
Windows Administrator Protection – For those who Just. Can’t. Accept. Being a Standard user


Windows Administrator accounts have the highest level of access and control over the computer system, and are used to manage user accounts, install software, change system settings, and access all files. The power that the Administrator account wields means that these accounts are also highly targeted by hackers and malware. In short, you shouldn’t run a PC as Administrator UNLESS you are doing administrative tasks; otherwise, you should always run the PC as a standard user.

Back in the olden days (circa Windows 2000, Windows 98, etc.), if you were logged on to the PC as a standard user and needed to do an admin task, you had to first log off that account, then log on as the admin user, do whatever it was you needed to do, then log off the admin account and finally log back on as the standard user. This was time-consuming at best.

As such, most home users simply created an account with Admin rights to save the hassle (corporate systems should never allow standard users to log on as admin, so that doesn’t really apply here). This causes a problem. When you log on to a Windows PC with Administrator rights, every process run on that PC runs with high-level privileges, meaning that if a hacker gained access, they too would have those same high-level capabilities. If you acquire malware as Admin, then the malware would be able to operate with those same high-level capabilities.

Additionally, if you are signed in with an Admin account, tasks that require elevation can sometimes bypass any confirmation from the user and auto-elevate, which could pose a security risk even if the user knows what they’re doing. Most tasks do prompt the user for consent, but an ill-intended piece of malware could potentially bypass that and become a real threat.

To solve this problem, Microsoft rolled out User Account Control (UAC) with the release of Windows Vista / Windows Server 2008, a feature that has helped protect Windows accounts ever since.

With UAC, when a standard user needs to do an admin task, a pop-up appears on the desktop asking for the Admin credentials. Once they have been entered and authenticated, the process requiring higher-level privileges gains those rights whilst all other processes remain running as standard user. Once the task has completed, or the application being used as Admin is terminated, the process returns to running as a standard user.

UAC prompt for Admin credentials

This approach to access rights is much more convenient, as no logging off / on is required, and also safer, because only the minimal set of processes is given Admin rights, thus reducing the effect of any malicious actor if they were to gain access to the PC.

On a modern PC, there really is no excuse to be running as Admin anymore.

But some people just can’t help themselves. I don’t know whether it’s a feeling of insecurity not being Admin, or just laziness – but so many people run their PCs under the Administrator account.

It’s really not safe to do this, and Microsoft have finally come up with a solution – Windows Administrator Protection – Or more accurately Administrator Protection for Windows 11.

With this setting enabled, even administrator accounts now run most processes in a restricted manner and only use elevated permissions when necessary.

Administrator Protection turns administrator permissions into single-use tokens created on the spot whenever they are needed. So, when you are signed in with an administrator account, you still have standard permissions for most of the time. When you attempt to do anything that would typically require administrator rights, you will have to provide your credentials (by default) or simple consent to elevate the specified task. An administrator token is generated and used for that specific task and then discarded, which means you’ll need to provide consent again for any other task that requires elevation.

This new feature is also built on the idea of no auto-elevation being available by default. With this setting, any task that requires elevation will now require explicit consent from the user to be elevated, even if the user is already an administrator. That means no tasks should be able to secretly gain elevation without the user approving it.

Sounds good – How do I enable Admin protection?

Administrator protection is slowly being rolled out to most editions of Windows 11, and at some point, it will be enabled by default. However, at time of writing, it’s only available to those users who are on the Windows Insiders track.

You can enable the feature in one of two ways; the easiest is using the Windows Security app.

To do this, simply launch the app (search for Windows Security in the Start menu), and then choose Account protection. If the feature is available to you, you’ll see Administrator protection at the bottom of the page.

Click the option for Administrator Protection and then toggle the service on or off.

As an alternative to this (and more importantly for corporate systems), the feature can be enabled via group policy.
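For fleets managed by group policy, it helps to confirm what each machine actually ended up with. The PowerShell below is an added example, not part of the original post: it reads the UAC policy key and reports whether Administrator protection is configured and whether the current process is elevated. It assumes the policy is backed by the registry value `TypeOfAdminApprovalMode` (1 = legacy Admin Approval Mode, 2 = Administrator protection) under the standard UAC policy key; verify that name and data against Microsoft's policy documentation for your build. The function names are hypothetical.

```powershell
# Added example: audit the UAC / Administrator protection policy state.
# Assumption: the policy is stored in TypeOfAdminApprovalMode
# (1 = legacy Admin Approval Mode, 2 = Administrator protection).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-AdminProtectionState {
    $type = Get-UacPolicyValue -Name 'TypeOfAdminApprovalMode'
    $lua  = Get-UacPolicyValue -Name 'EnableLUA'   # 1 = UAC is on

    # IsInRole(Administrator) is only true when this process holds an
    # elevated token, so it doubles as an "am I elevated?" check.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($type -eq 2)     { $mode = 'Admin Approval Mode with Administrator protection' }
    elseif ($type -eq 1) { $mode = 'Legacy Admin Approval Mode (classic UAC)' }
    else                 { $mode = 'Not configured (classic UAC behaviour)' }

    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        User                    = $identity.Name
        UacEnabled              = ($lua -eq 1)
        ApprovalMode            = $mode
        AdministratorProtection = ($lua -eq 1 -and $type -eq 2)
        CurrentProcessElevated  = $elevated
    }
}

Get-AdminProtectionState | Format-List
```

Reading these values does not need elevation, so the check can run from a standard logon script or an inventory agent.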

So, in conclusion – for all those (me included) who just don’t feel right running as a standard user, running as Admin just got a whole lot safer.