Thursday, February 12, 2015

MS015-11 Security update for Group Policy

Quickie:
If you've applied MS015-11 http://support.microsoft.com/kb/3000483 in your environment, you HAVE TO make a GPO change to turn the vulnerability protection on.  Specifically, you have to enable the Hardened UNC Paths setting in Group Policy under Computer Configuration/Administrative Templates/Network/Network Provider.  It talks about the specific setting in the KB article.

If you haven't installed the update on your management station you won't have this GPO Administrative Template.  You can get it from a patched machine.  The files are

c:\windows\PolicyDefinitions\NetworkProvider.admx
c:\windows\PolicyDefinitions\en-US\NetworkProvider.adml






(If your server OS isn't "English-US", substitute the correct language code in that.)

If you have a PolicyDefinitions folder on your Sysvol share (and you should), then copy those two files to
\\yourdomain.com\sysvol\policies\yourdomain.com\PolicyDefinitions and
\\yourdomain.com\sysvol\policies\yourdomain.com\PolicyDefinitions\en-US  respectively.

If you don't have a PolicyDefinitions folder, then copy them to the same locations as the original on your management station.

Cheers.

No comments: