Microsoft considers taking admin rights from employees

As Microsoft moves its internal desktop systems to Windows Vista, the company is contemplating whether to change a long running tradition and take away admin rights from its employees in order to improve security.

Microsoft "eats its own dog food", which means it deploys early builds of its software internally to ensure the products are thoroughly tested in a real world environment.

Currently, the majority of Microsoft's employees enjoy full admin rights on their desktop PCs, which is an unusual practice in the enterprise space as it makes possible for users to install unauthorised software and introduce unwanted pests -- such as spyware.

On the second day of the AusCERT conference on the Gold Coast, the director of Microsoft's internal security, Mark Estberg, told ZDNet Australia that a security feature in Vista called User Access Control (UAC) could mean less employees have full admin rights over their PCs.

"We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control -- that is the feature in Vista -- so that we can start moving in that direction," said Estberg.

"It is a tough balance and every company has to decide what is right for them," said Estberg.

However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees.

"At Microsoft, for a very large population of our employees, we have decided that admin rights is the right balance for us," he said.

When asked about the one thing he would change about Microsoft's internal IT systems, Estberg said: "The thing that I would most like to change is driving awareness of security accountability across individuals in the company."

According to Estberg, Microsoft's employees provide an excellent test-bed for the company's products and by providing honest feedback, they also have an opportunity to influence future products.

"The product groups obviously talk to customers and get a lot of feedback but we are very fortunate. One of the things that makes my job cool is that I get to talk to the product groups early on and say, 'look, from my perspective and the job I do for Microsoft, here is what I need'.

"That helps us have a say. So we run all the stuff early but even more importantly, we get to talk to them about what to build. The earlier on the cycle we can get in the better. It is nice to see things in Vista that we have been talking about with them for a long time," said Estberg.

Patch Tuesday
When it comes to deploying patches, Microsoft's internal IT system does not get any special favours or advanced notice, according to Estberg.

"We get the patches just like everybody else. There is a program whereby some Microsoft customers get the patch slightly earlier than the rest of the world. The agreement is ... they are not allowed to deploy it broadly ... but can provide feedback to Microsoft -- we belong to that program as well," said Estberg.

Estberg believes he has a small advantage over other enterprise security directors because he has the opportunity to learn about and deploy new products in advance of everyone else. However, he claims this does not help protect the company when it comes to the broader threat landscape.

"On the specific technology we have a little bit of a head start because we are running the early builds but with the broader security problem, we are just like everybody else and struggling with the same things.

"We are not smarter than any other enterprise in terms of knowing how to address security. We are in the same boat as everyone else," he added.