Access Control Entry (ACE) An entry in a Discretionary Access Control List (DACL) that contains a security identifier (SID) and a set of access rights. A process with a matching security ID is either allowed access rights, denied rights, or allowed rights with auditing.
account lockout A security feature in Microsoft Windows 2000 that locks a user account if a number of failed logon attempts occur within a specified amount of time.
ACE See access control entry (ACE).
Active Directory directory service The directory service included with Windows 2000 Server that stores information about objects on a network and makes this information available to users and network administrators.
AH See Authentication Header (AH).
AIA See Authority Information Access (AIA).
ANI See Automatic Number Identification (ANI).
API See application programming interface (API).
AppleTalk The network architecture and network protocols for Apple Computer. Networks with Macintosh clients and a computer running Windows 2000 Server with File Services for Macintosh function as an AppleTalk network.
application programming interface (API) A set of routines that applications use to request and carry out lower-level services performed by a computer's operating system.
Authentication Header (AH) Provides authentication and integrity services to transmitted data protected by an Internet Protocol Security (IPSec) security association. The AH digitally signs the contents of a data packet to ensure that the contents aren't modified during the transmission of the packet.
Authority Information Access (AIA) The certificate distribution point listing for Certification Authority certificates. Typically, the AIA listing contains URLs for Web-based and Active Directory-based locations where a CA's certificate can be retrieved.
Automatic Number Identification (ANI) A telephone function that transmits the billing telephone number of the incoming call.
backup domain controller (BDC) A computer running Windows NT Server that receives a copy of the domain's Security Accounts Manager (SAM) database that contains all account and security policy information for the domain. The copy synchronizes periodically with the master copy on the primary domain controller (DC). Windows NT 3.51 and 4.0 BDCs can participate in a Windows 2000 domain when the domain is configured in mixed mode.
BDC See backup domain controller (BDC).
CA See certification authority (CA).
CDFS See CD-ROM file system.
CDP See certificate distribution point (CDP).
CD-ROM file system (CDFS) The 32-bit file system that handles CD-ROMs in Windows 2000.
CERN This acronym stands for Conseil Européen pour la Recherche Nucléaire. CERN is the European Laboratory for Nuclear Research, where the World Wide Web was developed to enhance collaboration on research documents pertaining to particle physics.
certificate A file used for authentication and secure exchange of data on unsecured networks, such as the Internet. A certificate securely binds a public encryption key to the entity that holds the corresponding private encryption key.
certificate distribution point (CDP) The location where a Certification Authority (CA) publishes its Certificate Revocation List (CRL) and Authority Information Access (AIA). The CDP allows the CRLs and certificates for offline CAs to be accessible when the CA isn't available on the network.
Certificate Revocation List (CRL) A document maintained and published by a CA that lists certificates that have been revoked. A CRL is signed with the private key of the CA to ensure its integrity.
certification authority (CA) A server that's responsible for issuing and verifying digital certificates issued to computers, users, or services in an organization.
Challenge Handshake Authentication Protocol (CHAP) A protocol used to authenticate a remote access connection that transmits a hash based on the user's password to a remote access server. The remote access server uses the authenticating user's password from Active Directory to perform the same hash function to determine if the password is correct. If the hashes match, the user is authenticated.
CHAP See Challenge Handshake Authentication Protocol (CHAP).
child domain In Domain Name System (DNS) and Active Directory, a domain located in the namespace tree directly beneath another domain name (the parent domain).
CIFS See Common Internet File System (CIFS).
cluster A set of computers that work together to provide a service. The use of a cluster enhances the availability of the service and the scalability of the operating system that provides the service.
Common Internet File System (CIFS) A protocol and a corresponding API used by application programs to request higher level application services. CIFS was formerly known as SMB (Server Message Block).
computer local groups Computer local groups store their memberships in the local computer's SAM database. Computer local groups can contain global groups and universal groups from the domain to which the computer belongs.
critical path A term used in project planning to define the tasks in a project that, if delayed, will affect the project's release date.
