Title

Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option. (Cat I impact)

Discussion

Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.

Check Content

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Type: REG_DWORD Value: 0x00000000 (0)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled".

Additional Identifiers

Rule ID: SV-205802r852503_rule

Vulnerability ID: V-205802

Group Title: SRG-OS-000362-GPOS-00149

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.