How To Enable UNC Hardened Access to Prevent JASBUG (MS15-011/KB3000483 & MS15-014/KB3004361)

Feb 25, 2015

I didn’t write this. But fellow GPanswers.com Team Member Charles Palmer did!

But, I did have the LEAD GUY at Microsoft (name withheld) check out this post and give it a once-over for accuracy. Got the THUMBS UP, so here’s the how-to.

Thanks Charles and also Microsoft.

Microsoft released these two updates in Feb 2015. You can read more about them here:

http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx

with an additional FAQ here:

http://blogs.technet.com/b/askpfeplat/archive/2015/02/23/guidance-on-deployment-of-ms15-011-and-ms15-014.aspx

In addition to the two KBs above, KB3004375 is installed at the same time as KB3000483, as the two work together.

KB3000483 also requires additional configuration in Group Policy. The details of those steps can be found here:

http://support.microsoft.com/kb/3000483

There is an oversight in the above article: it doesn’t take into account a central store for your policy definitions.

Using the information in that article, the following are the default steps:

  1. Open Group Policy Management Console.
  2. In the console tree, in the forest and domain that contain the Group Policy object (GPO) that you want to create or edit, double-click Group Policy Objects:

Forest name/Domains/<Domain name>

  3. (Optional) Right-click Group Policy Objects, and then click New.
  4. Type the desired name for the new GPO.
  5. Right-click the desired GPO, and then click Edit.
  6. In the Group Policy Object Editor console, browse to the following policy path:

Computer Configuration/Administrative Templates/Network/Network Provider

NOTE: Until you update your central policy store (see Additional Steps below), you will not see the Network Provider key above.

  7. Right-click the Hardened UNC Paths setting, and then click Edit.
  8. Select the Enabled option button.
  9. In the Options pane, scroll down, and then click Show.
  10. Add one or more configuration entries. To do this, follow these steps:
  • In the Value Name column, type the UNC path that you want to configure. The UNC path may be specified in one of the following forms:

\\<Server>\<Share> – The configuration entry applies to the share that has the specified name on the specified server.

\\*\<Share> – The configuration entry applies to the share that has the specified name on any server.

\\<Server>\* – The configuration entry applies to any share on the specified server.

\\<Server> – The same as \\<Server>\*

NOTE: A specific server or share name must be specified. All-wildcard paths such as \\* and \\*\* are not supported.

  • In the Value column, type the name of the security property to configure (for example, type RequireMutualAuthentication, RequireIntegrity, or RequirePrivacy) followed by an equal sign (=) and the number 0 or 1.

NOTE: Multiple properties may be assigned for a single UNC path by separating each “<Property> = <Value>” pair by using a comma (,).

  11. Click OK two times, and then close the GPO editor.
  12. If you created a new GPO earlier, link the GPO to one or more domains. To do this, right-click the desired domain, click Link an Existing GPO, select the newly added GPO, and then click OK.
  13. To test the new or updated GPO, log on to a computer to which the GPO applies, and then run the following command:

               gpupdate /force
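The same configuration can be produced from PowerShell with the GroupPolicy module, which is handy when you have more than one domain or want the entries reviewed before they are linked. The script below is an added example and is not code from the original post, from Microsoft's KB article or from GPanswers.com. It assumes the GroupPolicy module is available (RSAT or a domain controller), that you have rights to create and edit GPOs, and that the central store already carries NetworkProvider.admx. The registry key is the one KB3000483 documents as the backing store for the Hardened UNC Paths setting; the GPO name, the link target and the two share entries are sample values (the SYSVOL and NETLOGON entries are the ones Microsoft's guidance recommends for the Group Policy case), and the function names are my own. The two Test-* helpers encode the path-form and property rules from step 10 so that an unsupported entry such as \\* is rejected before it reaches the GPO.

```powershell
# Added example, not code from the original post or from Microsoft's KB article.
# Assumes: the GroupPolicy module (RSAT or a domain controller), rights to create
# and edit GPOs, and a central store that already carries NetworkProvider.admx.
# The GPO name, the link target and the share entries are sample values.
Import-Module GroupPolicy

# Registry key behind the "Hardened UNC Paths" setting, as documented in KB3000483.
$HardenedPathsKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Sample entries: mutual authentication and integrity for the SYSVOL and NETLOGON
# shares on any server, which is what Microsoft's guidance recommends for Group Policy.
$SampleEntries = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Test-HardenedUncPath {
    # $true for the four supported forms (\\Server\Share, \\*\Share, \\Server\*, \\Server);
    # $false for anything else, including the unsupported all-wildcard paths \\* and \\*\*.
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -notmatch '^\\\\([^\\]+)(?:\\([^\\]+))?$') { return $false }
    $server = $Matches[1]
    $share  = $Matches[2]
    if ($server -eq '*' -and (-not $share -or $share -eq '*')) { return $false }
    return $true
}

function Test-HardenedUncValue {
    # $true when the value is a comma-separated list of <Property>=0|1 pairs that
    # uses only the three properties the setting understands.
    param([Parameter(Mandatory)][string]$Value)
    $allowed = 'RequireMutualAuthentication', 'RequireIntegrity', 'RequirePrivacy'
    foreach ($pair in $Value -split ',') {
        if ($pair.Trim() -notmatch '^(\w+)\s*=\s*([01])$') { return $false }
        if ($Matches[1] -notin $allowed) { return $false }
    }
    return $true
}

function Set-HardenedUncPathsPolicy {
    # Creates the GPO if needed and writes one registry value per UNC path, which is
    # what steps 7 to 11 produce through the editor.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][hashtable]$Entries
    )
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }
    foreach ($path in $Entries.Keys) {
        if (-not (Test-HardenedUncPath $path)) { throw "Unsupported UNC path form: $path" }
        if (-not (Test-HardenedUncValue $Entries[$path])) {
            throw "Bad property list for ${path}: $($Entries[$path])"
        }
        Set-GPRegistryValue -Name $GpoName -Key $HardenedPathsKey `
            -ValueName $path -Type String -Value $Entries[$path] | Out-Null
    }
    # Read back what the GPO now carries so it can be reviewed before linking.
    Get-GPRegistryValue -Name $GpoName -Key $HardenedPathsKey | Select-Object ValueName, Value
}

function Get-EffectiveHardenedUncPaths {
    # Run on a client after gpupdate /force (step 13): lists the entries that applied.
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    if (-not (Test-Path $regPath)) {
        Write-Warning 'No Hardened UNC Paths policy has applied to this computer.'
        return
    }
    $item = Get-ItemProperty -Path $regPath
    foreach ($p in $item.PSObject.Properties | Where-Object { $_.Name -like '\\*' }) {
        [pscustomobject]@{ Path = $p.Name; Properties = $p.Value }
    }
}

# Usage on a management workstation (sample GPO name):
Set-HardenedUncPathsPolicy -GpoName 'Hardened UNC Paths' -Entries $SampleEntries
# Step 12, with a sample link target DN:
# New-GPLink -Name 'Hardened UNC Paths' -Target 'DC=example,DC=com'
# Usage on a client after gpupdate /force:
# Get-EffectiveHardenedUncPaths
```

Set-GPRegistryValue writes the same registry-based policy the editor writes, so a GPO built this way shows up under Network Provider in the editor like any other once the central store has the template. The read-back at the end of Set-HardenedUncPathsPolicy is the check worth keeping: a typo in a value name silently produces a second, unrelated entry rather than an error, and the rule that only the most specific matching path applies means a stray entry can override the one you meant.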

Additional Steps:

To make it work, you will need to complete the following steps:

  1. On a Windows 8.1 or Server 2012 R2 computer that has the update installed, browse to C:\Windows\PolicyDefinitions (hereafter Source).
  2. Find NetworkProvider.admx and copy it.
  3. Open your central PolicyDefinitions folder: \\<Domain>\SYSVOL\<Domain>\Policies\PolicyDefinitions (hereafter Destination).
  4. Paste NetworkProvider.admx into the Destination.
  5. In your Source folder, open the en-US folder.
  6. Find NetworkProvider.adml and copy it.
  7. Paste NetworkProvider.adml into the Destination\en-US folder.
  8. Repeat for any additional language files you may desire.
  9. Allow PolicyDefinitions to replicate around to the other domain controllers.
  10. You may now create your desired policy, as the Network Provider key will be available.
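Steps 1 through 8 are a file copy that is easy to get subtly wrong (an ADMX without its ADML, or an old ADML left behind in a language folder), so here is the same procedure as a PowerShell function that copies the templates and then compares hashes of source and destination. This is an added example, not code from the original post or from Microsoft. It assumes it is run on a Windows 8.1 or Server 2012 R2 computer that already has KB3000483 installed, by a user who can write to SYSVOL, and that the central store already exists; the domain defaults to the current user's DNS domain, and the function and parameter names are my own.

```powershell
# Added example, not code from the original post or from Microsoft. Assumes: run on a
# Windows 8.1 or Server 2012 R2 computer that already has KB3000483 installed, as a
# user who can write to SYSVOL, and that the central store already exists. The domain
# defaults to the current user's DNS domain; function and parameter names are mine.
function Copy-NetworkProviderTemplates {
    param(
        [string]$Domain      = $env:USERDNSDOMAIN,
        [string]$Source      = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string[]]$Languages = @('en-US')
    )
    $Destination = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path $Destination)) {
        throw "No central store at $Destination. Without one the editor reads the local templates instead."
    }
    $admx = Join-Path $Source 'NetworkProvider.admx'
    if (-not (Test-Path $admx)) {
        throw "NetworkProvider.admx is missing from $Source; is KB3000483 installed on this computer?"
    }

    # Steps 2 and 4: the ADMX goes to the root of the central store.
    Copy-Item -Path $admx -Destination $Destination -Force
    $copied = @('NetworkProvider.admx')

    # Steps 5 to 8: one ADML per language, into the matching language subfolder.
    foreach ($lang in $Languages) {
        $adml = Join-Path (Join-Path $Source $lang) 'NetworkProvider.adml'
        if (-not (Test-Path $adml)) {
            Write-Warning "No $lang NetworkProvider.adml under $Source; skipping that language."
            continue
        }
        $langDir = Join-Path $Destination $lang
        if (-not (Test-Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
        Copy-Item -Path $adml -Destination $langDir -Force
        $copied += "$lang\NetworkProvider.adml"
    }

    # Confirm each copy byte-for-byte before relying on replication (step 9).
    foreach ($rel in $copied) {
        $srcHash = (Get-FileHash -Path (Join-Path $Source $rel) -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -Path (Join-Path $Destination $rel) -Algorithm SHA256).Hash
        [pscustomobject]@{ File = $rel; Destination = $Destination; Match = ($srcHash -eq $dstHash) }
    }
}

# Usage: copy the English templates, plus de-DE if that language pack is present on the source.
Copy-NetworkProviderTemplates -Languages 'en-US', 'de-DE'
```

The hash comparison is what turns this from a copy into a check: if Match comes back $false for the ADML, the editor will open the ADMX against the wrong display strings. For step 9, wait for SYSVOL replication and then run the same Test-Path against another domain controller's SYSVOL share before editing the GPO from a console that happens to be pointed at that DC.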