Kerberos. The Kerberos v5 protocol defines the steps a client must take to be authenticated for gaining access to network services or resources.
Stands for Knowledge Consistency Checker, a feature of the Active Directory directory service that ensures that directory replication properly takes place.
See Also Knowledge Consistency Checker (KCC)
Stands for K Desktop Environment, a graphical user interface for Linux.
See Also K Desktop Environment (KDE)
A graphical user interface (GUI) for Linux.
Overview
K Desktop Environment (KDE) provides users with an integrated, graphical, open-source working environment suitable for Linux workstations. KDE is comparable in many ways to the power and functionality of the Microsoft Windows and Mac OS user interfaces. The latest version, KDE2, incorporates a number of applications and utilities that include
Konqueror: A combination file manager and Web browser that features a two-pane tree-and-view similar to Windows Explorer on the Windows platform.
Koffice: A suite of office productivity tools that includes word processing, spreadsheet, presentation, and drawing applications.
Prospects
Although Linux has established itself in the server side of the enterprise market, it has made little headway until now on the desktop. The KDE Project's aim is to promote the use of Linux in the desktop environment especially. KDE is one of two main GUI environments for Linux, the other being Gnu Object Modeling Environment (GNOME). KDE currently has about 70 percent of the Linux market, and the KDE League is an industry consortium dedicated to promoting KDE on the Linux desktop.
For More Information
Find out more about KDE at www.kde.org
See Also GNU Object Modeling Environment (GNOME) ,Linux
A feature of Hypertext Transfer Protocol (HTTP) version 1.1 that minimizes the number of connections that Web browsers need to make to access content on Web servers.
Overview
When a Web browser that supports keepalives (such as Microsoft Internet Explorer 4 or higher) makes an HTTP GET request to a Web server that supports keepalives (such as Microsoft Internet Information Services [IIS]), the Web browser includes a new "Connection: Keep- Alive" header in the list of HTTP headers that it sends to the Web server in the request. The Web server responds by giving the client the file it requested (usually a Hypertext Markup Language [HTML] page or an image file). After the server sends the file to the client, instead of closing the Transmission Control Protocol/Internet Protocol (TCP/IP) socket, it keeps the socket open for a period of time in case the client wants to download additional files. A typical Web page might include a dozen images, and normally up to four sockets are kept open for transferring files between the client and the server.
Keepalives, which are also known as persistent connections, are supported by both Microsoft Internet Information Services (IIS) and Internet Explorer. Note that keepalives do not work unless both the Web browser and the Web server support them.
Notes
The term keepalives also refers to special packets used to keep a TCP connection open on a TCP/IP internetwork.
See Also Hypertext Transfer Protocol (HTTP) ,Internet Explorer ,Internet Information Services (IIS)
A security protocol used for securing access to network services.
Overview
Kerberos was developed in the early 1980s at the Massachusetts Institute of Technology (MIT) by Project Athena, the same group responsible for the X Windows system for the UNIX platform. Kerberos is based on the Data Encryption Standard (DES) and uses security tickets to manage the authentication of users and applications on a network. The Kerberos protocol is defined by RFC 1510 and the security tickets it employs are covered by RFC 1964. The current version of Kerberos (Kerberos v5, or version 5) was developed in 1993.
Kerberos has been used in the UNIX world for some time, and Kerberos v5 is the default authentication protocol used by the Microsoft Windows 2000 network operating system platform. Kerberos is a powerful authentication method that allows mutual authentication of both client and server during an authentication session. This is unlike the earlier Windows NT LAN Manager (NTLM) authentication protocol used on the Windows NT platform. NTLM authenticated clients only; Kerberos is thus more secure, as it authenticates both the client and the server.
Kerberos is a strong authentication protocol suited for implementation in a distributed processing environment. Kerberos also supports delegation, in which one machine can contact another machine on behalf of a client request for authentication. Kerberos shifts the processing load for authentication from the server to the client, making it an efficient authentication method for large enterprises. Kerberos is also a cross-platform standard and can be implemented in heterogeneous networks where multiple operating system platforms are present.
Architecture
Kerberos is named after the mythical three-headed dog (Kerberos in Greek mythology, Cerberus in Roman mythology) that guarded the gates of Hades. This name was chosen because Kerberos requires three different entities to be present in order to operate:
Kerberos clients: These are users, applications, or machines that need to be authenticated in order to access network resources.
