Microsoft Employees May Lose Admin Rights
daria42 writes "As Microsoft moves its internal desktop systems to Windows Vista, the company is contemplating whether to change a long running tradition and take away admin rights from its employees in order to improve security." From the article: "'We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control -- that is the feature in Vista -- so that we can start moving in that direction ... It is a tough balance and every company has to decide what is right for them,' said Estberg. However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees."
they'll probably just install linux instead :-O
From TFA: No wonder:
- and -
Maybe if M$ developers were forced to run as non-privileged users once in a while, they'd realize that there's a lot of problems with trying to get through the day on a non-admin account. With any luck, this will spur them to design a better way of handling applications that fail due to insufficient privileges, as well as get tough on application developers who sloppily code their apps to demand admin rights.
Again from TFA: I'd hardly call an environment where users have full admin rights to their systems an adequate test-bed.
Once more from TFA: Saying that Microsoft is 'not smarter than any other enterprise in terms of knowing how to address security', while technically true, is deeply misleading. Any company that purports to "eat its own dog food", but performs their testing with full admin rights to the box clearly has a dangerous lack of understanding of security...a lack that we all pay the price for every day.
____
~ |rip/\/\aster /\/\onkey
Who better to test and actually use the "User Access Control" than Microsoft's own employees?
Clearly, they weren't "trying out" the Limited User accounts when Windows XP was in its infancy. Otherwise, it might actually be useful to us today.
"Eat your own dog food".
If Microsoft's access rights model isn't good enough for their own purposes, it isn't good enough for the rest of the world either.
If they were truly confident that it works as they claim it does, they should have had their employees in a more secure and restricted environment years ago.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
I don't see why this is a big deal. Average desktop users should not have admin rights -- no?
boxlight
Yes, having the employees run as 'regular' users would be a terrific idea. All the problems that limited user accounts have now would be encountered by those with the most ability to fix them.
Currently, the majority of Microsoft's employees enjoy full admin rights on their desktop PCs, which is an unusual practice in the enterprise space ...
An unusual practice? Where? Most places I know have their users running as admin, because there is still software around that won't function properly if it's not run that way.
If Microsoft forces its employees to run as non-admin users, I think it's a good thing, because maybe it will lessen the amount of crap software that's designed with the assumption that it's going to be run that way.
Unfortunately, that doesn't help the situation with the tons of legacy apps that assume this, and it only takes one important legacy app in a corporate environment to hose the entire security model of non-admin users.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
It happened to me when I mistakenly typed "su" instead of "du".
With a huge percentage of the people being developers, these people need full control over their system.
I don't see how they can even implement this scheme.
Maybe they can take the admin rights from their managers' computers.
I wonder what made them think about it in the first place... too much Banzai Buddy?
"By the same logic, if he has no good reason for what he says, he is just making noise and we need pay him no attention.
Compare and contrast this approach with Sun. Employees in Sun are all equipped with Javacards which they can insert into a Sun Ray appliance anywhere on the Sun network. AFAIK, only the staff responsible for administering their Sun Ray network have sysadmin credentials within the environment: all other users get a set of applications which are deployed to the user, with no ability to install anything else. And it works - a user can walk out of an office in GB, fly to the USA and plug in their Javacard, resuming their session exactly where it was.
The similarity with Microsoft is that the employees had to cope with some pretty dreadful software a few years ago. Disgruntled colleagues are always a rather special spur to developers, and the Sun Ray technology is now tip top. Perhaps the same will happen to Microsoft.
Would this mean that if they switch MS employees to Vista with only user rights, that Vista would be delayed yet another couple of years while they work out the bugs? If it doesn't work for MS employees, it can't possibly work well for anyone else. Surely, they have to make sure it works since it's part of securing the system. Right?
Support NYCountryLawyer RIAA vs People
They will need to go to the administrators...Aha! No more firefox and opera from M$ campus.
There is a spark in every single flame bait point.
It's not uncommon for Linux users (even developers) to use user accounts, because it's very easy to su any administrator tasks. So, maybe Vista will fit this model better, and having developers using user accounts won't be all that ridiculous...
ZuluPad, the wiki notepad on crack
If Microsoft can't implement this for their own employees, any CTO looking at Vista would be foolish to think that he could in his company.
Others have given the example of XP, and so true.
If you have to manage Vista the same way you manage XP, that is one less reason to upgrade, and another reason to look at alternatives.
Look at Novell with their internal deployment of Suse. They've had to suffer for a while, but slowly they are starting to show it can be done, and have gained a bunch of knowledge doing so. Novell customers may actually believe them when they suggest they can deploy Suse for some systems instead of Windows. Who believes you can run Windows without administrative rights?
Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
Hell, make them work in monitors the size the average office supplies -- 15" or 17" where I work.
I'm so damn tired of apps that open big windows needlessly in the middle of the screen (MSWord's 'find' for example) covering whatever it is you wanted to actually operate on -- because some programmer had a 29" monitor -- or two -- to work in and never thought about fitting stuff into a real user's working screen.
Open find. Drag stupid window off the text area. Find. Damn, window moved back to the middle. Lather, rinse, repeat.
