[Samba] UNC-Hardening, config via group policy

L.P.H. van Belle belle at bazuin.nl
Fri Feb 12 08:53:55 UTC 2021

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Stefan G.
> Weichinger via samba
> Verzonden: donderdag 11 februari 2021 20:48
> Aan: samba
> Onderwerp: [Samba] UNC-Hardening, config via group policy
> I currently try to rollout AV software via a group policy (doesn't
> matter, which software).
> A group policy sets a logon script, that one looks for a registry key,
> and if it isn't there yet it calls a binary.exe from \\somedc\sysvol\
> I have a GPO in place for years now that trusts
> \\*\SYSVOL

I would try, *.yourprimary.dnsdomain.tld 

> as found in some howtos online.
> OK, maybe that one never worked ...
> But group policies work, so access to these shares works so far.
> I added lines matching a specific DC etc ... didn't work.
> I tried to store the exe on another share which is reachable via "W:\"
> from all clients ... to avoid UNC-path.

Dont depoly from het sysvol\netlogon shares, create a new dedicated share for it. 

> Doesn't work.
Then it should work, using it here. 


> Do I have to look at these IE-Zone stuff? I have a GPO for that as well,
> but have to check. 
Yes, for some "stupid" reason, even MS is removing IE, we still need to add 
The trusting zones. 
few examples. 

trusting only a website with HTTP. 

The second method would be along the lines of "*://hostname.primary.dnsdomain.tld ".  

And the combination of the two would be along the lines of "*://*.primary.dnsdomain.tld ".

> In general: is there maybe something new to configure with latest
> Windows 10 clients?
Yes, its all more restrictive. 

Still not working. 

try adding : acl allow execute always = true to the share. 
if it then works, thens its a problem in the ACL's.

Then you might want to look in here. 
In Internet Explorer, click Tools, and then click Internet Options.
Click the Security tab, click Local intranet, and then click Sites.
Clear the Include all network paths (UNC) check box, and then click OK.
Select the Trusted sites zone, click Sites, type the path for the download server, and then click Add.

Repeat the previous step for every download server that you want to specify as trusted.

Control Panel ?¨ Network and Intranet ?¨ Network and Sharing Center
Bottom left there is a 'See Also' section, click on 'Internet Options'.
Select Local intranet zone on the Security tab then click the Sites button
Click Advanced button, Enter file://[computer name.FQDN]
Make sure 'Require server verification...' is unticked

Last one i saw, i dont use this but it might help others. 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]

> thanks

Your welkom.

More information about the samba mailing list