Group Policy and MS15-011 - default domain or default domain controller policy?

    Question

  • In conjunction with patch MS15-011, it is recommended to configure "hardened UNC paths" as shown below:

    Note: if you require more background information on the subject, Darren Mar-Elia wrote this blog post:

    https://sdmsoftware.com/group-policy-blog/security-related/understanding-jasbug-vulnerability-group-policy/

    ---

    Here is my question:

    Since the NETLOGON and SYSVOL shares only exist on domain controllers, can we simply...

    1. Modify the default domain controllers policy (or)

    2. Create another GPO and apply it to the domain controllers OU

    (OR)

    Would there be a reason to apply these settings to ALL the servers and client machines in the domain?

    -

    We are speculating that perhaps the values have to be set on both ends for the solution to be effective (???).

    Even though (and counter-intuitively), only domain controllers will have NETLOGON and SYSVOL shares.

    I understand one might also want to harden other shares. But for the time being, I am addressing the NETLOGON and SYSVOL shares.

    Thank you in advance!


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, January 11, 2016 4:05 PM

Answers

  • > 1. Modify the default domain controllers policy (or)
     
    No.
     
    > 2. Create another GPO and apply it to the domain controllers OU
     
    No.
     
    > Would there be a reason to apply these settings to ALL the servers and
    > client machines in the domain?
     
    Yes. The hardening is a client side thing, not a server side thing. You
    are not hardening the shares themselves, but the clients that are
    accessing them.
     
    Monday, January 11, 2016 4:15 PM
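
    Because the setting is enforced on the accessing machine, it can be checked on any domain member. The following PowerShell audit is an added example, not part of the original thread: it reads the Hardened UNC Paths policy on the local machine and reports whether the NETLOGON and SYSVOL entries require mutual authentication and integrity. The registry location and value format come from Microsoft's KB3000483 guidance rather than from this page; the function names and the fallback sample data are constructed for illustration.

```powershell
# Added example: audit the client-side Hardened UNC Paths policy (MS15-011).
# Registry location per Microsoft KB3000483; run on any domain member, not only DCs.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$Required  = 'RequireMutualAuthentication', 'RequireIntegrity'

function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    # "RequireMutualAuthentication=1, RequireIntegrity=1" -> hashtable of flag -> value
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name] = "$setting".Trim() }
    }
    return $flags
}

function Test-HardenedUncPath {
    param(
        [hashtable]$Configured,                      # UNC pattern -> raw policy string
        [string[]]$Paths = @('\\*\NETLOGON', '\\*\SYSVOL')
    )
    foreach ($path in $Paths) {
        # Hashtable keys are matched case-insensitively in PowerShell
        $raw     = $Configured[$path]
        $flags   = if ($raw) { ConvertFrom-HardenedPathValue $raw } else { @{} }
        $missing = @($Required | Where-Object { $flags[$_] -ne '1' })
        [pscustomobject]@{
            Path     = $path
            Value    = $raw
            Hardened = ($missing.Count -eq 0)
            Missing  = $missing -join ', '
        }
    }
}

# Read the live policy if present; otherwise fall back to a constructed sample
$configured = @{}
if (Test-Path $PolicyKey) {
    $item = Get-Item $PolicyKey
    foreach ($name in $item.GetValueNames()) { $configured[$name] = [string]$item.GetValue($name) }
} else {
    # Constructed sample: NETLOGON fully hardened, SYSVOL missing RequireIntegrity
    $configured['\\*\NETLOGON'] = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    $configured['\\*\SYSVOL']   = 'RequireMutualAuthentication=1'
}
Test-HardenedUncPath -Configured $configured | Format-Table -AutoSize
```

    A row with `Hardened` set to `False` on a workstation or member server means the GPO carrying the setting is not reaching that client, whatever is configured on the domain controllers.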

All replies

  • So either add the setting to the default domain policy or create a new GPO and apply at domain level?

    Usually, I avoid "messing" with the default domain policy too much, but I suppose that is an option.

    Otherwise, thanks for the input.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


    Monday, January 11, 2016 5:04 PM