Sure, the IT department could supply larger monitors. But those are commodities and they're saving their budget for bells and whistles to impress top management.
Windows Media Player 11 *doesn't* need admin rights, hopefully in preparation for Vista.
At least one application has got the idea, even if it is from the company behind the OS.
How many people can read hex if only you and dead people can read hex?
Just so you know, not all of these programs need admin rights to run; they need certain privs on certain folders (usually either write or modify to their program directory).
Are you sure on Windows Media Player? I'm able to run it at work without admin rights. I can rip MP3's with it as well.
It matters to anyone who was hoping for useful limited user accounts in Vista, because if they have to use them then there's a chance that they'll actually work.
They support a few more than 100,000 desktops :)
They make Slashdot every now and then too.
Blar.
If Microsoft doesn't think Vista's user accounts are usable how did it end up as one of the top features of the whole product :P?
The actual fact they are thinking whether to use it or not makes me fill with doubt. And I really thought they had it right this time (honestly).
How will they install Firefox then?
Here's a partial list of programs that require admin rights to run (not merely install): ........
PowerDVD
Can't attest to any of the other examples you listed (I don't use WMP, and haven't installed any of the others), but I can attest that I use PowerDVD on my limited-privileges account just fine, thank you.
Look at the tomato! Isn't it sad? He can't dance! Poor tomato!
I agree that personal computing enabled everyone to benefit from cheap, ubiquitous computing power, which the mainframes of the day couldn't provide.
Of course, this was back before anyone realised total cost of ownership was far greater than the purchase price of the machine. And viruses and worms hadn't been invented, and you needed to be a guru to change the machine configuration, and they only ran a single application at one time, and we weren't connected to a vast global network filled with script kiddies and criminal hackers.
We aren't really going back to a central processing model. We are trying to regain some of the management and security benefits the old central processing model had by default and that general purpose networked personal computers can only acquire with a lot of hard work.
Frankly, for what most people use their PCs for at work, and given the ubiquitous network, it would be far cheaper for many enterprises to run thin client diskless workstations and actually return to a central processing model, if we hadn't already bought so heavily into the current model.
If in my college years, when I was working for different companies (as support/admin), they had that feature, I maybe wouldn't have become such a windows hater and concentrate only on unix-like systems.
...
....
....
... just a flashback from my early years of computer support :) and I am not doing anything with customer machines anymore ..... but still, I feel it is a problem ...
....
But then again, it is not enough to take away the admin rights from users completely, you will need a decent way of remote administrating those damn machines.
Before people start trolling on me: yes, you can take away admin rights in 2000/XP (to a certain level) and there are remote tools......
Admin rights should completely go away, the user should not have right to install, modify, not even change the screensaver dammit. And not run programs at all, only from a secure pool of programs.
That includes "i-know-it-all" managers, who tend to fsck everything up, because they know it so-well they are playing in the registry, and deleting folders/etc
Now on the remote tool: the nightmare of a support/admin person is a multi-level building, where you keep going for all those machines, instead of ssh-ing into them and fixing/installing remotely
Not because they are easy, but they are computer people and not PR monkeys and are probably sick of interacting with all the workers of the companies, who probably do not wash their hands after peeing, and then you have to go and touch 100 keyboards in 100 rooms
Oh well
Ohh, and that's why you have to wear the suit and not cargo pants and something that actually keeps you warm in the server room, or climbing on that roof yagi in the european winter to spot the balloons 5kms away on the rooftop with the compass and the binocular, to re-align the connection
I run Kodak Share on about 40 of our Windows boxes, none of them have admin rights.
I run AutoCAD on all of our Engineer's windows boxes (about 25), only one has admin rights.
I run PowerDVD on over 1,000 windows boxes, less than 20 have admin rights.
I run Windows Media Player on every machine we have, around 1,5000, and only a few have admin rights.
And these machines run the software as well as you can expect windows to work.
I can imagine the msoft managers talk from here: "look, we improved the security model so much you do no need to giv'em admin (cringes from the poor techies)". It's kind of revealing to learn that even msoft people were requiring admin rights. Talk about eating your own medicine. nuff said.
[Pruneau
I used to work nights as a Photoshop guy at a color pre-press shop in the burbs of Chicago. They had an SGI server running IRIX and the people that ran it were two guys that knew a little about computers. One used to be in the sales department, and the other guy's dad got him his job there straight out of high school. Neither one had any formal training in IT or even a basic computer course...let alone Unix security. To be fair, I wasn't a computer expert either, but I read a lot and knew a few things...but hardly an IT professional.
Anyway, when I first started there, I offered my help at night since they weren't there and sometimes it got slow in my department. They declined with an attitude of like "pfft....yeah, we're fine guy, just go away". So I did, and I didn't want to ruffle any feathers as I had just started there. But what I DID notice is that everything they did on the server they did in root mode. All the terminals were in root, all the back-ups they did were in root and even just normal maintenance was all done with root! Now, I thought that was basic 101 computer security and SAFETY not to do everything in root. Plus, none of the terminals were locked away in a room...anyone could walk up to any terminal and just start typing away, from the CEO to the janitor. I pointed out this very basic breach of security and again got the attitude of "we know what we're doing, go back to Photoshop"...so I did and kept my mouth shut.
