Hardening UNC Paths Breaks GPO Access

    Question

  • Hello,

    I am attempting to utilize group policy to harden UNC paths on my two domain controllers.  I have followed the steps to create a central GPO store, and have created an object in accord with MS15-011.

    I have the following settings:


    Status:  Enabled

    Paths <values>

    \\dc1 <RequireMutualAuthentication=1,RequireIntegrity=1,RequirePrivacy=1>

    \\dc2 <RequireMutualAuthentication=1,RequireIntegrity=1,RequirePrivacy=1>

    Once I apply it to my DC OU, things rapidly go downhill.  Specifically, I am no longer able to view the settings on what appears to be any already-in-place GPOs.  Further, when I attempt to edit any GPO, it claims I don't have permission to do so.

    When I remove the Harden UNC path GPO from the domain controller OU, everything appears to restore either right away or after a GPUPDATE /FORCE.

    I get that the theory is in order to get at shares on these machines (which include the Policies), I'd need better proof of who I am.  Well, I am already accessing the DC1 via Remote Desktop (to the virtual host) and Hyper-V as the Domain Admin.  I didn't really bother to test DC2 since DC1 broke.

    The only thing I could think of off hand is that the certificate on the workstation (somewhere in the chain) is not trusted by the DC, so fails the Mutual Authentication check.  I've thought about re-applying these one by one, but I'm hesitant to go putting things on domain controllers that I know could cause issues.

    Has anyone encountered this before, and if so, what is going on?

    Thanks,

    M.

    Friday, March 25, 2016 1:57 PM

Answers

  • Hi,
     
    On 25.03.2016 at 14:57, MEversbergII wrote:
    > I have the following settings:
    > \\dc1 <RequireMutualAuthentication=1,RequireIntegrity=1,RequirePrivacy=1>
    > \\dc2 <RequireMutualAuthentication=1,RequireIntegrity=1,RequirePrivacy=1>
     
    AFAIK: RequirePrivacy=1 needs IPSec to be implemented.
     
    If your DCs are only DCs and not file hosting/print servers, I would
    recommend defining only
    \\*\NETLOGON = RequireMutualAuthentication=1,RequireIntegrity=1
    \\*\SYSVOL = RequireMutualAuthentication=1,RequireIntegrity=1
     
    use "*" to cover all DCs.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Marked as answer by MEversbergII Friday, March 25, 2016 2:52 PM
    Friday, March 25, 2016 2:32 PM
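As an added example (not code from the thread or from either poster), the PowerShell below reads the Hardened UNC Paths entries as they land in the local registry of a DC after `gpupdate /force`, parses each entry's flags, and reports any path that sets `RequirePrivacy=1` (the setting the answer identifies as the cause) or that is missing the `\\*\NETLOGON` and `\\*\SYSVOL` entries Mark recommends. The key path is the documented location the policy writes to; the "flag=1, flag=1" string format of each value, the function names, and the constructed inputs are assumptions made for this example.

```powershell
# Added example, not part of the original thread.
# Documented registry location written by the "Hardened UNC Paths" policy.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Assumption: each value is named after a UNC path and holds a string such as
# "RequireMutualAuthentication=1, RequireIntegrity=1". Unknown flags are ignored.
function ConvertFrom-HardenedPathValue {
    param([string]$Path, [string]$Data)
    $flags = @{ RequireMutualAuthentication = 0; RequireIntegrity = 0; RequirePrivacy = 0 }
    foreach ($pair in ($Data -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2 -and $flags.ContainsKey($kv[0].Trim())) {
            $flags[$kv[0].Trim()] = [int]$kv[1].Trim()
        }
    }
    [pscustomobject]@{
        Path                       = $Path
        RequireMutualAuthentication = $flags.RequireMutualAuthentication
        RequireIntegrity           = $flags.RequireIntegrity
        RequirePrivacy             = $flags.RequirePrivacy
    }
}

# Read every hardened path entry currently applied on this machine.
function Get-HardenedUncPath {
    if (-not (Test-Path -Path $HardenedPathsKey)) { return @() }
    $key = Get-Item -Path $HardenedPathsKey
    foreach ($name in $key.GetValueNames()) {
        ConvertFrom-HardenedPathValue -Path $name -Data ([string]$key.GetValue($name))
    }
}

# Check a set of entries against the thread's findings:
#  - RequirePrivacy=1 is what broke SYSVOL/GPO access in the question
#  - the recommended minimum is mutual auth + integrity on NETLOGON and SYSVOL
# Returns one string per finding; an empty result means nothing to report.
function Test-HardenedUncPathConfig {
    param([object[]]$Entries = @(Get-HardenedUncPath))
    $findings = @()
    foreach ($e in $Entries) {
        if ($e.RequirePrivacy -eq 1) {
            $findings += "$($e.Path): RequirePrivacy=1 is set (the setting the thread found to break GPO access)"
        }
        if ($e.RequireMutualAuthentication -ne 1) {
            $findings += "$($e.Path): RequireMutualAuthentication is not enabled"
        }
        if ($e.RequireIntegrity -ne 1) {
            $findings += "$($e.Path): RequireIntegrity is not enabled"
        }
    }
    foreach ($share in '\\*\NETLOGON', '\\*\SYSVOL') {
        $ok = $Entries | Where-Object {
            $_.Path -ieq $share -and $_.RequireMutualAuthentication -eq 1 -and $_.RequireIntegrity -eq 1
        }
        if (-not $ok) {
            $findings += "No $share entry with RequireMutualAuthentication=1 and RequireIntegrity=1"
        }
    }
    return $findings
}

# Constructed inputs mirroring the thread: the original per-DC settings and the
# recommended wildcard share settings. These do not touch the registry.
$original = @(
    ConvertFrom-HardenedPathValue -Path '\\dc1' -Data 'RequireMutualAuthentication=1,RequireIntegrity=1,RequirePrivacy=1'
    ConvertFrom-HardenedPathValue -Path '\\dc2' -Data 'RequireMutualAuthentication=1,RequireIntegrity=1,RequirePrivacy=1'
)
$recommended = @(
    ConvertFrom-HardenedPathValue -Path '\\*\NETLOGON' -Data 'RequireMutualAuthentication=1,RequireIntegrity=1'
    ConvertFrom-HardenedPathValue -Path '\\*\SYSVOL'   -Data 'RequireMutualAuthentication=1,RequireIntegrity=1'
)

'--- original settings from the question ---'
Test-HardenedUncPathConfig -Entries $original
'--- recommended settings from the answer ---'
Test-HardenedUncPathConfig -Entries $recommended
'--- live policy on this machine ---'
Get-HardenedUncPath | Format-Table -AutoSize
Test-HardenedUncPathConfig
```

Run it in an elevated PowerShell session on the DC after the GPO has refreshed; the first two blocks exercise the parser on the thread's own settings, and the last block shows what is actually applied locally. Note that the key under `HKLM\SOFTWARE\Policies` is owned by Group Policy, so edit the setting in the GPO rather than writing the registry directly, or the next refresh will overwrite it.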

All replies

  • Mark,

    Well, that seems to have done it.  It would be the lack of IPSec that breaks everything, I'd assume.  I made those changes above and nothing appears broken.

    Thanks!

    M.

    Friday, March 25, 2016 2:52 PM