Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Employees May Lose Admin Rights

Posted by ryuzaki0 on from the root-to-moot dept.

daria42 writes "As Microsoft moves its internal desktop systems to Windows Vista, the company is contemplating whether to change a long running tradition and take away admin rights from its employees in order to improve security." From the article: "'We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control -- that is the feature in Vista -- so that we can start moving in that direction ... It is a tough balance and every company has to decide what is right for them,' said Estberg. However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees."

17 of 502 comments (clear)

  1. Eat your own dog food by mwvdlee · · Score: 5, Insightful

    "Eat your own dog food".

    If Microsoft's access rights model isn't good enough for their own purposes, it isn't good enough for the rest of the world either.

    If they were truely confident that it works as they claim it does, they should have had their employees in a more secure and restricted environment years ago.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Eat your own dog food by Anonymous Coward · · Score: 3, Insightful

      I hate to be the MS supporter here (and I rarely do), but Microsofts permission model is just as powerful as UNIX's. It is just harder to learn. But not that much harder.

      If people suddenly switched to UNIX machines we would still have the same problem. The problem isn't that the OS has an insecure permission model (neither UNIX nor Windows NT do), but that noone wants to implement it. For the type of people who use Windows boxes, this will always be a problem. They use Windows *because* they don't want to deal with the details of system administration. If they suddenly switched to UNIX they would still not want to deal with the details of system administration (which is one of the reasons that they don't).

  2. what need admin privs? by boxlight · · Score: 3, Insightful

    I don't see why this is a big deal. Average desktop users should not have admin rights -- no?

    boxlight

  3. Excellent Idea by Whatsisname · · Score: 5, Insightful

    Yes, having the employees run as 'regular' users would be a terrific idea. All the problems that limited user accounts have now would be encountered by those with the most ability to fix them.

  4. "Unusual practice" ... wtf. by Kadin2048 · · Score: 4, Insightful

    Currently, the majority of Microsoft's employees enjoy full admin rights on their desktop PCs, which is an unusual practice in the enterprise space ...

    An unusual practice? Where? Most places I know have their users running as admin, because there is still software around that won't function properly if it's not run that way.

    If Microsoft forces its employees to run as non-admin users, I think it's a good thing, because maybe it will lessen the amount of crap software that's designed with the assumption that it's going to be run that way.

    Unfortunately, that doesn't help the situation with the tons of legacy apps that assume this, and it only takes one important legacy app in a corporate environment to hose the entire security model of non-admin users.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:"Unusual practice" ... wtf. by lgw · · Score: 4, Insightful

      I don't know of a large company that still lets most employees install software, have admin rights, or do anything like that. The desktop PC has to be locked down if you want to manage 100000 desktops on a modern IT budget.

      It would be wonderful if Microsoft did this! The result would be that, at least for Microsoft software, the developers would be forced to care whether their software ran without admin rights.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:"Unusual practice" ... wtf. by BVis · · Score: 4, Insightful
      Among normal companies where computers and software are tools for achieving some other goal, it is extremely rare to have admin rights. I'm talking about banks, telecommunications companies, etc. For these firms you either have to use special management software to install software, or you have to request that IT come out and do it.
      I disagree. I've worked at multiple (non-technocentric) Fortune 500 companies where all users have administrative rights to their computers. Why? Because they don't want to hire enough IT staff to do things properly. Users whine and generate support workload far more when they can't install their home printer, or their online poker client (or whatever they might want to put on there) than they do if you just let them do what they want. If you go so far as to tell them they're not allowed to install anything, congratulations! You've officially created a Career Limiting Event. I've worked at places where there was no Acceptable Use Policy because of the costs (both in wages and employee turnover) of enforcing one. (The turnover comes when some poor helpdesk drone doesn't realize that they're speaking to the Vice President Of Things That Begin With H On Alternate Tuesdays, reminds them that what they're doing is against the AUP, and subsequently get fired. Gotta love at-will employment; you can be fired for any reason or no reason at all.)

