Glossary


A

Access Control Entry (ACE) An entry in an ACL that binds a Security Identifier to a specific type of access. See ACL, SID.

Access Control List (ACL) A list of ACEs attached to an object such as a file, a share, a registry key, or an Active Directory object. See ACE.

access token A data structure passed to every running program that contains all the security identifiers of the user who executed the program. The program passes its access token to the Security Reference Monitor each time it accesses a secured object so the SRM can compare the SIDs in the access token to the SIDs contained in the object's ACL to determine what type of access to allow. See Security Reference Monitor, ACL.

account policies Group Policy settings that affect how user accounts can be used and set limits on passwords and other attributes.

account See user account.

Active Directory (1) A database of security objects such as user accounts, machine accounts, domains, organizational units, Group Policies, and the links between these objects. Active Directory services provide Single Sign-On functionality for Windows 2000 networks. (2) The Windows 2000 directory service that enables management and security for users, computers, and other resources in a single hierarchy.

Active Directory container An Active Directory object that can contain other objects.

Active Directory object A node of the Active Directory hierarchy that represents a resource or a container for organizing resources.

AH See Authenticated Headers.

algorithm A mathematical function implemented as computer code.

anonymous access Access to a service without authentication. Many protocols support both authenticated and anonymous access, such as HTTP, FTP, and SMB, but typically restrict the activities allowed to anonymous users.

asymmetrical An encryption algorithm that uses different keys for the encrypt and decrypt functions.

auditing The process of logging all access to an object so that activities can be reconstructed if a security event occurs.

audit trail Any evidence that can be used to reconstruct a user's activities on a system.

Authenticated Headers (AH) The process of computing a checksum of the data contained in the header of an IP packet to guarantee that the data has not been modified in transit. See IPSec.

authentication The process of verifying a user's identity, by having the user provide a key, prior to establishing a session with a service.

B

Bandwidth Reservation Protocol A TCP/IP protocol used by routers to provide a guaranteed minimum amount of bandwidth to a specific protocol. Implemented by the Quality of Service protocol in Windows.

biometric authentication Authentication using the unique characteristics of a human as the key. See authentication.

brute-force attack An exploit in which a hacker attempts to determine a password or private key by trying all possible values.

buffer overrun attack An exploit in which data is transmitted to a service that intentionally misrepresents its size, causing the service to allocate less storage space than the data requires, thus overrunning the end of the temporary storage buffer that the service allocated to receive the data. This changes code that the service executes, allowing the attacker to force the service to perform any activity allowed by the operating system.

bug exploit attack A network intrusion method in which a hacker attempts to take advantage of a security-compromising bug in a system, service, or protocol. See also buffer overrun attack, Denial of Service attack.

C

CA See certificate authority (CA).

certificate A data structure that can contain numerous public keys and digital signatures. Certificates are primarily used to perform trusted third-party authentication.

certificate authority (CA) A service that accepts and completes or revokes certificate requests.

certificate revocation list (CRL) A published list of certificates that are no longer valid.

Certificate Services A Windows 2000 tool that allows users to request and obtain encryption certificates for use by numerous security services.

Certificate Trust List (CTL) A list of root certifier certificates that a computer trusts.

challenge/response An authentication methodology that allows two parties to prove that they both know a secret without transmitting the secret.

Challenge/Response Authentication Protocol (CHAP) A widely implemented challenge/response authentication protocol that is now obsolete due to its vulnerability to replay attacks.

cipher An encryption algorithm.

circuit layer proxy A TCP layer proxy that accepts sockets on one interface and regenerates them on another. Circuit layer proxies are typically used in firewalls to prevent TCP and IP malformations from reaching the interior of a private network.

cleartext Unencrypted text used in the context of transmission. See plaintext.

computer account A domain account required for each computer that connects to the domain.

converged A functional IPSec connection is said to be converged when IKE is able to negotiate a compatible set of authentication and encryption protocols and successfully transmit data.

crack (n) A software patch designed to circumvent licensing or protection features. (v) To circumvent a software protection.

credentials A user account name and password or secret key. All the information required to prove identity.

cryptanalysis The process of analyzing an encrypted text to determine the key or algorithm used to encrypt it.

