Microsoft Previews New Windows Feature to Limit Admin Privileges

Microsoft has introduced a significant security upgrade in its latest preview edition of Windows that aims to lock down local administrator privileges, making it much harder for cyberattackers to exploit privilege escalation issues.

The feature, Administrator Protection, changes the ability to elevate privileges from a free-floating capability to a "just-in-time" event that is much more limited in scope. The coming feature shifts the way Windows handles administrator permissions, moving from a split-token model gated by the User Account Control (UAC) prompt to an isolated, shadow environment managed by the system. This shadow administrator account disappears as soon as the designated task is completed, making it much harder for a cyberattacker to abuse the administrator's elevated privileges for malicious actions.

The feature will limit the scope of an elevation of privileges for administrator-enabled accounts, says Rudy Ooms, a technical content creator at Patch My PC, who published a technical analysis of the feature.

"The old legacy concept is that you have a split token, and it's not that secure," Ooms says. "With the new Administrator Protection, things change, and it completely reimagines this approach by eliminating the direct use of the split tokens and replacing it with a hidden system, managed account."

The feature should make it much harder for cyberattackers using living-off-the-land techniques to elevate their privileges and co-opt administrator access on compromised systems. Post-compromise, most attackers use common applications — such as PowerShell and system services — paired with administrative privileges to move laterally.

The Administrator Protection feature is the latest tactic in software firms' push toward eliminating poor trust models in their software. It's also a dramatic improvement from the days of pass-the-hash attacks, where attackers could gain elevated privileges without knowing the administrator's credentials. With this new feature, attackers can still use the administrator's credentials to try to escalate privileges, but the window to do so is much smaller.

"Attackers have to rethink all their old tricks," says Jason Soroko, a senior fellow at certificate management firm Sectigo. "It impacts the ability for an attacker to be able to walk around as the administrator, and so living off the land is [less of a threat] because organizations have a lot of tools that are installed that are of great usage to the attacker."

Administrators' Split Personalities on Windows

Microsoft's current approach to handling elevated privileges is to give administrator accounts a "split token." The user account will by default be treated as a standard user — and with the same token, "TokenElevationTypeDefault" — limiting privileges. When a user attempts an action requiring administrative privileges, they must use the UAC feature to elevate their token to "TokenElevationTypeFull."

The split-token concept is a good approach, but it has problems, says Ooms.

"The problem here is this approach keeps admin rights relatively hidden but not inaccessible," he says. "Once the elevated admin token is activated, any malware running in the background can potentially hijack it and perform malicious actions. Essentially, while split tokens are better than running as an 'always-on' admin, they are still vulnerable to those kinds of attacks."

If Administrator Protection is enabled, users who elevate their privilege will switch to an isolated, managed system administrator account that protects the administrator token, according to Ooms's technical analysis.

"In my opinion, it will increase the security posture a lot because it reduces the attack surface," he says.

Purpose-Built Accounts, Better Monitoring

Microsoft declined to comment on the feature, but a spokesperson says the company plans to share more information at its Microsoft Ignite technology conference in November.

In the release notes for its Windows Preview, the company stated: "Administrator protection is an upcoming platform security feature in Windows 11, which aims to protect free floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and needs to be enabled via group policy."

While the feature will significantly improve system security, the instantiation and destruction of a shadow administrator account for specific tasks is also a boon to companies monitoring account activity, says Sectigo's Soroko.

"If you're monitoring privileged accounts, then your ability to monitor these short-lived privileged accounts and make sure they're not walking around doing something that they shouldn't [is much better]," he says. "You are able to contextualize what that account was created for, there's now new opportunities for people who are defending."