UNC Hardening Not Working with DFS File Share

Alex Rourke 21 Reputation points
2023-01-24T20:13:42.14+00:00

Per this guide, we are attempting to enable hardening on our file shares and are having some issues. For background:

We are using the group policy Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths.

  • Our file server is running Windows Server 2022 and the clients we are testing on are all running Windows 11 or Windows 10 with up-to-date builds. For the sake of this discussion, let's say the file server is called FS-VM and the domain is domain.local. The file share is called "FileShare".
  • We use DFS namespaces to host our file shares and map to these namespaces. The namespace for the file shares is \\domain.local\Files.
  • The DFS share for "FileShare" is called "FileShare". It only has one target, "\\FS-VM\FileShare". Via DFS, this share is accessible at \\domain.local\Files\FileShare.
  • This file share is mapped to a drive letter using Group Policy Preference Drive Maps.
  • We are using the UNC hardening group policy mentioned in the article above. Here are the "Hardened UNC Paths" we have set up in the group policy object. All of these are set up with the value "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1":
    • \\FS-VM
    • \\FS-VM.domain.local
    • \\domain.local\Files\FileShare

The policy is applying to the client computers and, when navigating to the file share directly in File Explorer (\\FS-VM\FileShare) and opening a file, I can see (in Wireshark) that all SMB traffic is encrypted, exactly like we expect.

However, if I navigate to the same share through its DFS link (\\domain.local\Files\FileShare), I can see in Wireshark that none of the traffic is encrypted as if the UNC Hardening policy is not applying at all. This is the case whether I navigate through the mapped drive or directly using the network path above. You'll notice for the sake of testing we also tried adding the DFS path to the group policy to no avail.

I tried changing the DFS path of the file server from FS-VM to FS-VM.domain.local, just to see if this would make a difference and it did not.

I tried various other entries for the policy as well:

  • \\domain.local\Files*
  • \\domain.local\Files
  • \*\Files
  • \*\Files\FileShare
  • \\domain.local\Files\FileShare
  • \\FS-VM*

I can't find any documentation anywhere that indicates that the UNC Hardening group policy doesn't work with DFS shared folder paths, so I don't understand what the problem is here.

Does anyone know what I'm doing wrong? Why doesn't UNC hardening work with DFS shared folders? Is this by design?
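A quick way to check both halves of this on an affected client, as an added example that is not part of the original question or answer: it reads the HardenedPaths values the policy actually delivered, opens the direct and DFS paths from the post, and then lists the SMB client's own per-connection signing and encryption flags. Host and share names are the ones from the post; the registry location is where the Hardened UNC Paths GPO writes its values, and the Signed/Encrypted properties of Get-SmbConnection are assumed to be present on the client builds in use.

```powershell
# Added example, not from the original post. Run on a domain-joined client
# that receives the Hardened UNC Paths policy.

# Location the GPO writes to: one value per hardened path, data is the
# "RequireMutualAuthentication=1, ..." string.
$hardenedKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# 1. Show what this client actually received from Group Policy.
$policy = Get-ItemProperty -Path $hardenedKey -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No HardenedPaths key found; the policy has not applied here."
} else {
    $policy.PSObject.Properties |
        Where-Object { $_.Name -like '\\*' } |
        ForEach-Object {
            [pscustomobject]@{ HardenedPath = $_.Name; Requirements = $_.Value }
        } | Format-Table -AutoSize
}

# 2. Touch both access paths so the redirector has a live session to each.
#    Names are the constructed ones used in the post.
$paths = '\\FS-VM\FileShare', '\\domain.local\Files\FileShare'
foreach ($p in $paths) {
    Get-ChildItem -Path $p -ErrorAction SilentlyContinue | Out-Null
}

# 3. Ask the SMB client how each connection was negotiated. ServerName is the
#    host the redirector really connected to: for the DFS path that is the
#    referral target (FS-VM), not the namespace name. Compare the Encrypted
#    column for the two paths against what Wireshark shows.
#    (Signed/Encrypted are assumed to be exposed on these client builds.)
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted |
    Format-Table -AutoSize
```

If the DFS-path connection shows Encrypted = False while the direct one shows True, the redirector negotiated the DFS session without the privacy requirement, which is the condition to raise with the policy owner or a support case.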


1 answer

  1. Limitless Technology 43,966 Reputation points
    2023-01-25T19:11:37.0066667+00:00

    Hi,

    Thank you for posting your query.

    Kindly follow the steps provided below to resolve your issue.

    We have a topic with a problem similar to yours, I recommend you see the article below:

    https://social.technet.microsoft.com/Forums/en-us/7ff4bafa-a65a-4741-83a2-b9e0cf1e36b3/hardened-unc-path-gpo-question?forum=winserverGP

    Go to this link for your reference and other troubleshooting procedures https://learn.microsoft.com/en-us/answers/questions/569202/gpo-unc-hardening-with-privacy-not-working-when-ho

    Do not hesitate to message us if you need further assistance.

    If the answer is helpful kindly click "Accept as Answer" and up vote it.