Microsoft security function "Administrator Protection" can now be tried out

Microsoft wants to make Windows operation more secure. "Administrator Protection" is designed to protect against unauthorized admin access.

Person in front of computer wants to perform action, but security personnel stop them and check them first

(Image: Created with AI in Bing Designer by heise online / dmk)


Microsoft is making a new attempt to improve the security of Windows. The mechanism is called "Administrator Protection" and is designed to let users work with the lowest possible rights, protecting the computer from the unwanted consequences of malicious admin actions. If this sounds familiar: the User Account Control (UAC) feature in Windows Vista was originally intended to achieve the same thing. Microsoft later stopped officially classifying UAC as a security function and softened it to such an extent that admin rights were even granted automatically, occasionally to malware.

Before an administrative task such as software installation, there is a Windows Hello prompt with "Administrator Protection".

(Image: Microsoft)

Although the new function is similar, it differs significantly in key areas. With User Account Control, Windows asks for confirmation before some admin actions: it switches to an isolated desktop showing a dialog with an approve and a cancel button, and thus requests "protected" authorization for the action. "Administrator Protection" brings heavier artillery: authentication using Windows Hello is intended to ensure that only authorized persons actively approve the admin task. This is therefore authentication followed by authorization of the process.

According to Microsoft, the stricter controls are intended for all actions that require admin rights: software installation, changing system settings such as the time, changes to the registry, and access to sensitive data. Administrator Protection is intended to reduce the risk of users mistakenly making changes at system level, Microsoft writes in a tech community blog post. More importantly, the company adds, it helps to prevent malware from making secret and unnoticed changes to the system.


Administrator Protection is designed to implement the principle of least privilege. Users receive a low-privileged user token after logging on to Windows. If admin rights are required, Windows requires authorization for the operation. However, there is now a significant difference from User Account Control (in addition to authentication instead of just authorization): Windows creates a hidden, system-generated, profile-separated user account in order to generate an isolated admin token. Windows assigns this token to the requesting process and destroys it when the process is terminated. User Account Control (UAC), on the other hand, simply attached the administrative token to the logged-in account.

Microsoft clearly shows how Windows creates an isolated admin token for the process that requires admin rights.

(Image: Microsoft)

Administrator Protection ensures that the admin rights do not remain persistent. The entire process is repeated if users perform other tasks that require administrator rights.
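
The profile separation described above can be observed from inside a process. The following PowerShell sketch is an added example, not code from Microsoft or from the original article: it compares the account of the current process with the account that owns the desktop shell in the same session. It assumes that `explorer.exe` is the desktop shell of the interactive session.

```powershell
# Added example: does this process run under the same account as the desktop shell?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)

# True only if the Administrators group is enabled in this token (elevated).
$elevated = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Find the desktop shell of the session this process belongs to.
# Assumption: explorer.exe is the shell of the interactive session.
$sessionId = (Get-Process -Id $PID).SessionId
$shell = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
    Where-Object { $_.SessionId -eq $sessionId } |
    Select-Object -First 1

# Ask WMI for the SID of the account that owns the shell process.
$shellSid = if ($shell) {
    (Invoke-CimMethod -InputObject $shell -MethodName GetOwnerSid).Sid
} else {
    $null
}

$result = [pscustomobject]@{
    ProcessUser      = $identity.Name
    ProcessSid       = $identity.User.Value
    Elevated         = $elevated
    ShellSid         = $shellSid
    SeparateIdentity = ($null -ne $shellSid) -and
                       ($identity.User.Value -ne $shellSid)
    ProfilePath      = $env:USERPROFILE
}
$result | Format-List

if ($elevated -and $result.SeparateIdentity) {
    'Elevated under a different account than the desktop shell: ' +
    'consistent with a profile-separated admin token, or with ' +
    'credentials of another admin account having been entered.'
} elseif ($elevated) {
    'Elevated under the same account as the desktop shell: ' +
    'the admin token is attached to the logged-in account (classic UAC).'
} elseif ($null -eq $shellSid) {
    'Not elevated; no desktop shell found in this session to compare with.'
} else {
    'Not elevated: running with the low-privileged user token.'
}
```

Run it once in a normal console and once in a console started with "Run as administrator", then compare `ProcessSid` and `ProfilePath` between the two runs.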

Microsoft summarizes the architecture as follows: Just-in-time rights elevation ensures that users remain unprivileged and admin rights are only granted for the duration of an administrative task. Profile separation ensures that malware at user level cannot compromise the session with elevated rights. In Microsoft's own official words, the elevation of rights thus becomes a security restriction. In addition, there is no automatic elevation of rights; every admin action must be confirmed interactively. Administrators therefore retain full control and admin rights cannot be abused. Integration with Windows Hello further improves security.

Microsoft emphasizes that Administrator Protection is a security feature: "Administrator Protection introduces a new security barrier where we fix all reported security vulnerabilities. It should not be confused with User Account Control (UAC), which is more of a defense-in-depth feature," the Redmond-based company writes in the blog post.

Administrator Protection should be easy to activate in the local device settings and, for large-scale use in organizations, with Windows management tools such as Intune.

The new option can be found in "Settings" under "Privacy and security", "Windows security", "Account protection". "Administrator Protection" can be switched on or off there. The system must then be restarted for the change to take effect. In the group policies, the "User Account Control: Behavior of the elevation prompt for administrators running with Administrator protection" policy is responsible for the configuration; Microsoft wants to set it to "Prompt for credentials" by default. For MDM software such as Intune, Microsoft plans to offer an administrative template with the configuration option in the near future. The Redmond-based company points out that managed machines will also require a restart to activate a changed setting.

The function is currently available for Windows Insiders and is therefore limited to the Windows preview versions. It is an open question whether Microsoft will soften the function again in the future, as it did with User Account Control in the past. With UAC, Microsoft even built in automatic mechanisms that waved through the elevation of rights, because of the many dialogs requesting it during "normal work" on the computer. It is possible that, more than 15 years after the first attempts, the software has been programmed more cleanly so that systems protected in this way can be used without major restrictions.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.