Intune: UAC Elevation Prompt For Administrators

💼 Management Summary

UAC elevation prompt for administrators = require consent for privileged operations; even admins must approve elevation (defense against malware running as admin).

Recommendation: IMPLEMENT
Risk without: High
Risk Score: 8/10
Implementation: 2h (tech: 1h)
Applies to:
✓ Windows 10
✓ Windows 11

UAC elevation = malware defense. Scenario: an admin browses the web → malicious site → drive-by download → malware. WITHOUT a UAC prompt: the malware runs as Admin (full system access, game over) and installs a rootkit, disables antivirus and creates backdoor accounts. WITH a UAC prompt: the malware requests elevation → the UAC dialog appears → the admin sees the suspicious request → DENY → malware blocked. Best practice: 'Prompt for consent on the secure desktop' (the UAC dialog runs in an isolated desktop session, so malware cannot click 'Yes' for you).

PowerShell Modules Required
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

UAC prompt modes: 'Elevate without prompting': no prompt (INSECURE, not recommended); 'Prompt for credentials': asks for a password (best for standard users); 'Prompt for consent': asks yes/no (recommended for admins); 'Prompt for consent on the secure desktop': isolated UAC (BEST, prevents UI automation attacks). Secure desktop: the UAC dialog is shown on a separate desktop that malware cannot interact with.

Requirements

  1. Intune subscription
  2. Windows 10/11
  3. Admin accounts (local/domain)

Implementation

Intune Settings Catalog: Local Policies Security Options → User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: 'Prompt for consent on the secure desktop' (most secure).
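To verify the effective setting on an enrolled device (for instance as an Intune detection script), the following added example, which is not part of the page's own elevation-prompt-admins.ps1, reads the ConsentPromptBehaviorAdmin and PromptOnSecureDesktop registry values that the policy above writes and maps them to the prompt modes listed earlier. The function names and the detection/remediation split are my own; the value-to-mode mapping follows Microsoft's documentation for this policy.

```powershell
# Added example (not the page's elevation-prompt-admins.ps1): check the effective UAC admin
# elevation prompt on a Windows device. The Intune setting 'Behavior of the elevation prompt
# for administrators in Admin Approval Mode' lands here as the DWORD ConsentPromptBehaviorAdmin.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented value-to-mode mapping for ConsentPromptBehaviorAdmin.
$AdminPromptModes = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
function Get-UacAdminPromptState {
    [CmdletBinding()]
    param([string]$Path = $UacKey)
    # A missing value means the Windows default (5) applies, not 'no prompt'.
    $item = Get-ItemProperty -Path $Path -Name 'ConsentPromptBehaviorAdmin' -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.ConsentPromptBehaviorAdmin } else { 5 }
    # PromptOnSecureDesktop = 0 pushes even mode 2 back onto the interactive desktop,
    # where UI-automation malware can reach the dialog, so check it as well (default 1).
    $sd = Get-ItemProperty -Path $Path -Name 'PromptOnSecureDesktop' -ErrorAction SilentlyContinue
    $secureDesktop = if ($null -ne $sd) { [int]$sd.PromptOnSecureDesktop -eq 1 } else { $true }
    $mode = if ($AdminPromptModes.ContainsKey($value)) { $AdminPromptModes[$value] } else { 'Unknown' }
    [PSCustomObject]@{
        Value         = $value
        Mode          = $mode
        SecureDesktop = $secureDesktop
        # This control requires consent on the secure desktop (2) with the secure desktop enabled.
        IsCompliant   = ($value -eq 2) -and $secureDesktop
    }
}

function Set-UacAdminPromptState {
    # Local remediation for a device the Intune policy has not reached yet; Intune will
    # enforce the same values once the Settings Catalog policy applies.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $UacKey)
    if ($PSCmdlet.ShouldProcess($Path, 'Set ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1')) {
        Set-ItemProperty -Path $Path -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
        Set-ItemProperty -Path $Path -Name 'PromptOnSecureDesktop' -Value 1 -Type DWord
    }
}

# Detection-script convention: exit 0 = compliant, exit 1 = remediation needed.
$state = Get-UacAdminPromptState
Write-Output ("UAC admin prompt: {0} ({1}), secure desktop: {2}" -f $state.Value, $state.Mode, $state.SecureDesktop)
if ($state.IsCompliant) { exit 0 } else { exit 1 }
```

Run it from an elevated session; `Set-UacAdminPromptState -WhatIf` shows the change without writing to the registry.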

Compliance

CIS Windows Benchmark L1, Microsoft Security Baseline, BIO 12.01, ISO 27001 A.12.6.2.

Monitoring

Use the PowerShell script elevation-prompt-admins.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script elevation-prompt-admins.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    UAC: Elevation Prompt for Administrators (Consent Prompt)
.DESCRIPTION
    CIS 2.17 | BIO 9.02 - UAC elevation prompt for admins
.NOTES
    Filename: elevation-prompt-admins.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
    CIS:      2.17
    BIO:      9.02
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'
$PolicyName = "UAC: Elevation Prompt for Administrators (Consent Prompt)"

function Connect-RequiredServices {
    # Reuse an existing Graph session; only sign in when there is none.
    if (-not (Get-MgContext)) {
        Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome | Out-Null
    }
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "elevation-prompt-admins"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Placeholder: the Intune policy query for this control is not implemented yet,
    # so the check always reports one non-compliant resource.
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    return $result
}

function Invoke-Remediation {
    # Placeholder: reports the steps but does not change any Intune configuration yet.
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    Write-Host "  Configuration applied" -ForegroundColor Green
    Write-Host "`nRemediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        }
        else {
            Invoke-Remediation
        }
    }
    elseif ($Revert) {
        Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
    }
    else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`nCOMPLIANT" -ForegroundColor Green
        }
        else {
            Write-Host "`nNON-COMPLIANT" -ForegroundColor Red
        }
    }
}
catch {
    Write-Error $_
}

Risk without implementation

High: No UAC prompt = malware runs as admin (full system compromise).

Management Summary

UAC elevation prompt for admins: 'Consent on secure desktop'. Malware defense. Implementation: 1-2 hours.