If you enable this policy setting, users are required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. This means that before entering account and password information to authorize an elevation request, a user first need to press CTRL+ALT+DEL. Countermeasure: Enable this setting. Potential Impact: If you disable or do not configure this policy setting, users can enter Windows credentials within the user's desktop session, potentially allowing malicious code access to the user's Windows credentials.

[enabled/disabled]

(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Require trusted path for credential entry (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI!EnableSecureCredentialPrompting