UNC (Universal Naming Convention) is the naming scheme used to identify servers, printers, and other shared resources on UNIX and Windows networks. In a UNC path the computer name is preceded by a double slash or double backslash, while the disk or directory components below it are separated by a single slash or backslash.
How to harden your UNC path?
By default, this policy is Disabled.
Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths
The Group Policy path mentioned above is not present by default. To access it, an additional Group Policy template is required, which is:
Make sure the policy at the path above is set to ‘Enabled’ and the following paths are configured:
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
This Group Policy setting is backed by the following registry settings:
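As an added example (not part of the original article), the following PowerShell audit reads the registry values that back this policy on the local machine and reports whether each of the two paths recommended above carries both RequireMutualAuthentication=1 and RequireIntegrity=1. It assumes the documented policy key HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths, where each hardened path is a REG_SZ value named after the path and holding the comma-separated flag string; the function name Get-HardenedUncPathState is chosen here for illustration.

```powershell
# Added audit example, not from the original article. Assumes the documented
# Hardened UNC Paths policy key; the two entries below mirror the article's
# recommended NETLOGON and SYSVOL configuration.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Paths the article says must be hardened, with the flags each must carry.
$Required = @{
    '\\*\NETLOGON' = @('RequireMutualAuthentication', 'RequireIntegrity')
    '\\*\SYSVOL'   = @('RequireMutualAuthentication', 'RequireIntegrity')
}

function Get-HardenedUncPathState {
    # Returns one object per required path: whether a value exists for it,
    # the raw value string, and which required flags are not set to 1.
    param([string]$Key = $PolicyKey)

    # Missing key (policy never applied) simply yields $null here.
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($path in $Required.Keys) {
        $value = if ($item) { $item.PSObject.Properties[$path].Value } else { $null }

        # Value strings look like "RequireMutualAuthentication=1, RequireIntegrity=1".
        $flags = @{}
        if ($value) {
            foreach ($pair in ($value -split ',')) {
                $pair = $pair.Trim()
                if ($pair -eq '') { continue }
                $name, $setting = ($pair -split '=', 2)
                $flags[$name.Trim()] = if ($setting) { $setting.Trim() } else { '' }
            }
        }

        # A flag that is absent or not exactly "1" counts as missing.
        $missing = $Required[$path] | Where-Object { $flags[$_] -ne '1' }

        [pscustomobject]@{
            Path      = $path
            Present   = [bool]$value
            Value     = $value
            Missing   = ($missing -join ', ')
            Compliant = [bool]($value -and -not $missing)
        }
    }
}

# Run the audit; any row with Compliant = False needs attention before the
# policy is relied on.
Get-HardenedUncPathState | Format-Table -AutoSize
```

Running this on a machine before and after the Group Policy refresh gives a quick way to confirm the policy actually landed, which is the check you want before trusting it in production.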
Hardening UNC paths without causing downtime:
Before changing the policy, it is essential to ensure no application or function depends on the affected UNC paths, since every policy change can impact your production.
There are two approaches to enabling Hardened UNC Paths:
1. Manual approach: this approach is most relevant to small infrastructures. If you choose it, you will need to build a test environment that accurately simulates your production so that you can see the impact of the policy change. Since this task can become highly complex once dependencies become tangled, we recommend that organizations with medium or larger infrastructures choose an automated approach.
2. Automated approach: this is relevant to organizations with over 200 machines in their infrastructure. Choosing an automated method requires a ‘Hardening Automation Tool’ that spares you the lab testing. Such a tool indicates the change’s impact automatically by learning your production. Using it can make the difference between a hardened and a non-hardened infrastructure and is crucial for medium-size organizations and above.