      Think I'm exaggerating? Why do you think I don't have those jobs anymore?
      --
      Never underestimate the power of stupid people in large groups.
    3. Re:"Unusual practice" ... wtf. by EvilSS · · Score: 5, Insightful

      Are they Microsoft Applications or third party apps? Everyone is quick to blame MS for this but in reality it's usually the fault of the application developers that can't follow Microsoft's guidelines for writing software. 99.9% of the time it is the result of one of the following:

      1. Storing user information in HKEY_LOCAL_MACHINE instead of HKEY_CURRENT_USER (even MS is guilty of this with their TS licenses)
      2. Writing files to the program directory instead of to the user profile, temp, home drive or other user writable location
      3. Writing files to C:\ (this is just inexcusable and lazy)
      4. Some other bonehead move by the developers (such as registering components on run instead of during the install, trying to store files in winnt, using freaking INI files!)

      [insert rant about under-trained programmers and lack of proper software engineers here]

      If the programmers would actually learn how Windows works most of the "x software package requires admin rights" could be avoided.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  5. Won't fly by Utopia · · Score: 5, Insightful

    With a huge percentage of the people being developers, these people need full control over their system.
    I don't see how they can even implement this scheme.

    May be they can take the admin rights from their Managers computers.

  6. Linux Users by omeomi · · Score: 4, Insightful

    It's not uncommon for Linux users (even developers) to use user accounts, because it's very easy to su any administrator tasks. So, maybe Vista will fit this model better, and having developers using user accounts won't be all that ridiculous...

    --
    ZuluPad, the wiki notepad on crack
  7. Give them average-sized monitors too, dammit! by Anonymous Coward · · Score: 5, Insightful

    Hell, make them work in monitors the size the average office supplies -- 15" or 17" where I work.

    I'm so damn tired of apps that open big windows needlessly in the middle of the screen (MSWord's 'find' for example) covering whatever it is you wanted to actually operate on -- because some programmer had a 29" monitor -- or two -- to work in and never thought about fitting stuff into a real user's working screen.

    Open find. Drag stupid window off the text area. Find. Damn, window moved back to the middle. Lather, rinse, repeat.

    Sure, the IT department could supply larger monitors. But those are commodities and they're saving their budget for bells and whistles to impress top management.

  8. Re:Stop perpetuating the myth ... by jacksonj04 · · Score: 3, Insightful

    Windows Media Player 11 *doesn't* need admin rights, hopefully in preparation for Vista.

    At least one application has got the idea, even if it is from the company behind the OS.

    --
    How many people can read hex if only you and dead people can read hex?
  9. Re:Who cares? by Eideewt · · Score: 4, Insightful

    It matters to anyone who was hoping for useful limited user accounts in Vista, because if they have to use them then there's a chance that they'll actually work.

  10. Re:Stop perpetuating the myth ... by debest · · Score: 3, Insightful

    Here's a partial list of programs that require admin rights to run (not merely install): ........

            PowerDVD

    Can't attest to any of the other examples you listed (I don't use WMP, and haven't installed any of the others), but I can attest that I use PowerDVD on my limited-priveleges account just fine, thank you.

    --
    Look at the tomato! Isn't it sad? He can't dance! Poor tomato!
  11. oh well that needs remote admin as well by dindi · · Score: 3, Insightful

    If in my college years, when I was working for different companies (as support/admin), they had that feature, I maybe wouldn't have become such a windows hater and concentrate only on unix-like systems.

    But then again, it is not enought to take away the admin rights from users completely, you will need a decent way of remote administrating those damn machines.

    Before people start trolling on me: yes, you can take away admin rights in 2000/XP (to a cenrtain level) and there are remote tools......

    Admin rights should completely go away, the user should not have right to install, modify, not even change the screensaver dammit. And not run programs at all, only from a secure pool of programs.

    That includes "i-know-it-all" managers, who tend to fsck everything up, because they know it so-well they are playing in the registry, and deleting folders/etc ...

    Now on the remote tool: the nightmare of a a support/admin person is a multi-level building, where you keep going for all those machines, instead of ssh-ing into them and fixing/installing remotely ....