Cryptographic Service Provider (CSP) A set of algorithms that implement a specific type of cryptography and that are packaged and managed as a common library in Windows 2000.

cryptography The study of encryption.

D

Data Encryption Standard (DES) An early private key data encryption protocol developed under contract to the U.S. government. DES is now considered weak due to its 56-bit key length, and has been superseded by a variant called triple-DES (3DES) that uses 168-bit keys, three times as long.

decoy server A server specifically installed and configured to attract hacking attempts and seduce hackers away from valid service machines.

decrypt To transform an obscured text into a plain text by using a mathematical function and a key.

demilitarized zone (DMZ) See perimeter network.

Denial of Service (DoS) attack A network intrusion method that attempts to bring a system or service down, usually by overloading it with spurious requests.

Deny ACE An ACE used to explicitly deny access to a SID that may appear in other allow ACEs in a specific ACL. See also ACE, ACL.

digital signature A method of encrypting identity information, such as contact information, in such a way that anyone can decrypt the information to verify it, but only the originator can encrypt the information.

Discretionary Access Control List (DACL) An ACL used to determine whether or not to allow access. See also ACL, SACL.

domain A group of computers that all share the same database of security accounts.

domain account A user account that allows access to a domain.

domain controller A computer that manages a domain and stores a database of user accounts or Active Directory objects.

Downlevel Any version of software prior to the currently released and supported version.

E

Encapsulating Security Payload (ESP) An IPSec protocol used to encrypt the data portion of an IP packet. Two modes are available: Transport mode provides encryption only, and tunnel mode encrypts the entire IP packet and places it in another packet as the payload.

encrypt To transform a plain text into an obscured form by using a mathematical function and a key.

Encrypting File System (EFS) A feature of NTFS that provides the ability to encrypt files on demand using a secret key contained in a certificate.

enterprise CA A certificate authority that is part of an enterprise-wide security infrastructure and requires Active Directory.

Exchange Microsoft's e-mail and group messaging service.

Extensible Authentication Protocol (EAP) A protocol that supports various authentication libraries such as smart cards, certificates, and so on.

extranet A private, members-only website that is reachable from the Internet by those authorized to do so. Typically used to describe project-based websites set up to support collaboration between business partners rather than consumer-to-business subscription websites.

F

factoring attack An attack against a password or key in which all possible values are factored and tested. See brute-force attack.

File Transfer Protocol (FTP) An Internet-standard protocol for transferring files between networks.

firewall A router or server used to filter Internet connections to block unauthorized access and malicious attacks.

forensics The process of reconstructing the details of a security event based on remaining evidence such as audit logs and the damage done.

forest A hierarchy of domains stored in an Active Directory database.

G

gateway A generic term for a computer that receives requests and translates or relays them between networks, such as an e-mail gateway, a security proxy, a firewall, or a router.

Globally Unique Identifier (GUID) An ID number generated using an algorithm that guarantees uniqueness amongst all computers in the world. Sometimes referred to as a Guaranteed Unique Identifier.

GPO See Group Policy Object.

Group Policy The primary configuration management tool for Windows networks. Group Policy determines how users are able to work with client computers and servers in a network, which installed software is available to users, how desktops look, and what operating system features are enabled.

Group Policy Object (GPO) A directory containing all the files that are required to enact a Group Policy.

Guest A user account used across a pool of users whose identities are not important. Guest accounts are typically used in services that do not support anonymous access but where anonymous access is desired.

GUID See Globally Unique Identifier.

H

hacker (1) A malicious user who attempts to gain unauthorized access to a system, circumvent protections, deny access to other users, or destroy data. (2) Someone who is especially skilled at computer operation.

handshake The process of establishing a connection between a client and a server.

honeypot See decoy server.

hotfix A software update designed to correct a single issue and released in between service packs.