Network servers: These are Kerberos-enabled servers hosting the network resources that the Kerberos clients want to access.
Key Distribution Center (KDC): This is a special server that's trusted by both Kerberos clients and network servers and is responsible for issuing Kerberos tickets to clients.
Kerberos uses a ticket-based method for granting a user access to a network service. When a Kerberos-enabled client wants to request a network service (such as network logon) from a Kerberos-enabled server, the client must first contact an authentication server (AS) to receive a ticket and an encryption key. The encryption key, called the session key, is generated using symmetric key encryption and is used to unlock communication between the client and the server and thereby authenticate that communication. The initial ticket, often called the ticket-granting ticket (TGT), contains a copy of the session key and an identity, which is a randomly generated number. The AS passes the TGT and the identity back to the client, which stores the ticket in its ticket cache. When the client wants to access a particular service, it sends the ticket to a ticket-granting server (TGS). (The TGS and AS are usually the same machine.) The TGS gives the client a ticket that securely identifies the client to the service it's requesting. Finally, the client presents the ticket to the network service it's trying to access and is granted access to the resource as many times as desired until the ticket expires. When the client sends a ticket, the ticket is always accompanied by an authenticator message that's encrypted with the session key. This authenticator includes a time stamp, which is used to ensure that the ticket is legitimate.
Kerberos. The Kerberos v5 protocol defines the steps a client must take to be authenticated for gaining access to network services or resources.
Implementation
In the Windows 2000 implementation of Kerberos, each domain controller has the Kerberos v5 service running on it. Kerberos client software is also built into each server and workstation running Windows 2000. The Kerberos service maintains encrypted user passwords and identities in the Active Directory directory service database. When a user logs on to a domain controller, the initial Kerberos authentication enables the user to access available resources anywhere in the enterprise because authentication credentials issued by the Kerberos services of one domain are accepted by all domains within a domain tree or a domain forest.
The Kerberos service issues an initial ticket for the logon domain when a user logs on to a Windows 2000 workstation. Any server running Windows 2000 can then validate the client's ticket without having to contact the domain Kerberos service. It can do this because servers running Windows 2000 share the encryption key that the Kerberos service uses to encrypt tickets. This encryption key is called the server key.
If a Windows 2000 client in one domain requests access to a resource in a remote domain that's part of the same domain tree or forest, the Kerberos service in the local domain issues a referral ticket that the client presents to the Kerberos service in the remote domain. The Kerberos service in the remote domain then issues an initial ticket that's valid for its own domain and identifies the domain. Using this ticket, the client can then access resources in the remote domain.
See Also authentication protocol ,Data Encryption Standard (DES) ,Windows NT Challenge/Response Authentication
The core of an operating system.
Overview
In most operating systems, the kernel is the part that's responsible for low-level (essential) activities such as multitasking, scheduling processes and threads, handling interrupts from devices, memory management, error handling, and managing input/output (I/O) operations. The kernel interfaces with other components of the operating system through system calls, which provide a standard interface to kernel functions. The kernel runs within protected mode memory in order to ensure the operating system's stability.
The term kernel is more often used in a UNIX environment and is contrasted with the term shell , which describes the outer portion of the operating system that's exposed to the user and provides a user interface for entering commands and receiving output. In Microsoft Windows operating systems, the shell is known as the desktop.
Architecture
The Windows 2000 kernel uses a microkernel architecture. This means that the kernel is a small component with limited functionality that loads other components such as drivers and services into memory only as required to complete requested system tasks. By contrast, a kernel constructed using a monolithic architecture has device drivers and services built right into it (Berkeley Software Distribution [BSD] UNIX follows this architecture).
The kernel for Windows 2000, Windows XP, and Windows .NET Server, called Ntoskrnl.exe, is located in the \Winnt\System32 directory in Windows 2000 and the \Windows\System32 directory in Windows XP and Windows .NET Server. It runs in nonpageable memory, which means that it's always resident in memory. The kernel is responsible for thread scheduling and dispatching threads to processors on a symmetric multiprocessing (SMP) platform. The kernel code itself is not preemptive-that is, no other thread or process can preempt the kernel's operations. Each thread is assigned a priority level from 0 to 31 by the kernel, as follows:
Levels 0 through 15 indicate dynamic priority and are assigned to application and user threads.
