samba - Sep 2021 - improving gpo application security

Grettings:

First of all, apologise for my English, and I hope you can understand my 
question.
I have been analysing the security offered by GPO's application, I read 
several articles such as 
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/5143e719-3641-4e1b-b902-4891da014127,
and it is clear that the use of GPO's is not intended to distribute 
critical data.
I'm trying to improve the security of sysvol (e.g. users without special 
privileges cannot browse and download the content of sysvol or netlogon) 
and the comunication protocol used by the GPO (encrypt from the server 
to the workstation).
Is there any implementation you recommend that would improve the 
security of the information stored in sysvol and its comunication 
between AD servers and workstations?

Thank you very much.

Regards

On Tue, 2021-09-07 at 09:39 -0300, Marcos Ariel Negrini via samba
wrote:
> Grettings:
> 
> First of all, apologise for my English, and I hope you can understand
> my 
> question.
> I have been analysing the security offered by GPO's application, I
> read 
> several articles such as 
>
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/5143e719-3641-4e1b-b902-4891da014127,
> and it is clear that the use of GPO's is not intended to distribute 
> critical data.
> I'm trying to improve the security of sysvol (e.g. users without
> special 
> privileges cannot browse and download the content of sysvol or
> netlogon) 
Good luck with that, SYSTEM has full control on Sysvol and
Authenticated Users has read access.
> and the comunication protocol used by the GPO (encrypt from the
> server 
> to the workstation).
> Is there any implementation you recommend that would improve the 
> security of the information stored in sysvol and its comunication 
> between AD servers and workstations?
I don't think you can, the whole idea behind Sysvol is to allow access
to GPO's, any problems and the GPO's don't get applied.

Rowland