none
Hardened UNC Path GPO Question

    Question

  • I'm looking to implement the recommended group policy settings to harden UNC access to SYSVOL and NETLOGON. But, I'm must be missing some .adm/.adml files. When I edit a new group policy and try to configure UNC Hardened Access  in Computer Configuration, Administrative Templates, Network, Network Provider (Enable the Hardened UNC Path setting), I can't find the Network Provider settings folder.

    My Group Policy Management Console is running on a Windows 8.1 system and the policy definitions from the Central Store are at the level of Windows Server 2012 R2. The system with the GPMC has already had MS15-011 and MS5-014 installed. I must be missing something easy but I'm not sure where to look. Any suggestions?

    Thursday, February 12, 2015 11:14 PM

Answers

  • Martin is correct, this worked for me.

    Here are the steps I followed to add this to the central store on the domain controller.  This was on a 2008 R2 Server, and assumes that the OS is installed on the C partition, as well as having English (US) set as the language.  After the appropriate Security Updates are installed and the server reboots, do the following:

    1. Find the Network Provider template files in the Local GPO ADMX store at C:\Windows\PolicyDefinitions
    2. Locate the NetworkProvider.admx file, as well as the NetworkProvider.adml file that is contained within the en-US subdirectory; these files will need to be copied to the corresponding directories in the Central Store
    3. Go to the Group Policy Central Store at C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
    4. Copy the NetworkProvider.admx into the Central Store PolicyDefinitions directory, and then copy NetworkProvider.adml into the Central Store PolicyDefinitions\en-US directory
    5. Right click on your desired GPO in Group Policy Management, select Edit, and then you will find the Hardened UNC Path setting under Computer Configuration/Policies/Administrative Templates/Network/Network Provider

    If necessary, additional information on creating and configuring a Central Store can be found here: https://msdn.microsoft.com/en-us/library/bb530196.aspx

    • Proposed as answer by A113 Tuesday, February 17, 2015 7:12 PM
    • Marked as answer by TPotter Tulsa Tuesday, February 24, 2015 9:15 PM
    Friday, February 13, 2015 5:13 PM
  • > UNC Hardened Access  in *Computer Configuration*, *Administrative
    > Templates*, *Network*, *Network Provider (*Enable the *Hardened UNC
    > Path* setting), I can't find the Network Provider settings folder.
     
    Update your Central store from a system where the Patches are installed.
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Proposed as answer by AJuza Friday, February 13, 2015 5:13 PM
    • Marked as answer by TPotter Tulsa Tuesday, February 24, 2015 9:16 PM
    Friday, February 13, 2015 10:58 AM

All replies

  • I, too, am having the same problem.

    I was hoping that installing the appropriate Security Updates (KB3004375, KB3031432, KB3000483) would have updated whatever needed to be done in order for the Network Provider folder and other pertinent settings appear, but no luck.

    Friday, February 13, 2015 2:47 AM
  • > UNC Hardened Access  in *Computer Configuration*, *Administrative
    > Templates*, *Network*, *Network Provider (*Enable the *Hardened UNC
    > Path* setting), I can't find the Network Provider settings folder.
     
    Update your Central store from a system where the Patches are installed.
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Proposed as answer by AJuza Friday, February 13, 2015 5:13 PM
    • Marked as answer by TPotter Tulsa Tuesday, February 24, 2015 9:16 PM
    Friday, February 13, 2015 10:58 AM
  • Martin is correct, this worked for me.

    Here are the steps I followed to add this to the central store on the domain controller.  This was on a 2008 R2 Server, and assumes that the OS is installed on the C partition, as well as having English (US) set as the language.  After the appropriate Security Updates are installed and the server reboots, do the following:

    1. Find the Network Provider template files in the Local GPO ADMX store at C:\Windows\PolicyDefinitions
    2. Locate the NetworkProvider.admx file, as well as the NetworkProvider.adml file that is contained within the en-US subdirectory; these files will need to be copied to the corresponding directories in the Central Store
    3. Go to the Group Policy Central Store at C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions
    4. Copy the NetworkProvider.admx into the Central Store PolicyDefinitions directory, and then copy NetworkProvider.adml into the Central Store PolicyDefinitions\en-US directory
    5. Right click on your desired GPO in Group Policy Management, select Edit, and then you will find the Hardened UNC Path setting under Computer Configuration/Policies/Administrative Templates/Network/Network Provider

    If necessary, additional information on creating and configuring a Central Store can be found here: https://msdn.microsoft.com/en-us/library/bb530196.aspx

    • Proposed as answer by A113 Tuesday, February 17, 2015 7:12 PM
    • Marked as answer by TPotter Tulsa Tuesday, February 24, 2015 9:15 PM
    Friday, February 13, 2015 5:13 PM
  • Just an FYI if you have any 2003 servers you need to install KB3004361 or gpupdate process will consume the machine.
    Wednesday, February 18, 2015 6:25 PM
  • Thanks for the write-up. I neglected to copy the NetworkProvider.admx and .adml files to the Central Store. I have my new GPO now.
    Tuesday, February 24, 2015 9:16 PM
  • If you apply the Windows 10 1511 ADMX download to your Central Store you will have the NetworkProvider admx/adml policy as well as other new and updated admx/adml policies.

    Windows10_Version_1511_ADMX.msi

    https://www.microsoft.com/en-us/download/details.aspx?id=48257

    Friday, December 18, 2015 3:02 PM