Microsoft to take away staff admin rights?

As Microsoft moves its internal desktop systems to Windows Vista, it is contemplating whether to change a long-running tradition and take administrator rights away from its employees in order to improve security.

Microsoft installs early builds of its software in its own corporate systems to ensure the products are thoroughly tested in a real-world environment. Vista, the next update of the Windows operating system, is set for launch in January next year.

Currently, the majority of Microsoft's employees enjoy full administrator rights on their desktop PCs. That is an unusual practice in corporations, as it makes it possible for people to install unauthorised software and introduce unwanted pests such as spyware.

Mark Estberg, the director of Microsoft's internal security, told silicon.com sister site ZDNet Australia at the AusCERT conference that a security feature in Vista called User Access Control (UAC) could mean fewer employees have full administrator rights over their PCs.

Estberg said: "We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control - that is the feature in Vista - so that we can start moving in that direction."

He added: "It is a tough balance, and every company has to decide what is right for them."

However, Estberg said that for the moment Microsoft will continue to leave the responsibility of installing software with its employees. "At Microsoft, for a very large population of our employees, we have decided that admin rights is the right balance for us," he said.

When asked what one thing he would change about Microsoft's internal IT systems, Estberg said: "The thing that I would most like to change is driving awareness of security accountability across individuals in the company."

Microsoft's employees provide an excellent test-bed for the company's products, he said. By providing honest feedback, they also have an opportunity to influence future products.

He added: "The product groups obviously talk to customers and get a lot of feedback but we are very fortunate. One of the things that makes my job cool is that I get to talk to the product groups early on and say, 'Look, from my perspective and the job I do for Microsoft, here is what I need'.

"That helps us have a say. So we run all the stuff early but even more importantly, we get to talk to them about what to build. The earlier on the cycle we can get in, the better. It is nice to see things in Vista that we have been talking about with them for a long time."

When it comes to deploying patches, Microsoft's internal IT system does not get any special favours or advance notice, Estberg said.

He said: "We get the patches just like everybody else. There is a programme whereby some Microsoft customers get the patch slightly earlier than the rest of the world. The agreement is... they are not allowed to deploy it broadly... but can provide feedback to Microsoft. We belong to that programme as well."

Estberg believes he has a small advantage over other enterprise security directors because he has the opportunity to learn about and put new products to work before everyone else. However, he claims this does not help protect Microsoft when it comes to the broader threat landscape.

He said: "On the specific technology, we have a little bit of a head start, because we are running the early builds. But with the broader security problem, we are just like everybody else and struggling with the same things."

Estberg added: "We are not smarter than any other enterprise in terms of knowing how to address security. We are in the same boat as everyone else."

Munir Kotadia writes for ZDNet Australia