Levels 16 through 31 indicate real-time priority and are assigned only to key operating system threads.
The kernel adjusts priority levels for threads to ensure that no thread is starved and that each receives proper attention, with threads having a higher priority level getting the greater share of processor resources.
The kernel does its job by managing two classes of objects:
Control objects, which control the operation of the kernel and include processes, interrupts, asynchronous procedure calls, and profiles
Dispatcher objects, which manage thread dispatching and synchronization and include events, threads, timers, semaphores, mutants, and mutexes
The kernel communicates with the hardware abstraction layer (HAL) to interact with hardware and communicates with the Executive and its components for higher-level operating system functions. The kernel loads when the screen turns blue during the boot process.
Another example of a microkernel architecture is found in the Linux operating system, which uses device drivers that can be loaded into memory and unloaded from memory as required.
Notes
In Windows 95 and Windows 98, the kernel file is Kernel32.dll, and it's located in the \Windows\System directory. If the kernel is corrupt or missing, you can expand the file from the distribution CD and replace the damaged or missing file on your hard disk (as long as you can access that drive in a way that does not involve this file, such as through MS-DOS).
See Also desktop , hardware abstraction layer (HAL) , shell
A privileged mode of operation in which processes can execute within the Microsoft Windows 2000 operating system.
Overview
Kernel mode processes include components of the operating system that directly manage resources on the computer, such as the following:
Windows 2000 executive, which contains operating system modules that manage objects, processes, security, memory, and devices
The kernel, which manages core operating system services
The hardware abstraction layer (HAL), which isolates operating system code from hardware differences
Kernel mode. Kernel mode of the Windows 2000 operating system architecture.
Notes
Kernel mode is also known as supervisor mode, protected mode, or Ring 0.
See Also user mode
A device that can be plugged into the keyboard port of a server to emulate the presence of a connected keyboard.
Overview
When a power outage causes the server to reboot, the server detects the presence of a keyboard and the reboot is allowed to occur. This is important when administrators are off site when servers need to be rebooted, because computers normally do not boot unless a keyboard is attached.
A keyboard emulator is used as a security device when the presence of an attached keyboard is not desirable, such as when the servers are in an unlocked room or can be tampered with in some other fashion. By removing the keyboard and installing a keyboard emulator, you can prevent unauthorized users from attempting a local logon to a server.
A device that allows several computers to be controlled from a single keyboard, mouse, and monitor.
Overview
Keyboard Video Mouse (KVM) switches are typically employed in the enterprise to managed server farms, which are collections of rack-mounted servers grouped together for various purposes. They are also used in help desk environments and in data centers where large numbers of computers need to be centrally managed by a few people.
Using a KVM switch to control multiple computers has several advantages over using a separate keyboard, mouse, and monitor for each machine, specifically:
Savings on the cost of additional keyboards, mice, and monitors. This includes both purchase costs and the cost of electricity to operate the monitors.
Lessening the chance of equipment failure by reducing the amount of heat generated through elimination of unnecessary monitors (and thus also lowering air conditioning costs in equipment rooms).
Preventing equipment clutter in already crowded server rooms.
KVMs typically support two, four, eight, or more computers and can often be daisy-chained to support hundreds-or even thousands-of computers.
Types
The simplest KVMs are manual switches that employ push buttons for switching between different computers. These analog switches are cheap, but the peripherals tend to become unsynchronized with the computers, often requiring a reboot to correct things.
More commonly, commercial KVMs employ electronics to switch between different machines, typically by using keyboard shortcuts or through an on-screen menu. The menu may also include some form of password protection for each computer and a master password that grants access to all computers attached to the switch. The switch is typically connected to the keyboard, mouse, and video ports on the computers using proprietary cables purchased with the switch. A single keyboard, mouse, and monitor are then connected to the switch to control the various machines. KVM switches generally send analog signals all the time to all connected computers in order to give each computer the illusion that it has a directly connected keyboard, monitor, and mouse. Keyboard signals are most important, for Intel PCs in particular require a keyboard signal in order to reboot.
