18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'

Information

This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application.

The recommended state for this setting is: Disabled.

Rationale:

Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation

Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Default Value:

Disabled. (Users will be required to always type in a username and password to elevate.)

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CCE|CCE-35194-0, CSCv7|4.5

Plugin: Windows

Control ID: 0497ad0d4cba89635f560873004c44164c12ed5320ac128e75ac0faddc60433e