[Samba] improving gpo application security

Rowland Penny rpenny at samba.org
Tue Sep 7 13:25:30 UTC 2021


On Tue, 2021-09-07 at 09:39 -0300, Marcos Ariel Negrini via samba
wrote:
> Grettings:
> 
> First of all, apologise for my English, and I hope you can understand
> my 
> question.
> I have been analysing the security offered by GPO's application, I
> read 
> several articles such as 
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/5143e719-3641-4e1b-b902-4891da014127, 
> and it is clear that the use of GPO's is not intended to distribute 
> critical data.
> I'm trying to improve the security of sysvol (e.g. users without
> special 
> privileges cannot browse and download the content of sysvol or
> netlogon) 

Good luck with that, SYSTEM has full control on Sysvol and
Authenticated Users has read access.

> and the comunication protocol used by the GPO (encrypt from the
> server 
> to the workstation).
> Is there any implementation you recommend that would improve the 
> security of the information stored in sysvol and its comunication 
> between AD servers and workstations?

I don't think you can, the whole idea behind Sysvol is to allow access
to GPO's, any problems and the GPO's don't get applied.

Rowland





More information about the samba mailing list