System Objects: Strengthen Default Permissions of Internal System Objects (e.g. Symbolic Links)

MS help says that this setting "strengthens" the ACLs of shared objects, including DOS device names and the thread synchronization objects, called mutexes and semaphores, that multithreaded applications use to keep from walking over each other. Specifically, it changes the permissions so that non-administrators have only read access instead of modify.

This setting also strengthens ACLs on something called hard links in NTFS. I only know of one vulnerability that this policy addresses, and it relates to hard links. Hard links are like shortcuts but integrate with the guts of the file system. While shortcuts are .lnk files, hard links are actual directory entries in NTFS. Hard links allow you to, in essence, put the same file into many different folders at once while there is only one real copy of the data.

There is an exploit method where you can destroy a data file by creating a hard link that looks like a temporary file but points to the data file. Enabling this policy prevents an attacker from exploiting this vulnerability.
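The following is an added example, not part of the original page. It shows the hard-link property described above (two directory entries, one copy of the data) together with a defender's check that flags files in a temp folder whose link count is greater than one, and a cleanup routine that refuses to empty such a file. All folder and file names are constructed for the example, and `find_multilinked` and `safe_truncate` are hypothetical helper names.

```python
import os
import tempfile

def link_count(path):
    """Number of directory entries that point at this file's data."""
    return os.stat(path, follow_symlinks=False).st_nlink

def find_multilinked(folder):
    """Names of regular files in `folder` that have more than one hard link."""
    return sorted(e.name for e in os.scandir(folder)
                  if e.is_file(follow_symlinks=False) and link_count(e.path) > 1)

def safe_truncate(path):
    """Empty a temp file only if no other directory entry shares its data."""
    if link_count(path) > 1:
        return False  # refuse: another name would lose its contents too
    with open(path, "w"):
        pass
    return True

def demo():
    # Constructed sandbox: every name below is made up for this example.
    with tempfile.TemporaryDirectory() as root:
        data_dir, tmp_dir = os.path.join(root, "data"), os.path.join(root, "tmp")
        os.mkdir(data_dir)
        os.mkdir(tmp_dir)
        ledger = os.path.join(data_dir, "ledger.dat")
        with open(ledger, "w") as f:
            f.write("important records")
        # A second directory entry for the same data, named like a temp file.
        disguised = os.path.join(tmp_dir, "~scratch.tmp")
        os.link(ledger, disguised)
        # An ordinary temp file that owns its own data.
        plain = os.path.join(tmp_dir, "~real.tmp")
        with open(plain, "w") as f:
            f.write("scratch")
        result = {
            "same_file": os.path.samefile(ledger, disguised),
            "flagged": find_multilinked(tmp_dir),
            "truncated_disguised": safe_truncate(disguised),
            "truncated_plain": safe_truncate(plain),
        }
        with open(ledger) as f:
            result["ledger_intact"] = f.read() == "important records"
        return result

if __name__ == "__main__":
    print(demo())
```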

Bottom line

I run with this policy configured and haven’t experienced any problems. Therefore, I recommend enabling this setting as a standard policy.
