What is creating symbolic links
The create symbolic links user right determines the users ability to create a symbolic link within Windows from the device they’re logged on to. These links point to other files or folders, just like regular shortcuts, but works in a more advanced way.
Symbolic links help maintain organization and flexibility while minimizing potential security risks by giving the ability to create a link in one folder that points to a file in a different folder, making it seem like the file exists in both places.
Symbolic links are also able to aid in the migration and application compatibility with UNIX operating systems.
Explanation of a symbolic link
Whereas shortcuts are mainly used within graphical user interfaces, Windows treats symbolic links as if they are the actual files or directories they point to, allowing seamless access and manipulation by both the user and applications. This makes symbolic links more powerful and flexible, especially for system-level tasks.
What is the difference between a shortcut and a symbolic link
A shortcut is a simple file that acts as a pointer to another file or folder. It is typically used to provide quick access to programs, files, or directories from different locations, such as the desktop or start menu. Symbolic links (or symlink) are a more advanced type of link that acts as a direct reference to another file or folder. The operating system treats it almost as if it were the actual file or folder it points to.
If for example a user opens a shortcut on a desktop to a file somewhere else on the system, the operating system will go through the path to the correct folder and open it, saving the user time. If a user were to open a symbolic link, the file will open up as if it were actually saved on the desktop itself.
While both shortcuts and symbolic links are used to point to files or folders, symbolic links offer more powerful and transparent integration with the file system, making them suitable for more complex file management tasks.
Use case for symbolic links
A symbolic link can be placed in multiple locations, pointing to the actual files location. This allows for the data to be kept in one place but easily accessed from multiple programs or people when needed. This is useful when data files are moved, the symbolic links can be updated ensuring all programs can still find the necessary data without additional changes.
Another use case for symbolic links can be developers working with multiple versions of a software library, as they allow quick switching between versions without relocating files. They also prevent file duplication across different systems, maintaining organization and efficiency.
How to create a symbolic link
To create a symbolic link you can use command-line tools such as mklink in Windows or ln -s in Unix/Linux systems. Symbolic links do not have a specific file extension.
To learn more about creating symbolic links, check out – The Complete Guide to Creating Symbolic Links (aka Symlinks) on Windows by Chris Hoffman & Nick Lewis.
The downside to symbolic links
As useful as symbolic links are, they should only be given to trusted users because they can potentially expose security vulnerabilities in applications that aren't designed to handle them.
By default, only administrators have the right to create symbolic links, but it can be granted to other users if needed. If a malicious actor gains the ability to use symbolic links, they can create malicious symbolic links that appear to be genuine files or folders but actually link to harmful programs. Symbolic link attacks also include changing file permissions, corrupting or destroying data and DoS attacks.
How to establish a symlink file system
You can use the fsutil command to establish a symlink file system setting that controls the kind of symlinks that can be created on a computer. For more information about fsutil and symbolic links, type fsutil behavior set symlinkevaluation /? at an elevated command prompt.
Constant
Constant: SeCreateSymbolicLinkPrivilege
Possible values
User-defined list of accounts
Not Defined
Default value
Administrators.
Recommended setting
The recommended state for this setting is: Administrators.
The recommended state for this setting is: Administrators and (when the Hyper-V Role is installed) NT VIRTUAL MACHINE\Virtual Machines.
Best practices
It is recommended to assign symbolic links only to trusted users or administrators in order to stay secure and reduce the risk of exposure to vulnerabilities. If this setting or any other of the hundreds within Windows is improperly configured it increases the overall risk of unauthorized access.
Another way to reduce the vulnerabilities is through server hardening. Server hardening brings peace of mind, eliminating the human error factor across all devices on the network.
