Vulnerability in Group Policy Fixed with MS15-011 & MS15-014

COG1_thumb.pngToday Microsoft published hotfix MS15-011 and MS15-014 that addressed a potential issues that could allow an man in the middle attack on computer. This vulnerability affected system that could be compromised by a man in the middle or what I like to call a “Coffee Shop Attack”. The summary is that by interfering with the traffic that is being sent to a client a malicious person can force a client to fall back to default weaker security settings. Once this is done it would then be possible to trick a client into running a malicious logon script.

Therefore Microsoft has released two hotfixes to fix this vulnerability:

  • MS015-011 – Microsoft has change the fall back behaviour of security setting if it encounters a corrupt Client Side Extension file.
  • MS015-014 – Microsoft has enable mutual authentication for Group Policy UNC paths meaning that a client cannot be tricked into access the same path using a different protocol such as WebDAV.

Needless to say that this is an important update to Windows and one that particularly changes the behaviour of Group Policy to mitigate the threat.

For a much more detail explanation of this see:

http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx

This update can only be downloaded via Windows Update but you can get more information on the individual patches at:

https://technet.microsoft.com/en-us/library/security/ms15-011

https://technet.microsoft.com/en-us/library/security/ms15-014

10 Comments

  1. Hi there,
    as described in http://support.microsoft.com/kb/3000483, you should set the Policy “Hardened UNC Paths”, located at “Computer Configuration/Administrative Templates/Network/Network Provider”.
    Well…
    I have difficulties to find this Policy. It also cannot be found within reference table WindowsServer2012R2andWindows8.1GroupPolicySettings.xlsx (source: http://www.microsoft.com/en-us/download/details.aspx?id=25250)
    It’s like non-existent.

    • You need to make sure KB3000483 has been installed via Windows Update on the machine you are running Group Policy Management Editor on. This adds the new settings.

  2. Thanks, Sam.
    So Administrative Templates are added/modified. But only at %windir%\PolicyDefinitions.
    A Central Store won’t care about this.
    Would have been nice to read this information at the kb article.

    • Couldn’t agree more. I’ve been trying to figure out what to do for some time. Total lack of documentation.

  3. I’ve just rolled this policy out to my machine for testing and am now unable to access the SYSVOL or NETLOGON shares, so I can’t turn it off again. I’ve not found where the configuration is stored locally either to edit it.

    • We’re on Server 2008 R2 and Windows 7 so enabling the RequirePrivacy option is a very bad plan. I fixed my machine by uninstalling the update from my client machine, rebooting to get the fixed GPO and re-installing the update again.

      I really should have read this bit of the KB page:

      Note SMB Encryption is supported by the SMB client only on Windows 8, Windows Server 2012, and later versions, and then only when communicating with SMB Encryption-capable servers (such as Windows 8, Windows Server 2012 and later versions). If you configure RequirePrivacy=1 on clients that do not support SMB Encryption or for UNC paths hosted by servers that do not support SMB Encryption, you will have a configuration in which the SMB client will be unable to access the specified path.

    • Can you access them by name? tThis is supposed to only affect accessing those shares by name instead of IP address. I set up the GP and was asked for authentication when I tried to access the shares by ip but when I used the name it worked as expected.

Leave a Reply

Your email address will not be published. Required fields are marked *