See
A feature of Hypertext Transfer Protocol (HTTP) version 1.1 that minimizes the number of connections that Web browsers need to make to access content on Web servers. Keepalives, which are also known as persistent connections, are supported by both Microsoft Internet Information Services (IIS) and Microsoft Internet Explorer.
How It Works
When a Web browser that supports keepalives (such as Internet Explorer 4) makes an HTTP GET request to a Web server that supports keepalives (such as IIS 4), the Web browser includes a new “Connection:Keep-Alive” header in the list of HTTP headers that it sends to the Web server in the request. The Web server responds by giving the client the file it requested (usually an HTML page or an image file). After the server sends the file to the client, instead of closing the TCP/IP socket it keeps the socket open for a period of time in case the client wants to download additional files. A typical Web page might include a dozen images, and normally up to four sockets are kept open for transferring files between the client and the server.
NOTE
The term “keepalives” also refers to special packets used to keep a TCP connection open on a TCP/IP internetwork.
TIP
Keepalives do not work unless they are supported by both the Web browser and the Web server.
A method of securely authenticating users’ requests for access to services on a network. It was developed by the Massachusetts Institute of Technology (MIT), which based it on the Data Encryption Standard (DES). Kerberos is the primary security protocol for Microsoft Windows 2000 domains and is used by domain controllers to verify the identity of the user and the integrity of data during a session. Kerberos has also been implemented on several UNIX platforms including OpenBSD.
How It Works
Kerberos uses a ticket-based method for granting a user access to a network service. When a Kerberos-enabled client wants to request a network service (such as network logon) from a Kerberos-enabled server, the client must first contact an authentication server (AS) to receive a ticket and an encryption key. The encryption key, called the session key, is used to unlock communication between the client and the server and thereby authenticate that communication. The initial ticket, often called the ticket-granting ticket (TGT), contains a copy of the session key and an identity, which is a randomly generated number. The AS passes the TGT and the identity back to the client, which stores the ticket in its ticket cache. When the client wants to access a particular service, it sends the ticket to a ticket-granting server (TGS). (The TGS and AS are usually the same machine.) The TGS gives the client a ticket that securely identifies the client to the service it is requesting. Finally, the client presents the ticket to the network service it is trying to access and is granted access to the resource as many times as desired until the ticket expires. When the client sends a ticket, the ticket is always accompanied by an authenticator message that is encrypted with the session key. This authenticator includes a time stamp, which is used to ensure that the ticket is legitimate.
Graphic K-1. The protocol defines the steps a client must take to gain access to network services or resources.
In the Windows 2000 implementation of Kerberos, each domain controller has the Kerberos v5 services running on it, and a Kerberos client is built into each server and workstation running Windows 2000. The Kerberos services maintain encrypted user passwords and identities in Active Directory. When a user logs on to a domain controller, the initial Kerberos authentication enables the user to access available resources anywhere in the enterprise because authentication credentials issued by the Kerberos services of one domain are accepted by all domains within a domain tree or a domain forest.
The Kerberos service issues an initial ticket for the logon domain when a user logs on to a Windows 2000 workstation. Any server running Windows 2000 can then validate the client’s ticket without having to contact the domain Kerberos service. It can do this because servers running Windows 2000 share the encryption key that the Kerberos service uses to encrypt tickets. This encryption key is called the server key.
If a Windows 2000 client in one domain requests access to a resource in a remote domain that is part of the same domain tree or forest, the Kerberos service in the local domain issues a referral ticket that the client presents to the Kerberos service in the remote domain. The Kerberos service in the remote domain then issues an initial ticket that is valid for its own domain and identifies the domain. Using this ticket, the client can then access resources in the remote domain.
The implementation of Kerberos in Windows 2000 is an industry-standard version that is compliant with Request for Comments (RFC) 1510.
Some of the benefits of Kerberos authentication include the following:
Two-way transitive trusts between domains
Mutual authentication of both client and server during an authentication session
Delegated authentication for multitier client/server interactions
On the Web
•
RFC 1510 : http://www.ietf.org/rfc/rfc1510.txt
The core services within an operating system. The term “kernel” is most often used in a UNIX environment and is contrasted with the term shell, which describes the outer portion of the operating system that is exposed to the user and provides a user interface for entering commands and receiving output. (In Microsoft Windows operating systems, the shell is the desktop.)
The kernel generally interfaces with other components of the operating system through system calls, which provide a standard interface to kernel functions. In many operating systems, the kernel is primarily responsible for scheduling processes and threads and for handling interrupts from devices. The kernel also typically manages input/output (I/O) operations and memory management.
How It Works
In Windows NT and Windows 2000, the kernel (called ntoskernl.exe and commonly referred to as the microkernel) is located in the \Winnt\System32 directory and runs in nonpageable memory (which means that it is always resident in memory). The kernel is responsible for thread scheduling and dispatching threads to processors on a symmetric multiprocessing (SMP) platform. The kernel code itself is not preemptive—that is, no other thread or process can preempt the kernel’s operations. Each thread is assigned a priority level from 0 to 31, as follows:
Levels 0 through 15 indicate dynamic priority and are assigned to application and user threads.
Levels 16 through 31 indicate real-time priority and are assigned only to key operating system threads.
The kernel adjusts priority levels for threads to ensure that no thread is starved and that each receives proper attention, with threads having a higher priority level getting the greater share of processor resources.
The kernel does its job by managing two classes of objects:
Control objects, which control the operation of the kernel and include processes, interrupts, asynchronous procedure calls, and profiles
Dispatcher objects, which manage thread dispatching and synchronization and include events, threads, timers, semaphores, mutants, and mutexes
The Windows NT kernel communicates with the hardware abstraction layer (HAL) to interact with hardware and communicates with the Windows NT executive and its components for higher-level operating system functions. The kernel loads when the screen turns blue during the boot process.
NOTE
In Windows 95 and Windows 98, the kernel file is kernel32.dll, and it is located in the \Windows\System directory. If the kernel is corrupt or missing, you can expand the file from the distribution CD and replace the damaged or missing file on your hard drive (as long as you can access that drive in a way that doesn’t involve this file, such as through MS-DOS).
A privileged mode of operation in which processes can execute within the Microsoft Windows NT and Windows 2000 operating systems. Processes running in kernel mode can access system memory and hardware. Kernel mode processes include components of the operating system that directly manage resources on the computer, such as the following:
Windows NT executive, which contains operating system modules that manage objects, processes, security, memory, and devices
The kernel, which manages core operating system services
The hardware abstraction layer (HAL), which isolates operating system code from hardware differences
Graphic K-2. Kernel mode of the Windows NT and Windows 2000 architectures. (User mode is shown in light gray.)
See also user mode
A device that can be plugged into the keyboard port of a server to emulate the presence of a connected keyboard. When a power outage causes the server to reboot, the server detects the presence of a keyboard and the reboot is allowed to occur. This is important when administrators are off site when servers need to be rebooted, because computers normally do not boot unless a keyboard is attached.
A keyboard emulator is used as a security device when the presence of an attached keyboard is not desirable, such as when the servers are in an unlocked room or can be tampered with in some other fashion. By removing the keyboard and installing a keyboard emulator, you can prevent unauthorized users from attempting a local logon to a server.
A column (attribute) or group of columns (attributes) used to uniquely identify records in a table of a relational database such as those created and managed by Microsoft SQL Server. There are two main types of database keys:
Primary keys, which uniquely identify the rows of a table. Each row has a unique value in the primary key column or columns. Each table in a relational database should have one and only one primary key, and primary keys cannot allow nulls (NN), duplicates (ND), or no changes (NC).
Foreign keys, which are columns or groups of columns within a table that match the primary key of a different table. Foreign keys are used to define relationships between tables and to enforce referential integrity in a database by ensuring that each value in the foreign key column is actually a valid entry in the primary key column of another table.
NOTE
A column in a database table can be both a primary key for its own table and a foreign key for a different table.
A mathematical entity used in cryptography for the encryption of messages and for signing messages with digital signatures. In secret key (or symmetric key) cryptography, both the sender and the recipient use the same key for encrypting and decrypting messages. Public key cryptography uses a key pair that consists of the private and public keys of the sender. The degree of security of a key depends on the type of mathematical algorithm used with the cryptosystem and the length of the key. Most cryptography algorithms make use of transformations using prime numbers and congruency. Key lengths range from 40 bits for the RC2 and RC4 cryptography algorithms to 512 bits for RSA public key systems. You obtain keys from certificate authorities (CAs) by submitting a key request file, such as one generated by the Key Manager component of Internet Information Services (IIS).
See also public key cryptography
A registry item that can contain subkeys and values. Keys are used for organizing the registry into a hierarchical structure and for naming and identifying collections of registry values.
Keys are thus analogous to directories in a file system as displayed using Microsoft Windows Explorer, and keys are in fact displayed by the Registry Editor as folders. The screen capture shows the Control key being displayed, which contains value entries (in the right pane) and subkeys (the series of items under it in the left pane). The Control key itself is a subkey of the CurrentControlSet key.
Graphic K-3. The Control key in the Windows NT and Windows 2000 RegistryEditor (regedt32.exe).
A component of Microsoft Exchange Server version 5.5 that provides encryption and digital signature services for secure messaging. Key Management Server (KMS) enables you to send secure mail using Secure/Multipurpose Internet Mail Extensions (S/MIME) algorithms such as DES, 3DES, RC2-40, RC2-64, and RC2-128, and monitors all security functions for Microsoft Exchange. KMS is implemented as a Microsoft Windows NT service and requires that Microsoft Certificate Server be installed on a machine in your enterprise to issue user certificates. KMS uses Certificate Server for generating digital certificates and key pairs. Once KMS is installed and configured in an Exchange organization, security can be administered using two objects in the Exchange directory hierarchy displayed in the Exchange Administrator tool:
Certificate authority (CA), a directory object for configuring security for users
Site Encryption, a directory object for configuring security for sites
TIP
Only one KMS can be installed in an Exchange organization. Service Pack 1 and later for Exchange Server 5.5 includes additional enhancements and fixes for KMS, so it’s recommended that you install the service pack before using KMS.
