User Account Control: Only elevate UIAccess applications that are installed in secure locations

Information

User Account Control: Only elevate UIAccess applications that are installed in secure locations

This security setting will enforce the requirement that applications that request execution with a UIAccess integrity level (via a marking of UIAccess=true in their application manifest), must reside in a secure location on the file system. Secure locations are limited to the following directories:

- \Program Files\, including subdirectories
- \Windows\system32\
- \Program Files (x86)\, including subdirectories for 64 bit versions of Windows

Note: Windows enforces a PKI signature check on any interactive application that requests execution with UIAccess integrity level regardless of the state of this security setting.

The options are:

- Enabled: An application will only launch with UIAccess integrity if it resides in a secure location in the file system.

- Disabled: An application will launch with UIAccess integrity even if it does not reside in a secure location in the file system.

Default: Enabled

Solution

Policy Path: Security Options
Policy Setting Name: User Account Control: Only elevate UIAccess applications that are installed in secure locations

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(8), CSCv6|5.1

Plugin: Windows

Control ID: d035a8de2cf14bad2555f47bec3226500a2eceab7eefd6505ebf6a1fb6eb8ae4