CRL See Certificate Revocation List (CRL).
Cryptographic Service Provider (CSP) The code that performs cryptography operations such as secret key exchange, digital signing of data, and public key authentication. Any Windows 2000 service or application can request cryptography operations from a CSP.
cryptography The science and process of information security. Cryptography provides confidentiality, integrity, authentication, and nonrepudiation.
CSP See Cryptographic Service Provider (CSP).
DACL See Discretionary Access Control List (DACL).
daemon A UNIX program that sits in the background ready to perform an operation when required.
datagram An unacknowledged packet of data sent to another network destination.
DC See domain controller (DC).
Demilitarized Zone (DMZ) Also known as a perimeter network. A barrier between the Internet and an organization's intranet. A DMZ is a subnet that contains a firewall and proxy server, which can be in separate servers or in one server. The firewall connects to an external firewall on the Internet side, which may be at the Internet Service Provider's (ISP) location and is often called a "boundary router." The double firewall architecture adds an extra measure of security for the intranet.
DHCP See Dynamic Host Configuration Protocol (DHCP).
digital signature A public key technology that protects a mail message from modification during transmission. The digital signature creates a message digest that protects the original message from modification during transmission.
Discretionary Access Control List (DACL) The part of an object's security descriptor that grants or denies specific users and groups permission to access the object. Only the owner of an object can change permissions granted or denied in a DACL; access to the object is thus at the owner's discretion.
distribution groups Used for collecting users and groups for nonsecurity-related applications such as e-mail distribution lists. Distribution groups cannot be placed in DACLs or SACLs.
DMZ See Demilitarized Zone (DMZ).
DNS See Domain Name System (DNS).
domain A collection of computers that share a common directory database. A domain forms the core unit of the logical structure in Active Directory. It has a unique name and provides access to the centralized user accounts and group accounts maintained by the domain administrator.
domain controller (DC) A Windows 2000 server that authenticates domain logons and maintains the security policy and the Active Directory database for a domain.
domain local group A Windows 2000 group that exists only in native mode domains. A domain local group can contain other domain local groups, universal groups, global groups and users or computers. Domain local groups are typically used to assign permissions to resources.
Domain Name System (DNS) A hierarchical naming system used for locating domain names on the Internet and on private Transmission Control Protocol/Internet Protocol (TCP/IP) networks. DNS is used as the locator service in a Windows 2000 network.
Dynamic Host Configuration Protocol (DHCP) A networking protocol that provides safe, reliable, and simple TCP/IP network configuration and offers dynamic configuration of IP addresses for computers.
EAP See Extensible Authentication Protocol (EAP).
EFS See Encrypting File System (EFS).
Encapsulating Security Payload (ESP) Provides encryption, authentication, integrity, and anti-replay services to IPSec-transmitted data.
Encrypting File System (EFS) A method of encrypting files stored on an NTFS volume that allows only the person who encrypted the file and a defined recovery agent to view the contents of the files.
Enterprise CA A CA that stores its database in Active Directory and issues certificates based on certificate templates.
ESP See Encapsulating Security Payload (ESP).
Extensible Authentication Protocol (EAP) An extension of Point-to-Point Protocol (PPP) that provides remote access user authentication by means of other security devices.
File Transfer Protocol (FTP) An Internet protocol that defines how to transfer files from one computer to another; also the client/server application that moves files using this protocol.
firewall A combination of hardware and software that provides a security system, usually to prevent unauthorized access from outside to an internal network or intranet.
forest A collection of domains that share a common schema, configuration, and global catalog. All domains in a forest are connected using transitive trust relationships.
