Information
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
The recommended state for this setting is: No One
By modifying the integrity label of an object owned by another user, a malicious user may cause them to execute code at a higher level of privilege than intended.
Solution
To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to (<![CDATA[]]>), which equals No One:
User Rights\Modify Object Label
Note: Using (<![CDATA[]]>) to represent a blank value or No One is recommended by Microsoft. However, there is a known issue where an error occurs in Endpoint Manager (Intune), but it does not prevent the policy setting from being applied to the system properly.
Impact:
None - this is the default behavior.
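One way to confirm on an endpoint that the setting resolved to No One, as an added example that is not part of the benchmark text: export the local user rights with secedit and check that SeRelabelPrivilege (the privilege constant behind Modify Object Label) has no holders. The function names and the temporary file name are assumptions of this example; run it from an elevated PowerShell session.

```powershell
# Added example: audit the "Modify an object label" user right (SeRelabelPrivilege).
# Get-RelabelPrivilegeHolders and Resolve-Principal are names chosen for this example.

function Get-RelabelPrivilegeHolders {
    param([string[]]$InfLines)
    # secedit entries look like: SeRelabelPrivilege = *S-1-5-32-544,SomeAccount
    # When no one holds the right, the line is normally absent (or has an empty value).
    $line = $InfLines | Where-Object { $_ -match '^\s*SeRelabelPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }
    $value = ($line -split '=', 2)[1].Trim()
    if ($value -eq '') { return @() }
    return @($value -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ })
}

function Resolve-Principal {
    param([string]$Id)
    # Translate SIDs to account names for the report; keep the raw value on failure.
    if ($Id -notmatch '^S-1-') { return $Id }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Id)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Id }
}

$tmp = Join-Path $env:TEMP ("userrights_{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the user rights area of the effective local security policy.
    secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit export failed (exit code $LASTEXITCODE); run from an elevated session."
    }
    # secedit writes the INF as UTF-16, so read it with -Encoding Unicode.
    $holders = @(Get-RelabelPrivilegeHolders -InfLines (Get-Content -Path $tmp -Encoding Unicode))
} finally {
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}

if ($holders.Count -eq 0) {
    "PASS: SeRelabelPrivilege is assigned to No One."
} else {
    "FAIL: SeRelabelPrivilege is assigned to: " +
        (($holders | ForEach-Object { Resolve-Principal $_ }) -join ', ')
}
```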