Navigate

Check: WN12-CC-000118

Microsoft Windows Server 2012/2012 R2 Member Server STIG: WN12-CC-000118 (in versions v3 r7 through v2 r7)

Title

Nonadministrators must be prevented from applying vendor-signed updates. (Cat III impact)

Discussion

Uncontrolled system updates can introduce issues to a system. This setting will prevent users from applying vendor-signed updates (though they may be from a trusted source).

Check Content

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Microsoft\Windows\Installer\ Value Name: DisableLUAPatching Type: REG_DWORD Value: 1

Fix Text

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Prohibit non-administrators from applying vendor signed updates" to "Enabled".

Additional Identifiers

Rule ID: SV-225392r852224_rule

Vulnerability ID: V-225392

Group Title: SRG-OS-000362-GPOS-00149

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-001812	The information system prohibits user installation of software without explicit privileged status.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
CM-11 (2)	Prohibit Installation Without Privileged Status