As Microsoft moves its internal desktop systems to Windows Vista, it is
contemplating whether to change a long-running tradition and take administrator
rights away from its employees in order to improve security.
Microsoft installs early builds of its software in its own corporate systems
to ensure the products are thoroughly tested in a real-world environment. Vista,
the next update of the Windows operating system, is set for launch in
January next year.
Currently, the majority of Microsoft's employees enjoy full administrator
rights on their desktop PCs. That is an unusual practice in corporations, as it
makes it possible for people to install unauthorized software and introduce
unwanted pests such as spyware.
Mark Estberg, the director of Microsoft's internal security, told ZDNet
Australia at the AusCERT conference that a security feature in Vista called
User Access Control (UAC) could mean fewer employees have full administrator
rights over their PCs.
"We haven't made that final determination yet. We would like to absolutely
look at scenarios where we can look at elements of User Access Control--that is
the feature in Vista--so that we can start moving in that direction," Estberg
said.
"It is a tough balance, and every company has to decide what is right for
them," he added.
However, Estberg said that for the moment, Microsoft will continue to leave
the responsibility of installing software with its employees.
"At Microsoft, for a very large population of our employees, we have decided
that admin rights is the right balance for us," he said.
When asked what one thing he would change about Microsoft's internal IT
systems, Estberg said: "The thing that I would most like to change is driving
awareness of security accountability across individuals in the company."
Microsoft's employees provide an excellent test-bed for the company's
products, he said. By providing honest feedback, they also have an opportunity
to influence future products.
"The product groups obviously talk to customers and get a lot of feedback,
but we are very fortunate. One of the things that makes my job cool is that I
get to talk to the product groups early on and say, 'Look, from my perspective
and the job I do for Microsoft, here is what I need,'" Estberg said.
"That helps us have a say. So we run all the stuff early, but even more
importantly, we get to talk to them about what to build. The earlier on the
cycle we can get in, the better. It is nice to see things in Vista that we have
been talking about with them for a long time," he said.

No patch favors

When it comes to deploying patches, Microsoft's internal IT system does not
get any special favors or advance notice, Estberg said.
"We get the patches just like everybody else. There is a program whereby some
Microsoft customers get the patch slightly earlier than the rest of the world.
The agreement is...they are not allowed to deploy it broadly...but can provide
feedback to Microsoft. We belong to that program as well," he said.
Estberg believes he has a small advantage over other enterprise security
directors because he has the opportunity to learn about and put new products to
work before everyone else. However, he claims this does not help protect
Microsoft when it comes to the broader threat landscape.
"On the specific technology, we have a little bit of a head start, because we
are running the early builds. But with the broader security problem, we are just
like everybody else and struggling with the same things," he said.
"We are not smarter than any other enterprise in terms of knowing how to
address security. We are in the same boat as everyone else," he added.