- Windows 11 has provided a hardware security baseline for Microsoft, with features that require hardware support (HVCI, TPM etc) to be enabled by default going forward, stating that Windows 10 strategy of off-by-default was a failure.
- Admin accounts are a continued security problem within the Windows ecosystem, so a future version of Windows will be adding a new "Adminless" account model with linux-like just-in-time escalation. This new model intends to provide a secure middle-ground between the frustrations of a standard user account and the security risks of an Admin account. "Adminless" accounts will run as a "less privileged" user by default and prompt users with Windows Hello when an application requires escalation for a given operation, rather than permanently running the account as a standard or admin user.
- Win32 Applications will be bundled under the new Win32 App Isolation model, which provides the security benefits of UWP sandboxing & clean uninstalls without the API limitations of UWP. Developers will be able to specify what privileges an application requires, much like other application platforms. A demo was shown of Notepad++ running under this sandbox model with minimal modification.
-TPMs within the ecosystem are not in a healthy state, with telemetry telling Microsoft that many are running vulnerable firmware due to manufactures not pushing out updates, and some being inoperable due to hardware failures or other issues. Microsoft is working on its Pluton security chip to replace/augment the existing TPM ecosystem and have the ability to push out firmware updates via Windows Update.
- Software/Hardware mitigations are reaching the end of the road in terms of viability. Microsoft is now focused on eliminating classes of security bugs with extensive R&D going into the use of Memory-safe languages (Rust) in areas of the system that exploits often appear in.
> a new "Adminless" account model with linux-like just-in-time escalation
This was the promise of User Account Control, was it not? Or does that just prompt for confirmation for various actions, without actually enforcing a security boundary?
The way I read it, the difference between existing UAC and "Adminless" is that the user is always in the Administrators group and UAC just unlocks an Administrator token/ACL temporarily to bestow the actual powers of the Administrators group. In "Adminless" the user is only a less privileged/low privilege user, a new system-managed Admin User is created, and the new security boundary prompts instead of unlocking a temporary token/ACL are more "runas" the system-managed Admin User. It's similar to Linux sudo sending commands to the root account, where Linux doesn't have a token/ACL model that allows temporarily upgrading the existing user "in place". It's also similar to how Windows Admin security was managed pre-UAC in places that separated standard accounts and Admin accounts, and similar to how many corporations still manage security, with the difference being that the new "Adminless" admin account is system owned (like the various internal service accounts), supposedly does not allow interactive login, has no password only a hardware security key (hence why the new security boundary requires Windows Hello unlocks every time, versus UAC can be as subtle as Yes/No, depending on configuration/group policy).
"Adminless" is a funny name given that there's still an admin account involved, it's just an admin account that is much more than before not a user account but more like a service account.
UAC provides just-in-time elevation. The user belongs to the 'admin' group (aka wheel) and only receives an admin token when performing a task that requires elevation. Once the task is complete, the token is destroyed.
> Once the task is complete, the token is destroyed.
It's less granular than a task though, it's an execution context. If you're running Notepad++ and it wants to update, it requires an elevation. The installer is now running in an admin context and can do whatever it wants, once it's finished installing it usually asks if you want to launch Notepad++ again. At that point the installer running in the admin context can launch Notepad++ within that admin context.
Thus there's a potential for the admin context to persist indefinitely.
In my mind, tasked based elevation is more granular. Something like "I need to write to the program files directory" and not a carte blanche "gimmie admin access to do whatever the hell I want".
Sorry, I'm confused. I can't figure out from your explanation how the new adminless just-in-time elevation is supposed to be different from UAC's just-in-time elevation?
UAC is per-process and monotonic. Once elevated, the entire process stays elevated.
The new model is per-operation. Even if the same process has been allowed to elevate before, it must ask to do it again. I don't know how granular this is, and whether there's a grace period like sudo.
However, the biggest problem with UAC was that it was considered too noisy for the end user, leading to people just blindly accepting every dialog and Microsoft turning down the default level to the much less secure "don't always prompt". I don't know how this new model will address that problem; naively, it seems to be worse on this front.
Huh. In that case, the upthread commenter likening the new model to being more "linux-like" seems confusing.
Given that they didn't mention which Linux security model the new system was like, I presumed they meant the most commonly referenced model for performing administrative tasks: sudo/doas - which elevates a process for its entire runtime.
But if it's a per-operation model, I guess they might have been comparing it to the "desktop portal"/"policykit-dbus" model instead? Which does kind of fit, but I don't think is the security model that most people think of when someone says "linux-like just-in-time escalation"?
> Win32 Applications will be bundled under the new Win32 App Isolation model, which provides the security benefits of UWP sandboxing & clean uninstalls without the API limitations of UWP.
Wow that thing they probably should've been doing in the first place. I'll be curious if it'll end up as a supervisor (AI) model or if each program will have its own scope of a file system. The latter of course will be very tricky with how intertwined legacy software can be for file and registry access.