    Not because they are easy, but they are computer people and not PR monkeys and are probably sick of interacting with all the workers of the companies, who probably do not wash their hands after peeing, and then you have to go and touch 100 keyboars in 100 rooms ....

    Oh well ... just a flashback from my early years of computer support :) and I am not doing anything with customer machines anymore ..... but still, I feel it is a problem ...

    Ohh, and that's why you have to wear the suit and not cargo pants and something that actually keeps you warm in the server room, or climbing on that roof yagi in the european winter to spot the balloons 5kms away on the rooftop with the compass and the binocular, to re-align the connection ....

  12. Admin rights by Nijika · · Score: 4, Insightful
    I've seen a lot of people comment that they work at large companies and have admin rights on their Windows boxen. I (pretty much) had the same setup at both of the larger companies I worked at where MS was enforced on the desktop (at both places I wouldn't have been able to interact with the work environment without Windows).

    I suspect one of the other big reasons for this is it's cheaper to do a bare-bones re-install when the Windows box goes teets up than to have an admin action every user need that is required on a box where the user is actually treated as a user.

    Imagine how many real-life admins you might need to handle the hour to hour needs of a company where access rights in Windows were restricted.

    This of course applies to no company that does NOT run Windows. Almost any other company would be able to handle that easily.

    Talk about hidden costs.

    --
    Luck favors the prepared, darling.
    1. Re:Admin rights by naelurec · · Score: 4, Insightful

      Your absolutely right. The *nix way:

      1. User needs a particular application. Depending on company policy, the user may be able to install in their own home folder. If not, they could submit a request to suppot.

      2. Support authorizes request, does a remote SSH connection to the users machine, installs the software (while the user is still working) and notifies user that the software was installed.

      3. Software ties into centralized package management system so suppot can keep tabs on security notifications, updates, etc and roll it (easily) into the centralized update mechanism.

      The Windows way:

      1. The user needs software and does not have admin rights. The chances the user can install in their home folder is close to 0%. User requires IT to install.

      2. IT receives the request and approves it. Perhaps IT gets lucky and the software is packaged as an MSI that can be installed via group policy. IT adds the install files to a network share and adjusts group policy. Tells user to restart or wait until next boot to get the update. Most likely the software cannot be installed via MSI (no auto-install MSI exists) and manual installation will happen (lets face it, creating an MSI is a PITA, especially for non-standard software).

      3. IT contacts the user to tell them they will access their system remotely and to log out (no concurrent users in XP). User logs out and IT logs in remotely via RDP rendering the computer inaccessible for the user.

      4. IT installs the software as administrator (via remote share). IT logs out and notifies the user the software was installed.

      5. A little while later, user contacts support that the software does not run properly. Apparently the software needs to be run as admin first time to initiate some files in the program files folder. Admin repeates step 2 and 3 to finalize the software install. Unfortunately, the software refuses to run via RDP. Great. Support has to either have local user login as a temporary admin to run the software or admin has to physically access the machine.

      6. Admin decides to go to the machine to step through the install. Runs the software, logs in as the user account and it still is not operational. Admin then has to pull out regmon/filemon to determine the issues (as the regular user). Once done, admin has to re-acquire admin level rights (ie runas or admin shares) to make file permission changes/registry security changes.

      7. After a debugging session, the software finally works as expected for the user (hopefully). Admin then writes down all the steps required in the event of a software upgrade, future install, etc..

      8. Admin decides to notify software company so hopefully next version is fixed.. software company's support is not interested and state "admin access required". Blech.

      9. There is no central management of the software, so admin has to manually check for updates (along with the myraid of other software). Perhaps in the spare time, the admin writes a script to assist in the installation.

      While I *will* say the _ideal_ corporate installation scenario on Windows is much better (load up MSIs and set a group policy to do auto-installs), there is WAY TOO MUCH software that simply does not fit the mold. Even software that does manage to utilize this method sometimes requires elaborate step-by-step (slipstream, etc..) to make it function right (ie MS Office 2003) in this scenario.

      I'd honestly be happy with the sudo equivilent. Allow specific software to run via sudo w/o password (transparent to the user). This could solve the legacy issue while forcing future software development to test against regular user accounts.