- System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links)
- Reference
- Possible values
- Best practices
- Location
- Default values
- Policy management
- Restart requirement
- Security considerations
- Vulnerability
- Countermeasure
- Create symbolic links
- Reference
- Possible values
- Best practices
- Location
- Default values
- Policy management
- Group Policy
- Command-line tools
- Security considerations
- Vulnerability
- Countermeasure
- Potential impact
- How to Create Symbolic Links (Symlink) in Windows 10
- What Are Symbolic Links?
- Create Symbolic Link Using Link Shell Extension
- Create Symbolic Link Using Mklink
System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links)
Applies to
Describes the best practices, location, values, policy management and security considerations for the System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting.
Reference
This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Windows maintains a global list of shared system resources such as MS-DOS device names, mutexes, and semaphores. By using this list, processes can locate and share objects. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. Enabling this policy setting strengthens the default DACL and allows users who are not administrators to read, but not to modify, shared objects that they did not create.
Possible values
- Enabled
- Disabled
- Not defined
Best practices
- It is advisable to set this policy to Enabled.
Location
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
| Server type or GPO | Default value |
|---|---|
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Enabled |
| DC Effective Default Settings | Enabled |
| Member Server Effective Default Settings | Enabled |
| Client Computer Effective Default Settings | Enabled |
Policy management
This section describes features and tools that are available to help you manage this policy.
Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Vulnerability
This policy setting is enabled by default to protect against a known class of attack that uses hard links or symbolic links. Hard links are actual directory entries in the file system: with hard links, the same data in a file system can be referred to by different file names. Symbolic links are separate file-system objects (reparse points on NTFS) that hold a path to another file or directory, which the operating system interprets and follows. Because a symbolic link is a separate file, it can exist independently of its target; if the link is deleted, the target is unaffected.

When this setting is disabled, a malicious user can destroy a data file by creating a link whose name matches a file the system creates automatically, such as a sequentially named log file, but whose target is the data file the attacker wants to eradicate. When the system writes to that name, the link is followed and the data file is overwritten. Enabling System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) prevents an attacker from exploiting programs that create files with predictable names, because users are no longer allowed to write to shared objects that they did not create.
Countermeasure
Enable the System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) setting.
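The file-writing habit that the Vulnerability section describes, shown as an added PowerShell example (this is not code from the Microsoft page): a program that writes to a predictable name in a shared directory can be redirected into another file by a pre-planted link, and the hardened version avoids that by using an unpredictable name, refusing to open anything that already exists, and checking that what it opened is not a reparse point. The directory, file names and contents are constructed for the demo; planting the link needs the Create symbolic links user right covered in the next section, so run it from an elevated prompt.

```powershell
# Added example, not from the Microsoft documentation. All paths and contents are constructed.

function Write-LogUnsafe {
    # Vulnerable pattern: fixed, guessable name; Set-Content follows whatever is already there.
    param([string]$Dir, [string]$Text)
    $path = Join-Path $Dir 'app.log'
    Set-Content -LiteralPath $path -Value $Text   # if app.log is a symlink, the *target* is overwritten
    return $path
}

function Write-LogSafe {
    param([string]$Dir, [string]$Text)
    # 1. Unpredictable name: an attacker cannot plant a link under a name they cannot guess.
    $path = Join-Path $Dir ([IO.Path]::GetRandomFileName() + '.log')
    # 2. CreateNew throws IOException if anything (file or link) already exists at $path,
    #    instead of silently following it.
    $fs = [IO.File]::Open($path, [IO.FileMode]::CreateNew, [IO.FileAccess]::Write, [IO.FileShare]::None)
    try {
        # 3. Belt and braces: GetAttributes reports on the name itself, so a reparse point shows up here.
        $attrs = [IO.File]::GetAttributes($path)
        if (($attrs -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            throw "$path is a reparse point; refusing to write"
        }
        $bytes = [Text.Encoding]::UTF8.GetBytes($Text + "`r`n")
        $fs.Write($bytes, 0, $bytes.Length)
    } finally {
        $fs.Dispose()
    }
    return $path
}

# --- Demo -------------------------------------------------------------------------------
$dir = Join-Path $env:TEMP ('symlink-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$victim = Join-Path $dir 'important.txt'
Set-Content -LiteralPath $victim -Value 'payroll data'

# Attacker step: plant a symbolic link under the predictable log name, pointing at the data file.
cmd /c mklink "$dir\app.log" "$victim" | Out-Null

Write-LogUnsafe -Dir $dir -Text 'harmless log line' | Out-Null
"Victim after unsafe write: " + (Get-Content -LiteralPath $victim)   # payroll data is gone

$safe = Write-LogSafe -Dir $dir -Text 'harmless log line'
"Safe write landed in: $safe"

Remove-Item -LiteralPath $dir -Recurse -Force
```

The reparse-point check in Write-LogSafe is a defence in depth, not the primary control: between GetAttributes and the write the name could in principle be swapped, which is why the random name and CreateNew come first, and why the policy settings on this page (restricting who may create links at all) matter for code you do not control.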
Create symbolic links
Applies to
Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting.
Reference
This user right determines whether users can create a symbolic link from the device they are logged on to.
A symbolic link is a file-system object that points to another file-system object. The object that is pointed to is called the target. Symbolic links are transparent to users: the links appear as normal files or directories, and a user or application can act on them in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems, and Microsoft has implemented them to function like UNIX links.
Warning: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them. Constant: SeCreateSymbolicLinkPrivilege
Possible values
- User-defined list of accounts
- Not Defined
Best practices
- Only trusted users should get this user right. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them.
Location
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Default values
By default, members of the Administrators group have this right.
The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page.
| Server type or GPO | Default value |
|---|---|
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Not Defined |
| Stand-Alone Server Default Settings | Not Defined |
| Domain Controller Effective Default Settings | Administrators |
| Member Server Effective Default Settings | Administrators |
| Client Computer Effective Default Settings | Administrators |
Policy management
This section describes the features and tools available to help you manage this policy.
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which overwrites settings on the local computer at the next Group Policy update:
- Local policy settings
- Site policy settings
- Domain policy settings
- OU policy settings
When a local setting is greyed out, a GPO currently controls that setting.
Command-line tools
This setting can be used in conjunction with a symbolic link file system setting, manipulated with the fsutil command-line tool, that controls which kinds of symbolic links the file system will follow on the device (local-to-local, local-to-remote, remote-to-local and remote-to-remote). For more info, type fsutil behavior set symlinkevaluation /? at the command prompt.
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Vulnerability
Users who have the Create symbolic links user right could inadvertently or maliciously expose your system to symbolic link attacks. Symbolic link attacks can be used to change the permissions on a file, to corrupt data, to destroy data, or as a DoS attack.
Countermeasure
Do not assign the Create symbolic links user right to standard users. Restrict this right to trusted administrators. You can use the fsutil command to establish a symbolic link file system setting that controls the kind of symbolic links that can be created on a computer.
Potential impact
None. Not defined is the default configuration.
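An added PowerShell audit, not part of either Microsoft page, that reports the three controls discussed above on the local machine: the "Strengthen default permissions" setting (backed by the ProtectionMode REG_DWORD under Session Manager, where 1 means Enabled), the holders of the Create symbolic links user right (read from a secedit export), and the fsutil symlink evaluation policy. The report layout, function name and temp-file name are my own; run it from an elevated prompt, which secedit requires.

```powershell
# Added example, not from the Microsoft documentation. Run elevated.

function Get-SymlinkHardeningReport {
    $report = [ordered]@{}

    # 1. "System objects: Strengthen default permissions of internal system objects"
    #    is stored as ProtectionMode (REG_DWORD) under Session Manager; 1 = Enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pm  = (Get-ItemProperty -Path $key -Name ProtectionMode -ErrorAction SilentlyContinue).ProtectionMode
    $report['StrengthenDefaultPermissions'] = if ($null -eq $pm) { 'Not defined (value absent)' } elseif ($pm -eq 1) { 'Enabled' } else { "Disabled (ProtectionMode=$pm)" }

    # 2. "Create symbolic links" user right: export the local policy and read
    #    SeCreateSymbolicLinkPrivilege from the [Privilege Rights] section. Holders appear
    #    as *SID entries; S-1-5-32-544 is BUILTIN\Administrators.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg "$cfg" /areas USER_RIGHTS | Out-Null
    $match = Select-String -Path $cfg -Pattern '^SeCreateSymbolicLinkPrivilege\s*=\s*(.*)$' | Select-Object -First 1
    Remove-Item -LiteralPath $cfg -Force -ErrorAction SilentlyContinue

    $holders = @()
    if ($match) {
        $holders = @($match.Matches[0].Groups[1].Value -split ',' | ForEach-Object {
            $id = $_.Trim()
            if ($id.StartsWith('*')) {
                try {
                    $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $id.Substring(1)
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $id }   # unresolvable SID (e.g. a deleted account): keep the raw SID
            } else { $id }
        })
    }
    $report['CreateSymbolicLinks'] = if ($holders.Count -gt 0) { $holders -join ', ' } else { 'Not defined' }
    # Anything here beyond BUILTIN\Administrators is a finding against the Countermeasure above.
    $report['CreateSymbolicLinksBeyondAdmins'] = @($holders | Where-Object { $_ -ne 'BUILTIN\Administrators' }) -join ', '

    # 3. Which link directions the file system follows (fsutil behavior set symlinkevaluation
    #    L2L:/L2R:/R2L:/R2R: to change).
    $report['SymlinkEvaluation'] = (fsutil behavior query symlinkevaluation) -join ' '

    [pscustomobject]$report
}

Get-SymlinkHardeningReport | Format-List
```

A quick per-session check of the same right is `whoami /priv`, which lists SeCreateSymbolicLinkPrivilege for the current token if it was granted at logon; the secedit export above shows the policy as assigned rather than as held by one user.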
How to Create Symbolic Links (Symlink) in Windows 10
Symlinks, or symbolic links, are one of the lesser-known yet useful features in Windows. You can think of a symbolic link as similar to the shortcuts you create in Windows, but symbolic links are much more powerful than regular shortcuts. Let's look at what symbolic links are and how to create them in Windows 10.
What Are Symbolic Links?
When you create a shortcut for a file or folder, all you are doing is creating a small .lnk file that points at that file or folder, nothing more; applications see the shortcut, not the target. A symbolic link instead acts as a virtual file or folder that stands in for the real one.
When you create a symlink for a file, it appears to be the actual file, while in reality the file system is redirecting every access to the real file in the background. Besides files, you can also create symlinks for folders. Simply put, a symlink is nothing more than a stored path that tells the operating system where the real file or folder lives.
For instance, most cloud service apps you install will only sync files and folders located in their own folder. But there will be times when you might have a folder in some other drive you want to sync with the cloud storage service.
However, you don’t want to move the folder from its actual location or don’t want to create a copy of the folder. In those situations you can simply create a symlink in the cloud service folder so that you can sync the contents of the target folder without actually moving or copying the real folder.
Since a symlink is just a virtual folder that just acts as a path to the real folder, you don’t have to worry about the symlink consuming your disk space.
Create Symbolic Link Using Link Shell Extension
If you don't want to work in the Command Prompt and would rather install a tool that adds symlink creation to the right-click context menu, try Link Shell Extension (LSE). It lets you create hard links and symbolic links by right-clicking the file or folder you want to link to.
There are a few hoops with the installation. Your browser may warn that the download is not served securely, and Windows Defender or SmartScreen may warn that the installer is unsigned.
Treat those warnings as a prompt to fetch the installer from the project's own site and check the file before running it, rather than something to click through. During installation, explorer.exe will restart, so save your work first.
Once LSE is installed, right-click the target file or folder you want to create a symlink to, then click “Pick Link Source.”
Next, go to the folder where you want the symlink to appear, right-click it, then select “Drop As -> Symbolic Link.”
Create Symbolic Link Using Mklink
Note: though I’m showing this in Windows 10, the commands shown here are applicable to Windows Vista and up.
Creating symlinks in Windows is pretty easy with the mklink command. To start, press Win + X, then select the option "Command Prompt (Admin)" to open the Command Prompt with admin rights.
Once the command prompt has been opened, use the below command format to create a symlink for a file.
In my case, I want to create a symlink in the E drive for a text file located on the F drive, so the command looks something like this:
The first path you see in the above command is where you will create your symlink. This path is called a “Link.” The second path belongs to the actual file on your disk and is called “Target.”
Once the symlink has been created, this is how it looks in the File Explorer. Though the icon looks like a regular shortcut, it is a symlink.
Along with individual files, you can create symlinks for entire directories. To do that, use the below command. The switch /D allows you to do this.
As soon as you execute the command, the symlink will be created for the target directory. You can use it to access all the files and folders inside the real folder. If you ever want to, you can delete the symbolic link like any other file or folder. Just select the symlink, press the delete key on your keyboard, and you are good to go.
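The whole procedure from this section in one runnable sequence, as an added PowerShell example that is not the article's own commands: it creates a file symlink and a directory symlink with mklink, inspects them, reads through them, and then shows that deleting a link leaves its target untouched. The paths under %TEMP% and the file contents are constructed for the demo; run it from an elevated prompt, since mklink needs the Create symbolic links user right (or Developer Mode on Windows 10).

```powershell
# Added example, not from the article. Paths and contents are constructed. Run elevated.
$root      = Join-Path $env:TEMP ('mklink-demo-' + [guid]::NewGuid())
$targetDir = Join-Path $root 'RealFolder'
New-Item -ItemType Directory -Path $targetDir | Out-Null
$targetFile = Join-Path $targetDir 'notes.txt'
Set-Content -LiteralPath $targetFile -Value 'hello from the real file'

# Syntax: mklink [/D | /H | /J] Link Target
#   Link   = the new path that will be created (the symlink)
#   Target = the existing file or folder it points to
#   /D     = directory symbolic link (omit it for a file symbolic link)
cmd /c mklink "$root\notes-link.txt" "$targetFile"   # file symbolic link
cmd /c mklink /D "$root\FolderLink" "$targetDir"      # directory symbolic link

# Inspect: PowerShell 5.1+ exposes LinkType and Target on the item, and the
# ReparsePoint attribute is what distinguishes a link from a plain file or folder.
Get-Item -LiteralPath "$root\notes-link.txt", "$root\FolderLink" -Force |
    Select-Object Name, LinkType, Target,
        @{ n = 'IsReparsePoint'; e = { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 } }

# dir shows <SYMLINK> and <SYMLINKD> entries with the target in brackets.
cmd /c dir "$root"

# Reading through a link reads the target.
Get-Content  -LiteralPath "$root\notes-link.txt"
Get-ChildItem -LiteralPath "$root\FolderLink"

# Deleting a link does not touch its target. For a directory symlink use rmdir (no /S)
# so that only the link is removed, not the contents it points to.
Remove-Item -LiteralPath "$root\notes-link.txt"
cmd /c rmdir "$root\FolderLink"
"Target still present: " + (Test-Path -LiteralPath $targetFile)   # True

Remove-Item -LiteralPath $root -Recurse -Force
```

The rmdir step is the one to be careful with: `rmdir /S` or a recursive delete aimed at a directory symlink can be followed into the real folder by some tools, so remove directory links with a non-recursive delete and confirm the target is still there, as the last lines do.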
And you’re done! If you want to do more under-the-hood tweaking in Windows 10, see our list of the best registry hacks. Also, check out our guide on how to get Mac-style hot corners in Windows 10.