Microsoft wants more desktop business users to be '"standard" by cutting out the number of users with administation privileges.

The next generation of the company's Windows operating system, code-named Longhorn, will allow users to perform more tasks under the standard setting in an effort to reduce the amount of users running software under the administrative setting, said Brad Goldberg, general manager of Microsoft's Windows Client Business Group.

Doing so will reduce "the surface area of vulnerabilities" by limiting users' access to certain capabilities, Goldberg said.

The problem under current settings is that administrators who want to give users a few more capabilities only have the option of opening the door to full privileges.

Currently, under some Windows standard settings, users cannot load new software on a machine or make changes to Internet settings, for example. This prevents them from accidentally downloading malicious programs or opening the network up to attack.

But because of the limitations, around 80 percent of business users run Windows under administrative settings, Goldberg said.

Microsoft wants to reduce this number to around 20 percent under Longhorn by expanding standard users' capabilities while still protecting some functions that are best left in administrators' hands, he said.

For example, standard Longhorn users will be able to load new software onto their machines if they have a password giving them permission, Goldberg said.

"This is certainly a good move. It just means that Microsoft is being more proactive rather than relying on end users," said Mark Litchfield, a security consultant with Next Generation Security Software.
There's nothing you can't do on local machines with administrative privileges in terms of configuration, Litchfield said. By closing off some of these possibilities for desktop users, companies can reduce their exposure to security threats, he added.

New access controls are just one of a number of new security features Microsoft said it is building into Longhorn, due in the second half of 2006. The software maker leaked some details of its plans earlier this week at the Windows Hardware Engineering Conference in Seattle, such as secure startup. If a computer running Longhorn has been tampered with, secure startup protects user data.

But the initial release of Longhorn will not encompass all of the company's previously announced Next-Generation Secure Computing Base (NGSCB) security plans, company executives confirmed this week. NGSCB, which involved measures such as mapping hardware components to software, required too much work from independent software vendors and equipment manufacturers, according to Goldberg.

"They came back to us and said, let's rethink that," Goldberg said. Now the company is working on more software virtualisation, he said.