FTP See File Transfer Protocol (FTP).
global catalog A service in a Windows 2000 forest that maintains a partial set of attributes of all objects in Active Directory.
global group A Windows 2000 group typically used to collect users with common business needs. In a native-mode domain, global groups can be members of other global groups, universal groups, and domain local groups. Global groups can only contain users and other global groups from the same domain where the global group exists. In a mixed-mode domain, global groups cannot contain other global groups.
globally unique identifier (GUID) A unique number used to identify a COM object. It is computed by adding the time and date to the network adapter's internal serial number.
Group Policy A security configuration control in Windows 2000 that's used to control the centralized configuration of users and computers in an organization. Group Policy can be applied to sites, domains, or OUs to apply similar security configuration to all objects within the container where the Group Policy is applied.
GUID See globally unique identifier (GUID).
Hashing Algorithm "Hash" A mathematical procedure that takes information contained in files and scrambles it to create a fixed-length string of numbers and characters called a hash.
HTML See Hypertext Markup Language (HTML).
HTTP See Hypertext Transport Protocol (HTTP).
HTTPS See Hypertext Transport Protocol Secure (HTTPS).
Hypertext Markup Language (HTML) The document format used on the World Wide Web. Web pages are built with HTML tags that are embedded in the text. HTML defines the page layout, fonts, and graphic elements as well as the hypertext links to other documents on the Web.
Hypertext Transport Protocol (HTTP) The communications protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a Web server and transmit HTML pages to the client browser.
Hypertext Transport Protocol Secure (HTTPS) The protocol for accessing a secure Web server. Using HTTPS in the URL instead of HTTP directs the message to port number 443 rather than the default Web port number of 80.
IETF See Internet Engineering Task Force (IETF).
IIS See Internet Information Services (IIS).
IKE See Internet Key Exchange (IKE).
Internet Authentication Service (IAS) The Internet Authentication Service provides authentication and authorization services using the RADIUS protocol for remote users who connect to their corporate network. IAS allows centralized application of remote access policy and single sign-on capabilities to remote access users.
Internet Control Message Protocol (ICMP) A TCP/IP network layer protocol used by routers and TCP/IP hosts for building and maintaining routing tables, adjusting data flow rates, and reporting errors and control messages for TCP/IP network communication. Defined in Request for Comments (RFC) 792.
Internet Engineering Task Force (IETF) An open community of network designers, operators, vendors, and researchers concerned with the evolution of Internet architecture and the smooth operation of the Internet. Technical work is performed by working groups organized by topic areas (such as routing, transport, and security) and through mailing lists.
Internet Explorer Administration Kit (IEAK) An application that allows an administrator to preconfigure Internet Explorer settings before deploying Internet Explorer to all Windows–based computers in an organization.
Internet Information Services (IIS) Web server software from Microsoft that runs under Windows 2000 and supports Web site creation, configuration, and management, along with other Internet functions.
Internet Key Exchange (IKE) A protocol that establishes the security association (SA) and shared keys necessary for two parties to communicate with Internet Protocol Security (IPSec).
Internet Protocol Security (IPSec) A set of industry-standard, cryptography-based protection services and protocols. IPSec protects all protocols in the TCP/IP protocol suite and Internet communications using Layer Two Tunneling Protocol (L2TP).
Internetwork Packet Exchange (IPX) A Novell NetWare communications protocol used to route messages from one node to another. IPX packets include network addresses and can be routed from one network to another.
IPSec See Internet Protocol Security (IPSec).
IPX See Internetwork Packet Exchange (IPX).
KDC See Key Distribution Center (KDC).
Kerberos An Internet standard security system developed at MIT that authenticates users. It doesn't provide authorization to services or databases. With Kerberos, passwords sent across network lines are encrypted.
Key Distribution Center (KDC) A network service that supplies both ticket granting tickets (TGTs) and service tickets for Kerberos authentication to users and computers on the network. The KDC service runs only on DCs in a Windows 2000 environment.
L2TP See Layer Two Tunneling Protocol (L2TP).
Layer Two Tunneling Protocol (L2TP) A virtual private networking protocol that allows remote users to connect to the network using a tunnel. L2TP provides user authentication and uses IPSec to provide encryption services and machine authentication.