HTTP See Hypertext Transfer Protocol.

Hypertext Transfer Protocol (HTTP) An Internet-standard protocol used by Web servers to send requested documents, typically Web pages, to clients.

I

IAS See Internet Authentication Service.

ICMP See Internet Control Message Protocol.

IETF See Internet Engineering Task Force.

IIS See Internet Information Services.

IKE See Internet Key Exchange.

IMAP See Internet Mail Access Protocol.

impersonation attack A method of network intrusion in which an attacker attempts to use a legitimate user's username and password.

interior The private side of a firewalled network.

Internet The internetwork to which the vast majority of private networks in the world are attached.

Internet Authentication Service (IAS) The Microsoft implementation of the RADIUS standard, which provides network-wide authentication and accounting.

Internet Control Message Protocol (ICMP) An IP protocol used to pass messages between hosts and routers concerning the state of connections and hosts. ICMP is the protocol used by the ubiquitous ping and traceroute utilities.

Internet Engineering Task Force (IETF) A collaborative working group of industry and academic professionals who define the standards used on the Internet.

Internet Information Services (IIS) The Web (HTTP) server included with Windows 2000.

Internet Key Exchange (IKE) The protocol used to establish IPSec connections and to exchange Security Associations.

Internet Mail Access Protocol (IMAP) A client-server mail access protocol designed to replace POP3.

Internet Protocol (IP) A packet-based message passing network protocol that defines each participant by using a unique hierarchical number. The core protocol of the Internet.

Internet Protocol Security (IPSec) A suite of protocols designed to authenticate or encrypt IP packets.

Internet Security and Acceleration (ISA) Server Microsoft's firewall and proxy service software.

Internet Service Provider (ISP) A commercial provider of Internet service.

intranet A private network based on Internet protocols. Typically used to describe a private web site that is not reachable from the Internet.

IP See Internet Protocol.

IP Security (IPSec) An Internet Engineering Task Force (IETF) body of standards that defines a protocol for authenticating and encrypting IP traffic between hosts on the Internet or within a private IP network.

ISA See Internet Security and Acceleration Server.

ISP See Internet Service Provider.

K

KDC See Key Distribution Center.

Kerberos An authentication service developed for use in multi-vendor distributed networks that uses session tickets and keys to exchange authentication information.

key A number (sometimes expressed as text or as a password) that is used by an encryption algorithm to transform a plain text into an encrypted text or vice versa.

Key Distribution Center (KDC) An authentication server for Kerberos. In Windows 2000, Domain Controllers perform the KDC role.

L

LAN Manager The original password authentication protocol used by Microsoft file sharing systems. LAN Manager password encryption is weak because it reduces the set of characters to uppercase only and encrypts passwords in two 7-character chunks rather than a single 14-character chunk.

Layer 2 Tunneling Protocol (L2TP) A modern host-to-gateway VPN protocol used to establish encrypted connections to networks from remote users. L2TP uses IPSec for encryption. The Windows 2000 RRAS service receives L2TP connections.

local account A user account that allows access to a local computer only.

Local Group Policy The Group Policy objects stored on a local computer and used when a domain policy does not apply.

Local Security Authority (LSA) The component of Windows 2000 that authenticates all access to secured objects on each machine. See Security Reference Monitor.

log A list of recorded events.

logon authentication The process of authenticating with a user interactive service.

M

Mail Application Programming Interface (MAPI) The Microsoft client/server e-mail protocol. Outlook communicates with Exchange using MAPI.

member server A server that is a member of a domain but is not a domain controller.

Message Digest Protocol version 5 (MD5) A popular protocol used for hashing passwords and creating checksums.

Microsoft Challenge Authentication Protocol (MS-CHAP) The Microsoft improved version of CHAP.

Microsoft Management Console (MMC) The standard user interface for service management in Windows 2000. Snap-in modules for MMC provide management consoles for Active Directory and other services.

Microsoft User Authentication Module (MS-UAM) An authentication module for Macintoshes that provides NTLM version 2 support for encrypted passwords.

