Disable 'Enumerate administrator accounts on elevation'

Check whether a user must provide both the administrator username and password to elevate a running application, or whether the system displays a list of administrator accounts to choose from.

Potential risk

Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user, making attacks easier.

Remediation options

Set the following registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators

To the following REG_DWORD value:
0
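
One way to audit and apply this setting from PowerShell, as an added example that is not part of the original page. The function names and the `-Remediate` switch are hypothetical; the script treats a missing value or a value of the wrong type as not compliant, because the remediation above asks for an explicit REG_DWORD 0.

```powershell
# Added example, not vendor code. Function names and -Remediate are hypothetical.
param([switch]$Remediate)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
$ValueName = 'EnumerateAdministrators'

function Get-EnumerateAdminsState {
    # Report whether the value exists, its registry type, its data, and compliance.
    $state = [pscustomobject]@{ Exists = $false; Kind = $null; Data = $null; Compliant = $false }
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (($null -eq $key) -or ($key.GetValueNames() -notcontains $ValueName)) {
        return $state   # key or value missing: not explicitly configured
    }
    $state.Exists = $true
    $state.Kind   = $key.GetValueKind($ValueName)
    $state.Data   = $key.GetValue($ValueName)
    # Compliant only when the type is REG_DWORD and the data is 0, as the page specifies.
    $state.Compliant = ($state.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                       ($state.Data -eq 0)
    return $state
}

function Set-EnumerateAdminsDisabled {
    # Create the key if needed, then write REG_DWORD 0 (needs an elevated session).
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force overwrites an existing value, including one stored with the wrong type.
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord `
        -Value 0 -Force -ErrorAction Stop | Out-Null
}

$before = Get-EnumerateAdminsState
if ($before.Compliant) {
    Write-Output "Compliant: $ValueName is REG_DWORD 0."
}
elseif (-not $Remediate) {
    Write-Output "Not compliant: Exists=$($before.Exists) Kind=$($before.Kind) Data=$($before.Data)"
}
else {
    Set-EnumerateAdminsDisabled
    $after = Get-EnumerateAdminsState   # re-read to confirm the write took effect
    if (-not $after.Compliant) { throw "Write did not result in REG_DWORD 0." }
    Write-Output "Remediated: $ValueName set to REG_DWORD 0 (was Exists=$($before.Exists) Data=$($before.Data))."
}
```

Run without arguments to audit only, and with `-Remediate` from an elevated session to write the value. Where the setting is delivered by Group Policy, change it in the policy instead, since a policy refresh rewrites this value.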