by gsnedders 497 days ago
> a new "Adminless" account model with linux-like just-in-time escalation

This was the promise of User Account Control, was it not? Or does that just prompt for confirmation for various actions, without actually enforcing a security boundary?


The way I read it, the difference between existing UAC and "Adminless" is that with UAC the user is always in the Administrators group and UAC just unlocks an Administrator token/ACL temporarily to bestow the actual powers of the Administrators group. In "Adminless" the user is only a less privileged/low-privilege user, a new system-managed Admin User is created, and the new security boundary's prompts, instead of unlocking a temporary token/ACL, are more of a "runas" as the system-managed Admin User. It's similar to Linux sudo sending commands to the root account, where Linux doesn't have a token/ACL model that allows temporarily upgrading the existing user "in place". It's also similar to how Windows Admin security was managed pre-UAC in places that separated standard accounts and Admin accounts, and similar to how many corporations still manage security, with the difference being that the new "Adminless" admin account is system-owned (like the various internal service accounts), supposedly does not allow interactive login, and has no password, only a hardware security key (hence why the new security boundary requires Windows Hello unlocks every time, whereas UAC can be as subtle as Yes/No, depending on configuration/group policy).

"Adminless" is a funny name given that there's still an admin account involved; it's just an admin account that is, much more than before, not a user account but more like a service account.

UAC provides just-in-time elevation. The user belongs to the 'admin' group (aka wheel) and only receives an admin token when performing a task that requires elevation. Once the task is complete, the token is destroyed.
> Once the task is complete, the token is destroyed.

It's less granular than a task though, it's an execution context. If you're running Notepad++ and it wants to update, it requires an elevation. The installer is now running in an admin context and can do whatever it wants, once it's finished installing it usually asks if you want to launch Notepad++ again. At that point the installer running in the admin context can launch Notepad++ within that admin context.

Thus there's a potential for the admin context to persist indefinitely.

In my mind, task-based elevation is more granular. Something like "I need to write to the program files directory" and not a carte blanche "gimme admin access to do whatever the hell I want".
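An added example, not part of the thread, that makes the two points above observable on a UAC-enabled machine: first it inspects the calling process's own token to tell UAC's filtered token (Administrators present but "deny only") from a full Administrators token, then it starts a child PowerShell process and reports whether the child is elevated. Run it once from a normal shell and once from an elevated one; in the elevated run the plainly started child reports `True` with no further prompt, which is the "installer relaunches the app in the admin context" situation described in the comment. The scratch file under `$env:TEMP` and the function names are assumptions of this example.

```powershell
# Added example (not code from the thread). Requires Windows PowerShell 5.1 or
# PowerShell 7 on a UAC-enabled machine; the scratch path below is an assumption.

function Get-TokenElevationState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $adminSid  = [Security.Principal.SecurityIdentifier]::new(
        [Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # Under UAC a member of Administrators carries the group SID in BOTH of its
    # tokens. In the filtered token the SID is flagged "deny only", so IsInRole()
    # returns $false even though the SID is still listed in Groups.
    $inAdminGroup = $identity.Groups -contains $adminSid
    $isElevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User         = $identity.Name
        InAdminGroup = $inAdminGroup
        IsElevated   = $isElevated
        Token        = if ($isElevated)        { 'full Administrators token' }
                       elseif ($inAdminGroup) { 'UAC-filtered token (Administrators is deny-only)' }
                       else                   { 'standard user token' }
    }
}

function Start-ChildAndReportElevation {
    param([switch]$Elevate)   # -Elevate = "Run as administrator", i.e. a UAC prompt if not already elevated

    $resultFile = Join-Path $env:TEMP 'child-elevated.txt'   # assumed scratch location
    Remove-Item $resultFile -ErrorAction SilentlyContinue

    # The child records only whether its own token is elevated. It is passed as
    # -EncodedCommand to avoid any command-line quoting problems.
    $probe = @"
`$p = [Security.Principal.WindowsPrincipal]::new([Security.Principal.WindowsIdentity]::GetCurrent())
`$p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) | Set-Content -Path '$resultFile'
"@
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))
    $psArgs  = @('-NoProfile', '-NonInteractive', '-EncodedCommand', $encoded)

    if ($Elevate) {
        Start-Process powershell.exe -ArgumentList $psArgs -Verb RunAs -Wait
    } else {
        # No -Verb RunAs: the child simply inherits the parent's token, elevated or not.
        Start-Process powershell.exe -ArgumentList $psArgs -Wait
    }

    (Get-Content $resultFile) -eq 'True'
}

Get-TokenElevationState | Format-List
"child started plainly:        elevated = $(Start-ChildAndReportElevation)"
"child started with -Verb RunAs: elevated = $(Start-ChildAndReportElevation -Elevate)"
```

From an unelevated shell belonging to an Administrators member, the first line reports the UAC-filtered token, the plain child reports `False`, and the `-Verb RunAs` child reports `True` only after you accept the UAC prompt (cancelling it makes `Start-Process` throw). From a shell that is already elevated, both children report `True` and no prompt appears at all: elevation is a property of the process tree, not of any single operation, which is exactly why an elevated installer can hand a full admin token to whatever it launches next. If the UAC prompt switches to a different administrator account, the child's `$env:TEMP` differs and the result file will not be found, so run the example as the same user.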

Sorry, I'm confused. I can't figure out from your explanation how the new adminless just-in-time elevation is supposed to be different from UAC's just-in-time elevation?
As far as I can tell, the difference is this:

UAC is per-process and monotonic. Once elevated, the entire process stays elevated.

The new model is per-operation. Even if the same process has been allowed to elevate before, it must ask to do it again. I don't know how granular this is, and whether there's a grace period like sudo.

However, the biggest problem with UAC was that it was considered too noisy for the end user, leading to people just blindly accepting every dialog and Microsoft turning down the default level to the much less secure "don't always prompt". I don't know how this new model will address that problem; naively, it seems to be worse on this front.

Huh. In that case, the upthread commenter likening the new model to being more "linux-like" seems confusing.

Given that they didn't mention which Linux security model the new system was like, I presumed they meant the most commonly referenced model for performing administrative tasks: sudo/doas - which elevates a process for its entire runtime.

But if it's a per-operation model, I guess they might have been comparing it to the "desktop portal"/"policykit-dbus" model instead? Which does kind of fit, but I don't think is the security model that most people think of when someone says "linux-like just-in-time escalation"?