LDAP See Lightweight Directory Access Protocol (LDAP).
Lightweight Directory Access Protocol (LDAP) A directory service protocol that is the primary access protocol for Active Directory.
Macintosh A family of personal computers from Apple Computer.
message digest The result of a mathematical hashing algorithm used to determine if an object is modified. Typically, the sender and recipient of the data will perform the same hashing algorithm against the data and compare the results of the hashing algorithm. If the results match, the data are identical.
metadirectory A directory that contains information about other directories. It functions as a master directory collecting information from all the other directories.
MIME See Multipurpose Internet Mail Extensions (MIME).
mixed mode The default mode that a new Windows 2000 domain operates in. Mixed mode assumes that Windows NT 3.51 or Windows NT 4.0 BDCs exist in the domain and doesn't implement universal groups or group nesting features. These are only enabled with a switch to native mode.
MS-CHAP A dial-up authentication protocol that uses challenge response to authenticate with a Windows 2000-based server running the Routing and Remote Access Service (RRAS).
Multipurpose Internet Mail Extensions (MIME) A common method for transmitting nontext files by Internet e-mail. MIME encodes the files using one of two encoding methods and decodes it back to its original format at the receiving end.
mutual authentication The process by which the calling router authenticates itself to the answering router and the answering router authenticates itself to the calling router. Each end of the connection verifies the identity of the other end of the connection.
Name Server (NS) resource record A resource record used in a zone to designate the DNS domain names for authoritative DNS servers for the zone.
NAT See Network Address Translation (NAT).
native mode The condition in which all DCs within a domain are Windows 2000 DCs and an administrator has enabled native mode operation (through Active Directory Users And Computers).
NDS See Novell Directory Services (NDS).
nested groups A Windows 2000 feature that allows the creation of groups within other groups when in native mode.
NetBEUI See NetBIOS Extended User Interface (NetBEUI).
NetBIOS See Network Basic Input/Output System (NetBIOS).
NetBIOS Extended User Interface (NetBEUI) A networking protocol developed by IBM and Microsoft in 1985 that is used for workgroup-size local area networks (LANs) with up to 200 workstations. NetBEUI is an extension of the NetBIOS protocol.
Network Address Translation (NAT) A protocol that allows a network with private addresses to access information on the Internet without revealing the private network addressing scheme.
Network Basic Input/Output System (NetBIOS) The native networking protocol in DOS and Windows networks. Provides a programming interface for applications at the session layer.
Network News Transfer Protocol (NNTP) A member of the TCP/IP suite of protocols; used to distribute network news messages on the Internet.
NNTP See Network News Transfer Protocol (NNTP).
Novell Directory Services (NDS) A distributed database on networks running Novell NetWare that maintains information about every resource on the network and provides access to those resources.
NS See Name Server (NS) resource record.
NTFS file system A recoverable file system designed for use specifically with Windows NT and Windows 2000. NTFS uses database, transaction-processing, and object paradigms to provide data security, file system reliability, and other advanced features.
NT LAN Manager (NTLM) authentication A type of authentication available to clients that can't use Kerberos authentication, such as Windows NT 4.0 clients and Windows 95 and Windows 98 clients running the Directory Service client. Also used to authenticate logons to Windows 2000 computers that aren't participating in a domain or when authentication against the local account database of a member server or Windows 2000 Professional computer takes place.
NTLM See NT LAN Manager (NTLM) authentication.
object An entity, such as a file, folder, shared folder, printer, or Active Directory object, described by a distinct, named set of attributes.
organizational unit (OU) An Active Directory container object used within domains. Organizational units are logical containers into which users, groups, computers, and other organizational units are placed.
OU See organizational unit (OU).
packet filters Individual firewall rules that define what data is allowed to enter and exit the private network. Typically, a packet filter is composed of fields that profile a protocol and identify what action to take if the protocol attempts to pass through the firewall.