MMC See Microsoft Management Console.

MS-CHAP See Microsoft Challenge Authentication Protocol.

N

NAT See Network Address Translation.

NetBIOS The Microsoft client server session control protocol used to support file and print sharing. NetBIOS is widely supported but no longer necessary in Windows 2000.

Network Address Translation (NAT) A service that allows multiple computers on a local network to share a public IP address by translating between public and private addresses.

nonce A random number that is encrypted with an encrypted password to ensure that the encrypted password is not revealed during transit over a network.

NTLM A strengthened version of the LAN Manager authentication protocol that hashes passwords using the full 14-character length supported by Windows NT.

O

organizational unit (OU) A container object in Active Directory that can be used to group users or other resources.

Outlook The Microsoft popular e-mail and personal information management application. Outlook can operate as a client to standard Internet e-mail servers as well as Microsoft Exchange.

P

passthrough authentication The process of a server re-using a client's encrypted credentials to establish a connection to a third server. Passthrough authentication allows sessions to be established in the proper user context rather than in the context of the server performing the connection.

password A secret key memorized by a human.

patching The process of applying changes to a program to fix bugs.

perimeter network A security zone created by firewalls between the public Internet and a private network where machines that must be protected but must also serve public protocols are placed.

permissions The access control mechanism used in Windows 2000 to secure access to various types of resources, such as files and Active Directory objects.

Personal Identification Number (PIN) A short numerical password used to unlock credentials stored on a smart card. PINs are used to confirm that the person using a smart card is the owner and that the smart card has not been stolen.

PKI See public key infrastructure.

plaintext An unencrypted file.

Point-to-Point Tunneling Protocol (PPTP) An obsolete protocol used to create Host-to-Gateway VPN connections for remote users. PPTP is essentially an encrypted extension of PPP, and has been replaced by L2TP which uses much stronger authentication and encryption.

policy A set of rules that define how a system can be used.

port A number that identifies which service a specific TCP or UDP packet

Post Office Protocol version 3 (POP3) The most commonly used client/server mail delivery protocol on the Internet.

proxy server A gateway designed to terminate and reestablish connections forwarded through it so that it can filter each protocol specifically for inappropriate content.

public key encryption An encryption method that uses two keys, a publicly distributed encryption key and a privately held decryption key.

public key infrastructure (PKI) The system of certificate authorities and certificate-based services that provide secure trust throughout an enterprise.

Q

Qchain A utility available from Microsoft that allows multiple hotfixes to be installed on a computer without rebooting. Qchain is not required for newer hotfixes since they have this functionality built in.

R

RADIUS See Remote Authentication Dial-In User Service.

realm A group of computers that share the same Kerberos KDC. Analogous to a domain in Windows.

registry The central configuration database for Windows and most software installed on a Windows-based computer. Internally, the registry is viewed as a hierarchical structure of keys and values.

Remote Authentication Dial-In User Service (RADIUS) A standard for servers that provide network-wide authentication and accounting services. IAS (Internet Authentication Service) is the RADIUS server included with Windows 2000 Server.

Remote Desktop Protocol (RDP) A Microsoft protocol designed to transport the desktop image to remote users and return their keystrokes and mouse clicks. RDP is implemented by Terminal Services in Windows 2000.

Remote Installation Services (RIS) A Windows 2000 service that stores an operating system image and allows the installation of a client's operating system across the network.

replay attack An impersonation attack in which encrypted credentials are not decrypted, but are simply recorded and then re-used later to gain access to a server. Challenge/Response protocols were developed to counter replay attacks.

RDP See Remote Desktop Protocol.

Resource Reservation Setup Protocol (RSVP) See Bandwidth Reservation Protocol.

RIS See Remote Installation Services.

Rivest's Cipher #2 (RC2) A common block encryption protocol typically used for encrypting files and originally designed as a drop-in replacement for DES.

