Tim Anderson's ITWriting
![[Valid RSS]](valid-rss.png "Validate my RSS feed")
Tech writing blog
November 18, 2004Microsoft runs with local admin rightsPosted 2115 days ago on November 18, 2004Bob Davis is General Manager, Global Technology Services at Microsoft. "I manage all of our global infrastructure," he explained, in an interview at the IT Forum in Copenhagen. "We have around 60,000 employees and 300,000 devices." I asked Bob how many of Microsoft's staff typically run with local administrator rights on their workstations and laptops. "Almost everybody" was his response. "It's just the business we're in, software developers adding and removing their own software all the time. The only reason we'd move away from it is to demonstrate to other companies that you can. If we locked down the desktop we would not allow our company to be as agile. Especially when by and large the users at Microsoft are highly technical. We are a bit unique - I wouldn't advocate that for everyone." I'm not convinced by this line of reasoning. Let me put the case against. First, security issues are the number one problem faced by Microsoft's customers. In most organizations it is impossible to enforce best practice and to prevent users from opening attachments or clicking malicious web links, so running with limited permissions is critically important as a security measure. However, the Windows culture is against it. It's a culture that goes back to a time when many PCs were not even networked, let alone connected to the Internet. That absolutely has to change. Second, it should not be necessary to run with local admin rights as the norm, even if you are constantly adding and removing software. I'm not suggesting that users should be denied the ability to log on as administrator, or run applications as administrator when they need to. Rather, I'm suggesting that they should normally run with more limited permissions as a matter of fundamental best practice. The fact that someone like Bob Davis thinks this could impair the company's agility suggests that Windows does not make this as easy as it should. Microsoft thrives on being the first and best test environment for all its software; in my opinion, the culture of running with local admin rights will not change outside the company until it first changes within. |
Recent postsUsers plead with Borland to give up .NETIE7 to be released 18th October,... If Microsoft doesn't use UAC, why... Google's unsettling lack of direction Vista security: now prove it |
Re: Microsoft runs with local admin rights
Posted 2115 days ago by Wolfgang • • • ReplyI agree. For once, it would be very nice for Microsoft to acknowledge that Linux did something right: locking down the station. Sure, developers add and remove software from there system on a more regular basis than most other users. But that doesn't mean you have to run as admin all the time. Just elevate your runtime level to admin when you need to install or remove something and run as a normal user the rest of the time. Simple and effective.