[Forgot Password]
Login  Register Subscribe












Paid content will be excluded from the download.

Download | Alert*
view XML


Platform: win2016Date: (C)2017-08-03   (M)2019-05-13

"Always install with elevated privileges" Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. If you disable this setting or do not configure it, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: Skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. Vulnerability: Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities. Counter Measure: Configure the "Always install with elevated privileges" setting to "Disabled." Potential Impact: Windows Installer will apply the current user's permissions when it installs programs, this will prevent standard users from installing applications that affect system-wide configuration items.

Parameter: AlwaysInstallElevated

Technical Mechanism: Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Installer (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated


Resource IdReference
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:40221

OVAL    1
XCCDF    5

© SecPod Technologies