What is a Hardened UNC Path?

 

Hardened UNC Paths is a Group Policy setting found at:

Computer Configuration > Policies > Administrative Templates > Network > Network Provider

 

This policy applies to domain-joined systems; it is not applicable to standalone systems. It must be configured to get secure access to the UNC paths.

 

The recommended state for this policy is Enabled, with the following prerequisites:

  • Requires Mutual Authentication set for all NETLOGON and SYSVOL shares
  • Requires Integrity set for all NETLOGON and SYSVOL shares

 

When this policy is enabled, Windows allows access to the specified UNC paths only after the prerequisites above are fulfilled. If the environment contains exclusively Windows 8.0 / Windows Server 2012 or newer systems, the Server Message Block (SMB) privacy setting, which enables SMB encryption, may also be set. SMB encryption renders the targeted paths inaccessible to older operating systems, so proceed with caution when using this additional option.

 

How to Enable Hardened UNC Path?

 

UNC Hardening Default Value:

By default, this policy is Disabled.

 

Policy Path:

Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths

 

The above-mentioned Group Policy path is not present by default. An additional Group Policy template is required to get it:

NetworkProvider.admx/adml

 

Make sure the policy at this UI path is set to 'Enabled' and the following paths are configured:

\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1

\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1

 

Registry Settings:

The following registry values back this Group Policy setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths: \\*\NETLOGON

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths: \\*\SYSVOL
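
One way to audit a domain-joined client against the values above (an added example, not part of the original page or any vendor tooling): it reads the HardenedPaths key and reports, for each share, which required flags are missing or not set to 1. The function name Test-HardenedPathValue is hypothetical.

```powershell
# Added example: audit the Hardened UNC Paths registry values named on this page.
$key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$paths    = '\\*\NETLOGON', '\\*\SYSVOL'
$required = 'RequireMutualAuthentication', 'RequireIntegrity'

# Hypothetical helper: returns the required flags that are absent or not "1".
function Test-HardenedPathValue {
    param([string]$Value, [string[]]$Required)

    # Parse "Name=1, Name=1" into a table (PowerShell hashtables ignore case).
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    $Required | Where-Object { $flags[$_] -ne '1' }
}

# The key does not exist at all when the policy has never been applied.
$regKey = Get-Item -Path $key -ErrorAction SilentlyContinue

$report = foreach ($p in $paths) {
    # GetValue does an exact-name lookup, so the '*' in the value name is literal.
    $value   = if ($regKey) { $regKey.GetValue($p) } else { $null }
    $missing = @(Test-HardenedPathValue -Value $value -Required $required)

    [pscustomobject]@{
        Path      = $p
        Value     = $value
        Compliant = ($missing.Count -eq 0)
        Missing   = $missing -join ', '
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or compliance scanner flag the host.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

A host where the policy is still at its default (Disabled) shows both paths with an empty Value and both flags listed under Missing.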

 

Creating UNC paths should rely on mapped network drive credentials to control access rather than enabling access directly via hidden root admin shares. Properly hardened UNC paths will restrict permissions through access control lists tied to Windows Explorer identities and domain credentials in order to prevent exploitation of network resources.

 

Applying limits and auditing to UNC access using tools like command prompt utilities, network infrastructure rules, and even guidelines borrowed from hardening UNIX systems can help strengthen defenses.

 

Will Hardening UNC Path cause issues?

 

UNC (Universal Naming Convention) is used to identify devices such as servers, printers, and other resources in the UNIX/Windows Community.

 

Hardening UNC paths is a security best practice that aligns with industry recommendations. It’s a proactive step to protect against a variety of cyber threats, including credential-based attacks.

 

UNC Path Security Recommendations

 

CIS Benchmarks recommendation: Ensure ‘Hardened UNC Paths’ is set to ‘Enabled, with “Require Mutual Authentication” and “Require Integrity” set for all NETLOGON and SYSVOL shares’

 

To mitigate the remote code execution vulnerability in Group Policy, the following steps must be followed:

  • Install the new security update
  • Deploy the specific Group Policy settings to all systems on the domain running Windows Server 2008 or later

 

Use Automation Tools to Harden UNC Path

 

Every policy change, including configuration updates, can impact your production environment. That’s why it’s critical to verify that no application or function relies on the UNC path before making changes.

 

Using a hardening automation tool eliminates the need for extensive lab testing by analyzing your production environment and automatically identifying the potential impact of configuration changes. This approach ensures your infrastructure is effectively hardened, which is especially important for medium-sized organizations and larger ones.

 

 
