[Forgot Password]
Login  Register Subscribe

23631

 
 

126224

 
 

98250

 
 

909

 
 

79281

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-47225-8

Platform: win2016Date: (C)2017-08-03   (M)2017-10-16



"Always install with elevated privileges" Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. If you disable this setting or do not configure it, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: Skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. Vulnerability: Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities. Counter Measure: Configure the "Always install with elevated privileges" setting to "Disabled." Potential Impact: Windows Installer will apply the current user's permissions when it installs programs, this will prevent standard users from installing applications that affect system-wide configuration items.


Parameter: AlwaysInstallElevated


Technical Mechanism: Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Installer (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated

References:

Resource IdReference
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:40221


OVAL    1
oval:org.secpod.oval:def:40221
XCCDF    3
xccdf_org.secpod_benchmark_general_Windows_Server_2016
xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_Server_2016
xccdf_org.secpod_benchmark_PCI_3_2_Windows_Server_2016

© 2013 SecPod Technologies