SCM2790f666953049c2bb1327728db1ee16

Monitor_SCM2790f666953049c2bb1327728db1ee16 (UnitMonitor)

This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system.

Knowledge Base article:

External

http://go.microsoft.com/fwlink/?LinkId=243138

Element properties:

Target: Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security
Parent Monitor: System.Health.ConfigurationState
Category: Alert
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.KnowledgeServices.Library.PowerShellMonitorEx
Remotable: True
Accessibility: Public
Alert Message:
User Account Control: Only elevate UIAccess applications that are installed in secure locations
<Details>
<Content>This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:

- …\Program Files\, including subfolders
- …\Windows\system32\
- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows

Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.

The options are:

- Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
- Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.

Consideration:
UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers, which transmit user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:

- To set the foreground window.
- To drive any application window using the SendInput function.
- To read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.
- To set journal hooks.
- To use AttachThreadInput to attach a thread to a higher integrity input queue.

Impact:
If the application that requests UIAccess meets the UIAccess setting requirements, Windows Vista starts the application with the ability to bypass most of the UIPI restrictions. If the application does not meet the security restrictions, the application will be started without UIAccess rights and can interact only with applications at the same or lower privilege level.

Recommendation:
Enable the User Account Control: Only elevate UIAccess applications that are installed in secure locations setting.

Group Policy Path:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations</Content>
<CollectedInformation>
<Info>
<Name>Recommended Value</Name>
<Value>Enabled</Value>
</Info>
<Info>
<Name>Actual Value</Name>
<Value>{0}</Value>
</Info>
</CollectedInformation>
</Details>
Run As: Default
Comment: SupportTopic=TBD;VersionNumber=1.0.0.1;

Source Code:

<UnitMonitor ID="Monitor_SCM2790f666953049c2bb1327728db1ee16" Comment="SupportTopic=TBD;VersionNumber=1.0.0.1;" Accessibility="Public" Enabled="true" Target="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="KnowledgeServicesLibrary!Microsoft.KnowledgeServices.Library.PowerShellMonitorEx" ConfirmDelivery="true">
<Category>Alert</Category>
<AlertSettings AlertMessage="MonitorMessage2790f666953049c2bb1327728db1ee16">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Error</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/Property[@Name='ActualValue']$</AlertParameter1>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>
<OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Error"/>
</OperationalStates>
<Configuration>
<ScriptName>SCM2790f666953049c2bb1327728db1ee16.ps1</ScriptName>
<Parameters>
<Parameter>
<Name>ActualValue</Name>
<Value>$Target/Property[Type="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security"]/UserAccountControlOnlyelevateUIAccessapplicationsthatareinstalledinsecurelocations$</Value>
</Parameter>
</Parameters>
<ScriptBody><Script>


param($ActualValue)

$ErrorActionPreference = "Stop"

# Set up the arguments
$scriptargs = new-object psobject
$scriptargs | add-member NoteProperty "ActualValue" $ActualValue

# Set up the output
$global:scriptoutput = new-object psobject
$scriptoutput | add-member NoteProperty "ActualValue" ""
# This setting has no unit suffix; the raw value is mapped to a friendly name instead
$unit = $null
$valueToFriendlyName = @{
    ""  = "[Setting Not Present]"
    "0" = "Disabled"
    "1" = "Enabled"
}

# Translates the collected value into the text shown as "Actual Value" in the alert
function AdvisorRule($scriptargs, $scriptoutput)
{
    $ActualValue = $scriptargs.ActualValue

    if ($null -ne $unit)
    {
        $scriptoutput.ActualValue = $ActualValue + $unit
    }
    else
    {
        $scriptoutput.ActualValue = $valueToFriendlyName.$ActualValue
    }
}

AdvisorRule $scriptargs $scriptoutput

# set the output
$mom = new-object -comobject "MOM.ScriptAPI"
$bag = $mom.CreatePropertyBag()

if ($null -ne $scriptoutput.ActualValue)
{
    $bag.AddValue("ActualValue", $scriptoutput.ActualValue)
}

$bag

</Script></ScriptBody>
<SnapIns/>
<TimeoutSeconds>300</TimeoutSeconds>
<Schedule>14403</Schedule>
<ErrorExpression>
<SimpleExpression>
<ValueExpression>
<Value Type="Integer">$Target/Property[Type="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security"]/UserAccountControlOnlyelevateUIAccessapplicationsthatareinstalledinsecurelocations$</Value>
</ValueExpression>
<Operator>NotEqual</Operator>
<ValueExpression>
<Value Type="Integer">1</Value>
</ValueExpression>
</SimpleExpression>
</ErrorExpression>
<SuccessExpression>
<Not>
<Expression>
<SimpleExpression>
<ValueExpression>
<Value Type="Integer">$Target/Property[Type="MicrosoftKnowledgeServicesSCMLibrary!Microsoft.KnowledgeServices.SCM.Windows.Server.2008.R2.Security"]/UserAccountControlOnlyelevateUIAccessapplicationsthatareinstalledinsecurelocations$</Value>
</ValueExpression>
<Operator>NotEqual</Operator>
<ValueExpression>
<Value Type="Integer">1</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Not>
</SuccessExpression>
</Configuration>
</UnitMonitor>
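
The monitor above goes to the Error state whenever the collected policy value is not 1. A local check with the same logic, plus a path test against the secure locations listed in the alert text, as an added example that is not part of the management pack. It assumes the policy is stored as the `EnableSecureUIAPaths` value under the `Policies\System` key; the function names, the choice to treat a missing value as non-compliant, and the sample path are constructed for this example.

```powershell
# Added example (not management pack code): audit the policy this monitor evaluates.
# Assumption: the policy is backed by the DWORD value EnableSecureUIAPaths in this key.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'EnableSecureUIAPaths'

function Get-SecureUIAPathsState {
    # Read the value without failing when the key or the value is absent
    $value = $null
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $value = $item.$PolicyName }

    # Same friendly names the monitor script uses for "", 0 and 1
    if     ($null -eq $value) { $friendly = '[Setting Not Present]' }
    elseif ($value -eq 0)     { $friendly = 'Disabled' }
    elseif ($value -eq 1)     { $friendly = 'Enabled' }
    else                      { $friendly = "Unexpected ($value)" }

    # Same rule as the ErrorExpression: anything other than 1 is an error.
    # Treating a missing value as an error is a choice made in this example.
    if ($value -eq 1) { $state = 'Success' } else { $state = 'Error' }

    New-Object psobject -Property @{ ActualValue = $friendly; HealthState = $state }
}

function Test-UIAccessSecureLocation([string]$Path) {
    # Plain string comparison against the locations listed in the alert text.
    # This is not the check Windows performs and it does not resolve links or junctions.
    $full = [System.IO.Path]::GetFullPath($Path)
    $dir  = [System.IO.Path]::GetDirectoryName($full)

    # Program Files trees: subfolders are included
    $trees = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $trees) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($full.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }

    # system32: the list names the folder without subfolders, so match the folder itself only
    $system32 = Join-Path $env:SystemRoot 'system32'
    return [string]::Equals($dir, $system32, [System.StringComparison]::OrdinalIgnoreCase)
}

Get-SecureUIAPathsState
Test-UIAccessSecureLocation 'C:\Program Files\Contoso\reader.exe'   # constructed sample path
```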