2.9.2 External Security

Group Policy protocols use the encryption mechanisms provided by the LDAP and file access transports to ensure that the data is protected against tampering. Group Policy relies on the authentication mechanisms provided by the underlying protocols to establish user and computer identities. These security mechanisms include the following:

  • LDAP and file access protocol signing, for setting and retrieving policy data.

  • Kerberos [RFC4120] authentication for application of computer policy, as described in [MS-AUTHSOD] section 3.3.

  • SPNEGO authentication for application of user policy, as described in [MS-GPOL] section 5.

The Group Policy protocols do not define any additional external security beyond what is described in the specifications of the protocols listed in section 2.2.
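
The following is an added example, not part of the specification: a read-only PowerShell check of whether a domain member requires the LDAP and file access (SMB) signing listed above when it retrieves policy. The registry locations and value names used (LDAPClientIntegrity, RequireSecuritySignature, HardenedPaths) are standard Windows client settings assumed here; they are not named in this section.

```powershell
# Added example: report whether this client *requires* the transport signing
# that Group Policy retrieval depends on. Read-only; run on a domain member.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # RegistryKey.GetValue takes the name literally, so '\\*\SYSVOL' is not
    # treated as a wildcard. Returns $null when the key or value is absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $key) { $key.GetValue($Name) } else { $null }
}

function Format-Value($v) { if ($null -eq $v) { '(not set)' } else { "$v" } }

$results = @()

# LDAP client signing (assumed values: 0 = none, 1 = negotiate, 2 = require).
$ldap = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' 'LDAPClientIntegrity'
$results += [pscustomobject]@{
    Check    = 'LDAP client signing'
    Value    = Format-Value $ldap
    Required = ($ldap -eq 2)
}

# SMB client signing for file access to SYSVOL (1 = always sign).
$smb = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature'
$results += [pscustomobject]@{
    Check    = 'SMB client signing'
    Value    = Format-Value $smb
    Required = ($smb -eq 1)
}

# Hardened UNC paths: per-share mutual authentication and integrity for the
# shares that policy files are read from.
$hardened = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
foreach ($share in '\\*\SYSVOL', '\\*\NETLOGON') {
    $v = Get-RegValue $hardened $share
    $results += [pscustomobject]@{
        Check    = "Hardened UNC path $share"
        Value    = Format-Value $v
        Required = ($v -match 'RequireMutualAuthentication\s*=\s*1') -and
                   ($v -match 'RequireIntegrity\s*=\s*1')
    }
}

$results | Format-Table -AutoSize
```

A row showing "(not set)" means no explicit value is configured and the operating system default applies; Required is True only when the setting explicitly demands signing.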