Microsoft Debates Reducing Employee Admin Rights

First Microsoft made limited access the standard in Windows Vista, and now the company may choose to begin limiting its own employees' access to their PCs.

News spread quickly that the director of Microsofts internal security told a reporter at the AusCERT conference May 23 that Microsoft is considering limiting employees full admin rights to their desktop PCs.

Microsoft has always given the majority of its employees full admin rights on their desktop PCs, though this is unusual; most companies IT departments limit access in order to more easily manage the workstations under their jurisdiction.

"Were looking at what sort of permissions you have when doing certain things on computers," a Microsoft spokesperson told eWEEK. "You dont need full permissions to use the Web or to check your Hotmail."

The access standard the company is considering for its employees is related to one Microsoft is already planning to apply to its customers.

/zimages/4/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Expected to come as a built-in security advance in Vista, a feature called UAC (User Account Control) ensures that dangerous software cannot be involuntarily installed onto a system when a user runs the computer under a lesser privileged account.

"User Account Control makes it possible for organizations to deploy a more manageable and secure desktop in which end users can run as standard users (not administrators) and still be productive. The reality is most end users wont notice a difference when doing everyday tasks," a Microsoft spokesperson told eWEEK.

What were "limited" user accounts in Windows XP have become Windows Vistas "standard" accounts, though it is too soon to tell how Vista users will respond to the change.

The UAC feature, referred to in previous versions of Windows as User Access Protection, non-admin rights, minimum rights or the Least-Privileged User Account setting, is often overlooked by Windows users, despite its security advantages.

By working under a non-admin account, users can dodge attacks from those rootkits, keyloggers, spyware and viruses that can only latch on to an account with admin privileges. However, experts say the user adoption remains "frighteningly low."

In Vista, when a user attempts to install software, a prompt appears requesting the users admin credentials. This appears to be an improvement over Windows XP, which often went to an error screen when users lacked the proper credentials to complete a task.

Yet, some still object to standardizing limited user access because of the long list of programs that do not function without admin rights enabled.

"Ultimately, customers have a choice about how they want to use UAC in their organization in a way that best meets their needs," said a Microsoft spokesperson.

/zimages/4/28571.gifCheck out eWEEK.coms for Microsoft and Windows news, views and analysis.