SeCreateSymbolicLinkPrivilege missing from W2019 security baselines?

Olli Rajala 1 Reputation point
2021-03-10T20:11:55.297+00:00

Hi,
I've been trying to find out why "SeCreateSymbolicLinkPrivilege = *S-1-5-32-544" setting is still available in W2016 security baselines but not any more in W2019 security baselines, and it's also missing from the later baselines.

I mean the baselines you can download from Microsoft Security Compliance Toolkit 1.0 site at https://www.microsoft.com/en-us/download/details.aspx?id=55319

In W2016 -package this is found in
GPOs{088E04EC-440C-48CB-A8D7-A89D0162FBFB}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf

{088E04EC-440C-48CB-A8D7-A89D0162FBFB} = "SCM Windows Server 2016 - Member Server Baseline - Computer" baseline

And in W2019 policy I've tried to find it under
GPOs{C92CC433-A4EA-47B1-8B24-6FF732940E0E}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf

{C92CC433-A4EA-47B1-8B24-6FF732940E0E} = "MSFT Windows Server 2019 - Member Server" baseline

Have I understood something incorrectly? Or am I looking in wrong place? Or is there something else I've totally missed?

This setting is quite crucial, and recommended in many places. So that's why I am a bit confused.

Thanks for any comments you can give!

-Olli

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,073 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,715 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-03-11T06:27:03.113+00:00

    Hello @Olli Rajala ,

    Thank you for posting here.

    As you mentioned, such setting on server 2019 is not defined.

    Maybe there are some differences between server 2016 and server 2019.

    If you need the "SeCreateSymbolicLinkPrivilege = *S-1-5-32-544" setting on server 2019, you can defined it based on your requirements.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let su know.

    Best Regards,
    Daisy Zhou

    0 comments
  2. Olli Rajala 1 Reputation point
    2021-03-11T14:56:29.397+00:00

    Hi,
    Thanks @Daisy Zhou for your reply.

    I dug deeper today, and in the process also gasp actually read the documents.... :) Announcement.docx which is included in the W2019 policy zip file says the following:

    "Removed the configuration of the “Create symbolic links” user rights assignment, as it merely enforced a default, was unlikely to be modified by a misguided administrator or for malicious purposes, and needs to be changed to a different value when Hyper-V is enabled."

    So, case closed. But, I learned more during the process, so not totally worthless exercise. :)