Microsoft may restrict its workers' PC rights

It's considering cutting admin rights on internal desktops, meaning employees wouldn't be able to install any software they like.
Written by Munir Kotadia, Contributor

As Microsoft moves its internal desktop systems to Windows Vista, it is contemplating whether to change a long-running tradition and take administrator rights away from its employees in order to improve security.

Microsoft installs early builds of its software in its own corporate systems to ensure the products are thoroughly tested in a real-world environment. Vista, the next update of the Windows operating system, is set for launch in January next year.

Currently, the majority of Microsoft's employees enjoy full administrator rights on their desktop PCs. That is an unusual practice in corporations, as it makes it possible for people to install unauthorized software and introduce unwanted pests such as spyware.

Mark Estberg, the director of Microsoft's internal security, told ZDNet Australia at the AusCERT conference that a security feature in Vista called User Access Control (UAC) could mean fewer employees have full administrator rights over their PCs.

"We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control--that is the feature in Vista--so that we can start moving in that direction," Estberg said.

"It is a tough balance, and every company has to decide what is right for them," he added.

However, Estberg said that for the moment, Microsoft will continue to leave the responsibility of installing software with its employees.

"At Microsoft, for a very large population of our employees, we have decided that admin rights is the right balance for us," he said.

When asked what one thing he would change about Microsoft's internal IT systems, Estberg said: "The thing that I would most like to change is driving awareness of security accountability across individuals in the company."

Microsoft's employees provide an excellent test-bed for the company's products, he said. By providing honest feedback, they also have an opportunity to influence future products.

"The product groups obviously talk to customers and get a lot of feedback, but we are very fortunate. One of the things that makes my job cool is that I get to talk to the product groups early on and say, 'Look, from my perspective and the job I do for Microsoft, here is what I need,'" Estberg said.

"That helps us have a say. So we run all the stuff early, but even more importantly, we get to talk to them about what to build. The earlier on the cycle we can get in, the better. It is nice to see things in Vista that we have been talking about with them for a long time," he said.

No patch favors
When it comes to deploying patches, Microsoft's internal IT system does not get any special favors or advance notice, Estberg said.

"We get the patches just like everybody else. There is a program whereby some Microsoft customers get the patch slightly earlier than the rest of the world. The agreement is...they are not allowed to deploy it broadly...but can provide feedback to Microsoft. We belong to that program as well," he said.

Estberg believes he has a small advantage over other enterprise security directors because he has the opportunity to learn about and put new products to work before everyone else. However, he claims this does not help protect Microsoft when it comes to the broader threat landscape.

"On the specific technology, we have a little bit of a head start, because we are running the early builds. But with the broader security problem, we are just like everybody else and struggling with the same things," he said.

"We are not smarter than any other enterprise in terms of knowing how to address security. We are in the same boat as everyone else," he added.

Editorial standards