Recommendations for download credentials when using UNC shares as software repositories in ePolicy Orchestrator
Technical Articles ID: KB70999
Last Modified: 6/11/2019


McAfee Agent (MA) - all supported versions
McAfee ePolicy Orchestrator (ePO) - all supported versions
McAfee VirusScan Enterprise (VSE) 8.x

For details of MA supported environments, see KB51573.
For details of ePO supported environments, see KB51569.


IMPORTANT: This article applies only to customers who use Universal Naming Convention (UNC) shares as software repositories in ePO. Customers who do not use this feature are not affected by this notice.

When products such as VirusScan Enterprise use ePO as the update mechanism, McAfee Agent can update from multiple update locations or repository types, including UNC repositories.
Repositories are used to distribute bulk software updates. Generally, repository content is not considered sensitive information and is typically available to anyone. Other activities that involve sensitive information, such as policy updates, are handled using another mechanism within ePO. It is important to ensure that the UNC share is correctly configured. If the UNC share is incorrectly set up, an attacker could potentially use the UNC share account to gain further access to a network. If the share is correctly set up, there is no additional risk. This guidance mirrors the product documentation, but because a misconfiguration could put a customer site at risk, it is worth restating in a Knowledge Base article.


Proper use of UNC shares as repositories
UNC shares use the Microsoft SMB protocol to create a shared drive. This protocol requires that you specify a user name and password for an account that is allowed to access the share. Because both a user name and password are required, these credentials must be pushed down to each agent so that the agent can access the share. Download credentials must be specified within ePO for the update process on the client computer to download the required update files from a UNC share. To ensure that this task is done safely, keep the following key points in mind if you choose to use this feature.
  1. Correctly configure the account – The first step toward safety is to use an account configured correctly for this purpose. Several account options affect the security of the system.
    1. Create the account locally – Create the account locally on the computer that hosts the file share, rather than in a domain. Locally created accounts do not grant any rights on other computers in the domain. Remember that if your file share is on your domain controller, the account is by definition in the domain.
    2. Use a specific account – Create an account specifically to share repository data. Do not reuse this account for any other function.
    3. Make the account low privilege – Do not add this account to any groups it does not need, which includes groups such as Administrators or Users.
    4. Disable extraneous privileges – This account does not need to log on to a server at all. It is simply a placeholder to get to the files. Examine the privileges this account has and disable all that it is appropriate to disable.
    5. Use a strong password – Use a password with 8–12 characters that include multiple character attributes (lowercase and uppercase letters, symbols, and numbers). Consider using a random password generator to ensure a complex password.
  2. Correctly configure the share – The second step is to ensure that the share itself is correctly configured.
    1. Grant your account read-only rights – When you set up your share, ensure that the account you created above has read-only rights in both the directory permissions and the share permissions. We suggest that you do not grant remote write access to the share to anyone (even administrators or other accounts). Ideally, the only account allowed access of any kind should be the account created above.
    2. Use an alternative placement mechanism – To write to your repository, log on to the server by another method, for example, another share, RDP, or locally. Do not use the same share for both reading and writing the repository.
    3. Use a share not on your domain controller – Create the share on a server other than your domain controller, because a local user on a domain controller is a domain user.
  3. Additional Recommendations:
    1. Firewall your share – Always block traffic not required for the purposes you need. Consider blocking both outgoing and incoming traffic. You can use either a software firewall on the server, or a hardware firewall on the network.
    2. Enable File Auditing – Always enable security audit logs to track access to your network shares. The logs detail who accessed the share, when, and what they did with the access.
    3. Change your passwords – Change your password periodically as a best practice. Ensure that the new password is strong. Remember to update your ePO configuration with the new password after it changes.
    4. Disable the account and share if it is no longer in use – If you move to another mechanism for a repository, remember to disable or delete the account, and close and remove the share.
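
The account, share, and auditing steps above can be scripted on the file server as follows. This is an added example, not McAfee's own code; the account name, share name, and path are hypothetical placeholders, and it assumes Windows PowerShell 5.1 or later in an elevated session.

```powershell
# Added example. Run elevated on the file server; names and paths are placeholders.
$AccountName = 'epo-repo-read'   # hypothetical dedicated download account
$ShareName   = 'ePORepo'         # hypothetical share name
$RepoPath    = 'D:\ePORepo'      # hypothetical repository directory

# A "local" account on a domain controller is a domain account, so stop there.
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    throw 'This host is a domain controller; host the repository on another server.'
}

# 1. Dedicated local account; the password is prompted for, never stored in the script.
$password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
New-LocalUser -Name $AccountName -Password $password -UserMayNotChangePassword `
    -Description 'Read-only ePO repository download account' | Out-Null

# Low privilege: remove the account from every local group it belongs to.
$principal = "$env:COMPUTERNAME\$AccountName"
foreach ($group in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    if ($members.Name -contains $principal) {
        Remove-LocalGroupMember -Group $group -Member $AccountName
    }
}
# Logon rights (for example "Deny log on locally") are assigned in Local Security
# Policy > User Rights Assignment and are not scripted here.

# 2. NTFS: drop inherited ACEs; SYSTEM (S-1-5-18) and local Administrators
#    (S-1-5-32-544) keep full control for local writes, the account gets read only.
New-Item -ItemType Directory -Path $RepoPath -Force | Out-Null
icacls $RepoPath /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' `
    '*S-1-5-32-544:(OI)(CI)F' "${AccountName}:(OI)(CI)R" | Out-Null

# Share permissions: read for the download account only, no remote write for anyone.
New-SmbShare -Name $ShareName -Path $RepoPath -ReadAccess $AccountName | Out-Null

# 3. Audit share access (subcategory name as shown on English-language Windows).
auditpol /set /subcategory:"File Share" /success:enable /failure:enable | Out-Null

# Review the result: any share entry other than the download account is a finding.
Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -ne $principal } |
    ForEach-Object { Write-Warning "Unexpected share access: $($_.AccountName)" }
```

The final check can be rerun on its own after any later change to the share to confirm that no additional account has been granted access.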
