This Policy Expert post discusses the recommended setting for Symbolic Links on your servers. As useful as they are, Symbolic Links can also be used maliciously to gain access and control in your network.
The ‘Ensure Create Symbolic Link in Windows is set to Administrators (DC only)’ rule is part of the CIS Benchmarks recommended policy. Securing the configuration of this setting is part of a greater task: server hardening. Server hardening can be a painful procedure. If you're reading this article, you probably know it. Therefore, the best approach to this project is to use automation tools that help you implement a robust policy, such as the CIS Benchmarks. Learn how CalCom Hardening Solution can help you harden your entire infrastructure fast, and without damaging production.
This blog post will cover:
1. What are Symbolic Links.
2. Create Symbolic Links policy description.
3. The potential vulnerability in Symbolic Links.
4. Possible countermeasures.
5. The potential impact of changing this configuration setting.
6. Security risk severity.
7. Create Symbolic Link default value.
8. CalCom's recommended value for this policy.
9. How to change Create Symbolic Links configuration settings.
What are Symbolic Links:
A symbolic link (or soft link) is a pointer to another file system object, which can be a file, folder, shortcut, or a different symbolic link. The difference between this kind of link and a shortcut is that a shortcut only works from within the Windows shell. Symbolic Links are designed to aid connectivity with UNIX operating systems (OS) by allowing migration and application compatibility between Windows and UNIX OS. Windows Symbolic Links operate just like UNIX links. These links can also refer to NTFS file system objects in Windows Vista.
Create Symbolic Links policy description:
This policy determines who can create symbolic links. Symbolic links can potentially expose security vulnerabilities in applications that are not designed to use them. For this reason, the privilege for creating symbolic links should only be assigned to trusted users. By default, only Administrators can create symbolic links.
POTENTIAL VULNERABILITY – symbolic link (Symlink) attack:
The main risk in allowing users to create symbolic links is that they can inadvertently or maliciously use this right to expose your organization to a symbolic link attack. These attacks can be used to change file permissions, corrupt data, destroy data, or cause a Denial of Service.
Symbolic Link (Symlink) Attack Mechanism:
An attacker with the privilege to place a symbolic link can lead a user or application into using the malicious link. The victim assumes it is accessing the file that carries the link's name, but it is redirected to the file the link points to. There are two possible scenarios:
- The file is output: if the target application writes to the file, the file that the link points to is modified instead of the file in the location the application intended. The modification can include appending, overwriting, corrupting, changing file permissions, etc. Sometimes the attacker can control what change is made to the file, and sometimes not. This type of attack is especially dangerous because it can eventually result in increased privileges, exposing or damaging sensitive information, and destroying vital system or application files.
- The file is input: the file may serve as input to the target application. This allows the attacker to feed the target machine malformed input, or to make it process different information. The attacker may eventually be able to control the actions of the targeted machine or to get access to information, leveraging the target’s permissions.
Possible countermeasures:
Do not assign standard users the right to Create Symbolic Links. Only allow trusted administrators to use this feature. In addition, you can use the ‘fsutil’ command to control what kind of symbolic links can be created on a computer.
Another security measure you should take is to make sure that ‘System objects: Strengthen default permissions of internal system objects’ is enabled. This policy setting determines the strength of the default discretionary access control list (DACL) for objects such as symbolic links. It will allow users who are not administrators to read symbolic links but not to modify any that they did not create.
The potential impact of changing this configuration setting:
In most cases there will be no impact, because this is the default configuration. However, on Windows Servers with the Hyper-V server role installed, this user right should also be granted to the special group “Virtual Machines”; otherwise you will not be able to create new virtual machines.
Security risk severity:
Setting ‘Create Symbolic Links’ to administrators only is important.
Enabling ‘Strengthen default permissions of internal system objects’ is critical.
Create Symbolic Link default value:
The default value of this setting in Windows Server 2008, 2012, 2016, and 2019 is ‘Administrators’.
CALCOM'S RECOMMENDED VALUE:
Hyper-V: Not defined, NT VIRTUAL MACHINE\Virtual Machines
HOW TO CONFIGURE:
Since this setting is set to ‘Administrators’ by default, you only need to make sure no one has changed it.
In Local Security Settings, go to Local Policies and then to User Rights Assignment. Make sure that ‘Create Symbolic Links’ is set to ‘Administrators’.
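One way to verify this value and the countermeasures described earlier from an elevated prompt, as an added example (not CalCom's or CIS's own tooling): it parses a `secedit` export for the `SeCreateSymbolicLinkPrivilege` user right, reads the `ProtectionMode` registry value behind ‘Strengthen default permissions of internal system objects’, and records the current `fsutil` symlink evaluation settings. The function names, the `-HyperVHost` switch and the sample export are this example's own.

```powershell
# Added example. Run elevated on the server being audited.
# Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators,
#                  S-1-5-83-0   = NT VIRTUAL MACHINE\Virtual Machines
function Get-SymlinkRightHolders {
    # Returns the accounts listed for SeCreateSymbolicLinkPrivilege
    # ("Create symbolic links") in the lines of a secedit INF export.
    param([string[]]$InfLines)
    $line = $InfLines | Where-Object { $_ -match '^\s*SeCreateSymbolicLinkPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # no line: the right is assigned to nobody
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

function Test-SymlinkHardening {
    param([string[]]$InfLines, [switch]$HyperVHost)   # hypothetical parameter names
    $allowed = @('S-1-5-32-544')
    if ($HyperVHost) { $allowed += 'S-1-5-83-0' }
    if (-not $InfLines) {
        # Live mode: export only the user-rights area of the security policy.
        $inf = Join-Path $env:TEMP "user-rights-$PID.inf"
        secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        try { $InfLines = Get-Content $inf -ErrorAction Stop }
        finally { Remove-Item $inf -ErrorAction SilentlyContinue }
    }
    $holders = @(Get-SymlinkRightHolders $InfLines)
    # 'Strengthen default permissions of internal system objects' is stored as
    # ProtectionMode = 1 under the Session Manager key (always read from this machine).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $mode = (Get-ItemProperty $key -Name ProtectionMode -ErrorAction SilentlyContinue).ProtectionMode
    [pscustomobject]@{
        Holders           = $holders -join ', '
        # Anything that is not an allowed SID is flagged, including plain account names.
        UnexpectedHolders = @($holders | Where-Object { $_ -notin $allowed }) -join ', '
        AdminsMissing     = 'S-1-5-32-544' -notin $holders
        ProtectionModeOn  = ($mode -eq 1)
        SymlinkEvaluation = (fsutil behavior query SymlinkEvaluation) -join '; '
    }
}

# Constructed sample export: a non-admin account (placeholder SID) also holds the right.
$sample = @(
    '[Privilege Rights]',
    'SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105'
)
Test-SymlinkHardening -InfLines $sample   # offline check against the sample
Test-SymlinkHardening                     # live check of this server
```

A non-empty `UnexpectedHolders` means an account outside the recommended value holds the right; on servers with the Hyper-V role, run it with `-HyperVHost` so the Virtual Machines group is not flagged.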