|Platform: win2016||Date: (C)2017-08-03 (M)2018-04-10|
"Always install with elevated privileges"
Directs Windows Installer to use system permissions when it installs any program on the system.
This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.
If you disable this setting or do not configure it, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.
Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.
Caution: Skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure.
Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities.
Configure the "Always install with elevated privileges" setting to "Disabled."
Windows Installer will apply the current user's permissions when it installs programs, this will prevent standard users from installing applications that affect system-wide configuration items.
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Installer
(2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated
|SCAP Repo OVAL Definition||oval:org.secpod.oval:def:40221|