Microsoft has unveiled a noteworthy security enhancement in its latest preview version of Windows, designed to fortify local administrator privileges and significantly reduce the risk of privilege escalation exploits by cybercriminals. This new feature, termed Administrator Protection, transforms the process of elevating privileges from an unrestricted capability into a more controlled “just-in-time” event, thereby narrowing its scope.
The evolution of this feature marks a pivotal shift in how Windows manages administrator permissions. Previously reliant on a split-token model governed by the User Account Control (UAC) prompt, the new approach employs an isolated, shadow environment overseen by the system. This ephemeral shadow administrator account vanishes once the designated task is completed, complicating any attempts by cyberattackers to misuse elevated privileges for malicious purposes.
Rudy Ooms, a technical content creator at Patch My PC, elaborates on the implications of this feature. “The old legacy concept is that you have a split token, and it’s not that secure,” he explains. “With the new Administrator Protection, things change, and it completely reimagines this approach by eliminating the direct use of the split tokens, and replacing it with a hidden system-managed account.” This transition is expected to significantly hinder cyberattackers employing living-off-the-land techniques to escalate their privileges and commandeer administrator access on compromised systems.
Historically, post-compromise, attackers have leveraged common applications—such as PowerShell and system services—alongside administrative privileges to navigate laterally within networks. The introduction of Administrator Protection represents a strategic advancement in the ongoing effort by software firms to eradicate outdated trust models. This feature stands in stark contrast to the notorious Pass the Hash attacks, where attackers could gain elevated privileges without needing the administrator’s credentials. While attackers can still attempt to use the administrator’s credentials for privilege escalation, the window of opportunity has been significantly reduced.
Jason Soroko, a senior fellow at certificate management firm Sectigo, emphasizes the impact of this new feature on cyberattack strategies. “Attackers have to rethink all their old tricks,” he notes. “It impacts the ability for an attacker to be able to walk around as the administrator, and so ‘living off the land’ is less of a threat, because organizations have a lot of tools that are installed that are of great usage to the attacker.”
Administrators’ Split Personalities on Windows
Currently, Microsoft’s method for managing elevated privileges involves assigning administrator accounts a “split token.” By default, these accounts behave as standard users: their token carries the “TokenElevationTypeDefault” elevation type, which limits their privileges. When an action requiring administrative privileges is initiated, users must elevate their token to “TokenElevationTypeFull” via the User Account Control (UAC) feature. While the split token approach is beneficial, it is not without its vulnerabilities, as Ooms points out.
“The problem here is this approach keeps admin rights relatively hidden, but not inaccessible,” he explains. “Once the elevated admin token is activated, any malware running in the background can potentially hijack it and perform malicious actions. Essentially, while split tokens are better than running as an ‘always on’ admin, they are still vulnerable to those kinds of attacks.” With the implementation of Administrator Protection, users elevating their privileges will transition to an isolated, managed system administrator account, thereby safeguarding the administrator token.
“In my opinion, it will increase the security posture a lot because it reduces the attack surface,” Ooms adds, highlighting the potential benefits of this innovative feature.
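An added example, not code from the article or from Microsoft, showing how a defender can read the split-token state described above from a running PowerShell session. It assumes a Windows host and uses the documented Win32 `GetTokenInformation(TokenElevationType)` query; note that the API reports the filtered half of a split-token administrator as `TokenElevationTypeLimited`, and the three value names below are the ones defined in winnt.h.

```powershell
# Added example, not code from the article or from Microsoft: query the
# elevation type of the running PowerShell process token with the Win32 API
# GetTokenInformation(TokenElevationType), the property the split-token model
# is built on.
Add-Type -TypeDefinition @"
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class TokenQuery {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, out int info,
                                           int len, out int needed);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevationType = 18;   // TOKEN_INFORMATION_CLASS value
    public static int GetElevationType() {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new Win32Exception();
        try {
            int value, needed;
            if (!GetTokenInformation(token, TokenElevationType, out value, 4, out needed))
                throw new Win32Exception();
            return value;
        } finally { CloseHandle(token); }
    }
}
"@

# TOKEN_ELEVATION_TYPE values as defined in winnt.h
$meaning = @{
    1 = 'TokenElevationTypeDefault: no linked token (standard user, or UAC disabled)'
    2 = 'TokenElevationTypeFull:    the elevated half of a split-token administrator'
    3 = 'TokenElevationTypeLimited: the filtered half; UAC can elevate this session'
}
$elevation = [TokenQuery]::GetElevationType()
Write-Output "Current token elevation type $elevation -> $($meaning[$elevation])"

# Defender check: interactive shells should normally run with type 1 or 3.
# A type-2 token is the live admin token the article warns can be hijacked by
# anything else running in the session, so flag daily-use shells that carry it.
if ($elevation -eq 2) {
    Write-Warning 'This shell holds a full admin token; close it when the task is done.'
}
```

Running the script from a normal and from a UAC-elevated console shows the two halves of one split-token account side by side, which is the exposure Administrator Protection is meant to close.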
Purpose-Built Accounts, Better Monitoring
While Microsoft has refrained from commenting extensively on the feature, a spokesperson indicated that further details will be shared during the upcoming Microsoft Ignite technology conference in November. In the release notes for its Windows Preview, the company stated: “Administrator protection is an upcoming platform security feature in Windows 11, which aims to protect free-floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges.” It is worth noting that this feature is disabled by default and requires activation via group policy.
The introduction of this feature not only enhances system security but also provides a significant advantage for organizations monitoring account activity. Soroko notes, “If you’re monitoring privileged accounts, then your ability to monitor these short-lived privileged accounts and ensure they’re not engaging in unauthorized actions is much better. You are able to contextualize what that account was created for, so there’s now new opportunities for people who are defending.” This dual benefit of increased security and improved monitoring capabilities positions Administrator Protection as a crucial advancement in the realm of cybersecurity.