can install all that great free software. And, equally, we know that if you don't have administrator rights on a Windows box, it's impossible to install Firefox.
And someone gave you an 'insightful'. Geez.
-----
If you REALLY think they use admin rights on their test beds, you are a moron. You obviously have no idea about test beds for product development. The whole premise of your rambling is based on something preposterous. The fact that you were rated a "5" shows that the slashdot demographic represents the population of IT morons, for actually thinking your incoherent post was somehow "interesting". Test beds would be created in isolation, with thousands of permutations based on access levels, OS versions, etc, etc, etc, etc. Yeah, *sarcasm* - Why don't we make all developers/admins not have admin access to their own boxes so they all know how it feels, I'm sure that would make the most sense and produce the best results.
Anon my @zz.
-Anthony
anth_web@yahoo.com
The employees instead of typing the admin password will actively look for holes to get the admin rights, spot them and eventually later patch them. Things like "cancel" button in Win98 login screen won't get overlooked :)
Anagram("United States of America") == "Dine out, taste a Mac, fries"
I'm one of them. Especially in the Dev support and EPS/EMS (Enterprise Platforms Support/Enterprise Messaging Support) spaces. How do you expect anyone to do any kind of repros, or be able to tinker around with an OS that they don't have local admin on?
I will agree that non-technical people don't need local admin, that's for sure.
Maybe if M$ developers were forced to run as non-privileged users once in a while, they'd realize that there's a lot of problems with trying to get through the day on a non-admin account. With any luck, this will spur them to design a better way of handling applications that fail due to insufficient privileges, as well as get tough on application developers who sloppily code their apps to demand admin rights.
Uh...yeah...here's a thought. YOU CAN CREATE NON ADMIN LOCAL ACCOUNTS WITH LOCAL ADMIN FOR TESTING!
Are you really that dense that you don't think that MS developers do this?
I don't think that can be true. Microsoft would be shooting itself in the foot if its own employees remained in the dark about what's going on in the real world.
You are not alone. This is not normal. None of this is normal.
...Microsoft employees do not know how to use (and keep safe) their own products....
That is some great confidence, if a Microsoft employee cannot secure his OS, how can you expect Jane Soccer Mom to keep her computer safe?
You sir are an idiot. +3 Insightful notwithstanding.
That's a brilliant idea. That way, your essential corporate data will live in virtual Word documents and virtual Exchange databases, and it will only be disclosed to the outside world by virtual spyware running on a virtual machine.
Of course, the bad guys are still very real, as is the damage to your company.
Most large companies do this, up till now MS was one of the few that gave out admin rights. This is not something to bash them on.
I have worked for 3 Fortune 50 companies as a developer and in two it was impossible to get admin rights to your own laptop/pc and in the third you had to find the right reason. In all three it was impossible to get admin rights to the *nix machines we coded on.
Sure, that must be the reason
http://portableapps.com/apps/internet/browsers/portable_firefox
It comes with me everywhere I go (well, almost :-) )
I'm pretty sure, even without having read TFA, that Microsoft doesn't control its employees' computers at home.
English is easier said than done.
Is there any reason not to use some kind of virtualization solution, and allow employees to "admin" their images, while forcing user privileges for the host operating system?
Except for device driver development (even USB and some other stuff would work correctly in a VM), are there any disadvantages?
Are there any OS developer situations that require the performance of native access at the same time as requiring administrator privileges?
The only arguments I can think of against this are developers that require close hardware access, but with paravirtualization solutions like Xen even that's not a big issue. Well, except on Windows, of course.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
You don't need admin rights to install Firefox, etc. on Windows. That was his point. This has nothing to do with free software, and everything to do with "Hacked By Chinese" (for those who remember when MS was compromised by Chinese vandals).
Given what has been on /. lately, are you so sure that it isn't the case for some of their staff?
I have nothing to say.
If you look around at the other comments it actually is a really big deal. Finally MS will have to build their software so it works properly for non admin users, and this is a big boost for security. And for admins all over the world, who have tried to apply strict security policies, but failed, because the security lid couldn't be safely fastened on a machine that should do standard tasks.
Own campus is step 1. THE WORLD is step two.
little billy is megalomaniac.
A brisk market in "Got root?" tee-shirts in Redmond.
:-)
Well, I suppose it should be "Got Administrator?", but that could be taken the wrong way
As others have mentioned, it is great to see MS thinking about trying this for themselves. It's years late, but they deserve a tiny bit of credit. When they realize how badly the current situation sucks, it will hopefully lead to usable non-admin logins, someday, that don't require an experienced sysadmin to set up (i.e. something akin to Apple's approach). I'm hoping that Vista will accomplish some of that, but it won't help the 3rd-party stuff much, which I suspect people will "Run As..." Administrator for years to come, leaving plenty of weak spots for malware to try to exploit in the same way.
http://www.theregister.co.uk/2002/06/30/ms_security_patch_eula_gives/
Yet.
I think the terms 'Admin Rights', 'Admin Responsibilities', or even just 'Superuser' is a bad way to describe to the non-technical what's really involved and unsecure by granting these accounts this level of access.
I used to work for a large publication which meant most people ran on Macs. Of course admin access isn't required to just use a Mac under OS X, but many non-technical people and especially the higher-ups saw this as a threat when I mentioned we should force people to run without administrator 'privileges'.
It was only when I started calling it by the term 'Administrator Responsibilities' did people stop insisting that they needed this level of access. They really didn't want the 'responsibility' involved in running a computer, they just wanted to 'use' it. Things went very well (in this regard at least) from then on.
Interesting policy... I wonder how many machines will be domain joined if it is put into place?
You don't need admin rights to install Firefox, etc. on Windows.
In that respect, they're better than a lot of MS products. One thing I wonder is how they're going to run debuggers without admin privs.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
What on earth? Don't they have an enterprise software distribution system? Why are they not using their own product, SMS?
How can they control anything with that many users that just 'install at will'. Sheesh.
Sure they are 'technical users', but management should be taking a more active role in what is going on.
---- Booth was a patriot ----
its employees.
Fuck you slashdot. Fuck you anyone who replies to this shit.
Or is Microsoft promising them all new hardware in the balance?
"Hi, here's a new Core 2 Duo for you. Now pretty please will you take Vista as well?"
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Maybe if we looked at in a slightly different context...MS are rolling out Vista and considering if users should stay as admins, in my experience when a large organization is rolling out a new OS they will also bite the bullet and make users non-admins.
...the exception usually being the R&D department, those guys usually have free range to nuke their machines daily :-D
So while you have worked in many companies that allow users admin rights on their boxes I doubt that any of them will allow the users to be admins if/when they roll out Vista, or even XP if they aren't already using it.
If it makes them more efficient overall, then it was the right decision.
If it makes them less efficient, then it will help diminish Microsoft's competitive advantage.
If it makes no difference, then who cares?
If it bothers an employee that much, he should find another job where he is responsible for the equipment he uses. I would recommend he take all that money he got from Microsoft and start a business. Oh, he didn't make that much money?
Just another example of someone with no authority complaining about the people above him.
Get successful. Find yourself in a position to make policy.
Other people did that, and if they are in charge of YOU, YOU are at least partly responsible for that.
Yes, it's hard. Yes, senior positions are limited, and invariably, filled. The last thing I want to hear is someone complaining about that.
If it's not good enough for them what makes it good enough for us?
Don't mind that shooting pain in your ass that's just stevey B.
Apple remote desktop:
http://www.apple.com/remotedesktop/
Firewire transfer during setup (also available after setup):
http://www.apple.com/macosx/features/setup/
And I don't have a good enough reason to switch to it on my own, although it is supported. Hannover might be able to convince me tho.
Blar.
...but I've been to Microsoft HQ to meet with people involved in developing the various MS websites, and almost every single one had Firefox installed (not necessarily as the default browser). Their favorite extension? Web Developer toolbar.
Posted AC for obvious reasons.
No more iTunes at Microsoft!
Good idea, but flawed from a security perspective:
If the idea of not having Admin rights is to keep virusX off the network, running Admin in a virtual machine just means virusX runs in the virtual machine & infects the virtual machines on the network: Stuff is still borked because all those developers have viruses on the virtual machines...
Note: Personally, I don't see developers wanting to develop in User-Mode. I also don't see why at least the non-developer staff is not running in User-Mode. (OK, realistically I do, but theoretically I don't.)
Someone should tip off the BSA that MS may not have their licenses in order.
I could use fast user switching but some options eliminate this ability, which forces me to log out and into the admin account which sucked. I found a way to "sudo" what I wanted. runas is a very handy program provided with Windows XP. It's command line so you drop it in a batch file. Then comes the Control Panel that has no executable associated with it.
To solve this problem, you go and fetch some utility that lets you poke into .dll files for the functions inside. Then you go searching the Windows .dll files. Have fun, it will take a while. Eventually you'll find it. I forget exactly which one and what function. Then you use rundll32 on it and call that function. Control Panel then pops up. Combine this with runas and set it to ask for the password when you invoke the command. When done, make a shortcut on your desktop or wherever that points to the batch file that you set up with the command above. Whenever you click on that shortcut, it asks for your password in a DOS prompt. You can use this step on several little Windows components.
Of course, you could just use Linux which comes all set up properly rather than running around figuring out what files a certain app wants to poke at.
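The runas-plus-rundll32 shortcut described in the comment above, as an added example that is not part of the original post. It assumes the `Control_RunDLL` entry point in `shell32.dll`, a local administrator account named `Administrator`, and a hypothetical file name `admin-cpl.cmd`; it opens individual Control Panel applets from a fixed allowlist rather than the Control Panel folder itself.

```bat
@echo off
rem admin-cpl.cmd (hypothetical name): open one Control Panel applet under an
rem administrator account while staying logged on as a limited user.
rem Usage: admin-cpl.cmd appwiz.cpl
setlocal

rem Assumption: the local admin account is called "Administrator".
rem Change this if the account has been renamed.
set "ADMIN_USER=%COMPUTERNAME%\Administrator"

rem %~1 strips any surrounding quotes from the first argument.
set "APPLET=%~1"

if "%APPLET%"=="" (
    echo Usage: %~nx0 applet.cpl 1>&2
    exit /b 1
)

rem Only accept applets from a fixed list, so the command line that ends up
rem running with administrator rights never contains arbitrary text.
for %%A in (appwiz.cpl ncpa.cpl sysdm.cpl timedate.cpl) do (
    if /i "%APPLET%"=="%%A" goto launch
)
echo Applet "%APPLET%" is not on the allowed list. 1>&2
exit /b 1

:launch
rem runas asks for the administrator password in the console window;
rem the password is never stored in this file.
runas /user:%ADMIN_USER% "rundll32.exe shell32.dll,Control_RunDLL %APPLET%"
exit /b %ERRORLEVEL%
```

A desktop shortcut pointing at this file with the applet name as its argument gives the click-and-type-password behaviour the comment describes.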
This *may* be the way for Microsoft to finally solve some of their security problems. When their employees constantly are yelling "G*dD#@mn IT", the company might buy a clue-by-four to figure out their *basic* failure in the current security model. As a network security specialist, I was dumfounded to (on my new machine) find that, in addition to the basic administrator account (no default password), there had to be at least one more administrator added. My issue was simple - my user ID should be a "Power User" not "Administrator". Yet, when I attempted to change my usual logon to a PU (I am the only one who uses this machine), I was greeted with a message that "You MUST have at least one administrator". This while logged on to the ACTUAL Administrator account (that name had already been changed). I suppose I could have done the work to logon as "Local Service", but .
More importantly, why does Microsoft ship all Windows products with a password of $NULL?!?. Any self-respecting cracker (THEY ARE NOT HACKERS) knows this. At least use a password generated by the product key entered upon installation. The product key is printed on the documentation along with an admonition not to lose it. It would be TRIVIAL to add an administrator password to the sticker, along with the key.
And ye shall know the truth, and the truth shall make you free.
John 8:32(King James Version)
It is true that applications developers do not strictly need admin rights to develop in Windows. But this only works if they need infrequent installs of software packages. Some places this works, particularly if everyone is on the same project or same exact development environment, but other places not so well. Also, developers are generally power users. While they may be OK without full admin, they certainly want to be able to install software on their own from time to time. Everyone has their favorite utilities & apps, etc. Also, people want the freedom to try new tools on their own (beta version of Visual Studio, for example). In UNIX, this freedom is no problem. In Windows it is tough to make it work.
Once again, the point is evinced by the fact that MS still has everyone running as admin. That is a security joke! In the internet age, no one should be 'working' as admin except administrators, and even then administrators should be doing email, browsing, research, etc. as a non-admin user and only switch to admin when making real system changes. It is difficult to pull this off with Windows and it shouldn't be.
Even in cases where admin rights are necessary, virii and malware can be mitigated by a combination of tools. With Symantec AV, MS Defender, and a good firewall at the perimeter with content control, the only people who cause problems for me are bored users who get to sites that aren't on the content control deny list. Once I explain to their boss that they're paying me +$100 an hour to clean up a mess that could have been avoided if the employee was doing their god damn job instead of jacking off on someone else's time, the problem usually goes away.
When a workstation blows up, a re-image gets things up and running again in an hour or two.
Even though it's possible to work around the 'dangers' of admin rights, I do agree that it is a problem. Microsoft took a step in the right direction with the Windows XP RunAs. I've found that at my clients who have XP and need admin rights for a particular application, setting up a shortcut that uses the RunAs functionality gets the job done most of the time.
One thing I wonder is how they're going to run debuggers without admin privs.
They should be okay so long as they are members of the usefully named 'debugger' group.
-ccm
Too much Law; not enough Order.
I didn't think it was possible or feasible to run a Windows box as anything other than admin. I've tried, and it made setting a whole fileserver up look like a walk in the park. For almost every single app you have to determine what rights it needs and adjust. Especially when you start using some older software, it's very time consuming. With Vista the possibility to run as a limited user without demanding one admin per PC is introduced. I think the intention is "eating their own dogfood" and to force this way of thinking into everybody's mind.
Windows XP really sucks hard when I think about it. Vista is a small step forward but still, it really sucks to admin.
HTTP/1.1 400
No text.
http://outcampaign.org/
Microsoft doesn't need to do this... game developers need to do this!
Several games don't run without admin rights (who knows why...) - if all games worked without admin rights then MAYBE people MIGHT start using their Windows systems with user rights, making the whole world MUCH safer from attacks...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
For both companies (one of them is a big name, the other is a startup) I've worked for, they give you admin. It's usual practice.
Gates: "We're wrestling with a security issue whereby our employees are able, due to holes in the desktop OS we're using, to be inundated with all sorts of software we didn't intend for them to run. Suddenly, we're starting to ever...so...slowly...understand what all the security fuss is really about for our customers! Thus, Vista was delayed!"
In a related story, Microsoft employees' bragging rights are pretty much gone.
Result: Operating system that comes closest to mimicking the public school | prison | "insert_government_run_agency_here" system.
Autonomous Retard -- Is your camp safe? UnsafeCamp.com
If only Microsoft product users could lose admin rights and be prevented from easily regaining them (ie no local privileges escalation), the Internet would be a more pleasant place (less spam, less DDoS, etc.).
For an example of the reason Microsoft *should* restrict their employees (especially development/usability staff), look at the following exchange:
Me: It was not a question. If an application requests access far in excess of what it needs, is denied and continues on without problem, the request for access is by definition a LUA bug (it did not need the authorization in order to proceed). If, for example, my application never reads or writes to COM1 but attempts to open it for read/write access, the least I should be guilty of is sloppy coding. However, if I am writing a trojan masquerading as an otherwise useful utility, I would do this to see if I was able to do so. Possible responses:
Request denied: Continue with what the user wanted me to do.
Request permitted: Deploy destructive payload, then continue with what the user wanted me to do.
This scenario is the same whether the request is a registry write, an update/change of system files (libraries, executables, configuration files) or writing to memory (RAM or DISK). Therefore, by definition, any request for services that are not needed to perform the operation is an LUA bug.
Answer: Developer from Microsoft (as a result of my comment to his blog): You can choose to define it that way if you want, but it's not a useful definition, and frankly doesn't make any sense to me. For most people, "bug" implies that the object under consideration does not work as designed/desired. For my purposes, I'll stick with my description as posted here: http://blogs.msdn.com/aaron_margosis/archive/2006/02/06/525455.aspx
Is there some reason that a "security conscious company" would feel that widespread requests for unneeded access should be permitted? If I came to you and said "I want a key to your house, not because I need it, but because I want it", would you feel comfortable giving me one? Better yet, would you feel comfortable if I went down to the local locksmith asking for a key to 1313 Mockingbird Lane and they gave it to me without any questions??? This is what an employee of Microsoft is describing as working as designed/desired!!!
And ye shall know the truth, and the truth shall make you free.
John 8:32(King James Version)
"An unusual practice? Where? Most places I know have their users running as admin..."
Personal experience is not a statistical sample. This applies both to the parent and the grandparent. I have no idea which approach is more common in the Fortune 500, but the experiences of a couple of random Slashdot people, no matter how smart they may be, aren't going to tell us. I've met companies in the Fortune 1000 that do it both ways, FWIW (i.e., nothing).
Now, as far as my current employer goes... I'm the IT Manager for a small manufacturing company. Almost everybody (including IT staff, including myself) uses an unprivileged user account for day-to-day operations. This works reasonably well, although there are plenty of programs that need a little persuasion (sometimes with a large hammer) to be made to work. REGMON and FILEMON from http://www.sysinternals.com/ are great for debugging problems that arise from Windows Programmer Brain Damage. I've only got one program that couldn't be made to work this way, and it's limited to two computers.
I'm fortunate in that management recognizes computer security as important, and backs me up on this.
I have to say that restricting user rights this way (along with a few other things, like WSUS and roaming profiles) goes a long way towards making Windows a usable platform. All the support calls from malware/badware vanish. Support calls from things like "I installed Napster and now AutoCAD won't work" vanish. People can't tinker with stuff and break it. It's a Good Thing.
I still vastly prefer Linux for any number of reasons (not all of them technical), but if I have to support Windows, I will at least do it right.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Seeing as they have already denied many rights to non-Microsoft people, they were looking for another segment of humans to restrict. It seems they have found it.
I used to work IT at Northrop Grumman and we let all users in the corporate office (~700-800) have default Administrator privileges because it was just easier to re-image a machine than deal with the hassles of poorly designed apps that would crap out if the user lacked admin privileges. It was just easier to tell them to back up their data on a network share and re-image.
That's why we have instated a super-secure system. First of all, our su doesn't sit in /bin/su. Instead the file gets copied to a random place in the file system with a random filename at random intervals. Of course this is not logged, in order to improve security. Also, the only computer where it's possible to get root access at all (we use a special version of the Linux kernel that does not allow local users to become root and immediately detects any attempt to do so on all other computers) sits in an hermetically sealed room with three redundant sets of motion detectors that can only be disabled by the CEO, the CIO and our lawyer, respectively. A fourth set of motion detectors ensures that there is never more than one person in the room. The floor of the room is made up of 2x2" tiles, most of which are pressure sensitive and are not ever to be touched. The touchable tiles are dispersed in a semi-random pattern; the administrator has to know which ones are rigged, dancing a delicate ballet while passing the fifty meters between the door and the computer. Authorization itself requires the use of a special key, a keycard, two passphrases, a fingerprint, a tongue print, a retina scan, a blood sample, a sperm sample and a spoken passphrase, which is a tonguetwister in Frisian, spoken backwards. When in root mode the administrator has to press a key at least every five seconds but not faster than twice per second.
If at any point anything unusual is detected our sensitive corporate data is automatically protected from being compromised as C4 charges in the walls and floors are detonated, immediately annihilating the entire building and everything within ten meters of it.
Some say that our approach might be a bit too proactive, but =%&/(&%/%&$/"$?=(/)&%=/%/)+NO CARRIER
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
and it runs just fine as limited user!
But that stinking QuickBooks2006 is set up to run as admin only. Yes, it pollutes HKLM winnt and other stuff it shouldn't touch. It can run as limited user if you relax permissions on HKLM and some other keys. It's in an Intuit KB article. Almost nobody knows about this hack.
QB is the app that makes PCs necessary. There's an OS X version, but the payroll module hardly works in it. QB sucks donkey pinkness.
Blah, who cares? Microsoft has never 'gotten' it and never will: that is why I use alternatives, such as GNU/Linux. Where do I want to go today? Somewhere intelligent: so I opened up a door and closed all the Windows. Shut up or walk.
soylentnews.org Go there to enjoy the people!
How sad for them.
Too bad.
Perhaps they might start thinking about using a computer in a secure way once they only have a regular user's access permissions.
Chur Chur
Openoffice, Firefox, Thunderbird... even Linux (as it surfs faster).
That's the reason for this "security" measure, I bet.
my current osvirus is win2k...
:-)
Running as a regular user, try doing a double click on the clock to get the calendar up... you know, iCal, one of the PC's iApps
You get:
You do not have the proper privilage level
to change the system clock.
WTF?
OK, maybe if I actually tried to change the clock... instead of just LOOKING at the calendar and then hitting Cancel... but NO. I can't find out the date if I am not Root.
Bah.
So, what do I do?
Well, between the hardware fire wall and the software firewall and the virus checker, all non MS, I still don't really feel safe...so I still run as a regular user.
So, I go to Google, type in Calendar, and pick one.
Now my browser is my calendar.
Currently I consult inside a bank with >100,000 employees.
How many of those folks get admin rights?
Not too many.
MS, get a grip.
PS, Bill, redeem yourself: spend a few $B on Solar powered Stirling Engine grid ready energy.
I wonder how they keep track of software licenses when all of the employees can install whatever they want, whenever they want.
Is not MS a business somewhat like any other company? Not everyone who works at MS is a coder after all.... I wouldn't want just anyone to have admin rights........
You need a sperm sample to get su access? And we wonder why there are so few women in IT!
know if non admin users capabilities in Vista have been improved? As many of us are aware, limited users are pretty much broken in XP and server 2003 for development purposes. Debugging of ASP .NET and installing of numerous third party applications just won't work without admin access. This is partially the fault of third party developers, who often force installation in the Program Files directory, or who actually check to see if the user is admin before allowing installation, even though this is a totally artificial constraint.
Realistically, many users and developers especially have specialized tools that they must install, from a perl binary to something as innocuous as an instant messaging client. On Linux, this is easy since configure scripts almost always allow install directories to be specified, and processes that don't need root access never request it. On Windows, many programs assume admin during install, even though they don't need it, and balk if the user tries to install without it. At my school, we get around this by giving everyone admin, but having all the Windows dev machines copy their image from a hidden partition on boot.
Developers might get away with this non admin boxes, but it certainly wouldn't fly for test. Testers aren't going to want to call support every time they want to test against a different version of the nvidia drivers...
When I was in school, I worked as 'student support'. :-) He even stored it on a network share, and unfortunately accessed that particular account logged on as himself. He had a nice little talk with the principal while we booted the computer.
We used to have a program named DeepFreeze installed. We would give students admin rights (because a few computers still ran Windows 98), and it worked great. Each time the computer was booted, it would mirror back to the original setup. If a teacher needed a certain program for his/her class, we would just turn off deep freeze, install it on the computer, and run Ghost to get it mirrored. Faster than installing the cd on each computer.
The biggest problem we ever faced was a student that found a pc in the library, which was turned on 24x7. He installed Kazaa and started downloading via the 100 mbit connection.
Neither at home nor in the workplace, actually.
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
We have a couple of people that everyone calls the twins (because they are twins) that administer about 900 XP machines. There really needs to be about 4 more of them if the company is going to keep our computers locked down. Our computers are so secure that they are protected from running the company software properly. Of course, I'm the only one that seems to care. I guess apathy is the only way to stay sane.
Ops, I shuld have usd the prevuwe but in.
One thing I wonder is how they're going to run debuggers without admin privs.
Debuggers? Microsoft has debuggers?
You learn something new every day here.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
If some programs or settings are "shared" for use by "all users", shouldn't the system be architected in such a way that it permits any user to one-off that setting or program for their own account?
Microsoft is taking the wrong approach with Vista (by having the system prompt for admin credentials all over the place). Instead, they should have rearchitected the system so that admin rights aren't needed so much in the first place.
The fundamental problem with Windows security and reliability is that the state management is unnecessarily complex.
It's unnecessary for a program to be "installed" in order to be used -- why should I have to modify the state of the system itself, and wedge crap into the registry and C:\WINDOWS directory, just to run a program? Why should the program have to keep its state in a global database (registry) that is also a core part of the system itself? It's a broken design.
Fixing the architecture to simplify state management would have other added benefits. For example, if a program's last state/settings are stored with the program, all bundled up into some kind of package file, and the program doesn't even have to be "installed" to be run, then it would be easy for users to move a program (plus all its settings) from one machine to another, or to fully backup/restore it, or to carry it across OS upgrades, etc. I've never used OS X, but I've read a little about it and it sounded like that's the approach it takes, which is just common sense.
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
It is a tough balance and every company has to decide what is right for them,' said Estberg. However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees.
It's telling that they presume you have to be an administrator to install software. There's no reason why that should be the case. Personally I think it's a great idea to force employees to use user accounts... Maybe then the "user" account will acquire some degree of functionality beyond the ability to login.
https://www.eff.org/https-everywhere
Big companies nowadays will never allow such access. It is simply suicidal.
IANAL but write like a drunk one.