Information
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application.
The recommended state for this setting is: Disabled.
Rationale:
Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts.
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation
Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Default Value:
Disabled. (Users will be required to always type in a username and password to elevate.)
Additional Information:
Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 2, Release 2, Benchmark Date: May 04, 2021
Vul ID: V-224935
Rule ID: SV-224935r569186_rule
STIG ID: WN16-CC-000280
Severity: CAT II
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1
Control ID: 1e002dfe02c71adbf0a71fcf26f533ccea694be7d50a7a6c6c8caa34b5061c12