Windows Server 2008 Administrator Lesson 7 - 12 Review
Terms in this set (118)
The ability of an application to maintain its own availability by detecting outdated, corrupted, or missing files and automatically correcting the problem.
In network load balancing, a process in which a server is excluded from the cluster after it fails to generate five consecutive heartbeat messages.
DNS Round Robin
A load-balancing technique in which you create an individual resource record for each terminal server in the server farm using the server's IP address and the name of the farm (instead of the server name). When clients attempt to establish a Terminal Services connection to the farm, DNS distributes the incoming name resolution requests among the IP addresses.
A collection of redundant servers configured to perform the same tasks so that if one server fails, another server can take its place almost immediately.
In network load balancing, messages exchanged by cluster nodes to indicate their continued operation.
network load balancing (NLB)
A clustering technology in which a collection of identical servers run simultaneously, sharing incoming traffic equally among them.
A Windows feature that enables client computers to maintain copies of server files on their local drives. If the computer's connection to the network is severed or interrupted, the client can continue to work with the local copies until network service is restored, at which time the client synchronizes its data with the data on
A collection of identical servers used to balance a large incoming traffic load.
A Windows Server 2008 feature that maintains a library containing multiple versions of selected files. Users can select a version of a file to restore as needed.
terminal server farm
A group of at least two servers running the Terminal Services role, working together to share a client load.
TS Session Broker
A Terminal Services role service that maintains a database of client sessions and enables a disconnected client to reconnect to the same terminal server.
Windows Installer 4.0
A Windows Server 2008 component that enables the system to install software packaged as files with a .msi extension.
In failover clustering, a shared storage medium that holds the cluster configuration database.
The most common type of high availability technology currently in use.
Windows Server 2008 supports ____ as its only parity-based data availability mechanism.
Duplicate servers (Failover Clusters Requirements)
The computers that will function as cluster nodes should be as identical as possible in terms of memory, processor type, and other hardware components.
Shared storage (Failover Clusters Requirements)
All of the cluster servers should have exclusive access to shared storage, such as that provided by a Fibre Channel or iSCSI storage area network. This shared storage will be the location of the application data so that all of the cluster servers have access to it. The shared storage can also contain the witness disk, which holds the cluster configuration database. This too should be available to all of the servers in the cluster.
Redundant network connections
Connect the cluster servers to the network in a way that avoids a single point of failure. You can connect each server to two separate networks or build a single network using redundant switches, routers, and network adapters.
access control entries (ACEs)
An entry in an object's access control list (ACL) that grants permissions to a user or group. Each ACE consists of a security principal (the name of the user, group, or computer being granted the permissions) and the specific permissions assigned to that security principal. When you manage permissions in any of the Windows Server 2008 permission systems, you are creating and modifying the ACEs in an ACL.
access control list (ACL)
A collection of access control entries that defines the access that all users and groups have to an object.
A group of technologies that enable computers to identify individuals based on physiological characteristics, such as fingerprints.
BitLocker Drive Encryption
A Windows Server 2008 feature that can encrypt entire volumes, to prevent intruders from accessing their data.
A security model in which all of the servers on a network rely on a single authority to authenticate users.
A security model in which each server maintains its own list of users and their credentials.
A password penetration technique in which a list of common passwords is encrypted, and the results compared with captured ciphertext.
A software routine that acts as a virtual barrier between a computer and the attached network. A firewall is essentially a filter that enables certain types of incoming and outgoing traffic to pass through the barrier, while blocking other types.
A combination of allowed, denied, inherited, and explicitly assigned permissions that provides a composite view of a security principal's functional access to a resource.
A ticket-based authentication protocol used by Windows computers that are members of an Active Directory domain. Unlike NTLM, which involves only the IIS7 server and the client, Kerberos authentication involves an Active Directory domain controller as well.
Key Distribution Center (KDC)
A Windows Server 2008 component, part of the Kerberos authentication protocol, that maintains a database of account information for all security principals in the domain.
In TCP/IP communications, the code numbers embedded in transport layer protocol headers that identify the applications that generated and will receive a particular message. The most common firewall rules use port numbers to specify the types of application traffic the computer is allowed to send and receive.
In Windows Firewall, a method for opening a communications port through the firewall. When you create a program exception, the specified port is open only while the program is running. When you terminate the program, the firewall closes the port.
public key encryption (also PKI)
A security relationship in which participants are issued two keys: public and private. The participant keeps the private key secret, while the public key is freely available in the digital certificate. Data encrypted with the private key can be decrypted only using the public key and data encrypted with the public key can be decrypted only using the private key.
secret key encryption
A cryptographic system in which one character is substituted for another.
Security Accounts Manager
enables them to maintain a list of local users and groups that function as a decentralized authentication system. When you log on to a Windows computer for the first time, you use the local Administrator account, which the computer authenticates using its own SAM.
security identifiers (SIDs)
A unique value assigned to every Active Directory object when it is created.