Well, to make a long story longer, they had the whole system hacked into, a guy set up a spam-bot network using their equipment and T1 line....but did they lose their jobs? No, not at all...they actually got promoted later on, but it was pretty funny at the time.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
I suspect one of the other big reasons for this is it's cheaper to do a bare-bones re-install when the Windows box goes teets up than to have an admin action every user need that is required on a box where the user is actually treated as a user.
Imagine how many real-life admins you might need to handle the hour to hour needs of a company where access rights in Windows were restricted.
This of course applies to no company that does NOT run Windows. Almost any other company would be able to handle that easily.
Talk about hidden costs.
Luck favors the prepared, darling.
The employees instead of typing the admin password will actively look for holes to get the admin rights, spot them and eventually later patch them. Things like "cancel" button in Win98 login screen won't get overlooked :)
Anagram("United States of America") == "Dine out, taste a Mac, fries"
I don't think that can be true. Microsoft would be shooting itself in the foot if its own employees remained in the dark about what's going on in the real world.
You are not alone. This is not normal. None of this is normal.
Here's a partial list of programs that require admin rights to run (not merely install):
Here is a more complete list: http://www.pluralsite.com/wiki/default.aspx/Keith/HallOfShame.html
Not running as admin should have been eliminated back when multiple users were first introduced with NT.
But hey, from what I hear this new Vista OS will have new features like using config files instead of the registry, shell scripting, regular updates to keep the thing working via a paid subscription, and other nifty new things.
What's next? A web browser that is not integrated with the entire operating system?
Sure, that must be the reason
http://portableapps.com/apps/internet/browsers/portable_firefox
It comes with me everywhere I go (well, almost :-) )
Is there any reason not to use some kind of virtualization solution, and allow employees to "admin" their images, while forcing user privileges for the host operating system?
Except for device driver development (even USB and some other stuff would work correctly in a VM), are there any disadvantages?
Are there any OS developer situations that require the performance of native access at the same time as requiring administrator privileges?
The only arguments I can think of against this are developers that require close hardware access, but with paravirtualization solutions like Xen even that's not a big issue. Well, except on Windows, of course.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Good idea, but flawed from a security perspective:
If the idea of not having Admin rights is to keep virusX off the network, running Admin in a virtual machine just means virusX runs in the virtual machine & infects the virtual machines on the network: Stuff is still borked because all those developers have viruses on the virtual machines...
Note: Personally, I don't see developers wanting to develop in User-Mode. I also don't see why at least the non-developer staff is not running in User-Mode. (OK, realistically I do, but theoretically I don't.)
Even in cases where admin rights are necessary, virii and malware can be mitigated by a combination of tools. With Symantec AV, MS Defender, and a good firewall at the perimeter with content control, the only people who cause problems for me are bored users who get to sites that aren't on the content control deny list. Once I explain to their boss that they're paying me +$100 an hour to clean up a mess that could have been avoided if the employee was doing their god damn job instead of jacking off on someone else's time, the problem usually goes away.
When a workstation blows up, a re-image gets things up and running again in an hour or two.
Even though it's possible to work around the 'dangers' of admin rights, I do agree that it is a problem. Microsoft took a step in the right direction with the Windows XP RunAs. I've found that at my clients who have XP and need admin rights for a particular application, setting up a shortcut that uses the RunAs functionality gets the job done most of the time.
Seeing as they have already denied many rights to non-Microsoft people, they were looking for another segment of humans to restrict. It seems they have found it.
That's why we have instated a super-secure system. First of all, our su doesn't sit in /bin/su. Instead the file gets copied to a random place in the file system with a random filename at random intervals. Of course this is not logged, in order to improve security. Also, the only computer where it's possible to get root access at all (we use a special version of the Linux kernel that does not allow local users to become root and immediately detects any attempt to do so on all other computers) sits in an hermetically sealed room with three redundant sets of motion detectors that can only be disabled by the CEO, the CIO and our lawyer, respectively. A fourth set of motion detectors ensures that there is never more than one person in the room. The floor of the room is made up of 2x2" tiles, most of which are pressure sensitive and are not ever to be touched. The touchable tiles are dispersed in a semi-random pattern; the administrator has to know which ones are rigged, dancing a delicate ballet while passing the fifty meters between the door and the computer. Authorization itself requires the use of a special key, a keycard, two passphrases, a fingerprint, a tongue print, a retina scan, a blood sample, a sperm sample and a spoken passphrase, which is a tonguetwister in Frisian, spoken backwards. When in root mode the administrator has to press a key at least every five seconds but not faster than twice per second.
If at any point anything unusual is detected our sensitive corporate data is automatically protected from being compromised as C4 charges in the walls and floors are detonated, immediately annihilating the entire building and everything within ten meters of it.
Some say that our approach might be a bit too proactive, but =%&/(&%/%&$/"$?=(/)&%=/%/)+NO CARRIER
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)