← Back to Microsoft Windows 11 Security Technical Implementation Guide

V-253359

CAT II (Medium)

Run as different user must be removed from context menus.

Rule ID

SV-253359r958478_rule

STIG

Microsoft Windows 11 Security Technical Implementation Guide

Version

V2R7

CCIs

CCI-000381

Discussion

The "Run as different user" selection from context menus allows the use of credentials other than the currently logged on user. Using privileged credentials in a standard user session can expose those credentials to theft. Removing this option from context menus helps prevent this from occurring.

Check Content

If the following registry values do not exist or are not configured as specified, this is a finding.
The policy configures the same Value Name, Type and Value under four different registry paths.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Paths: 
\SOFTWARE\Classes\batfile\shell\runasuser\
\SOFTWARE\Classes\cmdfile\shell\runasuser\
\SOFTWARE\Classes\exefile\shell\runasuser\
\SOFTWARE\Classes\mscfile\shell\runasuser\

Value Name: SuppressionPolicy

Type: REG_DWORD
Value: 0x00001000 (4096)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Remove "Run as Different User" from context menus" to "Enabled".

This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.