[Samba] UNC-Hardening, config via group policy

Stefan G. Weichinger lists at xunil.at
Fri Feb 12 12:37:53 UTC 2021


On 12.02.21 at 09:53, L.P.H. van Belle via samba wrote:
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G.
>> Weichinger via samba
>> Sent: Thursday, 11 February 2021 20:48
>> To: samba
>> Subject: [Samba] UNC-Hardening, config via group policy
>>
>>
>> I currently try to rollout AV software via a group policy (doesn't
>> matter, which software).
>>
>> A group policy sets a logon script, that one looks for a registry key,
>> and if it isn't there yet it calls a binary.exe from \\somedc\sysvol\
>>
>> I have a GPO in place for years now that trusts
>>
>> \\*\SYSVOL
>>
>> \\*\NETLOGON
> 
> I would try, *.yourprimary.dnsdomain.tld
> 
>>
>> as found in some howtos online.
>>
>> OK, maybe that one never worked ...
>>
>> But group policies work, so access to these shares works so far.
>>
>> I added lines matching a specific DC etc ... didn't work.
>>
>> I tried to store the exe on another share which is reachable via "W:\"
>> from all clients ... to avoid UNC-path.
> 
> Don't deploy from the sysvol\netlogon shares, create a new dedicated share for it.
> 
>>
>> Doesn't work.
> Then it should work, using it here.
> 
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/use-group-policy-to-install-software
> 
>>
>> Do I have to look at these IE-Zone stuff? I have a GPO for that as well,
>> but have to check.
> Yes, for some "stupid" reason, even though MS is removing IE, we still need to add
> the trusting zones.
> A few examples.
> 
> trusting only a website with HTTP.
> "http://*.primary.dnsdomain.tld".
> 
> The second method would be along the lines of "*://hostname.primary.dnsdomain.tld ".
> 
> And the combination of the two would be along the lines of "*://*.primary.dnsdomain.tld ".
> 
>>
>> In general: is there maybe something new to configure with latest
>> Windows 10 clients?
> Yes, it's all more restrictive.
> 
> Still not working.
> 
> try adding: acl allow execute always = true to the share.
> if it then works, then it's a problem in the ACLs.
> 
> Then you might want to look in here.
> In Internet Explorer, click Tools, and then click Internet Options.
> Click the Security tab, click Local intranet, and then click Sites.
> Clear the Include all network paths (UNC) check box, and then click OK.
> Select the Trusted sites zone, click Sites, type the path for the download server, and then click Add.
> 
> Repeat the previous step for every download server that you want to specify as trusted.
> 
> Control Panel -> Network and Intranet -> Network and Sharing Center
> Bottom left there is a 'See Also' section, click on 'Internet Options'.
> Select Local intranet zone on the Security tab then click the Sites button
> Click Advanced button, Enter file://[computer name.FQDN]
> Make sure 'Require server verification...' is unticked
> 
> 
> Last one I saw, I don't use this but it might help others.
> Windows Registry Editor Version 5.00
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
> "*"=dword:00000001
> ":Range"="172.16.200.5-6"
> https://docs.microsoft.com/en-us/troubleshoot/browsers/ie-security-zones-registry-entries

Louis, thanks for the detailed info.

I tried some of that, but wonder if I'd be quicker to visit the missing few PCs and install that thing manually :-P

I changed my method now:

let a GPO copy the exe from the fileserver to some TEMPDIR

then execute it locally

Testing that ...
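As an added illustration of the copy-then-run approach described above (example code, not a script from this thread or from Samba): a PowerShell script that copies the installer from a dedicated share to a local temp directory, checks its hash, runs it locally and records a marker key so it runs once per machine. It assumes it is deployed as a computer startup script (running as SYSTEM, so HKLM is writable); the share path, marker key, expected hash and the '/S' silent switch are placeholders.

```powershell
# Added example (not from the thread): copy the installer locally, verify it,
# run it from the local path, and leave a marker so the rollout happens once.
$Source    = '\\fileserver.example.tld\deploy$\binary.exe'   # hypothetical dedicated share
$MarkerKey = 'HKLM:\SOFTWARE\ExampleOrg\AVRollout'           # hypothetical marker key
$Expected  = '<SHA256-OF-APPROVED-INSTALLER>'                # placeholder, fill in from your build
$TempDir   = Join-Path $env:SystemRoot 'Temp\avrollout'

# Skip machines that already went through the rollout.
if (Test-Path $MarkerKey) { exit 0 }

New-Item -ItemType Directory -Force -Path $TempDir | Out-Null
$Local = Join-Path $TempDir (Split-Path $Source -Leaf)

# Copy first: the executable then starts from a local path, so UNC hardening and
# the IE zone settings no longer decide whether it is allowed to run.
Copy-Item -Path $Source -Destination $Local -Force

# Verify the copy before executing anything; refuse to run an unexpected binary.
$Actual = (Get-FileHash -Path $Local -Algorithm SHA256).Hash
if ($Actual -ne $Expected) {
    Remove-Item -Path $Local -Force
    Write-Error "Hash mismatch for $Local (got $Actual), not executing"
    exit 1
}

# Run locally and wait; '/S' is an assumed silent-install switch.
$proc = Start-Process -FilePath $Local -ArgumentList '/S' -Wait -PassThru

if ($proc.ExitCode -eq 0) {
    # Record success so later logons/startups skip the install.
    New-Item -Path $MarkerKey -Force | Out-Null
    New-ItemProperty -Path $MarkerKey -Name 'Installed' -Value (Get-Date -Format 'o') `
        -PropertyType String -Force | Out-Null
}

Remove-Item -Path $Local -Force
exit $proc.ExitCode
```

The hash check is what makes the temp-dir copy safe to execute: without it, anyone who can write to the share or to the temp directory controls what SYSTEM runs on every client.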
