How to Enable Hardened UNC Path

Roy Ludmir
Updated on: March 10, 2026

The Universal Naming Convention (UNC) enables network file sharing, albeit at the risk of man-in-the-middle attacks and credential theft. In this article, we explain UNC paths and demonstrate how to secure them.

What You Will Learn

  • What UNC paths are and why they are used in network file sharing
  • UNC path security risks
  • How hardened UNC paths improve security
  • Steps to harden UNC paths
  • Security guidance

What is a Hardened UNC Path?

Universal Naming Convention (UNC) paths enable file sharing across networks. Hardening UNC paths enhances authentication and integrity, ensuring sensitive data is protected against tampering or unauthorized access while adhering to security best practices. To get secure access to the UNC paths, this policy must be configured.

The Hardened UNC Path is a Group Policy Object present at:

Computer Configuration > Policies > Administrative Templates > Network > Network Provider

This policy does not apply to a standalone system.

The recommended state for this policy is: Enabled. There are some prerequisites:

  • Requires Mutual Authentication set for all NETLOGON and SYSVOL shares
  • Requires Integrity set for all NETLOGON and SYSVOL shares

Now, only specific UNC paths are accessible. From Windows 8.0 / Windows Server 2012, the Server Message Block (SMB) privacy setting encryption is enabled by default. Older operating systems cannot access these paths unless they support SMB encryption. Therefore, proceed with caution when using this additional SMB encryption option.

How to Enable Hardened UNC Path?

UNC Hardening Default Value: Disabled

Policy Path:

Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths

By default, the group policy path is not available. You must add this Group Policy template:

NetworkProvider.admx/adml

Make sure that the UI path is set as ‘Enabled’ and the following paths are configured:

\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1

\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1

Registry Settings:

The following registry settings back this Group Policy setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths: \\*\NETLOGON

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths: \\*\SYSVOL
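
To confirm on a domain-joined machine that the policy has actually been written, the following PowerShell script (an added example, not CalCom's or Microsoft's code) reads the HardenedPaths key and checks the \\*\NETLOGON and \\*\SYSVOL values for both required flags. The helper function names are hypothetical, and the script assumes the comma-separated value format shown above.

```powershell
# Added example: audit the Hardened UNC Paths policy on the local machine.
$KeyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$Shares   = '\\*\NETLOGON', '\\*\SYSVOL'
$Required = @{ RequireMutualAuthentication = '1'; RequireIntegrity = '1' }

function ConvertFrom-HardenedPathValue {   # hypothetical helper name
    # Parse "Flag=1, Flag=1" into a case-insensitive hashtable.
    param([string]$Value)
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    $flags
}

function Get-MissingHardening {            # hypothetical helper name
    # Return the required flags that are absent or not set to 1.
    param([string]$Value)
    $flags = ConvertFrom-HardenedPathValue $Value
    @($Required.Keys | Where-Object { $flags[$_] -ne $Required[$_] })
}

# The key does not exist until the policy has been applied to this machine.
$key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue

$report = foreach ($share in $Shares) {
    # A missing key or missing value is treated as an empty setting string.
    $value   = if ($key) { [string]$key.GetValue($share) } else { '' }
    $missing = @(Get-MissingHardening $value)
    [pscustomobject]@{
        Share     = $share
        Value     = $value
        Compliant = ($missing.Count -eq 0)
        Missing   = ($missing -join ', ')
    }
}
$report | Format-Table -AutoSize

# Constructed sample: a value with integrity switched off is reported as missing it.
Get-MissingHardening 'RequireMutualAuthentication=1, RequireIntegrity=0'
```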

For a complete walkthrough of CIS-recommended Windows Server settings, download our Windows Server Hardening Guide.

Creating UNC paths relies on mapped network drive credentials to control access rather than enabling access directly via hidden root admin shares. Properly hardened UNC paths will restrict permissions through access control lists tied to Windows Explorer identities and domain credentials, preventing the exploitation of network resources.

Applying limits and auditing to UNC access using tools such as command prompt utilities and network infrastructure rules strengthens defenses.

Will hardening the UNC Path cause issues?

UNC (Universal Naming Convention) identifies devices, such as servers, printers, and other resources. Hardening UNC paths aligns with industry recommendations to protect against a variety of cyber threats, including credential-based attacks.

UNC Path Security Recommendations

CIS Benchmarks recommends:

‘Hardened UNC Paths’ is set to ‘Enabled, with “Require Mutual Authentication” and “Require Integrity” set for all NETLOGON and SYSVOL shares’

To mitigate the remote code execution vulnerability in Group Policy, the following steps must be followed:

  • Install the new security update.
  • Deploy the specific Group Policy settings to all systems on the domain running Windows Server 2008 or later.

Hardened UNC paths are just one of many CIS-recommended controls. See how CIS compliance automation can help you enforce them all.

Key Takeaways

  • UNC paths are widely used for sharing files over a network.
  • They are high-value targets for attackers.
  • Unhardened UNC paths expose systems to potential attacks.
  • Hardened UNC paths strengthen security.
  • Compliance and security benchmarks recommend enabling hardening.

CalCom’s Automation Tools Harden UNC Paths

Every policy change, including configuration updates, impacts your production environment. Before making changes, it’s critical to verify no application or function relies on the UNC path.

CalCom’s hardening automation tool eliminates the need for extensive lab testing. It analyzes your production environment and automatically identifies the potential impact of configuration changes. This approach effectively hardens your infrastructure. This is especially important for medium-sized organizations and larger ones.

FAQs

What are UNC paths?
Universal Naming Convention (UNC) paths are used to share files and folders across a network.

Why are UNC paths a security risk?
Attackers can use UNC paths to intercept traffic, steal credentials, or tamper with data.

How can you harden UNC paths?
Use integrity checks and enforce authentication.

Who requires UNC path hardening?
CIS Benchmarks and the best practices of other frameworks recommend that you harden UNC paths.

How can CalCom help?
CalCom Hardening Suite (CHS) automates the configuration and enforcement of hardened UNC paths, ensuring secure policies without impacting production systems.
Roy Ludmir
Roy Ludmir is a cybersecurity entrepreneur and CEO with over 15 years of experience driving product innovation and sales growth in the security industry. He is highly skilled in CIS Benchmarks, baseline hardening, and vulnerability management, helping organizations strengthen defenses and meet compliance requirements. With a unique blend of executive leadership and deep technical expertise, he bridges business strategy with practical security solutions.
