Sysvol and Netlogon Shares

I've been following all the discussion regarding the recent MS15-011 patch that was released. In the KB it discusses that, at a minimum, users should harden NETLOGON and SYSVOL. Can someone explain what these shares are used for and why Microsoft recommends those be hardened at a minimum? I have an idea, but as a Unix person I'd like to understand their use a little better.



Hi credog,

SYSVOL is an NTFS share on all domain controllers and contains two essential folders for Active Directory: Scripts and Policies.
The Policies folder contains a copy of all the group policies that are defined in the domain.
Scripts holds the logon scripts for all the domain users.

Netlogon is the share name of the Scripts folder.

Regards

Guy





Do not harden the default security of these TWO folders.

These TWO folders are created by AD by default:
http://social.technet.microsoft.com/wiki/contents/articles/8548.sysvol-and-netlogon-share-importance-in-active-directory.aspx

If you make any changes to the security of these folders, it might be possible that nobody will get GPOs.

Furthermore, restoring their default security is a complex task:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/d54c2e41-f827-4db3-8956-1b3d15f5a076/want-to-modify-sysvol-and-netlogon-share-permissions
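The two replies above describe what SYSVOL and NETLOGON hold and warn that editing their NTFS permissions by hand is risky. The following PowerShell script is an added example (not from this thread or from Microsoft) that only reads those ACLs: it lists every Allow entry carrying a write-class right and flags principals outside the set that normally holds such rights, so an administrator can check for drift without touching the permissions. The domain name is taken from `$env:USERDNSDOMAIN`, and the `$DefaultWriters` list is an assumption that approximates what AD grants by default; domain-specific groups such as Domain Admins will show up as "Unexpected" and should simply be reviewed.

```powershell
# Added example, not from the thread: a read-only audit of the NTFS ACLs on the
# SYSVOL and NETLOGON shares. It lists every "Allow" entry that carries a
# write-class right and flags the principal if it is outside the set that holds
# such rights by default, so you can spot drift without changing anything.
# Assumptions: $Domain is your domain's DNS name; $DefaultWriters is an
# approximation of the principals AD grants write access to by default.
$Domain = $env:USERDNSDOMAIN

$DefaultWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER'
)

# Rights that let a principal change content or permissions, as one bitmask.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($FSR::Write -bor $FSR::Delete -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership)

function Get-WriteAces {
    param([Parameter(Mandatory)] [string] $Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        # Generic rights appear as negative ints; -band still works on them.
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        $identity = $ace.IdentityReference.Value
        [pscustomobject]@{
            Path       = $Path
            Identity   = $identity
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            Unexpected = -not ($DefaultWriters -contains $identity)
        }
    }
}

# NETLOGON is the Scripts folder under SYSVOL exposed as its own share, so
# both are audited through their domain-level UNC paths.
$targets  = @("\\$Domain\SYSVOL\$Domain", "\\$Domain\NETLOGON")
$findings = foreach ($t in $targets) { Get-WriteAces -Path $t }

$findings | Sort-Object Path, Unexpected -Descending | Format-Table -AutoSize

$drift = @($findings | Where-Object Unexpected)
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) write-capable ACE(s) outside the expected set; review them before changing any permissions."
}
```

The script never calls Set-Acl: the point, as Mahesh says, is that the fix for a bad SYSVOL ACL is to restore the defaults through the supported procedure, not to edit entries one by one.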



Microsoft's recommended hardening of the share is just making sure domain users only have read access.
Because the vulnerability the MS15-011 patch fixes can give someone on a remote network unrestricted access to a domain computer, if they could access these shares they could take an entire domain down.

I think Mahesh jumped the gun on you, actually stating you were going to do it.



Thanks for the explanation. I guess I'm a little confused though. With the new patch (MS15-011), Microsoft recommends at a minimum hardening the two shares. Are you guys recommending against that? It seems that as long as the systems have gotten the patch, pushing that change out to domain computers would be a good idea.


Value name      Value
\\*\NETLOGON    RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL      RequireMutualAuthentication=1, RequireIntegrity=1
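The two rows above are the "Hardened UNC Paths" policy values. As an added example (not from the thread, and not Microsoft's tooling), the PowerShell below reads the registry key that Group Policy writes for that setting and reports whether each of the two paths carries the options listed. It assumes the policy lands under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths` (the documented location for this policy) and that it is run as a local administrator on a domain-joined machine that has received the patch.

```powershell
# Added example, not from the thread: read-only check of the UNC Hardened Access
# policy introduced with MS15-011 for the two paths the OP listed.
# Assumptions: the policy is stored under the HardenedPaths key below (the
# location Group Policy writes for "Hardened UNC Paths"); run as a local admin
# on a domain-joined machine that has the patch installed.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Minimum settings named in the thread: mutual authentication and integrity
# for every NETLOGON and SYSVOL share on any server (the '*' wildcard).
$RequiredPaths = @{
    '\\*\NETLOGON' = @('RequireMutualAuthentication=1', 'RequireIntegrity=1')
    '\\*\SYSVOL'   = @('RequireMutualAuthentication=1', 'RequireIntegrity=1')
}

function Test-HardenedUncPath {
    param(
        [Parameter(Mandatory)] [string]   $UncPath,
        [Parameter(Mandatory)] [string[]] $ExpectedOptions
    )
    $result = [pscustomobject]@{
        UncPath   = $UncPath
        Value     = $null
        Missing   = @()
        Compliant = $false
    }
    if (-not (Test-Path -LiteralPath $HardenedPathsKey)) {
        # No policy applied at all: every option is missing.
        $result.Missing = $ExpectedOptions
        return $result
    }
    # GetValue() copes with value names that contain backslashes and '*'.
    $raw = (Get-Item -LiteralPath $HardenedPathsKey).GetValue($UncPath)
    if ($null -eq $raw) {
        $result.Missing = $ExpectedOptions
        return $result
    }
    $result.Value = [string]$raw
    # The data is a comma-separated list of Option=Value tokens; normalise it
    # by stripping whitespace and lower-casing before comparing.
    $present = @($raw -split ',' | ForEach-Object { ($_ -replace '\s', '').ToLowerInvariant() })
    $result.Missing   = @($ExpectedOptions | Where-Object { $present -notcontains $_.ToLowerInvariant() })
    $result.Compliant = ($result.Missing.Count -eq 0)
    return $result
}

$report = foreach ($path in $RequiredPaths.Keys) {
    Test-HardenedUncPath -UncPath $path -ExpectedOptions $RequiredPaths[$path]
}

$report | Format-Table UncPath, Compliant, Value, @{ n = 'Missing'; e = { $_.Missing -join ', ' } } -AutoSize

if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'At least one hardened UNC path is not configured with the recommended options.'
}
```

The check is deliberately read-only; the setting itself is deployed through Group Policy (Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths) rather than by writing the registry directly, so the same values reach every patched client consistently.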



No, I'm not recommending against it; I think it's a good thing to enable mutual auth.
When I said "making sure domain users only have access", I should have worded it "making sure only domain users have access".

Mutual authentication is the best method for this, as the server and guest have to be able to verify each other without swapping information prior to any traffic being sent.

If someone had control of a domain workstation, they would not be able to impersonate a domain user in this way.

I think Mahesh was thinking along the lines of NTFS permissions hardening, or security tab where you assign user access permissions, which can be a big balls up if incorrectly configured.
