2.8.2 Ensure 'Allow remote users to interact with elevated windows in remote assistance sessions' is set to 'Disabled'

Information

Google Chrome can be set to run the remote assistance host in a process with uiAccess permissions. This allows remote users to interact with elevated windows on the local user's desktop.

If this setting is disabled, the remote assistance host will run in the user's context. Furthermore, remote users cannot interact with elevated windows on the desktop.

The recommended state for this setting is: Disabled (0)

Rationale:

Remote users shall not be able to escalate privileges.

Impact:

None - This is the default behavior.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Remote access\Allow remote users to interact with elevated windows in remote assistance sessions

Default Value:

Unset (Same as Disabled, but user can change)

See Also

https://workbench.cisecurity.org/benchmarks/8691

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-17, 800-53|AC-17(1), 800-53|SC-7, 800-53|SI-4, CSCv7|12.12

Plugin: Windows

Control ID: 6dcd0b86ff4940de668db2f72f3ace4981cf1df6544a084d0d712f62c1206980