Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
Switch |
|
Definition
Switch
examines the destination and source address of incoming data frame and fwds to appropriate dest port according to dest address. Operate on layer 2, data link layer |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
HUB |
|
Definition
HUB
also called multiport repeater
operates at Open Systems Interconnection (OSI) reference model layer 1 (Physical layer)
organizes data into bits
receives signal and recreates for transmission on ports |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
3 routing protocols that can be added to the Routing and Remote Access service |
|
Definition
- RIP v2
- IGMP Router and proxy (for multicast fwding)
- DHCP Relay Agent |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
127.0.0.0 |
|
Definition
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
224.0.0.0 |
|
Definition
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
cmd line entries for RRAS |
|
Definition
route print - displays routing table
route add - add route to table
route change - modify an existing route
route delete - delete a specific route |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
Demand-Dial routing
or
dial-on-demand routing |
|
Definition
In RRAS when the rtr receives a packet, it can use demand-dial to initiate a connection to a remote site. Connection is only active when data is sent to the remote site. Link is disconnected when no data is sent over it for a specific amount of time.
Used in low-traffic situations; can use existing dial-up phone lines instead of leased lines, so cheaper.
Configure a demand-dial interface on the server with the Demand-Dial Interface Wizard after RRAS is configured, from the General tab of the RRAS properties |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
NAT |
|
Definition
NAT - Network Address Translation
Server 2008 can be config'd as a NAT device, which allows internal network clients to connect to the internet using a shared single IP address. |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
Dial-Up Networking (DUN) |
|
Definition
Dial-Up Networking (DUN)
creates a physical connection b/w a client and a remote access server using a dedicated device - analog or ISDN modem. E.g. laptop with modem installed, which the client uses to dial the phone number of the remote access server.
Uses a dedicated physical connection; traffic often unencrypted |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
Virtual Private Network - VPN |
|
Definition
Virtual Private Network - VPN
creates a secure pt-to-pt connection across either a private ntwk or a public one such as the internet. Relies on secure TCP/IP-based "tunneling protocols" for security.
Logical connection b/w VPN client and VPN server over a public network. Data must be encrypted to be secure. |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
When not to use VPN |
|
Definition
- when performance at any price is prime concern
- when most traffic synchronous - voice and video
- when using application with unusual protocols not compatible with TCP/IP |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
components in a VPN connection in Server 2008 |
|
Definition
- VPN Server
- VPN client
- VPN connection (portion of connection where data encrypted)
- VPN tunnel (portion of connection where data is encapsulated)
|
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
the 2 tunneling protocols for VPN |
|
Definition
- Point-to-Point tunneling protocol (PPTP)
supports the 128-bit RC4 encryption algorithm
- Layer Two Tunneling Protocol (L2TP)
IETF standard used to encapsulate Pt-to-Pt protocol frames over ntwks. Combines best features of PPTP and Layer 2 fwding. can use with IPSec for secure encrypted VPN connection. |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
accounting |
|
Definition
accounting
After authentication and authorization, accounting keeps track of what resources a user has accessed or attempted to access. |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
remote access permission for user account levels |
|
Definition
- control access through NPS Network Policy *DEFAULT
specifies that the users access permissions be determined by first matching the NPS ntwk policy applied to the connection.
- Deny Access
- Allow Access |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
RADIUS |
|
Definition
RADIUS
Remote Authentication Dial-In User Service
a server that can provide authentication, authorization and accounting for access to ntwk resources |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Networking
3 components of NPS Ntwk policy
|
|
Definition
conditions
constraints
settings |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
authentication protocols supported by RRAS |
|
Definition
- EAP-TLS
cert based authentication used with smart cards. Supports authentication data and connection data. Not supported by stand alone servers, and server must be domain member.
- MS-CHAPv2
mutual authentication method with encryption of authentication and connection data. new cryptographic key for each connection and transmission direction.
