When talking about matters of Windows security, it’s easy to fall into the trap of thinking there’s really not much positive to say, what with sneaky 2FA bypass attacks, critical vulnerability disclosures, and alerts regarding high-speed password hackers dominating the headlines. So, for a change, it’s nice to be able to inform my readers of a revolutionary update decision that is set to make Windows 11 accounts safer than ever before, without impacting usability. Here’s what you need to know.
The Revolutionary Windows 11 Security Update Decision
Revolutionary is a big word; it positively effuses import. “Something markedly new or introducing fundamental change” is the definition I like best, and it’s ideally suited to this latest Microsoft security decision when it comes to Windows 11. For years, security experts have advised users to set up two Windows accounts: an administrator one for when that level of privilege is required and a standard user account for daily use. That advice could soon be defunct. Microsoft has just introduced a new security twist with Windows 11 Insider Preview Build 27774 in the beta testing channel.
The feature involved is called Administrator Protection and the revolutionary decision is to make this available from the Windows Security settings rather than require assistance from IT support in organizations. “It also allows Windows home users to enable Administrator protection via Windows Security settings,” Microsoft said.
OK, so this may not sound like an earth-shattering update, but as someone who is always harping on about the need for security and usability to be treated as equals, I can assure you it is. Administrator Protection can now be enabled from Windows Security settings under the Account Protection tab. Sounds so simple, yet it’s so far-reaching from the account security perspective. With Administrator Protection activated, you can log in as an administrator, yet your account will only have standard privileges and permissions as the default. Yep, you read that right. The elevated permissions needed for system-level activities that require admin authorization are granted on a just-in-time basis and revoked once that authorization has been completed. Why is this so important? Because it reduces the attack surface, or rather the time that an attack window is open. An attacker with access to the admin account would still require further authentication, by way of Windows Hello, to be able to do anything of any criticality.