PAP See Password Authentication Protocol (PAP).
Password Authentication Protocol (PAP) A protocol used to authenticate a remote access Point-to-Point Protocol (PPP) connection. PAP is considered insecure because it transmits the user credentials and password information using plaintext.
PDC See Primary Domain Controller (PDC).
personal identification number (PIN) A secret identification code that's used to protect smart cards from misuse. The PIN is similar to a password and is known only to the owner of the card. The smart card can be used only by someone who possesses the smart card and knows the PIN.
PGP See Pretty Good Privacy (PGP).
PIN See personal identification number (PIN).
ping A tool that verifies connections to one or more remote hosts. The ping command uses the Internet Control Message Protocol (ICMP) echo request and echo reply packets to determine whether a particular IP system on a network is functional.
PKI See Public Key Infrastructure (PKI).
plaintext Data that isn't encrypted. Also called clear text.
Point-to-Point Protocol (PPP) An industry standard suite of protocols for the use of point-to-point links to transport multiprotocol datagrams. PPP is documented in RFC 1661.
Point-to-Point Tunneling Protocol (PPTP) A tunneling protocol that encapsulates Point-to-Point Protocol (PPP) frames into IP datagrams for transmission over an IP-based internetwork, such as the Internet or a private intranet.
PPP See Point-to-Point Protocol (PPP).
PPTP See Point-to-Point Tunneling Protocol (PPTP).
Pretty Good Privacy (PGP) A protocol that provides the ability to encrypt and digitally sign e-mail messages by using private and public keys. PGP isn't managed by a central standard organization.
Primary Domain Controller (PDC) A Windows NT 4.0 and 3.51 DC that's the first one created in the domain; stores the writable copy of the SAM database.
private key The secret half of a cryptographic key pair that's used with a public key algorithm. Private keys are typically used to digitally sign data and to decrypt data that's been encrypted with the corresponding public key.
protocol A set of rules and conventions by which two computers pass messages across a network. Networking software usually implements multiple levels of protocols layered one on top of another. Windows 2000 includes the NetBEUI, TCP/IP, and Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)-compatible protocols.
Public Key Infrastructure (PKI) The laws, policies, standards, and software that regulate or manipulate certificates and public and private keys. In practice, it's a system of digital certificates, certification authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction.
QoS See Quality of Service (QoS).
Quality of Service (QoS) A set of quality assurance standards and mechanisms for data transmission; implemented in Windows 2000.
RADIUS See Remote Authentication Dial-In User Service (RADIUS).
referral ticket A ticket granting ticket (TGT) issued to a user in a Kerberos environment to authenticate with a different domain in the forest.
registry In Windows 2000, Windows NT, and Windows 98, a database for information about a computer's configuration. The registry is organized in a hierarchical structure and consists of subtrees and their keys, hives, and entries.
remote access policy A set of conditions and connection parameters that define the characteristics of the incoming connection and the set of constraints imposed on it. These conditions must be met in order to allow remote access connectivity to the network. Remote access policies determine whether a specific connection attempt is authorized to be accepted. You can decide to allow or deny connectivity for each condition listed in a remote access policy.
Remote Authentication Dial-In User Service (RADIUS) A service used by remote access servers to provide centralized authentication, accounting, and remote access policy application. Windows 2000 provides RADIUS services through Internet Authentication Services (IAS).
remote procedure call (RPC) A message-passing facility that allows a distributed application to call services available on various computers on a network. Used during remote administration of computers.
Request for Comments (RFC) A document that defines a TCP/IP standard. RFCs are published by the IETF and other working groups.
resource record Information in the DNS database used to process client queries.
RFC See Request for Comments (RFC).
Root Certification Authority The most trusted CA, which is at the top of a certification hierarchy. The root CA has a self-signed certificate.
router A network server that provides connectivity to LANs and WANs. Routers can link LANs that have different network topologies.
routing The process of forwarding a packet based on the destination IP address.
