Recently at work, we have been making sure all our servers are fully patched and have no known vulnerabilities in them. We use a tool called Nessus, that scans the servers for any known vulnerabilities. And they were all coming back saying the needed MS15-011 KB3000483.
Our team made sure that this patch was installed on all the affected servers and it was.
After some time, I found out that we needed to actually add a new group policy to harden the UNC paths for \\*\SYSVOL and \\*\NETLOGON.
To do this I first made sure I had a central store for my Group Policies. Follow this guide to create a central store.
Next, I needed to add the NetworkProvider.admx and the NetworkProvider.adml to my central store. You should be able to find the Network Provider Template files in the Local GPO ADMX store at C:\Windows\PolicyDefinitions
1. Go to c:\Windows\PolicyDefinitions on a machine with KB3000483 installed and copy NetworkProvider.admx to the corresponding directory in the central store. \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions
2. Next go to c:\windows\PolicyDefinitions\EN-US on the same machine and copy NetworkProvider.adml to the corresponding directory in the central store. \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions\EN-US
[su_note note_color=”#eeeeee” text_color=”#333333″ radius=”3″ class=””]FQDN is fully qualified domain name[/su_note]
3. Open Group Policy Management and create a new GPO (you can use an existing one)
4. Right-click on the Chosen GPO and select edit.
5. Navigate to: Computer Configuration > Policies > Administrative Templates > Network > Network Provider > Hardened UNC Paths
6. Set the policy to Enabled and click Show from the options and set the following values in the Value name and Value fields.
Value name Value
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
Link the Group Policy to either the whole domain or OU you want to apply the settings to and that should be all you need to do.
3 Comments
matt · May 25, 2018 at 12:12 pm
You have just created a GPO for hardened policies, you have not linked the GPO to any computers/Servers. So its not doing anything.
Pixel Robots. · May 25, 2018 at 12:18 pm
Good shout! I will update the post and add that the gpo needs to be linked. Thanks for the feedback.
Matthew Kunkel · December 19, 2018 at 6:50 pm
Thanks for the walkthrough, but what is the actual change this is affecting? I’m trying to determine what the repercussions of “RequireMutualAuthentication=1, RequireIntegrity=1” might be.