| Access control list (ACL) | A mechanism that implements access control for a system resource by listing the identities of the system entities that are permitted to access the resource. | Access control service | A security service that provides protection of system resources against unauthorized access. The two basic mechanisms for implementing this service are ACLs and tickets. |
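The access-control-list mechanism defined above is easiest to reason about with the evaluation rules spelled out in code. The following is an added example, not part of the glossary: a small Windows-style DACL check in Python. The access-mask bits (READ, WRITE, DELETE), the trustee names, and the sample DACL are constructed for the demonstration; real ACEs carry SIDs rather than names.

```python
"""Evaluate a Windows-style discretionary ACL (DACL) against an access token.

Added example, not from the glossary. The access-mask bits and trustee
names are illustrative (real ACEs carry SIDs such as S-1-5-21-...), and
the DACL below is constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

READ, WRITE, DELETE = 0x1, 0x2, 0x4      # hypothetical access-mask bits


@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # user or group the ACE applies to
    mask: int       # access bits granted or denied


def access_check(dacl: Optional[List[Ace]], token: FrozenSet[str], requested: int) -> bool:
    """Return True if every requested bit is granted.

    Follows the Windows access-check rules: a NULL (absent) DACL grants
    everything, an empty DACL grants nothing, and ACEs are evaluated in
    order until all requested bits are granted or a matching deny ACE
    covers a bit that is still outstanding. Order therefore matters.
    """
    if dacl is None:
        return True                       # NULL DACL: object is unprotected
    outstanding = requested
    for ace in dacl:
        if outstanding == 0:
            break
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & outstanding:
            return False                  # deny hits a right not yet granted
        if ace.kind == "allow":
            outstanding &= ~ace.mask
    return outstanding == 0


def canonical(dacl: List[Ace]) -> List[Ace]:
    """Canonical order for explicit ACEs: denies before allows, as the
    Windows ACL editors write them. sorted() is stable, so ACEs of the same
    kind keep their relative order."""
    return sorted(dacl, key=lambda ace: 0 if ace.kind == "deny" else 1)


# Constructed DACL: contractors may read but never write or delete.
DACL = canonical([
    Ace("allow", "Domain Users", READ),
    Ace("allow", "Editors", READ | WRITE),
    Ace("deny", "Contractors", WRITE | DELETE),
])


def demo() -> dict:
    editor = frozenset({"Domain Users", "Editors"})
    contractor = frozenset({"Domain Users", "Editors", "Contractors"})
    # Same intent, but the deny is placed after the allow it should override:
    non_canonical = [Ace("allow", "Editors", WRITE), Ace("deny", "Contractors", WRITE)]
    return {
        "editor_write": access_check(DACL, editor, WRITE),
        "contractor_write": access_check(DACL, contractor, WRITE),
        "contractor_read": access_check(DACL, contractor, READ),
        "empty_dacl_read": access_check([], editor, READ),
        "null_dacl_delete": access_check(None, frozenset(), DELETE),
        "non_canonical_contractor_write": access_check(non_canonical, contractor, WRITE),
    }
```

The last entry of demo() is the practitioner's caveat: a deny ACE written after the allow it is meant to override never fires once the requested bits are granted, which is why tools that write ACLs by hand must keep canonical order.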
| Active Directory (AD) | The Windows Server 2003 directory service that replaces the flat Windows NT domain structure. Active Directory forms the basis for centralized network management on Windows Server 2003 networks, providing a hierarchical view of network resources. | Active Directory Service Interfaces (ADSI) | A directory service model implemented as a set of COM interfaces. ADSI allows Windows applications, including scripts written in languages such as VBScript, to access Active Directory and other directory services through a common set of objects. |
| Active Directory Users and Computers | The primary systems administrator utility for managing users, groups, and computers in a Windows Server 2003 domain, implemented as a Microsoft Management Console (MMC) snap-in. | Advanced Encryption Standard (AES) | A symmetric encryption algorithm accepted by the National Institute of Standards and Technology (NIST) as the result of a public competition. The Rijndael algorithm, designed by the Belgian cryptographers Joan Daemen and Vincent Rijmen, was selected as AES, which is generally regarded as the successor to the Data Encryption Standard (DES). |
| Algorithm | A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer. | application data partition | A partitioned section of Active Directory that is replicated only to specified domain controllers. Application data partitions are used by applications to store their application-specific data. |
| assigned applications | Through the Software Installation utility in Group Policy, administrators can assign applications to users and computers. Assigned applications are always available to the user, even if the user attempts to uninstall them. Applications assigned to a computer are installed automatically on the next restart. | Asymmetric cryptography | Also called public key cryptography: a branch of cryptography in which the algorithms use a pair of keys (a public key and a private key) and apply a different member of the pair at different steps, for example encrypting with the public key and decrypting with the private key. |
| asynchronous processing | Occurs when one task starts without waiting for another task to finish. In the context of Group Policy scripts, it means that a user logon script can begin running before the computer startup script has completed; synchronous processing forces each task to finish before the next begins. Whether startup and logon scripts run synchronously or asynchronously is controlled by Group Policy settings. | attribute | The basic unit of an object, an attribute is a single property defined in the schema that, through its values, describes the object. For example, an attribute of a standard user account is the account name. |
| auditing | A security process that tracks the usage of selected network resources, typically storing the results in a log file. | authentication | The process by which a user's logon credentials are validated by a server so that access to a network resource can be granted or denied. |
| authorization | The process of granting or denying a user, group, or computer access to network resources through permissions and user rights. | automatic updates services | Enables operating system updates to be downloaded and installed automatically. This ensures that systems stay up-to-date with the latest updates. |
| backup domain controller (BDC) | A Windows NT 3.x or 4.0 server that contains a backup read-only copy of the domain security accounts manager (user account and security information). BDCs take the load off the primary domain controller (PDC) by servicing logon requests. Periodic synchronizing ensures that data between the PDC and BDCs remains consistent. | Bandwidth | Commonly used to mean the capacity of a communication channel to pass data through the channel in a given amount of time. Usually expressed in bits per second. |
| baseline | A term associated with performance monitoring, a baseline is the initial result of monitoring typical network and server performance under a normal load, and all future results are measured against the baseline readings. A baseline will typically have performance readings for the processor(s), memory, disk subsystem, and network subsystem. | Bit | The smallest unit of information storage; a contraction of the term "binary digit"; one of two symbols - "0" (zero) and "1" (one) - that are used to represent binary numbers. |
| bridgehead server | The contact point for the exchange of directory information between Active Directory sites. | Browser | A client computer program that can retrieve and display information from servers on the World Wide Web. |
| Brute force | A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one by one. | Buffer overflow | A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent memory, corrupting or overwriting the valid data held there. By supplying specially crafted data an attacker can change the execution flow of the target program and cause unauthorized code to run. |
| Byte | A fundamental unit of computer storage; the smallest addressable unit in a computer's architecture. Usually holds one character of information and usually means eight bits. | Cache | Pronounced "cash", a special high-speed storage mechanism. It can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in computers: memory caching and disk caching. The same word is also used to denote the temporary storage of various parameters by network devices, such as the DNS cache (used to store name to IP address mappings for a certain time) or the ARP cache (used to store associations between hardware or MAC addresses and IP addresses). |
| caching-only server | A form of a DNS server that is not responsible for maintaining or updating any zone information. It simply resolves name requests to IP addresses on behalf of DNS clients and caches the results. | capture filter | Filter configured within Network Monitor to specify the type of traffic that should be captured for analysis. |
| CERT/CC | An organization that studies computer and network INFOSEC in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security. | Certificate Authority (CA) | A trusted authority either within a network or a third-party company that manages security credentials such that it guarantees the user object that holds a certificate is who it claims to be. |
| Challenge Handshake Authentication Protocol (CHAP) | An authentication protocol that proves knowledge of a shared secret without transmitting it. The server sends a random challenge; the client returns the Message Digest 5 (MD5) hash of the message identifier, the secret, and the challenge; the server recomputes the hash with its copy of the secret and compares. Random, non-repeating challenges prevent replay of a captured response, but a captured challenge/response pair can still be attacked offline by guessing the secret. | checkpoint file | Indicates the location of the last information successfully written from the transaction logs to the database. In a data-recovery scenario, the checkpoint file indicates where the recovery or replaying of data should begin. |
| Checksum | A value that is computed by a function that is dependent on the contents of a data object and is stored or transmitted together with the object, for the purpose of detecting changes in the data. | Cipher | A cryptographic algorithm for encryption and decryption. |
| circular logging | When a log file fills up, it is overwritten with new data rather than a new log file being created. This conserves disk space but can result in data loss in a disaster-recovery scenario. | Client | A system entity that requests and uses a service provided by another system entity, called a "server". In some cases, the server may itself be a client of some other server. |
| Computer Configuration | The portion of a Group Policy Object that allows for computer policies to be configured and applied. | Computer network | A collection of host computers together with the sub-network or inter-network through which they can exchange data. |
| connection object | An Active Directory object stored on domain controllers that is used to represent inbound replication links. Domain controllers create their own connection objects for intrasite replication through the Knowledge Consistency Checker (KCC), whereas only a single domain controller in a site creates connection objects for intersite replication, through the Intersite Topology Generator. | container | An object in Active Directory that is capable of holding other objects. An example of a container would be the Users folder in Active Directory Users and Computers. |
| convergence | The process of stabilization after network changes occur. Often associated with routing or replication, convergence ensures each router or server contains consistent information. | Corruption | A threat action that undesirably alters system operation by adversely modifying system functions or data. |
| counters | The metrics used in performance monitoring, counters are what you are actually monitoring. An example of a counter for the Processor object would be % Processor Time. | Cryptanalysis | The mathematical science that deals with the analysis of a cryptographic system in order to gain the knowledge needed to break or circumvent the protection that the system is designed to provide. In other words, converting cipher text to plaintext without knowing the key. |
| Cryptographic algorithm or hash | An algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms. | Cyclic Redundancy Check (CRC) | Sometimes called "cyclic redundancy code". A type of checksum algorithm that is not a cryptographic hash but is used to implement a data integrity validation service where accidental changes to data are expected (line noise, disk errors). Because a CRC is linear and involves no secret, it offers no protection against deliberate modification: an attacker who alters the data can recompute, or even predict, the matching CRC. A keyed message authentication code or a digital signature is required for that. |
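The difference between a checksum such as CRC-32 and a keyed integrity check is the security-relevant point of the two entries above. The following is an added example, not part of the glossary: Python code that tampers with a message and fixes up its CRC-32 without ever seeing the original bytes (the property behind the WEP integrity flaw), then shows that an HMAC over the same message cannot be fixed up without the key. MESSAGE, TAMPERED and DEMO_KEY are constructed for the demonstration.

```python
"""CRC-32 as an integrity check: it catches accidental corruption, but an
attacker can predict and fix up the checksum of a tampered message.

Added example, not from the glossary. MESSAGE, TAMPERED and DEMO_KEY are
constructed for the demonstration.
"""
import hashlib
import hmac
import zlib

MESSAGE = b"PAY 0100 USD TO ALICE"   # constructed sample record
TAMPERED = b"PAY 9900 USD TO ALICE"  # same length, amount changed
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def crc32(data: bytes) -> int:
    """Standard CRC-32 (the variant used by zip, PNG, Ethernet and WEP)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def predict_crc_after_xor(original_crc: int, delta: bytes) -> int:
    """CRC of (message XOR delta), computed WITHOUT knowing the message.

    CRC-32 is affine over GF(2): for equal-length a, b, c
        crc(a ^ b ^ c) == crc(a) ^ crc(b) ^ crc(c).
    With c the all-zero string this yields crc(m ^ delta) from crc(m) alone.
    An attacker who can flip ciphertext bits under a stream cipher (as in
    WEP) can therefore flip the checksum bits to match, and the receiver
    accepts the altered frame as intact.
    """
    return original_crc ^ crc32(delta) ^ crc32(bytes(len(delta)))


def crc_fixup_succeeds() -> bool:
    """Blind tamper: the predicted CRC equals the real CRC of the new message."""
    delta = xor_bytes(MESSAGE, TAMPERED)          # the bit flips to apply
    predicted = predict_crc_after_xor(crc32(MESSAGE), delta)
    return predicted == crc32(xor_bytes(MESSAGE, delta))


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed integrity check: HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_detects_tamper() -> bool:
    """Without the key the attacker cannot produce a valid tag for TAMPERED."""
    tag = mac(DEMO_KEY, MESSAGE)                   # tag sent with the message
    return not hmac.compare_digest(tag, mac(DEMO_KEY, TAMPERED))
```

The design point: an unkeyed checksum answers "did this change by accident?", a MAC answers "did this change at all?", and only the second question matters against an adversary.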
| Daemon | A program that is usually started when the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards requests to other programs (or processes) as appropriate. The term daemon comes from UNIX, but many other operating systems provide support for daemons, though they are sometimes called other names; Windows, for example, implements the equivalent as services. | Data Encryption Standard (DES) | A widely used symmetric block cipher that encrypts 64-bit blocks under a 56-bit secret key, giving exactly 2^56 (about 72 quadrillion) possible keys. Like other symmetric methods, both the sender and the receiver must know and use the same secret key. The 56-bit key space is small enough to be searched exhaustively with modern hardware, which is why AES succeeded DES as the standard encryption algorithm. |
| DCPROMO | The command-line utility used to promote a Windows Server 2003 system to a domain controller. DCPROMO could also be used to demote a domain controller to a member server. | delegation | The process of off-loading the responsibility for a given task or set of tasks to another user or group. Delegation in Windows Server 2003 usually involves granting permission to someone else to perform a specific administrative task such as creating computer accounts. |
| Denial of service | The prevention of authorized access to a system resource or the delaying of system operations and functions. | Device Manager | A tool included with Windows Server 2003 that can be used to manage hardware as well as troubleshoot hardware problems. |
| DHCP clients | Clients configured to automatically obtain an IP address from a DHCP server. By default, Windows 2000, Windows XP, and Windows Server 2003 clients are configured as DHCP clients. | DHCP database | Database that stores information about client leases. |
| Dictionary attack | An attack that uses a brute-force technique of successively trying all the words in some large, exhaustive list. For example, an attack on an authentication service by trying all possible passwords; or an attack on encryption by encrypting some known plaintext phrase with all possible keys so that the key for any given encrypted message containing that phrase may be obtained by lookup. | Diffie-Hellman | A key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman. Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography. |
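The CHAP entry above describes the challenge/response computation, and the dictionary-attack entry describes what an eavesdropper can do with a captured exchange. The following is an added example, not part of the glossary, covering both: a Python implementation of the RFC 1994 response (MD5 over identifier, secret and challenge), the server-side verification, and the offline dictionary attack that recovers a weak secret from one sniffed exchange. SECRET, CHALLENGE, IDENTIFIER and WORDLIST are constructed for the demonstration.

```python
"""CHAP (RFC 1994) response computation, and the offline dictionary attack
that a captured challenge/response pair is exposed to.

Added example, not from the glossary. SECRET, CHALLENGE, IDENTIFIER and
WORDLIST are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

SECRET = b"Summer2003"                 # constructed shared secret (a weak one)
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed
IDENTIFIER = 0x2A                      # Identifier byte from the Challenge packet
WORDLIST = [b"password", b"letmein", b"Winter2002", b"Summer2003", b"hunter2"]


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_server_verify(identifier: int, secret: bytes, challenge: bytes,
                       response: bytes) -> bool:
    """Server side: recompute with the stored secret, compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret: bytes, challenge: Optional[bytes] = None) -> Tuple[bytes, bytes, bool]:
    """Run one exchange; returns (challenge, response, accepted).
    A fresh random challenge per exchange is what defeats simple replay."""
    challenge = challenge if challenge is not None else os.urandom(16)
    response = chap_response(IDENTIFIER, secret, challenge)     # client side
    accepted = chap_server_verify(IDENTIFIER, secret, challenge, response)
    return challenge, response, accepted


def dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                      wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline: an eavesdropper holding the sniffed exchange tries candidate
    secrets at MD5 speed, with no further contact with the server and no
    lockout to slow it down."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def demo() -> dict:
    challenge, response, accepted = chap_exchange(SECRET, CHALLENGE)
    wrong = chap_server_verify(IDENTIFIER, b"Winter2002", challenge, response)
    recovered = dictionary_attack(IDENTIFIER, challenge, response, WORDLIST)
    return {"accepted": accepted, "wrong_secret_accepted": wrong, "recovered": recovered}
```

The attack works regardless of how strong MD5 is: the response is an unsalted, unkeyed function of a human-chosen secret, so the only defence is a secret that is not in any word list, or a method such as EAP-TLS that does not rest on a password at all.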
| Digital certificate | A digital certificate is an electronic "driver's license" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority. It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. | Digital Signature Algorithm (DSA) | An asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified. |
| Digital Signature Standard (DSS) | The U.S. Government standard that specifies the Digital Signature Algorithm (DSA), which involves asymmetric cryptography. | directory | A database that contains any number of different types of data. In Windows Server 2003, the Active Directory is a database that contains information about objects in the domain, such as computers, users, groups, and printers. |
| Directory Service (DS) | Provides the methods of storing directory data and making that data available to other directory objects. A directory service makes it possible for users to find any object in the directory given any one of its attributes. | Directory System Agent (DSA) | Makes data within Active Directory accessible to applications that want it, acting as a liaison between the directory database and the applications. |
| disk quota | An administrative disk space limitation set on the server storage space, on a per volume basis, that can be used by any particular user. | display filter | Filter configured within Network Monitor after data has been captured to specify the type of traffic to display. |
| Disruption | A circumstance or event that interrupts or prevents the correct operation of system services and functions. | distinguished name | The name that uniquely identifies an object in the directory. A distinguished name is composed of the object's relative distinguished name, the containers that hold it, and the domain name expressed as domain components. An example would be CN=WWillis,CN=Users,DC=inside-corner,DC=com, which refers to the WWillis user account in the Users container of the inside-corner.com domain. |
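Distinguished names are built from untrusted input (account names, display names) often enough that their escaping rules matter. The following is an added example, not part of the glossary: a Python parser for DN strings following RFC 4514 (comma-separated RDNs, '+' for multi-valued RDNs, backslash and hex escapes) and the matching escaper, used to show why a name containing a comma must be escaped before it is joined into a DN. The account names in the demo are constructed; the DN shape follows the Active Directory convention shown in the entry above.

```python
"""Parse and build LDAP distinguished names with RFC 4514 escaping.

Added example, not from the glossary. The account names in the demo are
constructed; the DN shape follows the Active Directory convention
CN=<object>,CN=<container>,DC=<domain>,DC=<tld>.
"""
import re

_HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn):
    """Split a DN into RDNs, left to right; each RDN is a list of
    (attribute type, value) pairs and '+' joins multi-valued RDNs.
    '\\x' yields a literal x, '\\XX' a hex byte (decoded as UTF-8).
    An RDN with no '=' raises ValueError rather than being merged into
    its neighbour, so a stray comma in a value is caught, not absorbed."""
    rdns, rdn, attr, value = [], [], [], []
    pending = bytearray()        # bytes from consecutive \XX escapes
    in_value = False

    def flush():
        if pending:
            (value if in_value else attr).append(pending.decode("utf-8"))
            pending.clear()

    def end_pair():
        flush()
        rdn.append(("".join(attr).strip(), "".join(value)))
        attr.clear()
        value.clear()

    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and _HEXPAIR.fullmatch(pair):
                pending.append(int(pair, 16))
                i += 3
                continue
            if i + 1 >= n:
                raise ValueError("dangling escape at end of DN")
            flush()
            (value if in_value else attr).append(dn[i + 1])
            i += 2
            continue
        if c == "=" and not in_value:
            in_value = True
        elif c in ",;+":
            if not in_value:
                raise ValueError("RDN without '=' before position %d" % i)
            end_pair()
            in_value = False
            if c != "+":
                rdns.append(list(rdn))
                rdn.clear()
        else:
            flush()
            (value if in_value else attr).append(c)
        i += 1
    if n == 0:
        return []
    if not in_value:
        raise ValueError("DN does not end in an attribute value")
    end_pair()
    rdns.append(list(rdn))
    return rdns


def escape_dn_value(value):
    """RFC 4514 2.4: escape , + " \\ < > ; anywhere, '#' and space at the
    start, space at the end, and NUL as \\00."""
    out, last = [], len(value) - 1
    for idx, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and idx in (0, last):
            out.append("\\ ")
        elif ch == "#" and idx == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Inverse of parse_dn."""
    return ",".join("+".join("%s=%s" % (t, escape_dn_value(v)) for t, v in rdn)
                    for rdn in rdns)


def is_well_formed(dn):
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


USERS_CONTAINER = [[("CN", "Users")], [("DC", "inside-corner")], [("DC", "com")]]


def user_dn(name):
    """Safe: the untrusted name is escaped before it is joined into the DN."""
    return build_dn([[("CN", name)]] + USERS_CONTAINER)


def naive_user_dn(name):
    """Unsafe: plain concatenation; a comma in the name injects an RDN."""
    return "CN=%s,CN=Users,DC=inside-corner,DC=com" % name
```

A display name such as "Willis, W" is legal in a directory; fed through naive_user_dn it produces a DN with an RDN that has no attribute type, which this parser rejects and a lenient one would silently misread, while user_dn escapes the comma and round-trips cleanly.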
| Distributed File System (Dfs) | A Windows Server 2003 service that allows resources from multiple server locations to be presented through Active Directory as a contiguous set of files and folders, resulting in more ease of use of network resources for users. | distribution group | An Active Directory group of user accounts, or other groups, that is used strictly for E-mail distribution. A distribution group cannot be used for granting permissions to resources. That type of group is called a security group. |
| domain | A logical grouping of Windows Server 2003 computers, users, and groups that share a common directory database. Domains are defined by an administrator. | domain controller | Computers that are used for storing directory data, user authentication, and directory searches. A computer can be configured as a domain controller by installing Active Directory. |
| domain controller (DC) | A server that is capable of performing authentication. In Windows Server 2003, a domain controller holds a copy of the Active Directory database. | domain functional level | Windows Server 2003 domains can operate at one of four functional levels: Windows 2000 mixed mode, Windows 2000 native mode, the Windows Server 2003 interim level, or the Windows Server 2003 functional level. Each functional level has different trade-offs between features and limitations. |
| domain local group | A domain local group can contain other domain local groups from its own domain, as well as global groups from any domain in the forest. A domain local group can be used to assign permissions for resources located in the same domain as the group. | Domain name | The human-readable name that locates an Internet resource. For example, as of this writing, the name "www.sans.org" locates an Internet address for "sans.org" at IP address 167.216.198.40 and a particular host server named "www.sans.org" at IP address 65.173.218.106. The "org" part of the domain name reflects the purpose of the organization or entity (in this example, "organization") and is called the top-level domain. The "sans" part identifies the organization or entity and, together with the top-level domain, is called the second-level domain name. |
| Domain Name System (DNS) | A hierarchical name-resolution system that resolves host names into IP addresses, and vice versa. DNS also makes it possible for the distributed Active Directory database to function, by allowing clients to query the locations of services in the forest and domain. | Domain Naming Master | One of the two forestwide Flexible Single Master Operations (FSMO) roles, the Domain Naming Master's job is to ensure domain name uniqueness within a forest. |
| Dynamic Domain Name System (DDNS) | An extension of DNS that allows Windows 2000 and Windows XP Professional systems to automatically register their A records with DNS at the time they obtain an IP address from a DHCP server. | Dynamic Host Configuration Protocol (DHCP) | A protocol used to dynamically assign IP addresses to devices on a network. It can also be used to provide DHCP clients with optional parameters such as the IP address of the default gateway. DHCP in Windows Server 2003 can be integrated with DNS. |
| dynamic update | Feature that enables a DNS client to automatically register and update its own host record with a DNS server. It can be used in conjunction with DHCP so that clients can update their resource records when IP addresses change. | Encapsulation | The inclusion of one data structure within another structure so that the first data structure is hidden for the time being. |
| Encryption | Cryptographic transformation of data (called "plaintext") into a form (called "cipher text") that conceals the data's original meaning to prevent it from being known or used. | enrollment agent certificate | A special certificate issued by a CA that grants the owner of the certificate the authority to enroll users into advanced security and issue certificates on behalf of the users. |
| enrollment station | This station is the physical workstation or server where the enrollment agent certificate is installed and used by the authorized person to enroll users and issue certificates. | Ethernet | The most widely installed LAN technology. Specified in the IEEE 802.3 standard, an Ethernet LAN typically uses coaxial cable or special grades of twisted pair wires. Devices are connected to the cable and compete for access using the CSMA/CD (Carrier-Sense Multiple-Access / Collision Detect) protocol. |
| Event Viewer | The tool used to view the contents of the Windows Server 2003 log files. | Exposure | A threat action whereby sensitive data is directly released to an unauthorized entity. |
| Extensible Authentication Protocol (EAP) | A framework that supports multiple, optional authentication mechanisms for PPP, including clear-text passwords, challenge-response, and arbitrary dialog sequences. | Extensible Storage Engine (ESE) | The Active Directory database engine, ESE is an improved version of the older Jet database technology. The ESE database uses the concept of discrete transactions and log files to ensure the integrity of Active Directory. Each request to the DSA to add, modify, or delete an object or attribute is treated as an individual transaction. As these transactions occur on each domain controller, they are recorded in a series of log files that are associated with each Ntds.dit file. |
| external trust | A trust relationship created between a Windows Server 2003 Active Directory domain and a Windows NT 4 domain, or between Active Directory domains in different forests. | File Replication Service (FRS) | A service that provides multimaster replication between specified domain controllers within an Active Directory tree. |
| File Transfer Protocol (FTP) | A TCP/IP protocol specifying the transfer of text or binary files across the network. FTP uses two communication channels: a command (control) channel on TCP port 21, and a separate data channel (TCP port 20 on the server in active mode, a negotiated port in passive mode). Credentials and file contents are sent in clear text. | Finger | A protocol to look up user information on a given host. A UNIX program that takes an e-mail address as input and returns information about the user who owns that e-mail address. On some systems, finger only reports whether the user is currently logged on. Other systems return additional information, such as the user's full name, address, and telephone number. Finger can also be used to retrieve the information on currently logged-in users. Of course, the user must first enter this information into the system. Many e-mail programs have a finger utility built into them. |
| Fingerprinting | Sending strange packets to a system in order to gauge how it responds to determine the operating system. | Firewall | A logical or physical discontinuity in a network to prevent unauthorized access to data or resources based on a security policy. |
| firewall | A hardware and software security system that functions to limit access to network resources across subnets. Typically a firewall is used between a private network and the Internet to prevent outsiders from accessing the private network and limiting what Internet services users of the private network can access. | flat namespace | A namespace that cannot be partitioned to produce additional domains. Windows NT 4 and earlier domains were examples of flat namespaces, as opposed to the Windows Server 2003 hierarchical namespace. |
| Flexible Single Master Operations (FSMO) | Five roles that are required by Windows Server 2003 not to follow the typical multimaster model, and instead are hosted on only a single domain controller in each domain, in the case of the Infrastructure Master, PDC Emulator, and RID Master, or on only a single domain controller in the forest, in the case of the Domain Naming Master and the Schema Master. | Flooding | An attack that attempts to cause a failure in (especially, in the security of) a computer system or other data processing entity by providing more input than the entity can process properly. |
| Folder Redirection | A Windows Server 2003 feature that allows special folders, such as My Documents, on local Windows XP Professional system hard drives to be redirected to a shared network location. | forest | A grouping of Active Directory trees that have a trust relationship between them. Forests can consist of a noncontiguous namespace and, unlike domains and trees, do not have to be given a specific name. |
| forest functional level | The three forest functional levels are Windows 2000, Windows Server 2003 interim, and Windows Server 2003. The default forest functional level is Windows 2000. When the forest functional level is raised to Windows Server 2003 interim or Windows Server 2003, advanced forestwide Active Directory features are available. | forest root | The first domain created in a forest. |
| forest trust | A trust relationship established between two Active Directory forests. | forward lookup query | A DNS name-resolution process by which a hostname is resolved to an IP address. |
| forward lookup zone | A forward lookup zone maps hostnames to IP addresses. When a client needs the IP address of a hostname, the information is retrieved from the forward lookup zone. | Fragmentation | The process of storing a data file in several "chunks" or fragments rather than in a single contiguous sequence of bits in one place on the storage medium. The term is also used to describe the splitting of network packets into smaller chunks to transmit over media supporting only smaller packet sizes. |
| fully qualified domain name (FQDN) | A DNS domain name that unambiguously describes the location of the host within a domain tree. An example of an FQDN would be the computer www.inside-corner.com. | functional level | A concept first introduced in Windows Server 2003 that determines what level of features and interoperability with other Windows operating systems is available in a domain or forest. In Windows 2000, functional levels were referred to as modes (mixed mode and native mode). |
| Global Catalog (GC) | Contains a partial replica of every Windows Server 2003 domain object within the Active Directory, enabling users to find any object in the directory. The partial replica contains the most commonly used attributes of an object, as well as information on how to locate a complete replica elsewhere in the directory, if needed. | Global Catalog server | The Windows Server 2003 server that holds the Global Catalog for the forest. |
| global group | A global group can contain users from the same domain that the global group is located in, and global groups can be added to domain local groups in order to control access to network resources. | globally unique identifier (GUID) | A 128-bit value used to identify objects such as Active Directory objects, hardware, and software components without a central registry; it is generated so that duplicates are practically impossible. A GUID is written as 32 hexadecimal digits in groups of eight, four, four, four, and twelve characters. For example, {15DEF489-AE24-10BF-C11A-00BB844CE637} is a valid format for a GUID (braces included). |
| GNU | GNU is a project to create a UNIX-like operating system that comes with source code that can be copied, modified, and redistributed. The GNU project was started in 1983 by Richard Stallman and others, who formed the Free Software Foundation. The project has produced many system utilities and application software used mainly on other UNIX systems. |
| gpresult | A command-line utility that displays information about the current effect Group Policy has had on the local computer and logged-in user account. | Group Policy | An administrative tool that can be used to administer various aspects of the client computing environment, from installing software to applying a standardized desktop. |
| Group Policy Editor | The Microsoft Management Console (MMC) snap-in that is used to modify the settings of a Group Policy Object. | Group Policy Object (GPO) | A collection of policies that apply to a specific target, such as the domain itself (Default Domain Policy) or an Organizational Unit (OU). GPOs are modified through the Group Policy Editor to define policy settings. |
| Hash function | An algorithm that computes a value based on a data object thereby mapping the data object to a smaller data object. | hierarchical namespace | A namespace, such as with DNS, that can be partitioned out in the form of a tree. This allows great flexibility in using a domain name because any number of subdomains can be created under a parent domain. |
| Hijack attack | A form of active wiretapping in which the attacker seizes control of a previously established communication association. | Honey pot | Programs that simulate one or more network services on a computer's ports. An entire machine containing such services is also called a honeypot. An attacker assumes that vulnerable services are running, which can be used to break into the machine. A honey pot can be used to log access attempts to those ports including the attacker's keystrokes. This could give you advanced warning of a more concerted attack. |
| Host | A computer system that is accessed by a user from a remote location, or a computer that is connected to a TCP/IP network, including the Internet. | HTTPS | When used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), this term specifies the use of HTTP enhanced by a security mechanism, usually SSL or its successor TLS. The communication over HTTPS is encrypted and the server is authenticated by its certificate. |
| Hybrid encryption | An application of cryptography that combines two or more encryption algorithms, particularly a combination of symmetric and asymmetric encryption. Hybrid encryption is used as part of SSL. | Hyperlink | In hypertext or hypermedia, an information object (such as a word, a phrase, or an image; usually highlighted by color or underscoring) that points (indicates how to connect) to related information that is located elsewhere and can be retrieved by activating the link. |
| Hypertext Markup Language (HTML) | The set of markup symbols or codes inserted in a file intended for display on a World Wide Web browser page. | Hypertext Transfer Protocol (HTTP) | The protocol in the Internet Protocol (IP) family used to transport hypertext documents across an internet. TCP port 80 is assigned to the HTTP protocol. |
| IMAP | IMAP (Internet Message Access Protocol) allows a client workstation to dynamically access a mailbox on a server host to retrieve mail messages that the server has received, create and manage multiple E-mail folders on the server, search in the remote mail folders, and perform other functions. IMAP on its own (TCP port 143) is a clear-text protocol; credentials and mail are protected only when it is wrapped in SSL/TLS (IMAPS, TCP port 993) or upgraded with STARTTLS. | Infrastructure Master | The per-domain FSMO role responsible for updating references to objects that live in other domains of the forest (for example, members of a group who belong to another domain) so that those references reflect renames and moves. There is one Infrastructure Master per domain; in a multi-domain forest it should not be placed on a Global Catalog server unless every domain controller in the domain is also a Global Catalog server. |
| inheritance | The process by which an object obtains settings information from a parent object. | Internet | A term describing the interconnection of multiple separate networks; capitalized, it refers to the global public network built on TCP/IP. |
| Internet Authentication Server (IAS) | Microsoft's version of a RADIUS server. To ease the administrative overhead of managing multiple RAS servers, you can implement a RADIUS server to centralize the authentication of remote access clients and the storage of accounting information. | Internet Protocol (IP) | The method or protocol by which data is sent from one computer to another on the Internet. |
| Internet Protocol security (IPsec) | An IETF standard for security at the network (packet) layer of network communication. IPsec provides data origin authentication, integrity, anti-replay protection and confidentiality for IP traffic; it does not provide non-repudiation. | Internet Standard | A specification, approved by the IESG (the Internet Engineering Steering Group) and published as an RFC, that is stable and well understood, is technically competent, has multiple, independent, and interoperable implementations with substantial operational experience, enjoys significant public support, and is recognizably useful in some or all parts of the Internet. |
| Intersite Topology Generator (ISTG) | The Windows Server 2003 server that is responsible for evaluating and creating the topology for intersite replication. | Intranet | A computer network, especially one based on Internet technology, that an organization uses for its own internal, and usually private, purposes and that is closed to outsiders. |
| Intrusion Detection System (IDS) | A security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). | IP address | A computer's inter-network address that is assigned for use by the Internet Protocol and other protocols. An IP version 4 address is written as a series of four 8-bit numbers separated by periods. |
| IP flood | A denial of service (DoS) attack that sends a host more ICMP (such as "ping"), UDP or TCP (such as SYN) packets than the protocol implementation can handle. | IP routing | Routing is the process of sending a packet from the source address to the destination address. Because all IP packets have a source and destination IP address, it is possible to deliver them to the proper location. |
| IP Security Monitor | Tool that can be used to validate that communications between hosts are indeed secure. It provides information such as which IPSec policy is active and whether a secure communication channel is being established between computers. | IP spoofing | The technique of making network communication look as if it originated at a different IP address. |
| IPSec | A set of protocols used to support the secure exchange of data at the IP layer using encryption. In Transport mode, only the data portion or payload is encrypted. In Tunnel mode, both the header and the payload are encrypted. | iterative query | With an iterative query, the DNS server uses zone information and its cache to return the best possible answer to the client. If the DNS server does not have the requested information, it can refer the client to another DNS server. |
| Just-In-Time (JIT) | Technology that allows software features to be updated at the time they are accessed. Whereas in the past missing application features would need to be manually installed, JIT technology allows the features to be installed on the fly as they are accessed, with no other intervention required. | Kerberos | A system developed at the Massachusetts Institute of Technology that depends on passwords and symmetric cryptography (DES) to implement a ticket-based, peer entity authentication service and access control service distributed in a client-server network environment. |
| Kernel | The essential center of a computer operating system, the core that provides basic services for all other parts of the operating system. A synonym is nucleus. A kernel can be contrasted with a shell, the outermost part of an operating system that interacts with user commands. Kernel and shell are terms used more frequently in UNIX and some other operating systems than in IBM mainframe systems or Windows systems. | Knowledge Consistency Checker (KCC) | A Windows Server 2003 service that functions to ensure consistent database information is kept across all domain controllers. It attempts to ensure that replication can always take place. |
| latency | The delay that occurs in replication from the time a change is made to one replica to the time that change is applied to all other replicas in the directory. | Layer 2 Tunneling Protocol (L2TP) | An extension of the Point-to-Point Tunneling Protocol used by an Internet service provider to enable the operation of a virtual private network over the Internet. |
| lease | DHCP clients can be assigned an IP address from a DHCP server. The lease duration determines the amount of time a client can use an IP address assigned from a DHCP server before it must be renewed. The default lease time in Windows Server 2003 is eight days. | Lightweight Directory Access Protocol (LDAP) | The Windows Server 2003 protocol that allows access to Active Directory. LDAP is an Internet standard for accessing directory services. |
| linked policy | A Group Policy that exists in one object and is linked to another object. Linked policies are used to reduce administrative duplication in applying the same policies to multiple OUs. | local area network (LAN) | A network where all hosts are connected over fast connections (4MBps or greater for Token Ring; 10MBps or better for Ethernet). LANs typically do not involve any outside data carriers (such as Frame Relay lines or T1 circuits) and are generally wholly owned by the organization. |
| local group | A security group that exists on a local workstation or server and is used for granting permissions to local resources. Typically, global groups from a domain are placed inside a local group to gain access to resources on a local machine. | Local Group Policy Objects | Objects that exist on the local Windows Server 2003 system. Site-, domain-, and OU-applied GPOs all take precedence over local GPOs. |
| MAC address | A physical address; a numeric value that uniquely identifies that network device interface from every other device on the planet. The MAC address is given to each network adapter card. The SAN fibre-interface version of the MAC address is the World Wide Name (WWN). | Malware (Malicious Software) | A generic term for a number of different types of malicious code, such as viruses (self-replicating code), worms, Trojans, logic bombs, etc. |
| Masquerade attack | A type of attack in which one system entity illegitimately poses as (assumes the identity of) another entity. | member server | A server that is a member of a domain but is not a domain controller. A Windows Server 2003 domain can have Windows NT, Windows 2000, and Windows Server 2003 member servers, regardless of the domain functional level. |
| Microsoft Management Console (MMC) | An extensible management framework that provides a common look and feel to all Windows Server 2003 utilities. | multihomed | A server that has two or more network cards is said to be multihomed. This allows a server either to function as a router or to belong to more than one subnet simultaneously. Alternatively, multiple network adapters can be used for load balancing or fault tolerance. |
| multimaster replication | A replication model in which any domain controller will replicate data to any other domain controller. This is the default behavior in Windows Server 2003. It contrasts with the single-master replication model of Windows NT 4, in which a PDC contained the master copy of everything and BDCs contained backup copies. | name resolution | The process of resolving a hostname into a format that can be understood by computers. This is typically resolving a DNS name or NetBIOS name to an IP address but could also be a MAC address on non-TCP/IP networks. |
| Multifactor Authentication | A combination of two or more mechanisms for authentication, e.g. a smart card and a password. | | |
| NetBIOS | An application programming interface (API) used on Windows NT 4 and earlier networks by services requesting and providing name resolution and network data management. | Netmask (network mask) | 32-bit number indicating the range of IP addresses residing on a single IP network/subnet/supernet. This specification displays network masks as hexadecimal numbers. For example, the network mask for a class C IP network is displayed as 0xffffff00. Such a mask is often displayed elsewhere in the literature as 255.255.255.0. |
| Network Address Translation | The translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. | Network Diagnostics | A support utility that can be used to identify and isolate connectivity and network problems. |
| Network Monitor | A tool included with Windows Server 2003 used to monitor and capture network traffic. It is useful for troubleshooting network problems. | network operating system (NOS) | A generic term that applies to any operating system with built-in networking capabilities. All Windows operating systems beginning with Windows 95 have been true network operating systems. |
| non-local Group Policy Objects | GPOs that are stored in Active Directory rather than on the local machine. These can be site-, domain-, or OU-level GPOs. | NSLOOKUP | A TCP/IP utility used in troubleshooting DNS name-resolution problems. |
| NTDSUTIL | A command-line utility that provides a number of Active Directory management functions. | NTFS | The Windows NT/2000 file system that supports a much more robust feature set than either FAT16 or FAT32 (which is used on Windows 9x). It is recommended to use NTFS whenever possible on Windows Server 2003 systems. |
| Null session | Known as Anonymous Logon, it is a way of letting an anonymous user retrieve information such as user names and shares over the network or connect without authentication to a Windows machine. It is used by applications such as explorer.exe to enumerate shares on remote Windows servers. | object | A distinct entity represented by a series of attributes within Active Directory. An object can be a user, computer, folder, file, printer, and so on. |
| object identifier | A number that uniquely identifies an object class or attribute. In the United States, the American National Standards Institute (ANSI) issues object identifiers, which take the form of an x.x.x.x dotted decimal format. Microsoft, for example, was issued the root object identifier of 1.2.840.113556, from which it can create further sub-object identifiers. | Octet | A sequence of eight bits. An octet is an eight-bit byte. |
| One-way encryption | Irreversible transformation of plaintext to cipher text, such that the plaintext cannot be recovered from the cipher text by other than exhaustive procedures even if the cryptographic key is known. It is used for the same purpose as a hash function. | One-way function | A (mathematical) function, f, that is easy to compute but for which, given a general value y in the range, it is computationally difficult to find a value x in the domain such that f(x) = y. There may be a few values of y for which finding x is not computationally difficult. |
| Open Shortest Path First (OSPF) | A routing protocol that uses the shortest path first or link-state routing algorithm. OSPF routers calculate the shortest path to each host and share that portion of the routing table. | OpenSSH | OpenSSH is a free open-source implementation of SSH client and server, which runs on many platforms. OpenSSH supports all the SSH protocol versions that commercial SSH supports and is fully interoperable with other SSH implementations. |
| Operations Master | A Windows Server 2003 domain controller that has been assigned one or more of the special Active Directory domain roles, such as Schema Master, Domain Naming Master, PDC Emulator, Infrastructure Master, and Relative Identifier (RID) Master. | Organizational Unit (OU) | An Active Directory container object that allows an administrator to logically group users, groups, computers, and other OUs into administrative units. |
| package | A collection of software compiled into a distributable form, such as a Windows Installer (.msi) package created with WinInstall. | Packet | A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams. |
| Pageant | This is an SSH authentication agent (included with the PuTTY SSH client) that keeps your private keys in memory so you do not have to enter your passphrase every time you log in to a server. | parent-child trust relationship | The relationship whereby a child object trusts its parent object, and the parent object is trusted by all child objects under it. Active Directory automatically creates two-way transitive trust relationships between parent and child objects. |
| Password sniffing | Passive wiretapping, usually on a local area network, to gain knowledge of passwords. Clear-text protocols such as telnet and FTP can be subject to password sniffing. | patching | The process of modifying or updating software packages. |
| PDC Emulator | The domain-level FSMO role that serves to replicate data with Windows NT 4 BDCs in a domain, in effect functioning as an NT 4 PDC. | Penetration | Gaining unauthorized logical access to sensitive data by circumventing a system's protections. |
| ping | A TCP/IP utility that tests for basic connectivity between the client machine running ping and any other TCP/IP host. | Plaintext | Ordinary readable text before being encrypted into ciphertext or after being decrypted. |
| Plink | This is a command line interface to PuTTY that can be used to create secure connections to SSH servers in scripts. | Point-to-Point Protocol (PPP) | A protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. It packages your computer's TCP/IP packets and forwards them to the server where they can actually be put on the Internet or any other untrusted TCP/IP network. |
| Point-to-Point Tunneling Protocol (PPTP) | A protocol (set of communication rules) that allows corporations to extend their own corporate network through private "tunnels" over the public Internet or any other untrusted TCP/IP network. | policy | Settings and rules that are applied to users or computers, usually Group Policy in Windows Server 2003 and System Policy in Windows NT 4. |
| Port scan | A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well-known" port number, the computer provides. Port scanning, a favorite approach of computer crackers, gives the assailant an idea where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed for weakness. | preferred bridgehead server | Rather than letting the KCC decide what server should be a bridgehead server, you can designate preferred bridgehead servers to be used if the primary goes down. Only one preferred bridgehead server can be active at a time. |
| Pretty Good Privacy (PGP) | Trademark of PGP, Inc., referring to a computer program (and related protocols) that uses public key and symmetric cryptography to provide data security for electronic mail and other applications on the Internet and on the host level. | primary domain controller (PDC) | A Windows NT 4 (and earlier) server that contains the master copy of the domain database and the only writable copy of the database. PDCs authenticate user logon requests and track security-related changes within the domain. |
| primary zone | Type of zone that maintains the master writable copy of the zone in a text file. An update to the zone must be performed from the primary zone. | Private addressing | IANA has set aside three address ranges for use by private or non-Internet connected networks. This is referred to as Private Address Space and is defined in RFC 1918. The reserved address blocks are: |
| Public key forward secrecy (PFS) | For a key agreement protocol based on asymmetric cryptography, the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future. | Public Key Infrastructure (PKI) | An industry standard technology that allows for the establishment of secure communication between hosts based on a public key/private key or certificate-based system. |
| published applications | Through the Software Installation utility in Group Policy, administrators can publish applications to users. Published applications appear in Add/Remove Programs and can be optionally installed by the user. | PuTTY | PuTTY is an open source Windows SSH and telnet client distributed under the MIT license and maintained by Simon Tatham. The package contains all of the necessary components required to connect to a machine running OpenSSH and runs on all versions of Windows starting at Windows 95. |
| PuTTYgen | This is a key generation utility that will create RSA1, DSA and RSA public/private key-pairs for authentication with all of the PuTTY components. | PuTTYtel | This is a telnet only client, included with the PuTTY package. |
| realm trust | A trust relationship in Windows Server 2003 that is created between an Active Directory domain and a UNIX realm. | recursive query | With a recursive query, the DNS client requires the DNS server to respond with either the IP address of the request or an error message that the requested name does not exist. |
| Registry | A data repository on each computer that contains information about that computer's configuration. The Registry is organized into a hierarchical tree and is made up of hives, keys, and values. | relative distinguished name (RDN) | The part of a DNS name that defines the host. For example, in the FQDN www.inside-corner.com, www is the relative distinguished name. |
| relative identifier (RID) | The part of the security identifier (SID) that uniquely identifies an account or group within a domain. | Remote Access Service (RAS) | Service that enables remote clients to dial into a Windows Server 2003 server and access network resources as though they were physically attached to the network. |
| replica | A copy of any given Active Directory object. Each copy of an object stored on multiple domain controllers is a replica. | replication | The process of copying data from one Windows Server 2003 domain controller to another. Replication is a process managed by an administrator and typically occurs automatically whenever changes are made to a replica of an object. |
| Request for Comments (RFCs) | Official documents that specify Internet standards for the TCP/IP protocol. | resource records | Standard database record types used in DNS zone database files. Common types of resource records include Address (A), Mail Exchanger (MX), Start of Authority (SOA), and Name Server (NS), among others. |
| Resultant Set of Policy (RSoP) | A Windows Server 2003 Group Policy tool that lets you simulate the effects of Group Policies without actually implementing them. RSoP has two modes: logging mode and planning mode. Logging mode determines the resultant effect of policy settings that have been applied to an existing user and computer based on a site, domain, or Organizational Unit. Planning mode simulates the resultant effect of policy settings that are applied to a user and computer. | return on investment (ROI) | A business term that seeks to determine the amount of financial gain that occurs as a result of a certain expenditure. Many IT personnel today are faced with the prospect of justifying IT expenses in terms of ROI. |
| reverse lookup query | A DNS name-resolution process by which an IP address is resolved to a hostname. | reverse lookup zone | This type of zone allows for reverse queries, or the mapping of an IP address back to a hostname. Reverse queries are often used when troubleshooting with the NSLookup command. |
| RID Master | The domain-level FSMO role that is responsible for managing pools of RIDs and ensuring that every object in the domain gets a unique RID. | Rivest-Shamir-Adleman (RSA) | An algorithm for asymmetric cryptography, invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. |
| Rootkit | A collection of tools (programs) that a hacker uses to mask intrusion and maintain administrator-level access to a computer or computer network after the compromise. Rootkits are most commonly seen on UNIX/Linux machines. | router | A dedicated network hardware appliance or a server running routing software and multiple network cards. Routers join dissimilar network topologies (such as Ethernet to Frame Relay) or simply segment networks into multiple subnets. |
| Routing Information Protocol (RIP) | A protocol that allows routers to exchange routing information. It is designed for use with small- to medium-size networks. RIP routers periodically exchange entire routing tables. | S/Key | A security mechanism that uses a cryptographic hash function to generate a sequence of 64-bit, one-time passwords for remote user login. The client generates a one-time password by applying the MD4 cryptographic hash function multiple times to the user's secret key. For each successive authentication of the user, the number of hash applications is reduced by one. |
| scalability | Measurement (often subjective) of how well a resource such as a server can expand to accommodate growing needs. | Scavenging | Searching through data residue (such as a swap file or unallocated disk space) in a system to gain unauthorized knowledge of sensitive data. |
| schema | In Active Directory, a schema is a description of object classes and the attributes that the object classes must possess and can possess. | Schema Master | The Windows Server 2003 domain controller that has been assigned the Operations Master role to control all schema updates within a forest. |
| scope | Determines the pool of IP addresses from which a DHCP server can assign IP addresses. Every DHCP server must be configured with at least one scope. | secondary zones | Zone type that stores a copy of an existing zone in a read-only text file. To create a secondary zone, the primary zone must already exist, and you must specify a master name server. This is the server from which the zone information is copied. |
| secure baseline | Establishes a set of rules or recommendations that outline the minimum acceptable security configuration for new installations. | Secure Shell (SSH) | A protocol for encrypted communication between two computers over a TCP/IP network, typically using TCP port 22. Also, an implementation of a telnet-like program utilizing the SSH protocol. |
| Secure Sockets Layer (SSL) | A protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using public key cryptography together with symmetric cryptography to encrypt data that's transferred over the SSL connection. The most common application of SSL is secure web access (HTTPS). | Security Configuration and Analysis | Windows Server 2003 includes a tool known as the Security Configuration and Analysis tool. Using this tool, you can analyze the current security state of a server or workstation by comparing the existing settings against an existing template. |
| security group | A type of group that can contain user accounts or other groups and can be used to assign levels of access (permissions) to shared resources. | security identifier (SID) | A number that uniquely identifies a user, group, or computer account. Every account is issued one when created, and if the account is later deleted and re-created with the same name, it will have a different SID. Once an SID is used in a domain, it can never be used again. |
| Security policy | A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources. | security templates | Collections of standard settings that can be applied administratively to give a consistent level of security to a system. |
| Server | A system entity that provides a service in response to requests from other system entities called clients. | Session hijacking | Taking over a session that someone else has established. |
| Session key | In the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be re-keyed frequently. | Shadow password files | A system file in which encrypted user passwords are stored on a UNIX system so that they are only available to the system administrator, i.e. root user. |
| Shell | A UNIX term for the interactive user interface with an operating system. The shell is the layer of programming that understands and executes the commands a user enters. In some systems, the shell is called a command interpreter. A shell usually implies an interface with a command syntax (think of the DOS operating system and its "C:>" prompts and user commands such as "dir" and "edit"), but a graphical user interface might also be called a "shell". | shortcut trust | A Windows Server 2003 trust relationship between two domains within the same forest. Shortcut trusts are used to reduce the path authentication needs to travel by directly connecting child domains. |
| Shutdown Event Tracker | This tool enables an administrator to monitor why users shut down or restart their computers. When Shutdown Event Tracker is enabled, users are prompted to provide a reason as to why they are shutting down or restarting a computer. The information is then recorded in the system log. | Signals analysis | Gaining indirect knowledge of communicated data by monitoring and analyzing a signal that is emitted by a system and that contains the data but is not intended to communicate the data. |
| single-instance store (SIS) | A RIS component that combines duplicate files to reduce storage requirements on the RIS server. | single-master operations | Certain Active Directory operations that are only allowed to occur in one place at any given time (as opposed to being allowed to occur in multiple locations simultaneously). Examples of single-master operations include schema modifications, PDC elections, and infrastructure changes. |
| site | A physical component of Active Directory. Sites are created for the purpose of balancing logon authentication with replication. They can have zero (in planning), one, or multiple IP subnets. These subnets should be well-connected with fast LAN links. | site link | A connection between sites, a site link is used to join multiple locations together. |
| site link bridge | A collection of site links that helps Active Directory work out the cost of replicating traffic from one point to another within the network infrastructure that is not directly connected by a single site link. By default, all site links are bridged, but this can be disabled in favor of manually configured site link bridges. | site link cost | A way for AD to determine what path to replicate traffic over on a routed network. The lower the cost, the more preferable it is for AD to use a particular site link. For example, if you have a T1 and an ISDN site link connecting the same sites, the T1 site link would have a lower cost than the ISDN site link, making it the preferred path for traffic. |
| slow link | A connection between sites that is not fast enough to provide full functionality in an acceptable timeframe. Site connections below 512KBps are defined as slow links in Windows Server 2003. | smartcard | A credit card-sized device that is used with an access code to enable certificate-based authentication and single sign-on to the enterprise. Smartcards securely store certificates, public and private keys, passwords, and other types of personal information. A smartcard reader attached to the computer reads the smartcard. |
| SMTP | Simple Mail Transfer Protocol (SMTP) is used to transfer email from the sender to the receiver. Usually, a workstation connects to an email server over SMTP and transfers the email. Then, the server uses SMTP to send the email to its destination. SMTP is a clear-text protocol. | snap-in | A component that can be added to or removed from a Microsoft Management Console (MMC) console to provide specific functionality. The Windows Server 2003 administrative tools are implemented as snap-ins. |
| Sniffing | A synonym for "passive wiretapping". | Social engineering | A euphemism for non-technical or low-technology means - such as lies, impersonation, tricks, bribes, blackmail, and threats - used to mislead personnel in order to get access to information systems and other resources. |
| Software | Computer programs (which are stored in and executed by computer hardware) and associated data (which also is stored in the hardware) that may be dynamically written or modified during execution. | Software Installation | A Group Policy component that allows administrators to optionally assign applications to be available to users and computers or publish applications to users. |
| Software Update Services (SUS) | One of the options now available for distributing updates. SUS consists of two components: the server and the client. The server (which can be running Windows 2000 or Windows Server 2003) downloads updates from Microsoft and stores them locally for clients to download without having to retrieve updates themselves from Windows Update servers on the Internet. | Source port | The port that a host uses to connect to a server. It is usually a number greater than or equal to 1024. It is randomly generated and is different each time a connection is made. |
| Spam | Electronic junk mail or junk newsgroup postings. | Split key | A cryptographic key that is divided into two or more separate data items that individually convey no knowledge of the whole key that results from combining the items. Split key is commonly used to avoid giving any single person complete control over the encryption key. |
| Spoof | Attempt by an unauthorized entity to gain access to a system by posing as an authorized user. | static IP address | Also called a static address, this is where a network device (such as a server) is manually configured with an IP address that doesn't change rather than obtaining an address automatically from a DHCP server. |
| Steganography | Methods of hiding the existence of a message or other data. This is different than cryptography, which hides the meaning of a message but does not hide the message itself. An example of a steganographic method is "invisible" ink. | store | Implemented using the Extensible Storage Engine, a store is the physical storage of each Active Directory replica. |
| stub zones | This type of zone is new in Windows Server 2003. A stub zone maintains only a list of authoritative name servers for a particular zone. The purpose of a stub zone is to ensure that DNS servers hosting a parent zone are aware of authoritative DNS servers for its child zones. | subnet | A collection of hosts on a TCP/IP network that are not separated by any routers. A basic corporate LAN with one location would be referred to as a subnet when it is connected by a router to another network, such as that of an Internet service provider. |
| Subnet mask (netmask) | A subnet mask (or number) is used to determine the number of bits used for the subnet and host portions of the address. In IPv4 networks, the mask is a 32-bit value that uses one-bits for the network and subnet portions and zero-bits for the host portion. | Switched network | A communications network, such as the public switched telephone network, in which any user may be connected to any other user through the use of message, circuit, or packet switching and control devices. Any network providing switched communications service. The term is also used to mean a "switch-based LAN" (as opposed to a hub-based shared LAN). |
| Symmetric cryptography | A branch of cryptography involving algorithms that use the same key for two different steps of the algorithm (such as encryption and decryption, or signature creation and signature verification). Symmetric cryptography is sometimes called "secret-key cryptography" (versus public key cryptography) because the entities that share the key must keep it secret. | Symmetric key | A cryptographic key that is used in a symmetric cryptographic algorithm. |
| SYN flood | A denial of service attack that sends a host more TCP SYN packets (request to synchronize sequence numbers, used when opening a connection) than the protocol implementation can handle. Unlike other types of flooding (such as ICMP or UDP flood), a SYN flood exhausts target host resources (in the form of a kernel connection table) rather than network bandwidth, allowing it to do more damage with a smaller number of packets. | synchronous processing | Synchronous processing occurs when one task does not wait for another to complete before it begins. Rather, the two run concurrently. This is typically associated with scripts in Windows Server 2003, such as a user logon script running without waiting for the computer startup script to finish. |
| System Information | This tool provides configuration information about the local computer or a remote computer. | System Monitor | A tool included with Windows Server 2003 that can be used to monitor the real-time performance of system components as well as services and applications. System Monitor can be used to collect and view real-time performance data, view data saved in a counter log, and present captured data using various views. |
| System Policies | System Policies are Windows NT 4 Registry-based policy settings that have largely been replaced in Windows Server 2003 by Group Policy. System Policies can still be created using poledit.exe, however, for backward compatibility with non-Windows Server 2003 clients. | System Security Officer (SSO) | A person responsible for enforcement or administration of the security policy that applies to the system. |
| Systems Management Server (SMS) | A product in Microsoft's BackOffice server line that provides more extensive software distribution, metering, inventorying, and auditing than is possible through Group Policy alone. | SYSVOL | A shared folder on an NTFS partition on every AD domain controller that contains information (scripts, Group Policy info, and so on) that is replicated to other domain controllers in the domain. The SYSVOL folder is created during the installation of Active Directory. |
| Tamper | To deliberately alter a system's logic, data, or control information to cause the system to perform unauthorized functions or services. | Task Manager | This tool can be used to view a variety of information about the local computer. Task Manager displays the applications and processes currently running, provides performance and network statistics, and shows any users currently connected to the computer. |
| TCP Wrappers | A software package which can be used to restrict access to certain network services based on the source of the connection on UNIX systems; a simple tool to monitor and control incoming network traffic. | TCP/IP | TCP/IP (Transmission Control Protocol/Internet Protocol) is the standard protocol for communicating on the Internet and is the default protocol in Windows Server 2003. |
| TELNET | A TCP-based, application-layer, clear-text (i.e. unencrypted) Internet Standard protocol for remote login from one host to another. | Threat | A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. |
| Threat vector | The method a threat uses to get to the target. | Time To Live (TTL) | The amount of time a packet destined for a host will exist before it is deleted from the network. TTLs are used to prevent networks from becoming congested with packets that cannot reach their destinations. |
| total cost of ownership (TCO) | A change and control management concept of which many IT professionals are being required to become more aware. TCO refers to the combined hard and soft costs (initial price and support costs) of owning a given resource. | transitive trust | An automatically created trust in Windows Server 2003 that exists between domain trees within a forest and domains within a tree. Transitive trusts are two-way trust relationships. Unlike with Windows NT 4, transitive trusts in Windows Server 2003 can flow between domains. This way, if Domain1 trusts Domain2, and Domain2 trusts Domain3, Domain1 automatically trusts Domain3. |
| Transmission Control Protocol (TCP) | A set of rules (protocol) used along with the Internet Protocol to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent. | Transport Layer Security (TLS) | A protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL). |
| tree | A collection of Windows Server 2003 domains that are connected through transitive trusts and share a common Global Catalog and schema. Domains within a tree must form a contiguous namespace. A tree is contained within a forest, and there can be multiple trees in a forest. | Triple DES | A block cipher, based on DES, that transforms each 64-bit plaintext block by applying the data encryption algorithm three successive times, using either two or three different 56-bit keys, for an effective key length of 112 or 168 bits. |
| Triple-wrapped | S/MIME usage: Data that has been signed with a digital signature, and then encrypted, and then signed again. | Trojan | Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious code. |
| Trojan horse | A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. | Tunnel | A communication channel created in a computer network by encapsulating a communication protocol's data packets in (on top of) a second protocol that normally would be carried above, or at the same layer as, the first one. Most often, a tunnel is a logical point-to-point link (i.e., an OSI layer 2 connection) created by encapsulating the layer 2 protocol in a transport protocol (such as TCP), in a network or inter-network layer protocol (such as IP), or in another link layer protocol. Tunneling can move data between computers that use a protocol not supported by the network connecting them. |
| Uniform Resource Locator (URL) | The global address of documents and other resources on the World Wide Web. The first part of the address indicates what protocol to use, and the second part specifies the IP address or the domain name where the resource is located. For example, http://www.pcwebopedia.com/index.html. | universal group | An Active Directory security group that can be used anywhere within a domain tree or forest, the only caveat being that universal groups can only be used when an Active Directory domain has been converted to native mode. |
| universal group caching | A feature that can be used once a domain has been raised to the Windows Server 2003 functional level. Universal group caching allows users in universal groups to log on without the presence of a GC server. | UNIX | A popular multi-user, multitasking operating system developed at Bell Labs in the early 1970s. Created by just a handful of programmers, UNIX was designed to be a small, flexible system used exclusively by programmers, but quickly grew to worldwide acceptance. |
| Update Sequence Number (USN) | A 64-bit number that keeps track of changes as they are written to copies of the Active Directory. As changes are made, this number increments by one. Every attribute in Active Directory has a USN value. | UPN suffix | The part of the user principal name (UPN) that comes after the @ symbol and is typically the domain name for a user account. Alternate UPN suffixes can be created to allow for improved logon security or simply shorter UPNs for users. |
| User | A person, organization entity, or automated process that accesses a system, whether authorized to do so or not. | user configuration | The portion of a Group Policy Object that allows for user policy settings to be configured and applied. |
| User Datagram Protocol (UDP) | A communications protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It's used primarily for broadcasting messages over a network. UDP uses the Internet Protocol to get a datagram from one computer to another but does not divide a message into packets (datagrams) and reassemble it at the other end. Specifically, UDP does not sequence the packets in which the data arrives, so messages might arrive out of order. | user principal name (UPN) | The full DNS domain name of an Active Directory user account that can be used for authentication purposes. An example of a UPN would be wwillis@inside-corner.com. |
| user profile | Contains settings that define the user environment, typically applied when the user logs on to the system. | Virtual Private Network (VPN) | A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network. For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by (a) using encrypted tunnels to connect from firewall to firewall across the Internet and (b) not allowing any other traffic through the firewalls. A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the real network. |
| Virus | A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting another program (i.e., inserting a copy of itself into, and becoming part of, that program). A virus cannot run by itself; it requires that its host program be run to make the virus active. | Vulnerability | A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. |
| Web server | A software process that runs on a host computer connected to the Internet to respond to HTTP requests for documents from client web browsers. | well-connected network | A network that contains only fast connections between domains and hosts. The definition of "fast" is somewhat subjective and may vary from organization to organization. |
| wide area network (WAN) | Multiple networks connected by slow connections between routers. WAN connections are typically 1.5MBps or less. | Windows 2000 mixed mode | Allows Windows NT 4 domain controllers to exist and function within a Windows Server 2003 domain. This is the default setting when Active Directory is installed, although it can be changed to native mode. |
| Windows 2000 native mode | The mode in which all domain controllers in a domain have been upgraded to Windows Server 2003 and there are no longer any NT 4 domain controllers. An administrator explicitly puts Active Directory into native mode, at which time it cannot be returned to mixed mode without removing and reinstalling Active Directory. | Windows Internet Naming System (WINS) | A dynamic name-resolution system that resolves NetBIOS names to IP addresses on Windows TCP/IP networks. With Windows Server 2003, WINS is being phased out in favor of DNS, but it will be necessary to keep WINS in place as long as any legacy clients or applications on the network use it. |
| Windows Management Instrumentation (WMI) | A Windows Server 2003 management infrastructure for monitoring and controlling system resources. | Windows Script Host | Enables the running of VBScript or JavaScript scripts natively on a Windows system, offering increased power and flexibility over traditional batch files. |
| Windows Server 2003 functional level | The highest functional level of either the domain or forest in Windows Server 2003, this functional level implements all the new features of Windows Server 2003 Active Directory but at the expense of some backward compatibility. | WinInstall | An optional utility that ships with Windows Server 2003 and can be used to create Windows Installer packages. |
| WinSCP, WinSCP2 | WinSCP and WinSCP2 are free Windows implementations of a secure copy program. They allow files to be copied easily and securely between computers, such as from a UNIX ssh or OpenSSH server to a Windows workstation. | Wiretapping | Monitoring and recording data that is flowing between two points in a communication system. |
| workgroup | A group of workstations and servers that are not networked within the concept of a domain. In other words, each machine maintains its own local accounts database and can be difficult to administer as the number of computers in the workgroup grows. | World Wide Web ("the Web", WWW, W3) | The global, hypermedia-based collection of information and services that is available on Internet servers and is accessed by browsers using Hypertext Transfer Protocol and other information retrieval mechanisms. |
| Worm | A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. | Wrap | To use cryptography to provide data confidentiality service for a data object. |
| WScript | The Windows interface to Windows Script Host (WSH). | X.500 | A set of standards developed by the International Standards Organization (ISO) that defines distributed directory services. |
| zone | A database file that contains the resource records for a single domain or a set of domains. There are three types of zones in DNS: a forward lookup zone for mapping names to IP addresses, a reverse lookup zone for mapping IP addresses to domain names, and a stub zone for determining which DNS servers are authoritative for a zone. | | |