Harden UNC Paths


Earlier this year, Microsoft released a couple updates to address Remote Code Execution.

The MS15-014 update addresses an issue in Group Policy update which can be used to disable client-side global SMB Signing requirements, bypassing an existing security feature built into the product. MS15-011 adds new functionality, hardening network file access to block access to untrusted, attacker controlled shares when Group Policy refreshes on client machines.
MS15-011 & MS15-014: Hardening Group Policy - Security Research & Defense - Site Home - TechNet Blogs

The above TechNet Blog posting explains in detail what it mitigates.
In a nutshell, it enables authentication between your clients (which are workstations and servers) and the file share they are trying to access.

The first shares recommended to be secured are your SYSVOL and NETLOGON shares from the DCs. This is to ensure that when clients attempt to get or refresh a GPO, they are not hijacked.

It's also recommended to enable this on your sensitive shares.

The MS15-011 KB can also give you more detail.

*Note: The "privacy" switch is ONLY available for Server 2012 and Windows 8 clients (and above). If you use this on a Windows 7/2008 domain, you will have issues. So leave this switch out if you're not fully migrated!!!
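An added example, not part of the original post: a PowerShell audit that reports whether the local machine has hardened UNC path entries for SYSVOL and NETLOGON, and flags the "privacy" switch on an OS older than Windows 8/Server 2012. The registry key and the `Require...` flag names are the ones Microsoft documents for MS15-011; checking only the wildcard `\\*\SYSVOL` and `\\*\NETLOGON` entries is an assumption of this example.

```powershell
# Added example: audit the Hardened UNC Paths policy on the local machine.
$key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$required = '\\*\SYSVOL', '\\*\NETLOGON'   # assumption: wildcard entries are used

function ConvertTo-UncFlags([string]$Data) {
    # "RequireMutualAuthentication=1, RequireIntegrity=1" -> hashtable of flag => value
    $flags = @{}
    foreach ($pair in $Data -split ',') {
        $name, $value = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name] = $value }
    }
    $flags
}

# Windows 8 / Server 2012 report NT version 6.2; Windows 7 / 2008 R2 report 6.1.
$supportsPrivacy = [Environment]::OSVersion.Version -ge [Version]'6.2'

# Read every value under the policy key (value name = UNC path, data = flags).
$configured = @{}
if (Test-Path $key) {
    $item = Get-Item $key
    foreach ($n in $item.GetValueNames()) { $configured[$n] = [string]$item.GetValue($n) }
}

$report = foreach ($path in $required) {
    $present = $configured.ContainsKey($path)
    $flags   = if ($present) { ConvertTo-UncFlags -Data ($configured[$path]) } else { @{} }

    $finding = 'OK'
    if (-not $present) {
        $finding = 'Not hardened: no entry for this path'
    } elseif ($flags['RequireMutualAuthentication'] -ne '1') {
        $finding = 'Mutual authentication is not required'
    } elseif ($flags['RequireIntegrity'] -ne '1') {
        $finding = 'Integrity (SMB signing) is not required'
    } elseif ($flags['RequirePrivacy'] -eq '1' -and -not $supportsPrivacy) {
        $finding = 'RequirePrivacy is set but this OS is older than Windows 8/2012'
    }

    [pscustomobject]@{ Path = $path; Setting = $configured[$path]; Finding = $finding }
}

$report | Format-Table -AutoSize
```

Run it on a client after a Group Policy refresh; it only reads the registry and makes no changes.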