UAC Replacement? Understanding Windows 11's New Administrator Protection Feature
with Randy Franklin Smith, CEO, Monterey Technology Group, Inc. CISA, SSCP, Security MVP; Patrick Schneider, Sr. Solutions Architect
In this real training for free event, I will demonstrate the new Administrator Protection feature in Windows 11 Insider Preview Build 27718 (Canary Channel) and how it replaces the legacy User Account Control.
This matters because three well-established facts combine into a bitter irony in today's cyber security landscape:
A significant proportion of attacks begin on end-user workstations
A significant proportion of MITRE ATT&CK techniques require local admin authority
Most users have admin authority to their local Windows endpoint
This means that as soon as an attacker gains Execution (ATT&CK TA0002) on a user’s endpoint they automatically have a wide array of techniques available to them across the tactical spectrum.
Microsoft realizes this and has tried various ways to address it in Windows to reduce the threat of end-users with admin authority. For a while they attempted to make Windows privileges more granular to allow you to directly follow least privilege. In time they abandoned that course and introduced User Account Control (UAC).
With UAC, when a user who is a member of the local Administrators group logs on, Windows creates two logon sessions instead of one, using a method called a “split token”.
Background: Each logon session has an internal OS object called an access token (not to be confused with web access tokens in OAuth, etc.). The access token contains the SID of the user account itself and the SID of every local and domain group of which the user is a member, including groups the user belongs to by virtue of group nesting. Without UAC, the user logs on and gets one logon session and one access token; if they are an admin, that token includes the SID of the Administrators group, which allows them to directly perform any action requiring such authority.
But with UAC enabled, the user gets two logon sessions whose access tokens are identical except for one important difference: the main logon session lacks the SID of the Administrators group. When the user attempts to perform a privileged operation, Windows steps in and, according to User Account Control policy, may prompt the user for consent or for credentials (forcing the user to re-authenticate).
The idea is basically to prevent attackers who gain some kind of Execution (ATT&CK TA0002) access to silently perform privileged actions.
Unfortunately, you can’t always trust users to deny bogus UAC prompts and attackers have found other ways to defeat UAC.
So, Microsoft is introducing a new mode of UAC called Administrator Protection and relegating the current UAC behavior described above to “legacy” status.
If you are running Windows 11 24H2 you can already see this in the Group Policy UI but it’s not functional until canary build 27718.
Administrator Protection in Build 27718
Now Windows creates a system managed administrator account for each user belonging to Administrators. So, if your normal user account name is John you end up with another account named ADMIN_John. This system managed admin account shows up in some places and is hidden elsewhere.
Windows uses a more “just-in-time” and more isolated method for switching to this account than in UAC’s legacy mode. And in this webinar, I’ll dive into the details. The Windows Security Log is especially helpful in understanding the differences between UAC Legacy and Administrator Protection.
Using build 27718 I will show:
configuring Administrator Protection
performing a privileged operation using Administrator Protection
analyzing the logon events before and after
analyzing the account management events associated with the system-managed account
exploring other audit events impacted by UAC
comparing all these events to what we are used to seeing in UAC legacy
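As an added example (not code from the webinar or from BeyondTrust), the following PowerShell shows the split-token behaviour and the Security Log events discussed above: which of the two tokens the current shell holds, the linked pair of 4624 logon events, and the account-management trail of the system-managed account. It assumes a Windows 10/11 host where the user is a member of the local Administrators group and an elevated prompt for the log queries; the ADMIN_ prefix is the naming the page reports for build 27718.

```powershell
# Added example, not from the webinar or from BeyondTrust. Assumptions: Windows 10/11,
# the user is a local Administrators member, log queries run from an elevated prompt
# (reading the Security log requires it). ADMIN_ is the prefix the page reports for
# build 27718; adjust it if your build names the account differently.

# --- 1. Which of the two tokens is this shell using? ---------------------------
$id       = [Security.Principal.WindowsIdentity]::GetCurrent()
$prin     = [Security.Principal.WindowsPrincipal]$id
$adminSid = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators

# whoami /groups exposes the token's group attributes and its integrity label.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
$label  = $groups | Where-Object { $_.Type -eq 'Label' }

[pscustomobject]@{
    User            = $id.Name
    # In the filtered (non-elevated) token the Administrators SID is flagged
    # "Group used for deny only", so IsInRole() returns False even for an admin.
    UsableAdminSid  = $prin.IsInRole($adminSid)
    AdminSidAttribs = $admins.Attributes
    IntegrityLevel  = $label.'Group Name'   # ...\Medium vs ...\High Mandatory Level
} | Format-List

# --- 2. Linked logon-session pairs in the Security log -------------------------
# Each 4624 of a split pair carries TargetLinkedLogonId (its twin's logon ID) and
# ElevatedToken (%%1842 = Yes, %%1843 = No) telling you which one holds the SID.
# Under Administrator Protection, look for the ADMIN_<user> name in TargetUserName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 300 |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            User          = $d.TargetUserName
            LogonType     = $d.LogonType
            LogonId       = $d.TargetLogonId
            LinkedLogonId = $d.TargetLinkedLogonId
            Elevated      = ($d.ElevatedToken -eq '%%1842')
        }
    } |
    Where-Object { $_.LinkedLogonId -and $_.LinkedLogonId -ne '0x0' } |
    Sort-Object Time | Format-Table -AutoSize

# --- 3. Account-management trail of the system-managed account -----------------
# 4720 = "A user account was created"; the ADMIN_ account should show up here.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ADMIN_' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Run section 1 once from a normal prompt and once from an elevated one to see the same user name with different AdminSidAttribs and IntegrityLevel values.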
At the end of the day, however, UAC in any mode only gets you so far in addressing the dreadful need to better handle endpoint privilege management. I believe you will enjoy seeing what a mature EPM solution can do, and Sr. Solutions Engineer Brian Kelly from our sponsor BeyondTrust will show you how their comprehensive endpoint privilege management solution can help you:
Reduce attack surface: Limit user privileges and control application access.
Prevent lateral movement: Secure endpoints across various platforms.
Enhance security: Protect critical systems and sensitive data.
Meet the Presenters
Randy Franklin Smith
CEO, Monterey Technology Group, Inc. CISA, SSCP, Security MVP
Randy Franklin Smith is an internationally recognized expert who specializes in the security and control of Windows and Active Directory. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies and national and international organizations.
Patrick Schneider
Sr. Solutions Architect
Patrick Schneider is a Senior IGA professional, with 30 years of experience in the Information Technology industry. Prior to joining BeyondTrust as a Senior Solutions Architect, Patrick was a Senior Solutions Engineer for the Security portfolio of a major IAM solutions provider. Patrick holds many industry certifications such as Comptia+, MCP, Certified Directory Engineer, Certified Linux Engineer and more.