Per this guide, we are attempting to enable hardening on our file shares and are having some issues. For background:
We are using the group policy Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths.
- Our file server is running Windows Server 2022 and the clients we are testing on are all running Windows 11 or Windows 10 with up-to-date builds. For the sake of this discussion, let's say the file server is called FS-VM and the domain is domain.local. The file share is called "FileShare".
- We use DFS namespaces to host our file shares and map to this namespace. The namespace for the file shares is \\domain.local\Files.
- The DFS share for "FileShare" is called "FileShare". It only has one target, "\\FS-VM\FileShare". Via DFS, this share is accessible at \\domain.local\Files\FileShare.
- This file share is mapped to a drive letter using Group Policy Preference Drive Maps.
- We are using the UNC hardening group policy mentioned in the article above. Here are the "Hardened UNC Paths" we have set up in the group policy object. All of these are set up with the value "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1":
The policy is applying to the client computers and, when navigating to the file share directly in File Explorer (\\FS-VM\FileShare) and opening a file, I can see (in Wireshark) that all SMB traffic is encrypted, exactly like we expect.
However, if I navigate to the same share through its DFS link (\\domain.local\Files\FileShare), I can see in Wireshark that none of the traffic is encrypted, as if the UNC Hardening policy is not applying at all. This is the case whether I navigate through the mapped drive or directly using the network path above. You'll notice that, for the sake of testing, we also tried adding the DFS path to the group policy, to no avail.
I tried changing the DFS path of the file server from FS-VM to FS-VM.domain.local, just to see if this would make a difference and it did not.
I tried various other entries for the policy as well:
I can't find any documentation anywhere that indicates that the UNC Hardening group policy doesn't work with DFS shared folder paths, so I don't understand what the problem is here.
Does anyone know what I'm doing wrong? Why doesn't UNC hardening work with DFS shared folders? Is this by design?
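As an added check (example code, not part of the original post), the script below reads the Hardened UNC Paths entries that the policy actually wrote to the client's registry, resolves the DFS link to its SMB target, and reports which entries cover the DFS path versus the resolved target path. It assumes a domain-joined client after gpupdate, the DFSN RSAT module for Get-DfsnFolderTarget, and the server, domain and share names used in the post.

```powershell
# Added example, not from the original post.
# Assumptions: run on a domain-joined client after gpupdate; DFSN RSAT module
# installed (Get-DfsnFolderTarget); names below are the ones used in the post.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$DfsPath   = '\\domain.local\Files\FileShare'

# Turn a hardened-path entry (wildcards allowed for server and share,
# e.g. \\*\FileShare or \\FS-VM\*) into a regex that also matches subfolders.
function ConvertTo-HardenedPathRegex {
    param([string]$Entry)
    $escaped = [regex]::Escape($Entry.TrimEnd('\')) -replace '\\\*', '[^\\]+'
    return '^' + $escaped + '(\\.*)?$'
}

# List every configured entry with its settings and whether it covers $UncPath.
function Get-HardenedPathMatches {
    param([string]$UncPath)
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $props) { Write-Warning 'No HardenedPaths policy key found on this client'; return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -like '\\*' } |   # skip PSPath/PSParentPath etc.
        ForEach-Object {
            [pscustomobject]@{
                Entry    = $_.Name
                Settings = $_.Value
                Covers   = [bool]($UncPath -match (ConvertTo-HardenedPathRegex $_.Name))
            }
        }
}

# Resolve the DFS link to its real SMB target(s), e.g. \\FS-VM\FileShare in the post.
$targets = Get-DfsnFolderTarget -Path $DfsPath | Select-Object -ExpandProperty TargetPath

"Hardened-path entries covering the DFS path $DfsPath :"
Get-HardenedPathMatches -UncPath $DfsPath | Format-Table -AutoSize

foreach ($t in $targets) {
    "Hardened-path entries covering the resolved target $t :"
    Get-HardenedPathMatches -UncPath $t | Format-Table -AutoSize
}
```

Compare the two tables: an entry that covers only one of the two paths is the first thing to look at when the two access routes behave differently in Wireshark.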