A component of Internet Information Server version 4 and earlier that generates certificate requests and key pairs for enabling the Secure Sockets Layer (SSL) protocol. You can use Key Manager to do the following:
Create a certificate request file and send it to Microsoft Certificate Server to obtain a digital certificate
Install a server certificate on a virtual server, thus enabling the virtual server for SSL
Generate a key pair for the public key cryptography used in SSL
How It Works
To use Key Manager to obtain a digital certificate from a certificate authority (CA), start Key Manager from the toolbar of Internet Services Manager. Then choose Create New Key from the Key menu. The key request file that is generated is a text file that you can e-mail to a third-party CA such as VeriSign or send directly over the network to Certificate Server if you have it configured as your CA.
NOTE
In Internet Information Services (IIS) 5, Key Manager has been replaced with Certificate Manager.
The public and private keys generated for an entity (individual, system, company, or organization) in a public key cryptography system. Such systems always generate keys in pairs. The private key belongs to the user alone and is kept secret. The public key is available to anyone who requests it. If a message is encrypted with the private key, it can be decrypted using the public key, and vice versa. This is possible because the private and public keys have a specific mathematical relationship.
NOTE
You can use the Certificate Manager component of Internet Information Services (IIS) to generate a key request file. You can then submit the file to a server running Microsoft Certificate Server or to a public certificate authority (CA) such as VeriSign to obtain a key pair and a digital certificate. Once the key pair has been issued to a user, the user can encrypt messages and sign the messages with digital signatures.
See also public key cryptography
See Key Management Server (KMS)
A utility built into the Exchange directory service of Microsoft Exchange Server that ensures consistency within the directory database. The Knowledge Consistency Checker (KCC) automatically checks for directory consistency throughout an Exchange site every three hours, or whenever you modify the directory, to ensure that the directory database is consistent throughout your Exchange organization. If the directories do not match, the KCC initiates directory replication to correct the inconsistencies. The KCC is also involved in replicating directory information between sites.
You can force the KCC manually using the Directory Service object in the Exchange directory hierarchy. This causes all the directories in your Exchange organization to be checked for consistency with one another. You might want to force the KCC to run if you have added new servers to other sites and want to update this information in the directory of your own site, or if you suspect that errors have occurred during directory replication.
NOTE
Active Directory in Microsoft Windows 2000 uses a similar KCC tool for controlling directory replication between domain controllers within a site. The Active Directory KCC logically links a site’s domain controllers to a ring topology, which defines the paths that directory updates use to travel from one domain controller to another. The KCC does this by creating connection objects that represent a unidirectional path from one domain controller to another. These connection objects are located in the NTDS Settings folder, which is in the Active Directory Sites and Services administrative tool. Administrators can also create additional intrasite or intersite connection objects for controlling directory replication, but it is often better to let the KCC do this automatically to ensure better performance.
The ring topology generated by the KCC ensures a minimum of two replication paths between domain controllers so that if one domain controller is down, replication can continue. In this topology, a directory replication update travels from one domain controller to any other domain controller in the same site in three or fewer “hops.” When a domain controller is added to or removed from a site, the KCC generates a new topology.
TIP
Don’t confuse the KCC of the Directory Service object with the DS/IS Consistency Adjuster of the Server object! Running the DS/IS Consistency Adjuster carelessly can yield unexpected results such as rehomed public folders.
A component of Microsoft Site Server that makes it easy for visitors to your site to find information and receive updates when information is added or changed. Knowledge Manager enables users to
Search for information by entering a word or a phrase.
Browse predefined categories of information (similar to Yahoo! categories).
View personal knowledge briefs, which are summaries of information on a specific topic that consist of Uniform Resource Locators (URLs) or saved searches. Users can set up their own personal briefs (called My Briefs) or subscribe to briefs created by experts in the organization. They can receive updates by e-mail, from a briefing channel, or by revisiting the Web page.
Create Shared Briefs for sharing information with colleagues.
View the Channel Center, which lists available channels.
Stands for Keyboard-Video-Mouse switch, an electronic switch that allows one or more keyboards, video monitors, and pointing devices to control a number of computers. You can use KVM switches to cut costs and prevent equipment clutter in server rooms. Cheaper KVMs sometimes use pushbuttons for selecting computers, but more sophisticated KVMs allow you to select a computer by using a keyboard shortcut or by selecting from an on-screen context menu. The menu might also include some form of password protection for each computer and a master password that grants access to all computers attached to the switch. KVMs can support two, four, or eight computers, and some KVMs can be daisy-chained to support many more computers.
Another use for a KVM arises when your servers are in a special “clean room” or secured location and you want to control them from a different room. In this case, the KVM switch must include a built-in video extender, which amplifies the video signal so that the monitor can be connected to the computer using a cable that is 500 feet or longer. In this configuration, you must use two video extenders, one at the server and one at the remote monitor station. Video extenders can often be connected using a single interconnect line of category 5 cabling.
Graphic K-4. KVM switch.
Other, similar types of switches include the following:
KV (Keyboard-Video) switch
KVMM (Keyboard-Video-Mouse-Monitor) switch
