Title

Domain users must be required to elevate when setting a networks location. (Cat III impact)

Discussion

Selecting an incorrect network location may allow greater exposure of a system. Elevation is required by default on nondomain systems to change network location. This setting configures elevation to also be required on domain-joined systems.

Check Content

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ Value Name: NC_StdDomainUserSetLocation Type: REG_DWORD Value: 1

Fix Text

Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> "Require domain users to elevate when setting a network's location" to "Enabled".

Additional Identifiers

Rule ID: SV-225318r569185_rule

Vulnerability ID: V-225318

Group Title: SRG-OS-000134-GPOS-00068

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.