The user, group, or computer to which an administrator assigns permissions.
single sign-on (SSO)
An environment in which users can access all network resources with a single set of credentials.
A credit card-sized device that contains memory and embedded circuitry that enables it to store data, such as a public encryption key.
is a term used to describe the process of circumventing security barriers by persuading authorized users to provide passwords or other sensitive information. In many cases, users are duped into giving an intruder access to a protected system through a phone call in which the intruder claims to be an employee in another department, a customer, or a hardware vendor.
An element providing a security principal with a specific degree of access to a resource.
A common combination of special permissions used to provide a security principal with a level of access to a resource.
ticket granting tickets (TGTs)
In Kerberos authentication, a credential issued by the Authentication Service that supplies valid authentication credentials. Whenever the client requires access to a new network resource, it must present its TGT to the Key
Trusted Platform Module
A dedicated cryptographic processor chip that a Windows Server 2008 computer uses to store the BitLocker encryption keys.
In Active Directory, relationships between domains that enable network resources in one domain to authorize users in another.
A networking technique in which one protocol is encapsulated within another protocol. In virtual private networking (VPN), an entire client/server session is tunneled within another protocol. Because the internal, or payload, protocol is carried by another protocol, it is protected from most standard forms of attack.
A security procedure in which a client application automatically issues a certificate enrollment request and sends it to a certification authority (CA), after which the CA then evaluates the request and issues or denies a certificate. When everything works properly, the entire process is invisible to the end user.
certificate revocation list (CRL)
A document maintained and published by a certification authority that lists certificates that have been revoked.
Sets of rules and settings that define the format and content of a certificate based on the certificate's intended use.
certification authority (CA)
A software component or a commercial service that issues digital certificates. Windows Server 2008 includes a CA as part of the Active Directory Certificate Services role.
An authentication protocol that uses MD5 hashing to encrypt user passwords, but does not support the encryption of connection data. The passwords it uses must also be stored in a reversibly encrypted format. As a result, CHAP provides relatively weak protection when compared to MS-CHAPv2.
Cryptographic Service Provider
A Windows Server 2008 component that generates public and private encryption keys for certificate requests.
Shorter lists of certificates that have been revoked since the last full certificate revocation list was published.
An electronic credential, issued by a certification authority (CA), which confirms the identity of the party to which it is issued.
The process by which a client requests a certificate and a certification authority generates one.
A certification authority that is integrated into the Windows Server 2008 Active Directory environment.
A component used by a certification authority to determine how it should make new certificates available to their applicants.
A shell protocol that provides a framework for the use of various types of authentication mechanisms.
Extensible Authentication Protocol-Transport Level Security (EAP-TLS)
An authentication method that enables a server to support authentication with smart cards or other types of digital certificates.
Certification authorities that do not issue certificates to end users or computers; they issue certificates only to other subordinate CAs below them in the certification hierarchy.
Certification authorities that provide certificates to end users and computers.
Layer 2 Tunneling Protocol
A virtual private networking protocol that relies on the IP security extensions (IPsec) for encryption.
Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2)
An authentication protocol that uses a new encryption key for each connection and for each direction in which data is transmitted. MS-CHAPv2 is the strongest password-based authentication method supported by Windows Server 2008 Remote Access, and is selected by default.
Password Authentication Protocol (PAP)
The least secure of the authentication protocols supported by Windows Server 2008 because it uses simple passwords for authentication, and transmits them in clear text.
Point-to-Point Protocol (PPP)
The data-link layer protocol used by Windows computers for remote access connections.
A virtual private networking protocol that takes advantage of the authentication, compression, and encryption mechanisms of PPP, tunneling the PPP frame within a Generic Routing Encapsulation (GRE) header and encrypting it with Microsoft Point-to-Point Encryption (MPPE), using encryption keys generated during the authentication process.
A set of rules that a certification authority uses to determine whether it should approve the request, deny it, or mark it as pending for later review by an administrator.
Protected EAP (PEAP)
An authentication protocol that uses Transport Level Security (TLS) to create an encrypted channel between a wireless client and an authentication server. The use of PEAP is not supported for remote access clients in Windows Server 2008.
Remote Authentication Dial In User Service (RADIUS)
A centralized authentication service frequently used in organizations with multiple remote access servers.
Secure Socket Tunneling Protocol (SSTP)
A new virtual private networking protocol in Windows Server 2008 and Windows Vista that encapsulates PPP traffic using the Secure Sockets Layer (SSL) protocol.
A certification authority that does not use certificate templates or Active Directory. It stores its information locally.
The parent certification authority that issues certificates to the subordinate CAs beneath it. If a client trusts the root CA, it must also trust all the subordinate CAs that have been issued certificates by the root CA.
A certification authority that has been issued a certificate by a root CA, which stands above it in the certification hierarchy.
In a certification authority (CA) hierarchy, enables clients that trust the root CA to also trust certificates issued by any other CAs subordinate to the root.
virtual private network (VPN)
A technique for connecting to a network at a remote location using the Internet as a network medium.
