A recent article over at ZDNet raised some interesting questions. I always take articles like this with a pinch of salt, but it doesn’t seem too far from what’s probably going.
First thing – Microsoft provides admin rights to the majority of users right across the enterprise. Flies in the face of security rule #1, that one. Very few users should actually need admin rights in my opinion, and it’s not hard work to develop structured GPO’s that provide the flexibility users require. If they’re requiring admin rights to install apps that otherwise don’t provide a valid MSI to install without privileged user rights, is that something you really want on the network? I wouldn’t.
Yes, for those in the development environment I can see the reasoning, but most others shouldn’t. Even I don’t log in with admin rights – maybe 5% of the time I log in with a dedicated admin account, then back to my normal, everyday account. How have they fully tested Vista’s User Access Control (UAC) on a large scale without even deploying it themselves? Would I be happy implementing such access control lists knowing Microsoft haven’t used them extensively? No. Seems a case of “Do as we say, not as we do”.
The second bit that stands out – their internal IT support doesn’t get advance warning of security patches and vulnerabilites. Is communication so lacking they don’t give their own boys a shout when problems arise? Especially in an environment where goodness knows what is being installed by your users, I would have thought patching vulnerabilities would be pretty important, and I’m amazed they don’t get early releases.
There’s still the argument of “Well, we set time aside each month to roll out security updates rather than delivering them as soon as they’re available”, but again, how can Microsoft ensure they aren’t going to break something by releasing fixes without patching large portions of their own network? Hands up who can name 5 security updates that then received updates themselves?
Although I run Linux exclusively on all my home machines, Windows still remains pretty much the only choice in our network environment, primarily because of the extensive control provided by GPO’s and the automatic deployment of OS updates across the network. Seems kinda ironic that Microsoft themselves don’t make as much use of their own major selling points!