Configuring UNC Hardened Access through Group Policy


The UNC Hardened Access feature enables specific servers or shares to be “tagged” with additional information to inform MUP and UNC providers of security requirements beyond the UNC provider’s defaults. In particular, the following three security properties are supported:

  • RequireMutualAuthentication=<0|1> – When this property is set to 1, the selected UNC provider must be able to authenticate the identity of the remote server (in addition to the server verifying the client’s identity). This blocks spoofing attacks in which an attacker answers for the real server.
  • RequireIntegrity=<0|1> – When this property is set to 1, MUP and the selected UNC provider must use integrity checks in order to detect when a third party manipulates requests or responses in transit between the client and the server. This blocks tampering attacks.
  • RequirePrivacy=<0|1> – When this property is set to 1, MUP and the selected UNC provider must encrypt the communication so that a third party who observes the traffic between the client and the server cannot read any sensitive information that it contains.

To enable UNC Hardened Access through Group Policy, follow these steps:

  1. Open Group Policy Management Console.
  2. In the console tree, in the forest and domain that contain the Group Policy object (GPO) that you want to create or edit, double-click Group Policy Objects.

    Forest name/Domains/<Domain name>

  3. (Optional) Right-click Group Policy Objects, and then click New.
  4. Type the desired name for the new GPO.
  5. Right-click the desired GPO, and then click Edit.
  6. In the Group Policy Object Editor console, browse to the following policy path:
    Computer Configuration/Administrative Templates/Network/Network Provider
  7. Right-click the Hardened UNC Paths setting, and then click Edit.
  8. Select the Enabled option button.
  9. In the Options pane, scroll down, and then click Show.
  10. Add one or more configuration entries. To do this, follow these steps:
    1. In the Value Name column, type the UNC path that you want to configure. The UNC path may be specified in one of the following forms:
      • \\<Server>\<Share> – The configuration entry applies to the share that has the specified name on the specified server.
      • \\*\<Share> – The configuration entry applies to the share that has the specified name on any server.
      • \\<Server>\* – The configuration entry applies to any share on the specified server.
      • \\<Server> – The same as \\<Server>\*

      Note A specific server or share name must be specified. All-wildcard paths such as \\* and \\*\* are not supported.

    2. In the Value column, type the name of the security property to configure (for example, type RequireMutualAuthentication, RequireIntegrity, or RequirePrivacy) followed by an equal sign (=) and the number 0 or 1.

      Note Multiple properties may be assigned for a single UNC path by separating each “<Property> = <Value>” pair by using a comma (,).

  11. Click OK two times, and then close the GPO editor.
  12. If you created a new GPO earlier, link the GPO to one or more domains. To do this, right-click the desired domain, click Link an Existing GPO, select the newly added GPO, and then click OK.
  13. To test the new or updated GPO, log on to a computer to which the GPO applies, and then run the following command:
    gpupdate /force

    Any configuration errors will be reported in the following path in Event Viewer:

    Event Viewer\Applications and Services Logs\Microsoft\Windows\NetworkProvider\Operational
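The same configuration can be driven from PowerShell instead of clicking through the GPO editor. The following script is an added example and is not part of the original article: it creates and links a GPO that carries the Hardened UNC Paths entries, validates each property list before it is published, and then shows the client-side checks from step 13. The Hardened UNC Paths policy stores its entries as REG_SZ values under the NetworkProvider\HardenedPaths policy key (value name = UNC path, data = property list). The GPO name, the domain DN and the share names are assumptions chosen for illustration; the script requires the GroupPolicy module (RSAT or a domain controller) and rights to create and link GPOs.

```powershell
# Added example: Hardened UNC Paths via the GroupPolicy module, then client checks.
# GPO name, domain DN and the fileshare.contoso.com entries are illustrative.

# Policy key the "Hardened UNC Paths" setting writes to (one REG_SZ per UNC path).
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# SYSVOL and NETLOGON are the shares Group Policy itself is read from, so they
# are hardened first; the rest mirrors the article's fileshare example.
$HardenedPaths = [ordered]@{
    '\\*\SYSVOL'                     = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON'                   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\fileshare.contoso.com\*'      = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\fileshare.contoso.com\secret' = 'RequirePrivacy=1'
}

# Accepts "<Property>=<0|1>" pairs separated by commas, nothing else.
$PropertyListPattern = '^\s*Require(MutualAuthentication|Integrity|Privacy)\s*=\s*[01]\s*' +
                       '(,\s*Require(MutualAuthentication|Integrity|Privacy)\s*=\s*[01]\s*)*$'

Import-Module GroupPolicy

# ---- On a machine with the GroupPolicy module (steps 2 to 12) ----
$gpoName = 'UNC Hardened Access'                       # assumed name
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

foreach ($entry in $HardenedPaths.GetEnumerator()) {
    # All-wildcard paths are rejected by MUP; catch them before clients see them.
    if ($entry.Key -in '\\*', '\\*\*') {
        throw "All-wildcard path is not supported: $($entry.Key)"
    }
    if ($entry.Value -notmatch $PropertyListPattern) {
        throw "Malformed property list for $($entry.Key): $($entry.Value)"
    }
    Set-GPRegistryValue -Name $gpoName -Key $PolicyKey `
        -ValueName $entry.Key -Type String -Value $entry.Value | Out-Null
}

# Link the GPO to the domain (assumed DN); ignore the error if the link exists.
New-GPLink -Name $gpoName -Target 'DC=contoso,DC=com' -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# ---- On a client the GPO applies to (step 13) ----
gpupdate /force | Out-Null

# The entries MUP enforces are the values under the policy key on the client.
$clientKey = $PolicyKey -replace '^HKLM\\', 'HKLM:\'
Get-ItemProperty -Path $clientKey -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS*

# Configuration errors are reported in the NetworkProvider Operational channel
# (Event Viewer path: Applications and Services Logs\Microsoft\Windows\NetworkProvider\Operational).
Get-WinEvent -LogName 'Microsoft-Windows-NetworkProvider/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Run the first half where the GroupPolicy module is available and the second half on a member computer in the linked domain. Writing the values straight into the policy key on one client (Set-ItemProperty against HKLM:\SOFTWARE\Policies\...) works for a quick local test, but Group Policy refresh will overwrite those values, so keep the GPO as the source of truth.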

Advanced configuration examples

When more than a single configuration entry applies to an I/O request to a UNC path (for example, because of the use of wildcard entries), properties from the most specific UNC path take precedence.

For example, consider a system that has the following UNC Hardened Access configuration as applied through Group Policy:

Value name                        Value
\\fileshare.contoso.com\*         RequireMutualAuthentication=1, RequireIntegrity=1
\\fileshare.contoso.com\public    RequireIntegrity=0
\\fileshare.contoso.com\secret    RequirePrivacy=1

In this scenario, all the properties that are specified for \\fileshare.contoso.com\* also apply to the “secret” share (and to any other share on that server, such as “private”), because the more specific entries only add or override individual properties. However, the RequireIntegrity property on the “public” share overrides the RequireIntegrity configuration that is inherited from \\fileshare.contoso.com\*. Therefore, the effective UNC Hardening configuration for the shares on fileshare.contoso.com that are named public, private, and secret would be as follows:

UNC path                          Effective UNC Hardening configuration
\\fileshare.contoso.com\public    RequireMutualAuthentication=1, RequireIntegrity=0
\\fileshare.contoso.com\private   RequireMutualAuthentication=1, RequireIntegrity=1
\\fileshare.contoso.com\secret    RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1
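To check a planned configuration before it reaches clients, the precedence rule above can be modelled offline. The following function is an added example, not code from the article or from Windows: it parses a set of Hardened UNC Paths entries, finds the ones that match a concrete \\server\share path, and applies them least specific first so that the most specific entry wins, exactly as the table above shows. The article only states that the more specific path wins; the tie-break between the two single-wildcard forms (\\<Server>\* versus \\*\<Share>) is not stated there and is an assumption here (the server-specific entry wins). The sample entries are the article's own table, reproduced as a constructed hashtable.

```powershell
# Added example: offline resolver for the "most specific path wins" rule.
# Tie-break between \\server\* and \\*\share is an ASSUMPTION (server wins).

function Get-UncPathParts {
    param([Parameter(Mandatory)][string]$Path)
    # Supported forms: \\server\share, \\server\*, \\*\share, \\server (== \\server\*).
    if ($Path -notmatch '^\\\\([^\\]+)(?:\\([^\\]+))?$') {
        throw "Not a UNC path in a supported form: $Path"
    }
    $server = $Matches[1]
    $share  = if ($Matches[2]) { $Matches[2] } else { '*' }
    if ($server -eq '*' -and $share -eq '*') {
        throw "All-wildcard paths such as \\* and \\*\* are not supported: $Path"
    }
    [pscustomobject]@{ Server = $server; Share = $share }
}

function Resolve-HardenedUncPath {
    param(
        [Parameter(Mandatory)][hashtable]$Entries,   # value name -> "Prop=0, Prop=1"
        [Parameter(Mandatory)][string]$Path          # concrete \\server\share
    )
    $target = Get-UncPathParts -Path $Path
    if ($target.Server -eq '*' -or $target.Share -eq '*') {
        throw "Resolve a concrete \\server\share path, not a wildcard: $Path"
    }

    # Score matching entries: exact = 3, \\server\* = 2, \\*\share = 1.
    # Comparisons with -eq are case-insensitive, matching UNC name semantics.
    $candidates = foreach ($name in $Entries.Keys) {
        $e = Get-UncPathParts -Path $name
        $serverOk = ($e.Server -eq '*') -or ($e.Server -eq $target.Server)
        $shareOk  = ($e.Share  -eq '*') -or ($e.Share  -eq $target.Share)
        if (-not ($serverOk -and $shareOk)) { continue }
        $score = 0
        if ($e.Server -ne '*') { $score += 2 }   # assumption: server beats share
        if ($e.Share  -ne '*') { $score += 1 }
        [pscustomobject]@{ Name = $name; Score = $score; Value = $Entries[$name] }
    }

    # Apply least specific first so that more specific entries overwrite
    # individual properties while inheriting the rest.
    $effective = [ordered]@{}
    foreach ($c in ($candidates | Sort-Object Score)) {
        foreach ($pair in ($c.Value -split ',')) {
            $kv = $pair -split '=', 2
            if ($kv.Count -ne 2) { throw "Malformed property in entry '$($c.Name)': $pair" }
            $prop = $kv[0].Trim(); $val = $kv[1].Trim()
            if ($prop -notin 'RequireMutualAuthentication', 'RequireIntegrity', 'RequirePrivacy' -or
                $val -notin '0', '1') {
                throw "Unsupported property or value in entry '$($c.Name)': $pair"
            }
            $effective[$prop] = [int]$val
        }
    }
    $effective
}

# Constructed sample: the configuration from the article's table.
$config = @{
    '\\fileshare.contoso.com\*'      = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\fileshare.contoso.com\public' = 'RequireIntegrity=0'
    '\\fileshare.contoso.com\secret' = 'RequirePrivacy=1'
}
foreach ($share in 'public', 'private', 'secret') {
    $eff  = Resolve-HardenedUncPath -Entries $config -Path "\\fileshare.contoso.com\$share"
    $text = ($eff.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    "\\fileshare.contoso.com\$share -> $text"
}
```

Running the sample prints one line per share with the same effective properties as the table above (for public, RequireIntegrity ends up at 0 while RequireMutualAuthentication stays at 1). If you rely on the \\*\<Share> form alongside \\<Server>\* entries, test the real behaviour on a client rather than trusting the assumed tie-break.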

 src: https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-executi
