Information
This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user.
The recommended state for this setting is: Disabled.
Rationale:
In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise.
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Allow user control over installs
Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
Default Value:
Disabled. (The security features of Windows Installer will prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed.)
Additional Information:
This Benchmark Recommendation maps to:
Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 1, Release 13, Benchmark Date: May 15, 2020
Vul ID: V-73583
Rule ID: SV-88247r1_rule
STIG ID: WN16-CC-000450
Severity: CAT II