The short answer is, "it depends".
If you're running the default configuration for the certificate authority then you will probably find your CRL distribution point is also nested under CertEnroll, and there's no good reason to restrict access to CRLs to authenticated clients, as that manifests in other - sometimes hard to identify - issues for non domain-joined machines needing to perform CRL checks.
Also, you have to consider that Enrolment Web Services (as distinct from Web Enrolment services) does not accept anonymous requests in any case, as per the first article below (under the "Authentication Method Considerations" heading). This means you wouldn't deliver any/many benefits even if you affected the change.
If you're looking to tighten up security on this service, have a read of the second and third links below, as this is more relevant.
https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services...https://msrc.microsoft.com/update-guide/vulnerability/ADV210003https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-director...Cheers,
Lain
