CCE-10684-9Platform: cpe:/o:microsoft:windows_server_2008:r2 | Date: (C)2012-03-13 (M)2023-07-04 |
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
The options are:
- Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
- Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
Countermeasure:
Enable the User Account Control: Run all users, including administrators, as standard users setting.
Potential Impact:
Users and administrators will need to learn to work with UAC prompts and adjust their work habits to use least privilege operations.
Parameter:
[enabled/disabled]
Technical Mechanism:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode
(2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System!EnableLUA
CCSS Severity: | CCSS Metrics: |
CCSS Score : 8.8 | Attack Vector: LOCAL |
Exploit Score: 2.0 | Attack Complexity: LOW |
Impact Score: 6.0 | Privileges Required: LOW |
Severity: HIGH | User Interaction: NONE |
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | Scope: CHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:8762 |