Routing and Remote Access Service (RRAS) A Windows 2000 service that provides dial-up and virtual private networking services to a network.
RPC See remote procedure call (RPC).
RRAS See Routing and Remote Access Service (RRAS).
Runas A command that allows you to run programs in the security context of a different user account.
SA See security association (SA).
SACL See system access control list (SACL).
SAM See Security Accounts Manager (SAM).
Samba A NetBIOS server service for UNIX that allows NetBIOS clients to use resources stored on the UNIX server using SMB communications.
schema A catalog of all classes and attributes that can be used within a Windows 2000 forest. The write-enabled copy of the schema is maintained on the schema operations master.
SCTS See Security Configuration Tool Set (SCTS).
Secedit A Windows 2000 command-line tool that's used to analyze, configure, and refresh Windows 2000-based computer security configuration.
Secure/Multipurpose Internet Mail Extensions (S/MIME) An extension of MIME to support secure mail. It enables message originators to digitally sign e-mail messages to provide proof of message origin and data integrity. It also enables messages to be transmitted in encrypted format to provide confidential communications.
Secure Sockets Layer (SSL) A proposed open standard developed by Netscape Communications for establishing a secure communications channel to prevent the interception of critical information, such as credit card numbers.
Security Accounts Manager (SAM) The directory store for Windows NT 3.51 and Windows NT 4.0 domains. Also used to store local account information for Windows 2000 Professional workstations and stand-alone servers.
security association (SA) A set of parameters that defines the services and mechanisms necessary to protect IP security communications.
Security Configuration Tool Set (SCTS) A collection of tools in Windows 2000 used to deploy standardized security configuration to Windows 2000-based computers.
security groups Collections of security principals that are used to define security and object settings for an object. Membership in a security group assigns a security principal all security privileges of the security group.
security identifier (SID) A unique name that identifies a user who is logged on to a Windows NT or Windows 2000 security system. A security identifier can represent an individual user, a group of users, or a computer.
security policy Defines the attitude that the organization will take toward the security of its resources. This includes the value placed on resources held by the company and what the organization deems to be acceptable risk for the protection of those resources.
security template A text file that contains a definition of standardized security configuration for a Windows 2000-based computer. Windows 2000 ships with several predefined security templates, but you can also define custom security templates to meet your organization's security needs.
Sequenced Packet Exchange (SPX) A transport-layer protocol built on top of IPX that provides reliable delivery of packets between a client and a server.
Server Message Block (SMB) A file-sharing protocol designed to allow networked computers to access files that reside on remote systems over a variety of networks.
service (SRV) resource record A resource record used in a zone to register and locate TCP/IP services. The SRV resource record is used in Windows 2000 to locate services in a Windows 2000 network.
service ticket A credential presented by a client to a service in the Kerberos authentication protocol.
Shiva Password Authentication Protocol (SPAP) A reversible encryption method supported by Shiva remote access servers and Windows 2000 remote access servers to authenticate remote access users.
SID See security identifier (SID).
Simple Mail Transfer Protocol (SMTP) An Internet protocol for transferring mail reliably and efficiently. SMTP is independent of the particular transmission subsystem.
Simple Network Management Protocol (SNMP) A TCP/IP protocol that transports management information and commands between a management program run by an administrator and the network management agent running on a host.
smart card A credit card-sized device that is used with a PIN to enable certificate-based authentication and single sign-on to the enterprise. A smart card reader attached to the computer reads the smart card.
SMB See Server Message Block (SMB).
SMB signing An application-level security method that signs all data transmitted between two computers and provides mutual authentication services. SMB signing is supported only on Windows 98-, Windows NT 4.0-, and Windows 2000-based computers.
S/MIME See Secure/Multipurpose Internet Mail Extensions (S/MIME).
SMTP See Simple Mail Transfer Protocol (SMTP).
sniffer An application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets aren't encrypted, a sniffer provides a full view of the data inside them.
