Enable Hardened UNC Paths – What, Why and How?

By Keren Pollack, on December 28th, 2021

UNC (Universal Naming Convention) paths identify servers, printers, and other shared resources on UNIX and Windows networks. In a UNC path the computer name is preceded by a double slash or double backslash, while the directories on that computer (or on a local disk) are separated by a single slash or backslash:

UNIX //servername/path
DOS/WINDOWS \\servername\path

This blog post will try to answer the following questions:

  1. What is a hardened UNC path?
  2. What are UNC paths’ vulnerabilities?
  3. What can you do to secure UNC paths?
  4. How do you harden a UNC path?
  5. How do you harden a UNC path without risking downtime?

What is a Hardened UNC Path?

The Hardened UNC Path is a Group Policy Object present at:

Computer Configuration > Policies > Administrative Templates > Network > Network Provider

You can apply this policy to domain-joined systems; it is not applicable to standalone systems. To secure access to UNC paths, you must configure this policy. The recommended state for this policy is Enabled, with the following pre-requisites:

  1. Requires Mutual Authentication set for all NETLOGON and SYSVOL shares
  2. Requires Integrity set for all NETLOGON and SYSVOL shares

Once these pre-requisites are met and the policy is enabled, Windows will only access the specified UNC paths over connections that satisfy them. If the environment consists exclusively of Windows 8.0 / Windows Server 2012 or newer systems, you may additionally enable the privacy setting, which enforces Server Message Block (SMB) encryption. Note that older operating systems cannot access targeted paths once SMB encryption is required, so proceed with caution when using this additional option.

UNC Path Vulnerability:

In Microsoft Windows, a remote code execution vulnerability exists in how Group Policy receives and applies connection data when a domain-joined system connects to a domain controller. An attacker who successfully exploits this vulnerability can take complete control of the affected system and could then view, modify, or delete data, install programs, and create user accounts with full privileges.

UNC Path Security Recommendations:

CIS Benchmarks recommendation: Ensure ‘Hardened UNC Paths’ is set to ‘Enabled, with “Require Mutual Authentication” and “Require Integrity” set for all NETLOGON and SYSVOL shares’.

To mitigate this remote code execution vulnerability in Group Policy, Microsoft released a new control mechanism as a security update in February 2015 (MS15-011 / MSKB 3000483). Mitigating the risk requires two steps:

  1. Install the new security update.
  2. Deploy the specific Group Policy settings to all systems in the domain, from Windows Server 2008 onwards.

How to harden your UNC path?

Default Value:

By default, this policy is Disabled.

Policy Path:

Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths

The Group Policy path mentioned above is not present by default. To access it, an additional Group Policy template is required:

NetworkProvider.admx/adml

Make sure that the policy is set to ‘Enabled’ and that the following paths are configured:

\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1

\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1

Registry Settings:

The following registry values, held under the HardenedPaths key, back this Group Policy setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths: \\*\NETLOGON

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths: \\*\SYSVOL
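As an added example (not part of the original post), the PowerShell script below audits the two registry values listed above against the CIS-recommended data and, with a switch named -Remediate (a name chosen here, not a Microsoft parameter), writes the values locally when they are missing or incomplete. It assumes an elevated session on a domain-joined host; in a domain the GPO remains the authoritative source, and a later Group Policy refresh will overwrite whatever this script writes.

```powershell
# Added example: audit (and optionally set) the Hardened UNC Paths registry values.
# Assumes an elevated PowerShell session; -Remediate is a switch defined here.
param([switch]$Remediate)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# CIS-recommended data for the NETLOGON and SYSVOL value names.
$Required = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Test-HardenedPathValue {
    # Returns $true only when the value data sets both required flags to 1,
    # regardless of the order or spacing of the comma-separated pairs.
    param([string]$Data)
    if (-not $Data) { return $false }
    $flags = @{}
    foreach ($pair in ($Data -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return ($flags['RequireMutualAuthentication'] -eq '1' -and
            $flags['RequireIntegrity'] -eq '1')
}

# Get-Item + GetValue() reads the value name literally; the '*' in the name
# would otherwise be treated as a wildcard by Get-ItemProperty -Name.
$key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
$compliant = $true
foreach ($name in $Required.Keys) {
    $current = if ($key) { $key.GetValue($name) } else { $null }
    if (Test-HardenedPathValue -Data $current) {
        Write-Output "OK       $name -> $current"
        continue
    }
    $compliant = $false
    Write-Output "MISSING  $name (current: '$current')"
    if ($Remediate) {
        # The key does not exist on a host where the GPO has never applied.
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $name -Value $Required[$name] `
            -PropertyType String -Force | Out-Null
        Write-Output "SET      $name -> $($Required[$name])"
    }
}
if ($compliant) { Write-Output 'Hardened UNC Paths: compliant with the CIS recommendation' }
```

Run it without the switch on a sample of hosts after the GPO has refreshed to confirm the policy actually landed; a MISSING line on a domain-joined host usually means the NetworkProvider.admx template or the GPO link is the problem, not the registry.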

Hardening UNC path without causing downtime:

Every policy change may have an impact on your production environment. Therefore, before enabling the policy it is essential to verify that no application or function depends on accessing the affected UNC paths in a way the hardened settings would block.

To understand the impact of enabling ‘Hardened UNC Paths’, you can choose one of two approaches:

  1. Manual approach: this approach is most relevant to small infrastructures. If you choose it, you will need to build a test environment that accurately simulates your production, so that you can observe the impact of the policy change. Since this task can become highly complex when dependencies are tangled, we recommend that organizations with medium or larger infrastructures choose an automated approach.
  2. Automated approach: this approach is relevant to organizations with over 200 machines in their infrastructure. It requires a ‘Hardening Automation Tool’, which removes the need for lab testing by learning your production environment and indicating the change’s impact automatically. Using such a tool can make the difference between a hardened and a non-hardened infrastructure and is crucial for medium-size organizations and above.
