UNC (Universal Naming Convention) identifies servers, printers, and other resources in the UNIX/Windows Community. Unlike drive letters used in Windows Explorer, UNC paths specify a network location directly, ensuring a standardized approach across Windows and Unix systems.
In a UNC path, the name of a computer is indicated by double slashes or backslashes (\). Local disk or directories in UNC paths are separated by a single slash or backslash (/ or ).
| UNIX | //servername/path |
| DOS/WINDOWS | \\servername\path |
This blog post will try to answer the following questions:
- What is a hardened UNC path?
- What are UNC path vulnerabilities?
- What can you do to secure UNC paths?
- How to harden a UNC path?
- Hardening UNC path without risking in downtime
What is a Hardened UNC Path?
The Hardened UNC Path is a Group Policy Object present at:
Computer Configuration > Policies > Administrative Templates > Network > Network Provider
You can apply this policy to the systems in the domain, but it is not applicable for standalone systems. To secure access to the UNC paths, you must configure this policy. The recommended state for this policy is: Enabled; there are some pre-requisites mentioned below:
- Requires Mutual Authentication set for all NETLOGON and SYSVOL shares
- Requires Integrity set for all NETLOGON and SYSVOL shares
After following the pre-requisites, you can access specific UNC paths from Windows if you enable this policy. If we have Windows 8.0 / Windows Server 2012 or some newer systems exclusively in the environment, then Server Message Block (SMB) you may also set privacy setting encryption to enabled. The targeted paths older operating systems cannot access can be rendered using SMB encryption. So, proceed with caution while using this additional option of SMB encryption.
UNC Path Vulnerability:
In Microsoft Windows, a remote code execution vulnerability is present for how connection data is received and applied by the Group Policy when a system joined via domain is connected to a domain controller. If an attacker successfully exploits this vulnerability, you can compromise the complete control of the affected system. After this, the attacker can view, delete, modify data, install programs, create user accounts with full privileges.
Here are known vulnerabilities that have affected access, permissions, and general security around UNC file sharing paths in Windows environments:
- CVE 2023-23397 vulnerability presents a critical risk of privilege elevation within Microsoft Outlook on Windows that could allow remote code execution via RPC if successfully exploited.
- CVE-2020-0796 – SMBv3 RCE vulnerability aka CoronaBlue, Wormable credentialed remote code execution
- CVE-2017-0143 – SMBv1 remote code execution vulnerability allowing WannaCry ransomware to spread
- CVE-2023-23397 UNC Path Injection – Malicious code injected into applications through UNC paths.
UNC Path Security Recommendations
CIS Benchmarks recommendation- Ensure ‘Hardened UNC Paths’ is set to ‘Enabled, with “Require Mutual Authentication” and “Require Integrity” set for all NETLOGON and SYSVOL shares’
CIS-CAT Lite – Scans Windows systems against CIS Benchmarks to validate proper access control configurations for network access.
Several tools and libraries have been developed recently to simplify and enhance UNC path management. These include:
PowerShell cmdlets like Get-WmiObject and Get-CimInstance for managing network resources through UNC paths.
- Get-WmiObject can be used to query Windows Management Instrumentation (WMI) class information across remote systems accessed via UNC paths in order to gather management data. For example:
Get-WmiObject -Class Win32_OperatingSystem -ComputerName \remoteserver\c$
Would use the UNC path convention to connect to C:\ drive on the remote server and get OS info via WMI, returned as objects in PowerShell.
- Get-CimInstance is a versatile tool for managing WMI objects and accessing valuable system information in PowerShell. Get-CimInstance can be used with UNC paths in several ways:
- Managing UNC Shares
- Monitoring UNC Access
- Troubleshooting UNC Issues
- Automating UNC Tasks
Open-source tool for hardening
OpenSCAP Base – Validates security settings like SMB signing, auditing, authentication protocols applicable to UNC connections.
So, to mitigate the remote code execution vulnerability in Group Policy, Microsoft in February 2015 revealed a new control mechanism as an update (MS15-011 / MSKB 3000483). To mitigate the risk, you must follow the following steps:
- New security update installation
- Specific group policy settings must be deployed to all the systems on the domain from Windows Server 2008 to later one’s
How to harden UNC path?
Creating UNC paths should rely on mapped network drive credentials to control access rather than enabling access directly via hidden root admin shares. Properly hardened UNC paths will restrict permissions through access control lists tied to Windows Explorer identities and domain credentials in order to prevent exploitation of network resources.
Applying limits and auditing to UNC access using tools like command prompt utilities, network infrastructure rules, and even guidelines borrowed from hardening UNIX systems can help strengthen defenses.
Ensuring access to networked file paths leverages purpose-built identities over open defaults hardens environments against attacks targeting data via UNC share infiltration. Below we explain how to harden UNC path:
Default Value:
By default, this policy is Disabled.
Policy Path:
Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths
The group mentioned above policy path is not present by default. To access this path, an additional Group Policy template is required, which is:
NetworkProvider.admx/adml
Make sure that the UI path is set as ‘Enabled’ and the following paths are configured:
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
Registry Settings:
The following registry settings back up this group policy setting:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths: \\*\NETLOGON
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths: \\*\SYSVOL
Harden UNC path without causing downtime
Every policy change may have an impact on your production. Therefore, it is essential to ensure no application or function is dependent on the UNC path.
To understand what will be the impact of Enabling’ Hardened UNC Path’, you can choose one of two approaches:
- Manual approach- this approach is most relevant to small-size infrastructures. If choosing this approach, you’ll be needing to build a test environment that will simulate your production accurately, so you’ll see the impact of this policy change. Since this task can become highly complex when dependencies become tangled, we recommend organizations with medium or larger infrastructures choose an automated approach for this task.
- The automated approach is relevant to organizations with over 200 machines in their infrastructure. Choosing an automated method will require you to use a ‘Hardening Automation Tool’ that will save you the need in performing lab testing. This tool will indicate the change’s impact automatically by learning your production. Using such a tool can make the difference between a hardened and non-hardened infrastructure and is crucial for medium size organizations and above.
