48.5 (L1) Ensure 'MSI Always install with elevated privileges' is set to 'Disabled'

Information

This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system.

Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.

Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure.

The recommended state for this setting is: Disabled

Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled :

Microsoft App Store\MSI Always install with elevated privileges

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/16852

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(9), CSCv7|4.3

Plugin: Windows

Control ID: ab01f93ca294a7820fdb32c6afe0bb166eb30835552d2e2f7e18bedb488cad00