Rivest's Cipher #4 (RC4) A common stream encryption protocol typically used for encrypting network sessions. SSL uses RC4 as its encryption cipher.

Root CA The topmost certificate authority in a certification hierarchy.

router A special purpose computer designed to forward packets, especially IP packets. Firewalls are routers that filter IP packets.

Routing and Remote Access (RRAS) Service The Windows 2000 component that manages routing between networks and remote access to networks.

RRAS See Routing and Remote Access Service.

RSVP See Resource Reservation Setup Protocol.

S

SACL See System Access Control List.

Samba A UNIX implementation of the SMB file sharing protocol that is compatible with Windows file sharing. Samba source code is the basis of a number of Unix-based attack programs that attempt to exploit the Windows file sharing mechanism.

secret key encryption A reversible method of encryption that uses an algorithm on the original text and a key to create an encrypted message.

Secure Hash Algorithm (SHA1) A United States and IETF standard hashing algorithm that is less common but more secure than MD5.

S/MIME See Secure Multimedia Internet Mail Extensions.

Secure Multimedia Internet Mail Extensions (S/MIME) The IETF standard for encrypting e-mail based on public key cryptography.

SSL See Secure Sockets Layer.

Secure Sockets Layer (SSL) A standard for encryption of data over a secure HTTP connection using certificates. SSL has also been adapted for use with other common protocols such as FTP, POP3, and IMAP.

SAM See Security Accounts Manager.

Security Accounts Manager (SAM) A secure database of user accounts stored in each computer's registry.

SA See Security Association.

Security Association (SA) An IPSec data structure that contains all the information necessary to establish a secure connection to another IPSec-enabled host.

security group An object that combines a number of users into a single unit for security management.

SID See security identifier.

security identifier (SID) A numeric code that uniquely identifies a security principal throughout the system.

security principal Any Active Directory object, such as a user account, a computer account, or a security group, that can be assigned permissions and rights.

Security Reference Monitor (SRM) The component of the LSA that compares a requesting program's Access Token to a secured object's DACL. See also LSA, Access Token, DACL.

security template A text file that contains numerous policy settings pertaining to computer security, such as password policy and account policy. Templates can be imported and exported to distribute security settings.

self-certified A certificate authority that is not rooted in another certificate authority. All who trust the CA must trust that the CA has authenticated every certificate that it issues.

Server Message Block (SMB) The Windows file sharing protocol. Also referred to as the Common Internet File Service (CIFS) in some documents.

service pack A major software update that includes a large number of bug fixes and enhancements.

session A connection between a client and server that provides continuity of authentication from the original logon until the session is terminated by serializing packets in a manner that is difficult or impossible to spoof.

share A folder that an administrator has published on a network in which users can store and retrieve files.

Shiva Password Authentication Protocol (SPAP) Shiva's extension of the obsolete Password Authentication Protocol. SPAP is slightly more secure, but still vulnerable to replay attacks.

Service Set Identifier (SSID) A unique identifier for a WAP that is used to control which WAPs wireless clients will associate with.

signed Any file that has a digital signature attached to it.

Simple Mail Transfer Protocol (SMTP) The Internet standard for server to server e-mail transmission.

Simple Network Management Protocol (SNMP) The Internet protocol used to query and control network attached devices and computers.

Single Sign-On (SSO) A set of authentication services that allow users to log on once and have that authentication follow them to every device they use, thus providing the illusion of having logged onto the entire network. In Windows, SSO is provided by Kerberos.

slipstreaming The process of including patched files in a Windows installation set so that subsequent installations will be patched up to date upon installation.

Smart Card A device in the form-factor of a credit card containing a microprocessor and nonvolatile memory that is used to create and store public/private key pairs. The private key is held irretrievably within the memory of the device, and the device's microprocessor is used to decrypt content using the key. Smart cards are often used to authenticate users and encrypt data.

SMB See Server Message Block.

