Intune: UAC Elevation Prompt For Standard Users

💼 Management Summary

UAC elevation prompt for standard users = require ADMIN credentials for privileged operations. Standard users CANNOT elevate without an admin password.

Recommendation
IMPLEMENT
Risk without
High
Risk Score
8/10
Implementation
3h (tech: 1h)
Applies to:
✓ Windows 10
✓ Windows 11

Standard users = least privilege. Principle: daily work is done as a standard user (no admin rights); privileged operations (software installation, system changes) require admin credentials.

UAC for standard users, malware scenario: user browses → malware is downloaded → elevation required → UAC: 'Enter admin password'. A standard user has no admin password → cannot elevate → malware is blocked.

Defense: malware cannot silently gain admin rights (unlike 'Elevate without prompting').

PowerShell Modules Required
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

UAC standard user modes: 'Automatically deny': no elevation at all (strongest, but blocks legitimate admin tasks); 'Prompt for credentials': ask for an admin username and password (RECOMMENDED); 'Prompt for credentials on the secure desktop': isolated prompt (BEST, prevents credential theft). Best practice: 'Prompt for credentials on the secure desktop' (the admin must supply credentials in an isolated session).

Requirements

  1. Intune subscription
  2. Windows 10/11
  3. Users: Standard user accounts (NOT local admin)
  4. Helpdesk: Admin credentials available

Implementation

Intune Settings Catalog: Local Policies Security Options → User Account Control: Behavior of the elevation prompt for standard users: 'Prompt for credentials on the secure desktop'.
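As an added example (not the baseline's own script), the PowerShell below reads the local registry value that this policy writes and reports which of the three modes is in effect, so a device can be checked before and after assignment, for instance as an Intune detection script. The registry path and value mapping are documented Windows behaviour; the function names are my own.

```powershell
# Added example: report the active UAC elevation mode for standard users on this device.
# This is the value the 'Behavior of the elevation prompt for standard users' policy writes.
$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacValue = 'ConsentPromptBehaviorUser'

# Documented ConsentPromptBehaviorUser values (2 is not defined for this setting).
$ModeNames = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'   # recommended on this page
    3 = 'Prompt for credentials'
}
$RecommendedMode = 1

function Get-StandardUserElevationMode {
    # Returns the numeric mode, or $null when the value is absent (Windows default behaves as 3).
    $item = Get-ItemProperty -Path $UacKey -Name $UacValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$UacValue
}

function Test-StandardUserElevationMode {
    param([int]$Expected = $RecommendedMode)
    $mode  = Get-StandardUserElevationMode
    $label = "unknown value $mode"
    if ($null -eq $mode) {
        $label = 'not configured (Windows default: Prompt for credentials)'
    }
    elseif ($ModeNames.ContainsKey($mode)) {
        $label = $ModeNames[$mode]
    }
    [PSCustomObject]@{
        Setting     = $UacValue
        Current     = $mode
        Description = $label
        Expected    = $Expected
        IsCompliant = ($mode -eq $Expected)
    }
}

# Detection-script style usage: show the result and signal compliance via the exit code
# (0 = compliant, 1 = remediation needed).
$check = Test-StandardUserElevationMode
$check | Format-List
if ($check.IsCompliant) { exit 0 } else { exit 1 }
```

A device that still reports mode 3 after the policy is assigned has not yet received or applied the Settings Catalog profile.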

Compliance

CIS Windows Benchmark L1, Microsoft Security Baseline, BIO 09.02, ISO 27001 A.9.2.3.

Monitoring

Use the PowerShell script elevation-prompt-standard-users.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script elevation-prompt-standard-users.ps1 (function Invoke-Remediation) to remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    UAC: Elevation Prompt for Standard Users (Auto Deny)
.DESCRIPTION
    CIS 2.19 | BIO 9.02 - UAC elevation prompt for standard users (auto deny)
.NOTES
    Filename: elevation-prompt-standard-users.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
    CIS:      2.19
    BIO:      9.02
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference     = 'Continue'
$PolicyName            = "UAC: Elevation Prompt for Standard Users (Auto Deny)"

# Connect to Microsoft Graph when there is no active session yet.
function Connect-RequiredServices {
    if (-not (Get-MgContext)) {
        Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome | Out-Null
    }
}

# Build the compliance result object. The policy lookup itself is still a placeholder,
# so the result is always reported as non-compliant.
function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "elevation-prompt-standard-users"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    return $result
}

# Apply the configuration. Placeholder: only reports progress, no policy is written yet.
function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    Write-Host "  Configuration applied" -ForegroundColor Green
    Write-Host "`nRemediation completed" -ForegroundColor Green
}

# Run the compliance check and print a summary.
function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        }
        else {
            Invoke-Remediation
        }
    }
    elseif ($Revert) {
        Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
    }
    else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`nCOMPLIANT" -ForegroundColor Green
        }
        else {
            Write-Host "`nNON-COMPLIANT" -ForegroundColor Red
        }
    }
}
catch {
    Write-Error $_
}

Risk without implementation

High: if standard users can elevate, malware gains admin rights.

Management Summary

UAC standard users: 'Prompt for credentials on the secure desktop'. Malware cannot elevate. Admin password required. Implementation: 1-3 hours.