A process by which clients submit certificate enrollment requests to a CA and receive the issued certificates using a Website created for that purpose.
The rightmost pane found in most preconfigured Microsoft Management Console windows, which contains context-sensitive controls for the object(s) selected in the other panes.
Background Intelligent Transfer Service (BITS) peer-caching
A Windows Server 2008 component that enables computers to share their updates with each other on a peer-to-peer basis, rather than download them all from a WSUS server.
An instance of the Microsoft Management Console application with one or more snap-ins installed.
Delegation of Control Wizard
A tool in the Active Directory Users and Computers console that assigns permissions based on common administrative tasks.
The middle or right pane of the Microsoft Management Console interface that displays the contents of the item selected in the scope pane.
Microsoft Management Console modules that provide additional functionality to specific standalone snap-ins.
Initial Configuration Tasks
The window that appears when you start a Windows Server 2008 computer for the first time after installing the operating system. This window presents a consolidated view of the post-installation tasks that, in previous Windows Server versions, you had to perform using various interfaces presented during and after the OS setup process.
Microsoft Management Console (MMC)
A Windows shell application that loads snap-ins that you can use to manage the local server or any other server on the network running the same role or feature.
Network Level Authentication (NLA)
A Terminal Services feature that confirms the user's identity with the Credential Security Service Provider (CredSSP) protocol before the client and server establish the Terminal Services connection.
A limited Terminal Services implementation included with all Windows Server 2008 products that enables the computer to support up to two administrative connections.
Remote Desktop Connection
A program running on a desktop computer that establishes a connection to a terminal server using Remote Desktop Protocol (RDP) and displays a session window containing a desktop or application.
The leftmost pane found in a Microsoft Management Console window, used for navigation between snap-ins, nodes, or folders.
Application modules that plug into the Microsoft Management Console interface, which you can use to configure operating system settings, applications, and services.
A single tool that you can install directly into an empty Microsoft Management Console window. Standalone snap-ins appear in the first level directly beneath the console root in the console's scope pane.
Windows Server Update Services (WSUS)
A program that downloads updates from the Microsoft Update Website and stores them for administrative evaluation. An administrator can then select the updates to deploy, and computers on the network download them using a reconfigured Automatic Updates client.
The process by which administrators can track specific security-related events on a Windows Server 2008 computer.
In Performance Monitor, a set of readings, captured under normal operating conditions, which you can save and compare to readings taken at a later time.
Occurs when a component is not providing an acceptable level of performance compared with the other components in the system.
In Event Viewer, a separate log devoted to a particular Windows component.
data collector set
In the Reliability and Performance Monitor console, a method for capturing counter data over a period of time, for later evaluation.
The fundamental unit of information that Windows uses to package information about system activities as they occur.
Microsoft Management Console snap-in that provides access to the logs maintained by the Windows Server 2008 operating system.
The result of a program allocating memory for use but not freeing up that memory when it is finished using it.
A tool in the Reliability and Performance Monitor console that displays system performance statistics in real time.
Reliability and Performance snap-in
A Microsoft Management Console module that displays system information on a continuous, real-time basis.
A tool in the Reliability and Performance snap-in that automatically tracks events that can have a negative effect on system stability and uses them to calculate a stability index.
A screen in the Reliability and Performance Monitor console that contains four real-time line graphs that display information about four of the server's main hardware components.
A file system attribute that backup software programs use as a marker to determine whether to back up a file.
A restoration of the Active Directory database that overwrites existing objects and modifications on all domain controllers.
A single hardware device that contains one or more magnetic tape drives, as well as a robotic mechanism that inserts tapes into and removes them from the drives.
A copy of the data on a computer's hard disks, stored on another medium in case a hard drive fails.
In a backup software program, the files, folders, volumes, or disks that a user selects for copying to the backup medium.
The amount of time available to perform backups.
A type of backup that saves only the data in the selected components that has changed since the last full backup, without resetting the archive bits.
Directory Services Restore Mode
A Windows Server 2008 boot option that enables backup software products to perform authoritative restores.
A backup job that copies all files to the storage medium and resets their archive bits.
In backups, a media rotation method in which the terms grandfather, father, and son refer to monthly, weekly, and daily tapes, respectively.
In magnetic tape drives, a method of operation in which the heads are mounted on a rotating drum that records data in diagonal stripes across the tape.
A type of backup that saves only the data in the selected components that has changed since the last full backup, while resetting the archive bits.
In magnetic tape drives, a method of operation in which the drive draws the tape over stationary recording heads.
A restoration of the Active Directory database in which the restored objects and modifications can be overwritten by replication traffic from other domain controllers.
In magnetic tape drives, a condition that occurs when the computer fails to deliver data to the drive at a sufficient rate, causing the unit to repeatedly stop and start the tape, which reduces its speed and its overall storage capacity.