Details
Google Chrome can be set to run the remote assistance host in a process with uiAccess permissions. This allows remote users to interact with elevated windows on the local user’s desktop.
If this setting is disabled, the remote assistance host runs in the user’s context, and remote users cannot interact with elevated windows on the desktop.
The recommended state for this setting is: Disabled (0)
Rationale:
Remote users shall not be able to escalate privileges.
Impact:
None – This is the default behavior.
Solution
To establish the recommended configuration via Group Policy, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Remote access\Allow remote users to interact with elevated windows in remote assistance sessions
Default Value:
Unset (Same as Disabled, but user can change)
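An audit check for this setting, added here as an example and not part of the original benchmark text. The registry key and value name are assumptions taken from Chrome's published policy list, not from this page; Unset is reported as non-compliant because, as stated above, the user can still change it.

```powershell
# Added example: audit for the recommended state "Disabled (0)".
# ASSUMPTION (not on this page): the registry key and value name below come
# from Chrome's published policy list for this Group Policy setting.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$PolicyName = 'RemoteAccessHostAllowUiAccessForRemoteAssistance'

# Classify a raw registry value. $null means the value is not configured.
function Get-UiAccessPolicyState {
    param([AllowNull()][object]$Value)

    if ($null -eq $Value) {
        # Default: behaves like Disabled, but nothing enforces it.
        return [pscustomobject]@{ State = 'Unset'; Compliant = $false
            Note = 'Same as Disabled, but the user can change it' }
    }
    if ($Value -is [int] -and $Value -eq 0) {
        return [pscustomobject]@{ State = 'Disabled'; Compliant = $true
            Note = 'Host runs in the user context; no uiAccess' }
    }
    if ($Value -is [int] -and $Value -eq 1) {
        return [pscustomobject]@{ State = 'Enabled'; Compliant = $false
            Note = 'Remote users can interact with elevated windows' }
    }
    # Wrong type (e.g. a string) or an out-of-range number: flag for review.
    return [pscustomobject]@{ State = 'Unexpected'; Compliant = $false
        Note = "Unrecognised value: $Value" }
}

# Read the machine-level policy value and classify it.
function Test-ChromeUiAccessPolicy {
    $value = $null
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                             -ErrorAction SilentlyContinue
    if ($item) { $value = $item.$PolicyName }
    Get-UiAccessPolicyState -Value $value
}

# Constructed sample inputs showing each classification, then the live check.
foreach ($sample in @($null, 0, 1, 'yes')) {
    Get-UiAccessPolicyState -Value $sample
}
Test-ChromeUiAccessPolicy
```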
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.