Details
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
The recommended state for this setting is: No One.
Rationale:
By modifying the integrity label of an object owned by another user, a malicious user may cause that user to execute code at a higher level of privilege than intended.
Impact:
None – this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to No One:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label
Default Value:
No one.
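An added audit check for this control (example code, not part of the benchmark): it exports the effective local user-rights policy with secedit.exe, reads the SeRelabelPrivilege entry that backs "Modify an object label", and reports whether anyone holds the right. It assumes an elevated Windows PowerShell session on the host being checked; the function name is my own.

```powershell
# Audit "Modify an object label" (SeRelabelPrivilege). Recommended state: No One.
# Assumption: runs elevated, because secedit.exe cannot export policy otherwise.
function Test-ModifyObjectLabelRight {
    [CmdletBinding()]
    param()

    $cfg = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the local security policy to an INI-style file.
        $null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
        if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated prompt" }

        # Under [Privilege Rights] the entry looks like "SeRelabelPrivilege = *S-1-5-32-544,...".
        # When no one holds the right, the line is simply absent.
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^\s*SeRelabelPrivilege\s*=' } |
                Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = @(($line -split '=', 2)[1].Split(',') |
                         ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }

        # Resolve "*S-1-..." SIDs to account names for a readable report; keep the raw value
        # (SID or local account name) when translation fails.
        $names = foreach ($h in $holders) {
            $sid = $h.TrimStart('*')
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $sid }
        }
        $assigned = if ($names) { $names -join ', ' } else { 'No One' }

        [pscustomobject]@{
            UserRight  = 'SeRelabelPrivilege (Modify an object label)'
            AssignedTo = $assigned
            Compliant  = ($holders.Count -eq 0)   # compliant only when the right is held by no one
        }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Test-ModifyObjectLabelRight | Format-List
```

A Compliant value of False lists the accounts or groups that need to be removed through the GP path above.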
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Windows.