How to Enable Hardened UNC Path


Updated on May 21, 2025

What is a Hardened UNC Path?

Hardened UNC Paths is a Group Policy setting located at:

Computer Configuration > Policies > Administrative Templates > Network > Network Provider

This policy applies to domain-joined systems; it is not applicable to standalone systems. It must be configured to get secure access to UNC paths.

The recommended state for this policy is Enabled, with the following prerequisites:

  • Requires Mutual Authentication set for all NETLOGON and SYSVOL shares
  • Requires Integrity set for all NETLOGON and SYSVOL shares

When this policy is enabled, Windows allows access to the specified UNC paths only after the prerequisites above are met. If the environment consists exclusively of Windows 8.0 / Windows Server 2012 or newer systems, the Server Message Block (SMB) privacy setting (encryption) may also be enabled. Enabling SMB encryption renders the targeted paths inaccessible to older operating systems, so proceed with caution when using this additional option.

How to Enable Hardened UNC Path?

 

UNC Hardening Default Value:

By default, this policy is Disabled.

Policy Path:

Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths

This Group Policy path is not present by default. It is provided by an additional Group Policy template:

NetworkProvider.admx/adml

Make sure that the UI path is set to ‘Enabled’ and the following paths are configured:

\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1

\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1

Registry Settings:

The following registry settings back this Group Policy setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths: \\*\NETLOGON

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths: \\*\SYSVOL
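As an added example (not part of the original article), the PowerShell script below audits a domain-joined machine for the two registry values listed above and checks that each one sets both required flags to 1. The helper function names are hypothetical; the key path, value names and flag names are the ones given on this page.

```powershell
# Added example: audit the Hardened UNC Paths registry values on the local machine.
# Key path, value names and flag names come from the article; function names are hypothetical.
$keyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$required = '\\*\NETLOGON', '\\*\SYSVOL'
$flags    = 'RequireMutualAuthentication', 'RequireIntegrity'

function ConvertFrom-HardenedPathValue {
    # Turn "RequireMutualAuthentication=1, RequireIntegrity=1" into a hashtable.
    param([string]$Value)
    $settings = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $data = $pair.Trim() -split '=', 2
        if ($name) { $settings[$name.Trim()] = "$data".Trim() }
    }
    return $settings
}

function Test-HardenedPath {
    # Report whether one hardened-path entry has every required flag set to 1.
    param([string]$Path, [string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) {
        return [pscustomobject]@{ Path = $Path; Compliant = $false; Detail = 'value not set' }
    }
    $settings = ConvertFrom-HardenedPathValue -Value $Value
    $missing  = @($flags | Where-Object { $settings[$_] -ne '1' })
    [pscustomobject]@{
        Path      = $Path
        Compliant = ($missing.Count -eq 0)
        Detail    = if ($missing) { "not set to 1: $($missing -join ', ')" } else { $Value }
    }
}

# The key is absent when the policy is Disabled or has never been applied.
$regKey  = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
$results = foreach ($path in $required) {
    $value = if ($regKey) { $regKey.GetValue($path) } else { $null }
    Test-HardenedPath -Path $path -Value $value
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a compliance job flag the machine.
if ($results.Compliant -contains $false) { exit 1 }
```

The script only reads the registry, so it can be run on production systems before and after the GPO is linked to confirm that the policy has actually been applied.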


Creating UNC paths should rely on mapped network drive credentials to control access rather than enabling access directly via hidden root admin shares. Properly hardened UNC paths will restrict permissions through access control lists tied to Windows Explorer identities and domain credentials in order to prevent exploitation of network resources.

Applying limits and auditing to UNC access using tools like command prompt utilities, network infrastructure rules, and even guidelines borrowed from hardening UNIX systems can help strengthen defenses.

Will Hardening UNC Path cause issues?

UNC (Universal Naming Convention) is used to identify devices such as servers, printers, and other resources in the UNIX/Windows Community.

Hardening UNC paths is a security best practice that aligns with industry recommendations. It’s a proactive step to protect against a variety of cyber threats, including credential-based attacks.

UNC Path Security Recommendations

CIS Benchmarks recommendation: Ensure ‘Hardened UNC Paths’ is set to ‘Enabled, with “Require Mutual Authentication” and “Require Integrity” set for all NETLOGON and SYSVOL shares’

To mitigate the remote code execution vulnerability in Group Policy, the following steps must be followed:

  • Install the new security update
  • Deploy the specific Group Policy settings to all systems on the domain running Windows Server 2008 or later

 

Use Automation Tools to Harden UNC Path

Every policy change, including configuration updates, can impact your production environment. That’s why it’s critical to verify that no application or function relies on the UNC path before making changes.

Using a hardening automation tool eliminates the need for extensive lab testing by analyzing your production environment and automatically identifying the potential impact of configuration changes. This approach ensures your infrastructure is effectively hardened, which is especially important for medium-sized organizations and larger ones.


Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.
