RTFM – Installing the update doesn’t automatically fix the vulnerability

Recently I was going through my vulnerability scan report and noticed one of the top 5 plugins was in regard to MS15-011. Reading through the report, it mentioned that the patch KB3000483 was installed but UNC Hardened Access was not enabled via Group Policy. After further reading of the KB article, I realized what needed to be done. Microsoft was nice enough to give some recommendations and such. So I enabled UNC Hardened Access on the SYSVOL and NETLOGON shares for the domain. I did not do it for the file shares, as we tend to use multiple OS platforms. Though I would recommend doing so if you are running in a single-platform environment (all Windows).

As part of our patch management process, we should try to read each of the KB articles for at least the higher-priority patches. Just because you installed a patch doesn't mean you fixed the vulnerability. Not all Microsoft patches directly fix the problem; what they do instead is enable the ability to fix it. This is most likely done because simply enabling the fix for you may break lots of things. This particular patch enabled some advanced security features for file shares that are accessed through a UNC path (i.e., \\FILESERVER\SHARE\). So yes, if not properly implemented, this could break some stuff in a more complex network.
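One way to confirm the setting on a given machine, as an added example that is not from the original post: this PowerShell reads the Hardened UNC Paths policy and reports whether SYSVOL and NETLOGON require mutual authentication and integrity. The registry location and setting names follow Microsoft's KB3000483 guidance; the function names are illustrative.

```powershell
# Added example: audit the UNC Hardened Access policy that KB3000483 makes available.
# Registry location and setting names follow Microsoft's KB3000483 guidance.
$policyKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$requiredShares   = 'SYSVOL', 'NETLOGON'
$requiredSettings = 'RequireMutualAuthentication', 'RequireIntegrity'

function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    # "RequireMutualAuthentication=1, RequireIntegrity=1" -> hashtable of name -> flag
    $settings = @{}
    foreach ($pair in $Value -split ',') {
        $name, $flag = $pair.Trim() -split '=', 2
        if ($name) { $settings[$name.Trim()] = "$flag".Trim() }
    }
    $settings
}

function Test-HardenedUncPaths {
    param([hashtable]$Configured)   # UNC pattern -> raw policy string
    foreach ($share in $requiredShares) {
        # Matches entries such as \\*\SYSVOL or \\<domain>\SYSVOL (case-insensitive)
        $pattern = '^\\\\[^\\]+\\{0}$' -f $share
        $hits = @($Configured.Keys | Where-Object { $_ -match $pattern })
        if (-not $hits) {
            [pscustomobject]@{ Share = $share; Path = '(none)'; Compliant = $false
                               Missing = 'no policy entry' }
            continue
        }
        foreach ($path in $hits) {
            $settings = ConvertFrom-HardenedPathValue $Configured[$path]
            $missing  = @($requiredSettings | Where-Object { $settings[$_] -ne '1' })
            [pscustomobject]@{ Share = $share; Path = $path
                               Compliant = ($missing.Count -eq 0)
                               Missing   = ($missing -join ', ') }
        }
    }
}

# Collect whatever Group Policy has written; an absent key means nothing is hardened.
$configured = @{}
if (Test-Path $policyKey) {
    $key = Get-Item $policyKey
    foreach ($name in $key.GetValueNames()) { $configured[$name] = [string]$key.GetValue($name) }
}

Test-HardenedUncPaths -Configured $configured | Format-Table -AutoSize
```

A machine that has the update but no policy applied reports both shares as non-compliant with "no policy entry", which is the condition the scan plugin flagged.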

This brings up another point regarding the patch management process.  If I was not running regular authenticated scans against my network, I probably would have never found this issue.
