CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Rationale:

Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: LocalAccountTokenFilterPolicy

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\MS Security Guide\Apply UAC restrictions to local accounts on network logons

Note: This Group Policy path does not exist by default. An additional Group Policy template ( SecGuide.admx/adml ) isrequired - it is available from Microsoft at this link.

Impact:

None - this is the default behavior.

Default Value:

Enabled. (UAC token-filtering is applied to local accounts on network logons. Membership in powerful groups such as Administrators and disabled and powerful privileges are removed from the resulting access token.)

References:

1. CCE-35486-0

526 | P a g e