Sometimes the computers that need to be controlled are located in another part of the building in a special "clean room" or other secure location. In this case, use an analog KVM switch with a built-in video extender, which amplifies the video signal so that the monitor can be connected to the computer using a cable that's 500 feet (150 meters) or longer. You actually need two video extenders, one at the server end and one at the remote monitor station. Video extenders can often be connected using a single interconnect line of Category 5 (Cat5) cabling.
Keyboard Video Mouse (KVM) switch. Using a KVM switch to control several servers from a single keyboard, monitor, and mouse.
Marketplace
A number of companies make KVM switches for various markets from small businesses to enterprise data centers. Some popular vendors include Avocent Corporation, Black Box Corporation, Rose Electronics, and Tron International.
A recent development is the digital KVM switch, whose operation resembles remote control software such as pcAnywhere but allows you to manage servers running any operating system. Digital KVM switches work by converting analog keyboard, video, and mouse signals into digital signals, which are then packaged in Internet Protocol (IP) packets and transmitted over a network. They can be used to control hundreds of computers at different locations and can even operate over the Internet. Instead of controlling the computers from a keyboard/mouse/monitor combination, they are instead controlled from a central management workstation that has special software installed on it.
When deploying a digital KVM switch, the management workstation controls the remote servers over a standard Ethernet local area network (LAN) or wide area network (WAN) connection, which can be configured in either of two ways:
In-band management: This method employs the existing LAN on which the servers reside for sending control signals to the servers. The disadvantage of this method is that if the network goes down, you have no way of controlling the servers.
Out-of-band management: This method employs a separate maintenance LAN for controlling the servers. The advantage here is that you can manage the servers even when the regular LAN or WAN connection is down, but the disadvantage is that you have to deploy a separate Cat5 wiring infrastructure to make this possible, which can incur considerable extra cost.
The first commercially available digital KVM switch was the DS1800 from Avocent. This market is likely to grow over the next several years, driven by demand mainly from Internet data centers and e-commerce companies.
See Also out-of-band management (OBM) ,switch
A mathematical value used in cryptography for encrypting and signing messages.
Overview
The degree of security of a key depends on the type of mathematical algorithm used with the cryptosystem and the length of the key. Most cryptography algorithms employ transformations that use prime numbers and congruency. Key lengths typically range from 40 bits for the RC2 and RC4 cryptography algorithms to 512 bits for RSA public key systems.
The number of keys used depends on the kind of cryptographic system being employed. In secret (or symmetric) key cryptography, both the sender and the recipient use the same key for encrypting and decrypting messages. By contrast, public key cryptography employs a key pair that consists of the private and public keys of the message sender. In a public key system, these keys are usually obtained from a certificate authority (CA). This is accomplished by having the user submit a key request file, such as one generated by the Key Manager component of Microsoft Internet Information Services (IIS).
See Also encryption , public key cryptography
A column or group of columns used to uniquely identify records in a table of a relational database.
Overview
Two main types of keys are used in relational databases such as Microsoft SQL Server:
Primary keys: These are columns or groups of columns that uniquely identify the rows of a table. Each row has a unique value in the primary key column or columns. Each table in a relational database should have one and only one primary key, and primary keys cannot allow nulls (NN), duplicates (ND), or no changes (NC).
Foreign keys: These are columns or groups of columns in one table that match the primary key of a different table. Foreign keys are used to define relationships between tables and to enforce referential integrity in a database by ensuring that each value in the foreign key column is actually a valid entry in the primary key column of another table.
Note that a column in a database table can be both a primary key for its own table and a foreign key for a different table.
See Also database
A method for managing private keys within a public key infrastructure (PKI).
Overview
Key management is an essential function of any PKI system. This is because private keys issued to users must be kept secure and confidential to protect the PKI system's integrity. Should a user's private key be compromised, various consequences could result, depending on the privileges of the user within the enterprise, including the following:
The user's reputation could be damaged by an impersonator sending harassing mail signed with the user's private key.
Data could be stolen or other damage could be done if the user has high-level privileges on the network.
Agreements could be signed without proper consent should the user have signing authority using his private key.
Implementation
The essential requirement for securely managing users' private keys is to make sure that these keys are stored in only one location and that no copies exist anywhere else. While many PKI implementations are software-based systems in which keys are stored on computers' hard disks, a better solution is hardware-based key management. A good example of this is smart cards, which you can use to store a single existing copy of a user's private key in a tamper-proof format. Besides secure key storage, another important aspect of key management is secure delivery of generated keys to their users.