SNMP See Simple Network Management Protocol (SNMP).
SOA (Start of Authority) resource record See Start of Authority (SOA) resource record.
SPAP See Shiva Password Authentication Protocol (SPAP).
SPX See Sequenced Packet Exchange (SPX).
SQL See Structured Query Language (SQL).
SRV (service) resource record See service (SRV) resource record.
SSL See Secure Sockets Layer (SSL).
stand-alone CA A CA that stores its database in a private database stored on the CA. Typically used for offline CAs in a CA hierarchy.
Start of Authority (SOA) resource record A record that indicates the starting point or original point of authority for information stored in a DNS zone. The SOA resource record contains several parameters used by others to determine how long other DNS servers will use information for the zone and how often updates are required.
stateful inspection A firewall feature that inspects each session and allows response packets to pass through the firewall. The firewall tracks the original ports used by a client application and ensures that the server-side application sends responses only to that port used by the client application.
static address mapping The redirection of incoming traffic to Internet-accessible resources hidden behind the firewall. The resources are advertised on the Internet with publicly accessible IP addresses. When the firewall receives the packets, the firewall translates the destination address to the true IP address of the resource behind the firewall and redirects the data to the resource.
Structured Query Language (SQL) A widely accepted standard database sub-language used in querying, updating, and managing relational databases.
system access control list (SACL) A list that represents part of an object's security descriptor that specifies which events (such as logon attempts and file access) are to be audited per user or group.
TCP/IP See Transmission Control Protocol/Internet Protocol.
Telnet A common terminal-emulation protocol used on the Internet to log on to network computers.
TGT See ticket granting ticket (TGT).
ticket granting ticket (TGT) A Kerberos ticket acquired by a user the first time the user authenticates with a KDC; the TGT presented by the user to the KDC when the user requests a service ticket for a network service.
TLS See Transport Layer Security (TLS).
Transmission Control Protocol/Internet Protocol (TCP/IP) A set of Internet networking protocols that provide communications across interconnected networks of computers.
Transport Layer Security (TLS) An application-level security protocol that provides communications privacy, authentication, and message integrity by using a combination of public key and symmetric encryption. TLS is a standards track protocol being developed by the IETF to eventually replace SSL.
tunnel A logical connection over which data is encapsulated. When encapsulation and encryption are performed, the tunnel becomes a private and secure link.
UNC See Universal Naming Convention (UNC).
universal groups A collection of global groups, user accounts, and other universal groups from multiple domains created for common security assignments. Universal groups can be members of other universal groups and domain local groups. Universal groups store their memberships in the global catalog to ease searching for members in all domains in the forest.
Universal Naming Convention (UNC) The full Windows 2000 name of a resource on a network containing the server name and the share name.
UPN See user principal name (UPN).
user principal name (UPN) A user logon name and a domain name identifying the domain in which the user account is located. Used for logging onto a Windows 2000 domain.
virtual private network (VPN) The extension of a private network that encompasses links across shared or public networks, such as the Internet.
VPN See virtual private network (VPN).
WAN See Wide Area Network (WAN).
Wide Area Network (WAN) A communications network connecting geographically separated computers and other devices.
Windows 2000 High Encryption Pack An add-on installation for Windows 2000 that enables strong encryption services. It provides support for 3DES and 128-bit encryption.
Windows Internet Name Service (WINS) A service that dynamically maps IP addresses to computer names. This allows users to access resources by name instead of requiring them to use IP addresses.
Windows Sockets (Winsock) An industry-standard application programming interface used on the Windows operating system that provides a two-way, reliable, sequenced, and unduplicated flow of data.
WINS See Windows Internet Name Service (WINS).
Winsock See Windows Sockets (Winsock).
zone In a DNS database, a contiguous portion of the DNS tree that's administered as a single separate entity by a DNS server. The zone contains resource records for all the names within the zone.