SYSVOL Hardening Interference with Tenable Identity Exposure

SYSVOL is a shared folder located on each Domain Controller (DC) in an Active Directory domain. It stores the folders and files for Group Policies (GPOs). The content of SYSVOL replicates across all DCs, and is accessed via Universal Naming Convention (UNC) paths such as \\<>\SYSVOL or \\<DC_IP_or_FQDN>\SYSVOL.

SYSVOL hardening refers to the use of the UNC Hardened Paths parameter, also known as “UNC hardened access”, “hardened UNC paths”, “UNC path hardening”, or “hardened paths”, etc. This feature came about to respond to the MS15-011 (KB 3000483) vulnerability in Group Policy. Many cybersecurity standards such as CIS Benchmarks mandate the enforcement of this feature.

When you apply this hardening parameter on Server Message Block (SMB) clients, it actually increases the security of the domain-joined machines to ensure that the GPO content they retrieve from SYSVOL is free from tampering by an attacker on the network. But in certain situations, this parameter can also interfere with Tenable Identity Exposure’s operation.

Follow the guidance in this troubleshooting section if you notice that hardened UNC paths are disrupting the connectivity between Tenable Identity Exposure and the SYSVOL share.

Affected environments

The following Tenable Identity Exposure deployment options may experience this issue:

  • On-premises

  • SaaS with Secure Relay

This deployment option is not affected:

  • SaaS with VPN

SYSVOL hardening is a client-side parameter, which means that it operates on the machines that connect to the SYSVOL share and not on the Domain Controllers.

Windows enables this parameter by default, and it can interfere with Tenable Identity Exposure.

Some organizations also want to ensure the activation of this parameter and enforce it by using the related GPO setting or by setting the corresponding registry key directly.

  • You can find the registry keys related to UNC hardened paths under “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths”:

  • You can find the corresponding GPO setting under “Computer Configuration/Administrative Templates/Network/Network Provider/Hardened UNC paths”:

SYSVOL hardening enforcement occurs when a UNC path referring to SYSVOL – for example “\\*\SYSVOL” – has the parameters “RequireMutualAuthentication” and “RequireIntegrity” set to the value “1”.

Signs of SYSVOL Hardening Issues

When you suspect that SYSVOL hardening interferes with Tenable Identity Exposure, check for the following:

  1. In Tenable Identity Exposure, go to System > Domain Management to view the LDAP and SYSVOL initialization status for each domain.

    A domain with normal connectivity shows a green indicator, while a domain with connectivity issues can show a crawling indicator that continues endlessly.

  2. On the Directory Listener or Relay machine, open the logs folder: <Installation Folder>\DirectoryListener\logs.

  3. Open the Ceti log file and search for the string "SMB mapping creation failed" or “Access is denied”. Error logs containing this phrase indicate that UNC hardening is likely in place on the Directory Listener or Relay machine.

Remediation Options

There are two possible remediation options: Switching to Kerberos authentication or Disabling SYSVOL hardening.

Risks When Disabling SYSVOL Hardening

SYSVOL hardening is a security feature and disabling it can raise valid concerns.

  • Non-domain-joined machines — There is no risk in disabling SYSVOL hardening. Since these machines do not apply GPOs, they do not get content from the SYSVOL share to execute it.

  • Domain-joined machines (Directory Listener or Relay machine) which Tenable Identity Exposure does not recommend — If there is a potential risk of having an attacker in a “Man-in-the-Middle” situation between the Directory Listener or Relay machine and the Domain Controllers, it is unsafe to disable SYSVOL hardening. In this case, Tenable Identity Exposure recommends that you switch to Kerberos authentication instead.

The scope of this deactivation is only on the Directory Listener or Relay machine and not other domain computers, and never the Domain Controllers.