Recently at work, we have been making sure all our servers are fully patched and have no known vulnerabilities in them. We use a tool called Nessus, which scans the servers for any known vulnerabilities, and the scans were all coming back saying they needed MS15-011 (KB3000483).
Our team made sure that this patch was installed on all the affected servers and it was.
After some time, I found out that we needed to actually add a new group policy to harden the UNC paths for \\*\SYSVOL and \\*\NETLOGON.
To do this I first made sure I had a central store for my Group Policies. Follow this guide to create a central store.
Next, I needed to add the NetworkProvider.admx and the NetworkProvider.adml to my central store. You should be able to find the Network Provider Template files in the Local GPO ADMX store at C:\Windows\PolicyDefinitions
1. Go to C:\Windows\PolicyDefinitions on a machine with KB3000483 installed and copy NetworkProvider.admx to the corresponding directory in the central store: \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions
2. Next, go to C:\Windows\PolicyDefinitions\EN-US on the same machine and copy NetworkProvider.adml to the corresponding directory in the central store: \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions\EN-US
3. Open Group Policy Management and create a new GPO (you can use an existing one).
4. Right-click on the chosen GPO and select Edit.
5. Navigate to: Computer Configuration > Policies > Administrative Templates > Network > Network Provider > Hardened UNC Paths
6. Set the policy to Enabled, click Show in the options, and enter the following in the Value name and Value fields:

Value name      Value
\\*\SYSVOL      RequireMutualAuthentication=1, RequireIntegrity=1
\\*\NETLOGON    RequireMutualAuthentication=1, RequireIntegrity=1

Link the Group Policy to either the whole domain or the OU you want to apply the settings to, and that should be all you need to do.
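
To confirm the policy actually reached a server before the next scan, the check below reads the Hardened UNC Paths entries back from the registry and compares them with the values from step 6. It is an added example, not part of the original post; it assumes PowerShell 3.0 or later and that the policy is stored under the standard HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths key, and the function names are hypothetical.

```powershell
# Added example: audit the Hardened UNC Paths policy on the local machine.
# Assumption: the GPO writes its entries to the standard policy key below.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Paths and flags taken from the policy values entered in step 6.
$requiredPaths = '\\*\SYSVOL', '\\*\NETLOGON'
$requiredFlags = 'RequireMutualAuthentication', 'RequireIntegrity'

function ConvertFrom-HardenedPathValue {
    # Turns "RequireMutualAuthentication=1, RequireIntegrity=1" into a hashtable.
    param([string]$Value)
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    return $flags
}

function Test-HardenedUncPaths {
    # Get-Item returns the RegistryKey object; GetValue() is used instead of
    # Get-ItemProperty because the value names contain '*' (a wildcard).
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    foreach ($path in $requiredPaths) {
        $raw = if ($item) { $item.GetValue($path) } else { $null }
        $flags = ConvertFrom-HardenedPathValue -Value "$raw"
        # A flag counts as missing when it is absent or set to anything but 1.
        $missing = @($requiredFlags | Where-Object { $flags[$_] -ne '1' })
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            UncPath   = $path
            Value     = $raw
            Compliant = ($missing.Count -eq 0)
            Missing   = $missing -join ', '
        }
    }
}

Test-HardenedUncPaths | Format-Table -AutoSize
```

Run it after a `gpupdate /force` on a machine in scope of the GPO; a row with Compliant set to False and an empty Value means the policy has not applied there yet.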