See Also key (cryptography) ,public key cryptography ,public key infrastructure (PKI) ,smart card
A pair of keys generated for an individual, system, or organization within a public key cryptography system.
Overview
Public key systems always generate keys in pairs that consist of a private and a public key. The private key belongs to the user alone and must be kept secret and carefully guarded. Should a user's private key be compromised, it must immediately be revoked. Otherwise, the user's identity could be forged for e-mail, document signing, and other purposes, damaging the user's reputation and hurting the company.
By contrast, a user's public key is available to anyone who requests it. If a message is encrypted with someone's private key, it can be decrypted by the message recipient using the sender's public key. This is possible because each pair of private and public keys is bound together by a specific mathematical relationship.
See Also encryption , public key cryptography
An entity within the Microsoft Windows registry that can contain subkeys and values.
Overview
Registry keys are used to name and identify collections of registry values and to organize the registry into a hierarchical structure. Registry keys are thus analogous to directories in a file system; in fact, keys are displayed as folders by the Registry Editor just as directories are displayed in Windows Explorer.
Key (registry). The Control key as displayed by the Windows 2000 Registry Editor (Regedt32.exe).
The screen capture shows the Control key being displayed, which contains value entries (in the right pane) and subkeys (the series of items under it in the left pane). The Control key itself is a subkey of the CurrentControlSet key.
See Also hive ,registry
Stands for knowledge management, a business strategy for using software to make all the knowledge contained in an enterprise easily accessible.
See Also knowledge management (KM)
A feature of Active Directory directory service that ensures that directory replication takes place properly.
Overview
The Knowledge Consistency Checker (KCC) is an Active Directory process running on each domain controller within a Microsoft Windows 2000 network. The KCC generates a map of the replication topology for the network, enabling domain controllers to find and replicate with each other efficiently in order to ensure that information within Active Directory is up-to-date everywhere throughout the enterprise.
Implementation
The KCC is implemented as a dynamic-link library (DLL) that runs in the background every 15 minutes to generate and maintain the replication topology. Should a domain controller become unavailable for any reason, the KCC detects this change and modifies the topology to ensure that replication still takes place effectively and all domain controllers in the forest are properly synchronized.
The KCC manages the replication topology by creating connection objects between domain controllers. Replication topology is established at two different levels: forest-wide and domain-wide. Although the KCC runs automatically in the background and has no user interface, you can manually force the KCC to update the replication topology by using the Active Directory Sites and Services console. You might do this, for example, when you take down a DC for maintenance.
See Also Active Directory ,Active Directory Sites and Services ,directory replication (Windows 2000 and Windows .NET Server) ,domain controller
A business strategy for using software to make all the knowledge contained in an enterprise easily accessible.
Overview
Knowledge management (KM) is used to refer both to a business goal and to various software applications used to reach this goal. KM's goal is to provide mechanisms for searching, retrieving, and analyzing all the different kinds of information found in today's commercial enterprise. These sources of information can include relational databases, file servers, e-mail servers, intranet and corporate Web sites, Enterprise Resource Planning (ERP) applications, Customer Relationship Management (CRM) applications, and other repositories of business information.
The first applications that performed limited KM functions were corporate portals, which focused mainly on consolidating databases, documents, and Web pages to make them easily accessible. Over the last few years, these portals have evolved into a new type of tool, the Enterprise Information Portal (EIP), which provides access to information stored in ERP and CRM systems. EIPs, however, have difficulty managing unstructured data such as documents stored on file servers and e-mail servers. As a result, a new type of portal has evolved called the Enterprise Knowledge Portal (EKP), which not only can consolidate information from both structured and unstructured sources but also can employ user profiles to dynamically push data to users who need it. EKPs employ Business Intelligence (BI) software that can turn raw corporate data into helpful knowledge upon which companies can base business decisions.
See Also Enterprise Information Portal (EIP) ,Enterprise Knowledge Portal (EKP) ,enterprise resource planning (ERP) ,intranet ,portal ,Web server
Stands for Keyboard Video Mouse switch, a device that allows several computers to be controlled from a single keyboard, mouse, and monitor.
See Also Keyboard Video Mouse (KVM) switch
