How to Enable Hardened UNC Path?

By John Gates, on September 5th, 2022

A UNC (Universal Naming Convention) path identifies a server, printer, or other shared resource by name; the same convention is used on UNIX and Windows. The path begins with the computer name preceded by two slashes (UNIX) or two backslashes (Windows); the share and any directories below it are separated by a single slash or backslash.

UNIX //servername/path
DOS/WINDOWS \\servername\path

 

How to harden your UNC paths

Default Value:

By default, this policy is Not Configured, so it enforces nothing on its own. Set it explicitly so that the requirement is applied and can be audited.

 

Policy Path:

Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths

 

The Group Policy path above is not present by default. It requires the additional Administrative Template listed below, which was introduced with the MS15-011 Group Policy update (KB3000483) and is included in current Windows Administrative Templates packages:

NetworkProvider.admx/adml

 

Set the policy to Enabled and configure the following paths (each entry is a UNC path and the options for it). NETLOGON and SYSVOL are the shares from which domain members fetch Group Policy and logon scripts, so a client must accept them only from a server it has mutually authenticated (Kerberos; NTLM does not qualify) and over a signed, integrity-protected SMB connection. RequirePrivacy=1 can additionally be set to require SMB encryption:

\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1

\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1

Registry Settings:

The Group Policy setting writes one REG_SZ value per UNC path under the following key. The value name is the UNC path and the value data is the comma-separated option list:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths

Value name: \\*\NETLOGON    Data: RequireMutualAuthentication=1, RequireIntegrity=1

Value name: \\*\SYSVOL      Data: RequireMutualAuthentication=1, RequireIntegrity=1
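The following PowerShell is an added example and not code from the original article or from any vendor tool. It writes the registry values shown above on a lab or standalone machine and audits whether both required paths carry the required options. The function names (Set-HardenedUncPath, ConvertFrom-HardenedPathValue, Test-HardenedUncPaths) are this example's own; in a domain, configure the GPO instead, because Group Policy rewrites this key on every refresh and overwrites values written by hand.

```powershell
# Added example, not from the original article: write and audit the registry
# values behind the Hardened UNC Paths policy. Run in an elevated PowerShell.
# For lab/standalone testing only; domain members should receive these values
# from the GPO, which overwrites anything set here on the next policy refresh.

$HardenedPathsKey = 'SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
# Paths that must be hardened (the values the article specifies).
$RequiredUncPaths = @('\\*\NETLOGON', '\\*\SYSVOL')

function Set-HardenedUncPath {
    param(
        [Parameter(Mandatory)] [string] $UncPath,   # value name, e.g. \\*\SYSVOL
        [switch] $RequireMutualAuthentication,      # Kerberos mutual auth (NTLM does not qualify)
        [switch] $RequireIntegrity,                 # SMB signing
        [switch] $RequirePrivacy                    # optional: SMB encryption as well
    )
    # Data is a comma-separated list of Option=1/0 pairs stored as REG_SZ.
    $options = @(
        "RequireMutualAuthentication=$([int]$RequireMutualAuthentication.IsPresent)",
        "RequireIntegrity=$([int]$RequireIntegrity.IsPresent)"
    )
    if ($RequirePrivacy) { $options += 'RequirePrivacy=1' }
    # Registry.SetValue creates the key if it does not exist yet; the value name
    # (which contains * and backslashes) is taken literally, no wildcard expansion.
    [Microsoft.Win32.Registry]::SetValue("HKEY_LOCAL_MACHINE\$HardenedPathsKey",
        $UncPath, ($options -join ', '), [Microsoft.Win32.RegistryValueKind]::String)
}

function ConvertFrom-HardenedPathValue {
    # 'RequireMutualAuthentication=1, RequireIntegrity=1' -> @{ RequireMutualAuthentication = '1'; ... }
    param([string] $Value)
    $parsed = @{}
    foreach ($pair in ($Value -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $parsed[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $parsed
}

function Test-HardenedUncPaths {
    # One row per required path: whether it is present, which options are set, and
    # whether it meets the article's requirement (mutual authentication AND integrity).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($HardenedPathsKey)
    foreach ($path in $RequiredUncPaths) {
        $data = if ($key) { $key.GetValue($path) } else { $null }
        $opt  = ConvertFrom-HardenedPathValue $data
        [pscustomobject]@{
            Path       = $path
            Configured = [bool]$data
            MutualAuth = ($opt['RequireMutualAuthentication'] -eq '1')
            Integrity  = ($opt['RequireIntegrity'] -eq '1')
            Privacy    = ($opt['RequirePrivacy'] -eq '1')
            Compliant  = (($opt['RequireMutualAuthentication'] -eq '1') -and ($opt['RequireIntegrity'] -eq '1'))
        }
    }
    if ($key) { $key.Close() }
}

# Usage on a lab machine:
# Set-HardenedUncPath -UncPath '\\*\NETLOGON' -RequireMutualAuthentication -RequireIntegrity
# Set-HardenedUncPath -UncPath '\\*\SYSVOL'   -RequireMutualAuthentication -RequireIntegrity
# Test-HardenedUncPaths | Format-Table -AutoSize
```

Test-HardenedUncPaths reads the key directly through .NET rather than Get-ItemProperty, because value names such as \\*\SYSVOL contain wildcard characters that the registry provider would otherwise try to expand. A row with Compliant = False on a domain member usually means the GPO has not applied yet (run gpupdate /force and gpresult /h to confirm) or the template was never imported.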

 


 

Hardening UNC paths without causing downtime:

Every policy change can affect production, so before enabling the policy confirm which applications, scripts, scheduled tasks and drive mappings depend on the UNC paths the rule will match. Two things commonly break: clients that reach a server by IP address rather than host name (Kerberos cannot authenticate an IP address, so the connection falls back to NTLM and mutual authentication fails), and servers that are not domain-joined or otherwise cannot be authenticated with Kerberos. Note also that \\*\NETLOGON and \\*\SYSVOL match those share names on any server, not only on domain controllers.
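As an added example (not part of the original article), the following PowerShell inventories a client's live SMB sessions and persistent drive mappings that the NETLOGON/SYSVOL rules would govern and flags the ones likely to fail once mutual authentication is required. It relies on the Get-SmbConnection and Get-SmbMapping cmdlets of the SmbShare module (Windows 8 / Server 2012 and later); the function name Get-HardenedUncImpact and the output columns are this example's own.

```powershell
# Added example, not from the original article: before enabling the policy, list
# this client's SMB sessions and drive mappings to the shares that \\*\NETLOGON
# and \\*\SYSVOL would cover, and flag those likely to fail afterwards.
# Needs the SmbShare module (Windows 8 / Server 2012 and later). Run it on a
# representative sample of workstations and servers, not just one machine.

function Get-HardenedUncImpact {
    param(
        # Share names the policy hardens; \\*\SHARE matches that share on any server.
        [string[]] $HardenedShares = @('NETLOGON', 'SYSVOL')
    )
    # RequireMutualAuthentication needs Kerberos. By default Kerberos cannot issue a
    # ticket for an IP address, so a server reached as \\10.0.0.5\SYSVOL falls back
    # to NTLM, which gives no mutual authentication, and the access is refused.
    $ipv4 = '^\d{1,3}(\.\d{1,3}){3}$'

    # Live sessions: Signed shows whether RequireIntegrity is already satisfied.
    Get-SmbConnection |
        Where-Object { $_.ShareName -in $HardenedShares } |
        ForEach-Object {
            $byIp = $_.ServerName -match $ipv4
            [pscustomobject]@{
                Source       = 'SmbConnection'
                Target       = "\\$($_.ServerName)\$($_.ShareName)"
                Dialect      = $_.Dialect
                Signed       = $_.Signed
                Encrypted    = $_.Encrypted
                LikelyToFail = $byIp
                Reason       = if ($byIp) { 'server addressed by IP; no Kerberos mutual auth' } else { '' }
            }
        }

    # Persistent drive mappings (net use / Group Policy drive maps) to the same shares.
    Get-SmbMapping | ForEach-Object {
        # RemotePath looks like \\server\share[\sub]; split off server and share name.
        $parts  = $_.RemotePath.TrimStart('\') -split '\\', 2
        $server = $parts[0]
        $share  = if ($parts.Count -eq 2) { ($parts[1] -split '\\')[0] } else { '' }
        if ($share -in $HardenedShares) {
            $byIp = $server -match $ipv4
            [pscustomobject]@{
                Source       = 'SmbMapping'
                Target       = $_.RemotePath
                Dialect      = $null
                Signed       = $null
                Encrypted    = $null
                LikelyToFail = $byIp
                Reason       = if ($byIp) { 'server addressed by IP; no Kerberos mutual auth' } else { '' }
            }
        }
    }
}

# Usage: Get-HardenedUncImpact | Format-Table -AutoSize
```

Anything reported with LikelyToFail = True must be changed to use a host name (or the relevant path must be left out of the rule) before the policy reaches production. A session that shows Signed = False is not itself a failure: once RequireIntegrity=1 is in force the client simply negotiates signing on the next connection, which a domain controller always supports.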

 

There are two approaches to enabling Hardened UNC Paths:

1. Manual approach: best suited to small infrastructures. You build a test environment that mirrors production closely enough to show the effect of the policy change before it reaches users. Because mapping dependencies becomes very complex as environments grow, organizations with medium or larger infrastructures should consider an automated approach.

2. Automated approach: relevant to organizations with more than roughly 200 machines. A hardening automation tool learns the dependencies in your production environment and reports the impact of the change, removing the need for separate lab testing. For medium-size organizations and above, such tooling is often what makes the difference between an infrastructure that actually gets hardened and one that does not.