InformationThis privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
The recommended state for this setting is: No One.
By modifying the integrity label of an object owned by another user a malicious user may cause them to execute code at a higher level of privilege than intended.
SolutionTo establish the recommended configuration via GP, set the following UI path to No One:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label
None - this is the default behavior.