
Recently at work, we have been making sure all our servers are fully patched and have no known vulnerabilities in them. We use a tool called Nessus that scans the servers for any known vulnerabilities, and they were all coming back saying they needed MS15-011 (KB3000483).

Our team made sure that this patch was installed on all the affected servers and it was.

After some time, I found out that we needed to actually add a new group policy to harden the UNC paths for \\*\SYSVOL and \\*\NETLOGON.

To do this, I first made sure I had a central store for my Group Policies. Follow this guide to create a central store.

Next, I needed to add NetworkProvider.admx and NetworkProvider.adml to my central store. You should be able to find the Network Provider template files in the local GPO ADMX store at C:\Windows\PolicyDefinitions.

1. Go to C:\Windows\PolicyDefinitions on a machine with KB3000483 installed and copy NetworkProvider.admx to the corresponding directory in the central store: \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions

2. Next, go to C:\Windows\PolicyDefinitions\EN-US on the same machine and copy NetworkProvider.adml to the corresponding directory in the central store: \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions\EN-US

FQDN is the fully qualified domain name of your domain.

3. Open Group Policy Management and create a new GPO (you can use an existing one).

4. Right-click on the chosen GPO and select Edit.


5. Navigate to: Computer Configuration > Policies > Administrative Templates > Network > Network Provider > Hardened UNC Paths


6. Set the policy to Enabled, click Show in the options, and enter the following values in the Value name and Value fields.

Value name      Value
\\*\SYSVOL      RequireMutualAuthentication=1, RequireIntegrity=1
\\*\NETLOGON    RequireMutualAuthentication=1, RequireIntegrity=1

Link the Group Policy to the whole domain or to the OU you want the settings to apply to, and that should be all you need to do.
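The same steps can be scripted rather than clicked through, which also gives you a repeatable way to check that the setting actually reached your servers. The PowerShell below is an added example and not part of the original post. It assumes you run it as a Domain Admin on a domain controller (or a machine with RSAT, which provides the GroupPolicy and ActiveDirectory modules), that the GPO name "Hardened UNC Paths" is a placeholder you can change, and that the Hardened UNC Paths policy is stored as REG_SZ values under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths (one value per UNC path), which is where the policy writes it.

```powershell
# Added example, not the original post's code. Placeholders: GPO name, domain/OU target.
# Run as Domain Admin on a DC or a machine with RSAT (GroupPolicy + ActiveDirectory modules).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain  = (Get-ADDomain).DNSRoot                 # FQDN of the domain, e.g. corp.example.com
$Central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$GpoName = "Hardened UNC Paths"                    # placeholder GPO name
$Key     = "HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths"
$Setting = "RequireMutualAuthentication=1, RequireIntegrity=1"
$Paths   = '\\*\SYSVOL', '\\*\NETLOGON'

# Steps 1-2: copy the template files from this (patched) machine's local store to the central store.
if (-not (Test-Path "$Central\en-US")) { New-Item -ItemType Directory -Path "$Central\en-US" | Out-Null }
Copy-Item "$env:SystemRoot\PolicyDefinitions\NetworkProvider.admx"       -Destination $Central          -Force
Copy-Item "$env:SystemRoot\PolicyDefinitions\en-US\NetworkProvider.adml" -Destination "$Central\en-US" -Force

# Step 3: create the GPO if it does not exist yet (reuses an existing one of the same name).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Steps 5-6: write the two Hardened UNC Paths entries directly into the GPO's registry policy.
foreach ($path in $Paths) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $path -Type String -Value $Setting | Out-Null
}

# Link step: link to the domain root; replace $target with an OU distinguished name to scope it.
$target = (Get-ADDomain).DistinguishedName
$linked = (Get-GPInheritance -Target $target).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $target -LinkEnabled Yes | Out-Null }

# Verification: on a domain member, after "gpupdate /force", the policy lands in the same key
# under HKLM:\SOFTWARE\Policies. A missing value means the GPO did not apply (not linked,
# filtered out, or the client has not refreshed yet) - exactly the gap matt pointed out below.
function Test-HardenedUncPaths {
    $reg = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" `
                            -ErrorAction SilentlyContinue
    foreach ($path in '\\*\SYSVOL', '\\*\NETLOGON') {
        $value = if ($reg) { $reg.$path } else { $null }
        [pscustomobject]@{
            Path     = $path
            Value    = $value
            Hardened = [bool]($value -and
                              $value -match 'RequireMutualAuthentication=1' -and
                              $value -match 'RequireIntegrity=1')
        }
    }
}

Test-HardenedUncPaths | Format-Table -AutoSize
```

Run the first part once on a DC, then `Test-HardenedUncPaths` on a couple of member servers after a `gpupdate /force`; any row with Hardened = False is a server the policy has not reached, which is also a useful check to repeat after the next Nessus scan. The two flags mean what their names say: RequireMutualAuthentication=1 makes the client insist on verifying the identity of the server hosting the share (Kerberos), and RequireIntegrity=1 makes it insist on SMB signing for that connection, so a client will refuse to use a SYSVOL or NETLOGON share that cannot meet those requirements.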


Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.

3 Comments

matt · May 25, 2018 at 12:12 pm

You have just created a GPO for hardened policies, you have not linked the GPO to any computers/servers. So it's not doing anything.

    Pixel Robots. · May 25, 2018 at 12:18 pm

    Good shout! I will update the post and add that the gpo needs to be linked. Thanks for the feedback.

Matthew Kunkel · December 19, 2018 at 6:50 pm

Thanks for the walkthrough, but what is the actual change this is affecting? I’m trying to determine what the repercussions of “RequireMutualAuthentication=1, RequireIntegrity=1” might be.
