CCE-43619-6| Platform: cpe:/o:microsoft:windows_10 | Date: (C)2016-09-23 (M)2023-07-04 |
Disable: 'Enumerate administrator accounts on elevation'
By default, all administrator accounts are displayed when you attempt to elevate a running application.
Counter Measure:
Enable this policy.
Potential Impact:
If you enable this policy setting, all local administrator accounts on the machine will be displayed so the user can choose one and enter the correct password. If you disable this policy setting, users will be required to always type in a username and password to elevate.
Parameter:
[enable/disable]
Technical Mechanism:
(1) GPO: Computer ConfigurationAdministrative TemplatesWindows ComponentsCredential User InterfaceEnumerate administrator accounts on elevation
(2) REG: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesCredUIEnumerateAdministrators
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : 7.5 | Attack Vector: NETWORK |
| Exploit Score: 1.6 | Attack Complexity: HIGH |
| Impact Score: 5.9 | Privileges Required: LOW |
| Severity: HIGH | User Interaction: NONE |
| Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| | Confidentiality: HIGH |
| | Integrity: HIGH |
| | Availability: HIGH |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:35292 |
