A few weeks ago, I had the pleasure of responding to MS15-011. If you’re not familiar with it, Microsoft released a patch to address a long-standing vulnerability in how domain-joined machines retrieve Group Policy over UNC paths. Basically, if a domain-joined PC connects to an untrusted (or compromised) network, an attacker on that network can impersonate the server behind the UNC path the PC uses to fetch Group Policy (the SYSVOL share), or any other UNC path for that matter, because the client never verified it was talking to the real server or that the data had not been altered in transit. The PC would then do whatever the malicious policy told it to, including running startup scripts, which execute with SYSTEM privileges. The impact was limited only by the scripting ability of the attacker.
Microsoft’s initial release did not contain detailed instructions, and I found many admins as confused as I was when trying to implement this new patch. It introduced a new Group Policy setting, and how to configure that setting was not immediately apparent.
Download and Install the Patch
The first step was to get the patch that addresses the issue, KB3000483. The bulletin simply says to install it and then configure the new Group Policy setting; however, I immediately found that, because this was a brand-new setting, it was not available in my Group Policy editor. I had to install the patch on a workstation (mine) and then copy the .admx and .adml files it installs (for a detailed explanation of what these files are, see Microsoft’s documentation) from my workstation to my company’s Group Policy central store in SYSVOL.
The .admx file is located in %systemroot%\PolicyDefinitions and the matching .adml file in the language sub-folder of that directory (e.g. en-US). In the central store they go under \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions and the same language sub-folder; the Group Policy editor only reads the local PolicyDefinitions folder when no central store exists.
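Copying the template files into the central store, as an added PowerShell example that is not part of the original post. It assumes the domain is called domain.local, that the console language is en-US, and that the template the patch installs is named NetworkProvider.admx/.adml (check your local PolicyDefinitions folder for a file with that name before running; the script stops if it is missing).

```powershell
# Added example, not from the original post: copy the Network Provider ADMX/ADML
# files that KB3000483 installs on a patched workstation into the domain's
# Group Policy central store so the "Hardened UNC Paths" setting shows up in
# the Group Policy editor.
# Assumptions: domain.local is a placeholder for your AD DNS name, en-US is
# your console language, and NetworkProvider.admx/.adml is the template the
# patch installs.

$Domain       = 'domain.local'   # assumption: replace with your domain
$Language     = 'en-US'          # assumption: replace with your language folder
$LocalDefs    = Join-Path $env:SystemRoot 'PolicyDefinitions'
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

$files = @(
    @{ Src = Join-Path $LocalDefs 'NetworkProvider.admx';            Dst = $CentralStore }
    @{ Src = Join-Path $LocalDefs "$Language\NetworkProvider.adml";  Dst = Join-Path $CentralStore $Language }
)

foreach ($f in $files) {
    if (-not (Test-Path $f.Src)) {
        throw "Missing $($f.Src). Is KB3000483 installed on this workstation?"
    }
    if (-not (Test-Path $f.Dst)) {
        New-Item -ItemType Directory -Path $f.Dst | Out-Null
    }
    # Keep a backup of any copy already in the central store before overwriting it
    $existing = Join-Path $f.Dst (Split-Path $f.Src -Leaf)
    if (Test-Path $existing) {
        Copy-Item $existing "$existing.bak" -Force
    }
    Copy-Item $f.Src $f.Dst -Force
    Write-Host "Copied $($f.Src) -> $($f.Dst)"
}
```

Run it from the patched workstation with an account that can write to SYSVOL (the central store is replicated to every domain controller, so the new setting appears for every admin using the central store once replication completes).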
Configure the Group Policy Setting
With my system patched, the patch wasn’t actually doing anything yet, because no Group Policy configured the new setting: until a list of hardened paths is configured, the client behaves exactly as it did before the patch. In the GP editor, I entered Microsoft’s minimum recommended configuration (for now):
Computer Configuration\Administrative Templates\Network\Network Provider
Hardened UNC Paths: Enabled, with the two paths Microsoft recommends as the minimum:
\\*\SYSVOL    RequireMutualAuthentication=1, RequireIntegrity=1
\\*\NETLOGON  RequireMutualAuthentication=1, RequireIntegrity=1
For any UNC path matching one of the listed patterns, this setting makes the workstation require that the server prove its identity through Kerberos mutual authentication (RequireMutualAuthentication=1) and that the SMB traffic be signed so it cannot be tampered with in transit (RequireIntegrity=1). If either requirement cannot be met, the connection is refused rather than silently falling back, which is what stops a spoofed server from handing the PC a malicious policy at startup.
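The registry equivalent of that policy, as an added PowerShell example that is not from the original post. The Group Policy setting writes these values under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths; setting them directly lets you test a single patched workstation before the template is in the central store (Group Policy will overwrite them with whatever the GPO says once it applies). The two path patterns and their option strings are Microsoft’s minimum recommendation from KB3000483.

```powershell
# Added example, not from the original post: apply Microsoft's minimum
# "Hardened UNC Paths" configuration directly in the registry on one machine,
# which is the same location the Group Policy setting writes to.
# Useful for testing one patched workstation ahead of the GPO rollout.

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Value name = UNC pattern; value data = protections the client must get from
# the server before it will use that path. RequirePrivacy=1 (SMB encryption)
# also exists but is not part of the minimum recommendation.
$Hardened = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

if (-not (Test-Path $Key)) {
    New-Item -Path $Key -Force | Out-Null
}

foreach ($path in $Hardened.Keys) {
    New-ItemProperty -Path $Key -Name $path -Value $Hardened[$path] `
        -PropertyType String -Force | Out-Null
}

# Read back what the client will now enforce
$k = Get-Item -Path $Key
foreach ($name in $k.GetValueNames()) {
    '{0,-14} => {1}' -f $name, $k.GetValue($name)
}
```

Because the patterns are matched against the path the client is asked to open, a share reached as \\server\SYSVOL or \\domain.local\SYSVOL both match \\*\SYSVOL, while a share reached by IP address cannot satisfy the Kerberos requirement and will be refused.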
Deploy the Patch
I then worked with our patching team to deploy the patch. Follow your organization’s critical patching policy and test first; that said, we experienced no issues with the patch itself or the new setting.
The patch requires a reboot, and computer policy is applied at startup, so the new setting should arrive on that same restart (assuming all goes as planned).
There are a number of variables here, because both installing the patch and applying Group Policy involve rebooting the workstations. If network connectivity is poor, the patch might install but the new policy might not arrive, so the two need to be verified separately. Run a Resultant Set of Policy (gpresult /r /scope:computer, or the RSoP wizard in GPMC) against a sample of workstations to confirm the setting is actually applied. You could also ask users to shut their machines down fully over the next few days rather than sleeping, hibernating, or leaving them on overnight.
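Checking both halves of the rollout across a set of workstations, as an added PowerShell example that is not from the original post. It assumes WinRM is enabled on the targets and that the hostnames WKS01 and WKS02 are placeholders for your own inventory; it reports the patch and the policy separately because, as noted above, one can succeed without the other.

```powershell
# Added example, not from the original post: verify on remote workstations that
# KB3000483 is installed AND that the Hardened UNC Paths policy actually arrived.
# Assumptions: WinRM is enabled, and the computer names are placeholders.

$Computers = @('WKS01', 'WKS02')   # assumption: replace with your own list
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Returns $true when the option string for a path carries both protections
function Test-HardenedValue {
    param([string]$Value)
    return ($Value -match 'RequireMutualAuthentication=1') -and
           ($Value -match 'RequireIntegrity=1')
}

$results = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    # Patch present?
    $patch = Get-HotFix -Id 'KB3000483' -ErrorAction SilentlyContinue

    # Policy present? Read whatever the GPO wrote under HardenedPaths.
    $paths = @{}
    if (Test-Path $using:Key) {
        $k = Get-Item -Path $using:Key
        foreach ($n in $k.GetValueNames()) { $paths[$n] = $k.GetValue($n) }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        PatchInstalled = [bool]$patch
        SysvolValue    = $paths['\\*\SYSVOL']
        NetlogonValue  = $paths['\\*\NETLOGON']
        LastBoot       = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

$results |
    Select-Object Computer, PatchInstalled,
        @{ n = 'SysvolHardened';   e = { Test-HardenedValue $_.SysvolValue } },
        @{ n = 'NetlogonHardened'; e = { Test-HardenedValue $_.NetlogonValue } },
        LastBoot |
    Sort-Object Computer |
    Format-Table -AutoSize

# A machine with PatchInstalled = True but SysvolHardened = False has the fix
# but no policy yet: run gpupdate /force on it or get it rebooted on the network.
```

Machines that are missing from the output did not answer WinRM; treat them as unverified rather than patched.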
Business as Usual
The protections added by this patch and GP setting are actually really great. If you didn’t get it from the bulletin: before this patch, domain-joined workstations never verified that a UNC path really led to the server claiming to host it, or that the data received was what that server sent. That is analogous to browsing the internet without HTTPS, and we all know that’s dangerous. I plan on pushing my company to implement UNC hardening on most, if not all, of our other shares (e.g. \\domain.local\*), and I would encourage others to do the same. One caveat before widening the scope: RequireMutualAuthentication means Kerberos, so shares reached by IP address or hosted on devices that can only do NTLM (some NAS filers, for example) will be refused, and RequireIntegrity needs servers that support SMB signing. Test each share against the setting before adding it to the list.
All in all, this was a fairly simple process, but I felt the bulletin lacked detail. I hope it