18.10.56.3.3.1 (L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled'

Information

This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server.

UI Automation gives programs access to most UI elements, which allows use of assistive technology products like Magnifier and Narrator that need to interact with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI. For example, the local computer's Narrator and Magnifier clients can be used to interact with UI on a web page opened in a remote session.

The recommended state for this setting is: Disabled.

Note: Remote Desktop sessions don't currently support UI Automation redirection.

In a more security-sensitive environment, it is desirable to reduce the possible attack surface. UI Automation redirection within a Remote Desktop session is rarely needed and is not supported at this time, but explicitly disabling it removes an avenue for malicious activity that could otherwise become available once support is added, or be turned on by a later policy change.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow UI Automation redirection

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template TerminalServer.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
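The following PowerShell audit and remediation script is an added example for this control; it is not part of the CIS benchmark text or of any Microsoft tooling. The page lists only the Group Policy UI path, so the registry backing store is an assumption: the TerminalServer.admx template maps this policy to the REG_DWORD value EnableUiaRedirection under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, with 0 meaning Disabled. The function names and the GPO name used in the comments are hypothetical.

```powershell
# Added example (not from the CIS benchmark page): audit and remediate
# 'Allow UI Automation redirection' through its registry backing store.
# ASSUMPTION: TerminalServer.admx stores this policy as the REG_DWORD value
# EnableUiaRedirection under the Terminal Services policy key (0 = Disabled).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'EnableUiaRedirection'
$Expected  = 0   # 0 = Disabled (recommended), 1 = Enabled, absent = Not Configured

function Test-UiaRedirectionPolicy {
    # Returns an object describing whether the host is in the recommended
    # state: the value must be present AND 0. An absent value means
    # "Not Configured", which is a finding even though RDS does not currently
    # honour the redirection, because a later GPO or product update could
    # turn it on without anyone having chosen that explicitly.
    [CmdletBinding()]
    param()

    $actual = $null
    if (Test-Path -LiteralPath $PolicyKey) {
        $item = Get-ItemProperty -LiteralPath $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = [int]$item.$ValueName }
    }

    if ($null -eq $actual)  { $state = 'Not Configured' }
    elseif ($actual -eq 0)  { $state = 'Disabled' }
    elseif ($actual -eq 1)  { $state = 'Enabled' }
    else                    { $state = "Unexpected ($actual)" }

    [PSCustomObject]@{
        Control   = '18.10.56.3.3.1 Allow UI Automation redirection'
        Key       = $PolicyKey
        Value     = $ValueName
        Actual    = $state
        Expected  = 'Disabled'
        Compliant = ($actual -eq $Expected)
    }
}

function Set-UiaRedirectionDisabled {
    # Local remediation for a standalone host: writes the policy value directly.
    # Domain-joined hosts should receive it from a GPO instead; a direct write
    # is overwritten at the next policy refresh if a GPO sets it differently.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", "Set to $Expected (Disabled)")) {
        if (-not (Test-Path -LiteralPath $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $PolicyKey -Name $ValueName -PropertyType DWord `
                         -Value $Expected -Force | Out-Null
    }
}

# Usage (run from an elevated prompt):
#   Test-UiaRedirectionPolicy            # audit only
#   Set-UiaRedirectionDisabled -WhatIf   # show the change without making it
#   Set-UiaRedirectionDisabled           # remediate a standalone host
#   gpupdate /target:computer /force     # then re-run the audit
#
# Domain equivalent (RSAT GroupPolicy module; the GPO name is hypothetical):
#   Set-GPRegistryValue -Name 'CIS - RDS Device Redirection' `
#     -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
#     -ValueName 'EnableUiaRedirection' -Type DWord -Value 0
```

The audit treats "Not Configured" as non-compliant on purpose: the benchmark asks for an explicit Disabled, and only an explicit value survives the day Remote Desktop starts honouring the redirection. If the assumed value name does not match the TerminalServer.admx shipped in your environment, confirm it by opening the policy in gpedit.msc and comparing against the registry after a change, or by inspecting the template's `<policy>` element for this setting.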

Impact:

UI Automation clients on the local computer will not be able to interact with remote apps.

See Also

https://workbench.cisecurity.org/benchmarks/16913

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7

Plugin: Windows

Control ID: 0b7e61db5e80b605595d123529624207fad6c94c5f1463a40750e15c56f4690c