SMTP See Simple Mail Transfer Protocol.

sniffer A computer (or device) used to receive all traffic on a network segment, rather than just the traffic addressed to it. Sniffers allow administrators to confirm that network protocols are operating correctly and to troubleshoot them. Sniffers are also used by hackers to inspect information and glean passwords. The Network Monitor in Windows is an example of a sniffer built into Windows 2000, but it is limited to inspecting traffic on the local machine unless you use the version included in SMS Server.

SNMP See Simple Network Management Protocol.

spam Unwanted, unrequested e-mail, usually a commercial offer.

SPAP See Shiva Password Authentication Protocol.

SRM See Security Reference Monitor.

SSID See Service Set Identifier.

SSO See Single Sign-On.

stand-alone CA A certificate authority that is separate from Active Directory and can issue certificates for intranet or extranet use.

subordinate CA A certificate authority that requires a CA certificate from a root CA.

symmetric encryption Any encryption algorithm which uses the same key for both the encrypt and decrypt functions.

SYN Flood A common type of Denial of Service attack wherein a large number of connection requests are transmitted to a server and immediately abandoned, causing the server to allocate resources waiting for replies from clients.

System Access Control List (SACL) An ACL that determines whether attempts to access an object are recorded in the audit log.

T

target-of-opportunity A victim discovered by chance rather than specifically searched for.

TGS See ticket granting service.

TGT See ticket granting ticket.

ticket An encrypted set of credentials used to prove to a server that the client has been authenticated by a KDC and has the right to access the server. In Windows 2000, Tickets contain the user's SID and the global security group SIDs that the user belongs to.

ticket granting service (TGS) The service in Kerberos that issues tickets.

ticket granting ticket (TGT) A special type of ticket that proves that the client has authenticated with the Kerberos authentication service, which is used to request subsequent tickets for use on other servers.

Trojan horse A program designed to trick users into installing it and then invisibly listen for connections from hackers.

trust The decision to place confidence in an entity to authenticate third parties.

trust relationship A defined relationship for permissions management between two domains. Security principals from a trusted domain can be given permissions for objects in a trusting domain.

tunnel A session established between routers through which typical network layer TCP/IP traffic is sent. Tunnels are typically encrypted to create a VPN.

U

UAM See User Authentication Module.

UDP See User Datagram Protocol.

user account A combination of username, password, and other attributes that define a single user's access to the network. User accounts are stored in Active Directory.

user authentication The process of determining the identity of the person accessing the computer so that the operating system can enforce security restrictions appropriate for that person.

User Authentication Module (UAM) A Macintosh operating system component written by Microsoft which enables Macintoshes to authenticate with a Windows domain using encrypted passwords. The latest version supports NTLM version 2.

User Datagram Protocol (UDP) A peer protocol to TCP that does not provide sessions, guaranteed delivery, or ordering of packets. UDP is used for simple single packet messages or protocols where reliability is less important than timing.

user rights Properties that control a user's ability to perform operations that affect the system as a whole, such as shutting the computer down.

V

Virtual Private Network (VPN) A method for connecting nodes of a private network over a public network such as the Internet by using a tunneling protocol to encapsulate private data.

W

WAN See Wide Area Network.

WAP See Wireless Access Point.

war driving The attempt to locate unsecured wireless access points by driving around with a wireless receiver.

WEP See Wired Equivalency Protocol.

Wide Area Network (WAN) A private internetwork that is connected by long-distance circuits or a VPN.

Windows Internet Name Service (WINS) An obsolete Windows name to IP address lookup service.

Wired Equivalency Protocol (WEP) A security protocol that encrypts wireless data using a fixed secret key.

Wireless Access Point (WAP) A bridge between a wired network and wireless clients.

Wireless Local Area Network (WLAN) A network constructed using radio transceivers rather than cables for each client.

worm A combination of a virus and a Trojan horse that is capable of automatically exploiting a host using a common vulnerability, and then using that host to propagate itself to others. Successful worms cause more damage than any other type of hacking activity due to their wide and rapid spread.

X

X.509 An IETF standard that specifies the data structure of certificates.


MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
Year: 2003
Pages: 82