New Update Windows 11 Administrator Protection: Enhanced Security and User Considerations (25H2 Preview Feature)


ForgottenSeer 114717 (thread author):
Windows 11 Administrator Protection: Enhanced Security and User Considerations



What to do about those troublesome home users?



Other sources:

Enhance your application security with administrator protection
 

Security Gains: Theory Meets Practice

Administrator Protection’s headline advantage is clear—no more “always-on” or “auto-elevated” admin sessions. Microsoft touts several related benefits:
  • Block Unintentional or Malicious Changes: Users (or malware) can’t perform damaging actions without a fresh and deliberate approval step.
  • User Awareness: Frequent prompts, while potentially irritating, heighten awareness of when truly sensitive operations are taking place.
  • Precision Privilege: By ensuring that elevation is tied to specific, time-limited tasks rather than user sessions, the window for privilege escalation attacks is sharply reduced.
  • Malware Resistance: Malware that tries to exploit active admin tokens or piggyback on already-elevated processes will run into a brick wall, as no privileges persist automatically.

The last point is interesting. If it is true and unbypassable, the DLL injected by malware into an already running system process (like Svchost), will work only for a limited time. If so, then it will be an improvement over the Standard User Account. I would like to see the details to be sure if such a security design cannot be vulnerable to bypasses.
 
> The last point is interesting. If it is true and unbypassable, the DLL injected by malware into an already running system process (like Svchost), will work only for a limited time. If so, then it will be an improvement over the Standard User Account. I would like to see the details to be sure if such a security design cannot be vulnerable to bypasses.

Token theft and abuse is now one of the leading attack desired outcomes. The protection of tokens is inherently weak throughout the digital product landscape.

I have 25H2 and despite the various online resources that say the feature is available, enabling it with GPO does not correspond to the system protections and changes described in a few of the articles. It appears to me that the feature is not yet fully implemented or implemented to the extent that Microsoft wants to make it available in 25H2 yet per its marketing and DevBlog statements.

Just because Microsoft has repeatedly stated that 25H2 will have the feature - and enabled by default - even on Windows Home, does not mean that it will do so when 25H2 is initially released. Microsoft might reverse/remove the feature or wait a long while to fully implement it and make it General Availability (GA).

It is quite the challenge of sorting out what is what with Microsoft and its convoluted OS features.

¯\_(ツ)_/¯
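A practical check for the situation described in the post above, as an added PowerShell example (written for this page; not code from any poster and not Microsoft's): it reads the policy value that the GPO is supposed to set and then inspects the token of the current session, so an administrator can tell whether the machine is actually running with a standard-user token or still holds an always-on admin token. Assumptions, to be verified on your own build: the policy "User Account Control: Configure type of Admin Approval Mode" is stored as the DWORD `TypeOfAdminApprovalMode` under the UAC policy key, with 1 meaning legacy Admin Approval Mode and 2 meaning Admin Approval Mode with administrator protection; the "deny only" attribute text comes from `whoami` and is locale dependent.

```powershell
# Added example for this thread (not Microsoft's code, not from any post above).
# What it shows: (1) the configured Admin Approval Mode type, (2) whether the
# interactive session holds a full admin token or a filtered standard-user token.
#
# Assumptions (verify on your build): value name and meanings of 1/2 as described
# in the lead-in; group attribute strings from whoami are locale dependent.

$script:UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$script:ModeValue    = 'TypeOfAdminApprovalMode'

function Get-AdminApprovalModeState {
    # Returns the raw policy value and a human-readable label; never throws if
    # the value is absent (the build default then applies).
    $props = Get-ItemProperty -Path $script:UacPolicyKey -ErrorAction SilentlyContinue
    $raw = $null
    if ($props -and ($props.PSObject.Properties.Name -contains $script:ModeValue)) {
        $raw = $props.$($script:ModeValue)
    }
    if ($null -eq $raw)  { $label = 'not configured (build default applies)' }
    elseif ($raw -eq 1)  { $label = 'legacy Admin Approval Mode (assumed meaning)' }
    elseif ($raw -eq 2)  { $label = 'Admin Approval Mode with administrator protection (assumed meaning)' }
    else                 { $label = "unrecognised value $raw" }
    [pscustomobject]@{ RawValue = $raw; Mode = $label }
}

function Get-SessionTokenState {
    # whoami is built into Windows; /fo csv gives columns Group Name, Type, SID, Attributes.
    # In a filtered (non-elevated) token BUILTIN\Administrators (S-1-5-32-544) is still
    # listed but flagged "Group used for deny only", so membership cannot grant access.
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    [pscustomobject]@{
        User               = $identity.Name
        IsElevated         = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        AdminGroupPresent  = [bool]$adminRow
        AdminGroupDenyOnly = [bool]($adminRow -and ($adminRow.Attributes -like '*deny only*'))
        IntegrityLevel     = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'
    }
}

$mode  = Get-AdminApprovalModeState
$token = Get-SessionTokenState
"Configured mode  : $($mode.Mode)"
"Session user     : $($token.User)"
"Elevated         : $($token.IsElevated)"
"Admins deny-only : $($token.AdminGroupDenyOnly)"
"Integrity level  : $($token.IntegrityLevel)"
```

Reading the output: in an unelevated window the expected result is Elevated = False with the Administrators group present but deny-only, i.e. a standard-user token. If an unelevated window instead reports Elevated = True, the session is an always-on admin session and the feature is not in effect whatever the policy value says. Following the Microsoft description quoted in this thread, an elevated window under administrator protection runs under the separate hidden admin account, so the reported user should differ from the interactive account rather than being that account with a full admin token.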
 
> The last point is interesting. If it is true and unbypassable, the DLL injected by malware into an already running system process (like Svchost), will work only for a limited time. If so, then it will be an improvement over the Standard User Account. I would like to see the details to be sure if such a security design cannot be vulnerable to bypasses.

Do you think the Administrator Protection model actually prevents token duplication or impersonation across processes, or is the SMAA token still technically accessible to injected code if the process is alive?

It looks like the protection is more about reducing the time window, rather than truly isolating the token from being reused outside that short-lived context.
 
> Do you think the Administrator Protection model actually prevents token duplication or impersonation across processes, or is the SMAA token still technically accessible to injected code if the process is alive?
>
> It looks like the protection is more about reducing the time window, rather than truly isolating the token from being reused outside that short-lived context.

Administrator Protection feature is essentially an OS-level Just-In-Time (JIT) privilege escalation control. The SMAA is hidden and the token is auto-destructed upon completion of the privileged action.

Count on Black Hatters annihilating this new security feature as they discover vulns with it.

Since LLM/AI is little more than just a crawler, aggregator and repackager of information it is able to access or is fed, what is described below might or might not be entirely accurate or complete. The Microsoft team responsible for the creation and development of Administrator Mode have made no detailed statements as to the exact internals, and probably never will. Most everything below is pulled by LLM/AI from third party, unofficial non-Microsoft sources except for the generalized Windows Blog article released by M$ Enhance your application security with administrator protection.

The thing about official Microsoft sources of infos is that they are often high level with a paucity of details, and therefore often inadequate. But that is the Microsoft way when it comes to documentation.
 
> Administrator Protection feature is essentially an OS-level Just-In-Time (JIT) privilege escalation control. The SMAA is hidden and the token is auto-destructed upon completion of the privileged action.
>
> Count on Black Hatters annihilating this new security feature as they discover vulns with it.
>
> Since LLM/AI is little more than just a crawler, aggregator and repackager of information it is able to access or is fed, what is described below might or might not be entirely accurate or complete. The Microsoft team responsible for the creation and development of Administrator Mode have made no detailed statements as to the exact internals, and probably never will. Most everything below is pulled by LLM/AI from third party, unofficial non-Microsoft sources except for the generalized Windows Blog article released by M$ Enhance your application security with administrator protection.
>
> The thing about official Microsoft sources of infos is that they are often high level with a paucity of details, and therefore often inadequate. But that is the Microsoft way when it comes to documentation.

If the SMAA token really is isolated per process and auto-destructs cleanly, I guess it's a solid containment model.
But if there’s any way for injected code to duplicate or impersonate that token before destruction, the JIT model is only shortening the exposure window, not eliminating the class of attack. I guess the big "question" here is whether the token isolation is enforced at the kernel level (like through restricted handles/IPC), or if it’s just relying on lifecycle timing. I suppose that's where a Black Hat would poke first?
 
For now, talking about details is probably useless.
We will see soon if this security layer can be bypassed by modifying the HKLM Registry, Hive, adding Administrator scheduled tasks, replacing system files, etc.
We must remember that it cannot prevent application installations that can often require the above changes.
However, it looks like the attacks via code injections into the Administrative processes will be significantly reduced.
 
> If the SMAA token really is isolated per process and auto-destructs cleanly, I guess it's a solid containment model.
> But if there’s any way for injected code to duplicate or impersonate that token before destruction, the JIT model is only shortening the exposure window, not eliminating the class of attack. I guess the big "question" here is whether the token isolation is enforced at the kernel level (like through restricted handles/IPC), or if it’s just relying on lifecycle timing. I suppose that's where a Black Hat would poke first?

It is speculation, but certainly vulns with it will be discovered and exploited.

The feature is typical Microsoft development - release of a paucity of infos by Microsoft, then more infos by third parties, but then those infos don't match what one observes on Insider Builds (it's not in the test builds as shown in some articles). The article authors do not list the exact build number or Insider Channel that they are referencing/talking about. Typical online tech "journalism."

¯\_(ツ)_/¯
 