Create symbolic links
|ID: oval:org.secpod.oval:def:36491||Date: (C)2016-08-05 (M)2018-07-10|
|Class: COMPLIANCE||Family: windows|
This privilege determines if the user can create a symbolic link from the computer he is logged on to.
WARNING: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.
This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
Do not assign the Create Symbolic Links user right to standard users. Restrict this right to trusted administrators. You can use the fsutil command to establish a symlink file system setting that controls the kind of symlinks that can be created on a computer. For more information about fsutil and symbolic links, type fsutil behavior set symlinkevaluation /? at an elevated command prompt.
In most cases there will be no impact because this is the default configuration, however, on Windows Servers with the Hyper-V server role installed this user right should also be granted to the special group 'Virtual Machines' otherwise you will not be able to create new virtual machines.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeCreateSymbolicLinkPrivilege' and precedence=1
|Microsoft Windows 10|