[Samba] improving gpo application security
Rowland Penny
rpenny at samba.org
Tue Sep 7 13:25:30 UTC 2021
On Tue, 2021-09-07 at 09:39 -0300, Marcos Ariel Negrini via samba
wrote:
> Grettings:
>
> First of all, apologise for my English, and I hope you can understand
> my
> question.
> I have been analysing the security offered by GPO's application, I
> read
> several articles such as
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/5143e719-3641-4e1b-b902-4891da014127,
> and it is clear that the use of GPO's is not intended to distribute
> critical data.
> I'm trying to improve the security of sysvol (e.g. users without
> special
> privileges cannot browse and download the content of sysvol or
> netlogon)
Good luck with that, SYSTEM has full control on Sysvol and
Authenticated Users has read access.
> and the comunication protocol used by the GPO (encrypt from the
> server
> to the workstation).
> Is there any implementation you recommend that would improve the
> security of the information stored in sysvol and its comunication
> between AD servers and workstations?
I don't think you can, the whole idea behind Sysvol is to allow access
to GPO's, any problems and the GPO's don't get applied.
Rowland
More information about the samba
mailing list