Windows Server 2019 administrator accounts must not be enumerated during elevation.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-205714 | SRG-OS-000134-GPOS-00068 | WN19-CC-000240 | SV-205714r958518_rule | 2025-02-25 | 3 |
| Description |
|---|
| Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application. |
| ℹ️ Check |
|---|
| If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ Value Name: EnumerateAdministrators Type: REG_DWORD Value: 0x00000000 (0) |
| ✔️ Fix |
|---|
| Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled". |