2.1 Transport

The Group Policy: Scripts Extension Encoding transports messages by reading and writing remote files.

The Group Policy: Core Protocol uses the Group Policy: Scripts Extension Encoding client-side extension GUID (CSE GUID) and tool extension GUID values to invoke Group Policy: Scripts Extension Encoding only to access those GPOs from which messages of this protocol can be generated.

This protocol enables the client to identify scripts and other executable code that it invokes. Therefore, the client must be able to validate that the source of those scripts (that is, the Group Policy server) has not been spoofed by a malicious user. If the source can be spoofed, the malicious user can cause the client to execute arbitrary code with high privileges on the client. This requirement to validate the Group Policy server is the reason mutual authentication is required for this protocol's use of remote file access against the Group Policy server.
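One way to check this requirement on a Windows client, as an added example that is not part of the specification: the script audits the UNC Hardened Access policy entries for the shares that hold Group Policy scripts. It assumes the policy is stored under the `NetworkProvider\HardenedPaths` key; the function names are hypothetical and the sample entries are constructed.

```powershell
# Added example (not from the specification). Function names are hypothetical.
# Assumption: UNC Hardened Access entries live under this policy key, one value
# per UNC pattern, with data such as "RequireMutualAuthentication=1, RequireIntegrity=1".
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    # Split "Name=1, Other=0" into a hashtable of flag name -> setting.
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    return $flags
}

function Get-HardenedPathEntries {
    # Read every value under the policy key into a hashtable (empty if the key is absent).
    $entries = @{}
    if (Test-Path $HardenedPathsKey) {
        $key = Get-Item -Path $HardenedPathsKey
        foreach ($name in $key.GetValueNames()) { $entries[$name] = [string]$key.GetValue($name) }
    }
    return $entries
}

function Test-GpoShareHardening {
    param([hashtable]$Entries)
    # GPO script files are read from SYSVOL; NETLOGON is audited alongside it.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $path = "\\*\$share"
        if (-not $Entries.ContainsKey($path)) {
            # No explicit entry: the OS default applies, which this script does not evaluate.
            $status = 'NotConfigured'
        } else {
            $flags  = ConvertFrom-HardenedPathValue $Entries[$path]
            $status = if ($flags['RequireMutualAuthentication'] -eq '1') { 'Enforced' } else { 'Weakened' }
        }
        [pscustomobject]@{ Path = $path; Value = $Entries[$path]; Status = $status }
    }
}

# Constructed sample entries (not taken from any real host): one hardened, one weakened.
$sample = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=0'
}
Test-GpoShareHardening -Entries $sample | Format-Table -AutoSize
```

On a live client, pass `(Get-HardenedPathEntries)` instead of `$sample`; a `Weakened` result means policy explicitly turns off mutual authentication for that share.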