48.4 (L1) Ensure 'MSI Allow user control over installs' is set to 'Disabled'

Information

This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user.

The recommended state for this setting is: Disabled

In an enterprise-managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users any control over installs risks unapproved software being installed on, or removed from, a system, which could leave the system vulnerable to compromise.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled:

Microsoft App Store\MSI Allow user control over installs

Impact:

None - this is the default behavior.
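
A local check for the recommended state, as an added example that is not part of the benchmark or the audit plugin. It assumes the setting is backed by the Windows Installer policy registry value EnableUserControl under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer; the function name Get-MsiUserControlState is hypothetical.

```powershell
# Added audit example, not taken from the benchmark text.
# Assumption: the policy is enforced through the Windows Installer policy value
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\EnableUserControl (DWORD).
function Get-MsiUserControlState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        [string]$Name = 'EnableUserControl'
    )

    # Start from "no policy value present" and refine if the value exists.
    $state = 'NotConfigured'
    $value = $null

    if (Test-Path -LiteralPath $Path) {
        # A missing value raises an error; suppress it and treat it as NotConfigured.
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = $item.$Name
            $state = if ($value -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }

    # Only an explicit Disabled counts as compliant here. NotConfigured is reported
    # separately so a reviewer can tell an enforced setting from the default behavior.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $value
        State        = $state
        Compliant    = ($state -eq 'Disabled')
    }
}

# Run against the local machine and show the result.
Get-MsiUserControlState
```

A State of Enabled means users can change protected installation options and the profile is not being applied to this device.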

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10)

Plugin: Windows

Control ID: 187f841036f47b07964ea34cd6e2429d572d60f85b0aea34dccb90b41fed3894