SeCreateSymbolicLinkPrivilege missing from W2019 security baselines?

Olli Rajala 1 Reputation point
2021-03-10T20:11:55.297+00:00

Hi,
I've been trying to find out why "SeCreateSymbolicLinkPrivilege = *S-1-5-32-544" setting is still available in W2016 security baselines but not any more in W2019 security baselines, and it's also missing from the later baselines.

I mean the baselines you can download from Microsoft Security Compliance Toolkit 1.0 site at https://www.microsoft.com/en-us/download/details.aspx?id=55319

In W2016 -package this is found in
GPOs{088E04EC-440C-48CB-A8D7-A89D0162FBFB}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf

{088E04EC-440C-48CB-A8D7-A89D0162FBFB} = "SCM Windows Server 2016 - Member Server Baseline - Computer" baseline

And in W2019 policy I've tried to find it under
GPOs{C92CC433-A4EA-47B1-8B24-6FF732940E0E}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf

{C92CC433-A4EA-47B1-8B24-6FF732940E0E} = "MSFT Windows Server 2019 - Member Server" baseline

Have I understood something incorrectly? Or am I looking in wrong place? Or is there something else I've totally missed?

This setting is quite crucial, and recommended in many places. So that's why I am a bit confused.

Thanks for any comments you can give!

-Olli

Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Anonymous
    2021-03-11T06:27:03.113+00:00

    Hello @Olli Rajala ,

    Thank you for posting here.

    As you mentioned, such setting on server 2019 is not defined.

    Maybe there are some differences between server 2016 and server 2019.

    If you need the "SeCreateSymbolicLinkPrivilege = *S-1-5-32-544" setting on server 2019, you can defined it based on your requirements.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let su know.

    Best Regards,
    Daisy Zhou

    0 comments No comments

  2. Olli Rajala 1 Reputation point
    2021-03-11T14:56:29.397+00:00

    Hi,
    Thanks @Anonymous for your reply.

    I dug deeper today, and in the process also gasp actually read the documents.... :) Announcement.docx which is included in the W2019 policy zip file says the following:

    "Removed the configuration of the “Create symbolic links” user rights assignment, as it merely enforced a default, was unlikely to be modified by a misguided administrator or for malicious purposes, and needs to be changed to a different value when Hyper-V is enabled."

    So, case closed. But, I learned more during the process, so not totally worthless exercise. :)


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.