OlliRajala-2967 asked ·

SeCreateSymbolicLinkPrivilege missing from W2019 security baselines?

Hi,
I've been trying to find out why the "SeCreateSymbolicLinkPrivilege = *S-1-5-32-544" setting is still available in W2016 security baselines but not any more in W2019 security baselines, and it's also missing from the later baselines.

I mean the baselines you can download from Microsoft Security Compliance Toolkit 1.0 site at https://www.microsoft.com/en-us/download/details.aspx?id=55319

In the W2016 package this is found in
GPOs{088E04EC-440C-48CB-A8D7-A89D0162FBFB}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf

{088E04EC-440C-48CB-A8D7-A89D0162FBFB} = "SCM Windows Server 2016 - Member Server Baseline - Computer" baseline


And in the W2019 policy I've tried to find it under
GPOs{C92CC433-A4EA-47B1-8B24-6FF732940E0E}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf

{C92CC433-A4EA-47B1-8B24-6FF732940E0E} = "MSFT Windows Server 2019 - Member Server" baseline


Have I understood something incorrectly? Or am I looking in the wrong place? Or is there something else I've totally missed?

This setting is quite crucial, and recommended in many places. So that's why I am a bit confused.

Thanks for any comments you can give!

-Olli

DaisyZhou-MSFT answered ·

Hello @OlliRajala-2967,

Thank you for posting here.

As you mentioned, such a setting on server 2019 is not defined.

Maybe there are some differences between server 2016 and server 2019.

If you need the "SeCreateSymbolicLinkPrivilege = *S-1-5-32-544" setting on server 2019, you can define it based on your requirements.

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

OlliRajala-2967 answered ·

Hi,
Thanks @DaisyZhou-MSFT for your reply.

I dug deeper today, and in the process also gasp actually read the documents.... :) Announcement.docx which is included in the W2019 policy zip file says the following:

"Removed the configuration of the “Create symbolic links” user rights assignment, as it merely enforced a default, was unlikely to be modified by a misguided administrator or for malicious purposes, and needs to be changed to a different value when Hyper-V is enabled."

So, case closed. But I learned more during the process, so not a totally worthless exercise. :)


Hello @OlliRajala-2967,

Thank you for your update and sharing.

I am very glad that the problem has been solved.

As always, if there is any question in the future, we warmly welcome you to post in this forum again. We are happy to assist you!

Best Regards,
Daisy Zhou

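The comparison discussed in this thread, checking which user rights one baseline's GptTmpl.inf configures and another's does not, can be scripted. The following is an added example, not part of the original thread or of Microsoft's toolkit; the function names are hypothetical and the sample INF text is constructed (only the SeCreateSymbolicLinkPrivilege line comes from the question).

```python
import re

# Constructed samples, NOT copies of Microsoft's baseline files. Only the
# SeCreateSymbolicLinkPrivilege line is taken from the thread above.
SAMPLE_2016 = """[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege =
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
"""
SAMPLE_2019 = """[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege =
SeNetworkLogonRight = *S-1-5-32-544, *S-1-5-11
"""

def load_inf(path):
    """Read a GptTmpl.inf; GPO backups usually store it as UTF-16 with a BOM."""
    with open(path, "rb") as f:
        data = f.read()
    return data.decode("utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig")

def parse_privilege_rights(inf_text):
    """Map each right in [Privilege Rights] to the set of principals it lists."""
    rights, section = {}, None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # An empty value is a real setting ("no one"), unlike an absent line.
            rights[name.strip()] = frozenset(v.strip() for v in value.split(",") if v.strip())
    return rights

def diff_baselines(old_text, new_text):
    """Report rights a newer baseline dropped, added, or changed."""
    old, new = parse_privilege_rights(old_text), parse_privilege_rights(new_text)
    return {
        "dropped": sorted(old.keys() - new.keys()),
        "added": sorted(new.keys() - old.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

if __name__ == "__main__":
    for kind, names in diff_baselines(SAMPLE_2016, SAMPLE_2019).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

A right reported as dropped is one the newer GPO no longer enforces, which is different from a right it sets to an empty list. To compare real files, pass the output of `load_inf()` for each baseline's GptTmpl.inf to `diff_baselines()`.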