- MS-CHAPv1
one-way authentication method with encryption of authent and conn data. Same cryptographic key for all connections
- EAP-MD5 CHAP
"Extensible Authentication Protocol-Msg Digest 5 CHAP"
- CHAP
Challenge Handshake Authentication Protocol
- Shiva pswd authentication protocol (SPAP)
- Pswd Authentication Protocol (PAP)
- Unauthenticated success |
|
|
Term
CHP 5 - Routing and Remote Access and Wireless Ntwking
802.1X standard for Network Access Control |
|
Definition
port-based; can allow or deny access on the basis of a physical port or logical port.
provides security through 3 components:
Supplicant - device that is seeking access to the ntwk (e.g. laptop)
Authenticator - component that requests authentication creds from supplicants and fwds the supplicant's creds to the Authentication Server (AS)
Authentication Server (AS) - verifies the supplicant's authentication creds and tells the authenticator to allow or deny access to the port. AS role can be performed by a Server 2008 computer with the Network Policy Server role or any 3rd-party RADIUS server |
|
|
Term
CHP 6 - Configuring File Services
Factors for planning file sharing on a lg ntwk |
|
Definition
- Scalability
- Navigation
- Protection
- Abuse
- Diversity
- Fault Tolerance
- Availability
Snails Never Pack Art Down Flying Ants |
|
|
Term
CHP 6 - Configuring File Services
Server 2008 storage limitations |
|
Definition
Max basic volume size - 2 Terabytes
Max dynamic volume size (simple & mirrored) - 2 TB
Max dynamic volume size (spanned & striped) - 64 TB - 2 TB per disk, max 32 disks
Max dynamic volume size (RAID 5) - 64 TB - 2 TB per disk, max 32 disks, 2 TB for parity info
Max NTFS volume size - 2^32 clusters minus 1 cluster - with default 4 KB cluster size, max is 16 TB; with max 64 KB cluster size, max volume is 256 TB
Max # of clusters on NTFS volume - 2^23
Max NTFS file size - 2^44 bytes (16 TB) minus 64 KB
Max # of volumes on server - approx 2000 (1000 dynamic volumes and the rest basic) |
|
|
Term
CHP 6 - Configuring File Services
tasks to do when installing additional storage on server |
|
Definition
- select partitioning style
Master Boot Record (MBR) or GUID (globally unique identifier) partition table (GPT)
- Select disk type (basic and dynamic)
- Divide disk into partitions/volumes (partition for basic, volume for dynamic)
- format partitions/volumes with a file system (NTFS or FAT) |
|
|
Term
CHP 6 - Configuring File Services
partitions on basic disk |
|
Definition
- system partition - contains hardware-related files used to boot
- boot partition - contains the OS files
- can create up to 4 primary partitions (each can have OS)
- 4th partition can be made an extended partition (no OS)
- extended partition can hold unlimited logical drives |
|
|
Term
CHP 6 - Configuring File Services
dynamic disk volume types |
|
Definition
Simple volume
space from single disk
Spanned volume
space from 2 - 32 physical dynamic disks. Combines space from multiple disks into a single lg volume. Not fault tolerant.
Striped Volume
space from 2 to 32 disks. System writes data 1 stripe at time to each successive disk in volume. Not fault tolerant
Mirrored volume
2 disks. system does read and write operations on both disks at same time to provide fault tolerance.
RAID-5 volume
3 or more physical disks. the system stripes data and parity info across all disks, if 1 fails missing data can be recreated using parity info. |
|
|
Term
CHP 6 - Configuring File Services
Disk Management MMC snap-in |
|
Definition
used to select partition type, volume type and file system for disks. can initialize, select partition style, convert basic to dynamic |
|
|
Term
CHP 6 - Configuring File Services
Disk Management views |
|
Definition
- can show 2 at time.
- disk list
- volume list
- graphical view |
|
|
Term
CHP 6 - Configuring File Services
snap in for sharing folders and other |
|
Definition
- Shared Folders snap-in
- to see shares, Network Discovery and File Sharing settings must be turned on in the Network and Sharing Center ctrl panel |
|
|
Term
CHP 6 - Configuring File Services
Permission systems |
|
Definition
- Share permissions
ctrl access to folders over a network
- NTFS Permissions
ctrl access to files and folders stored on disk volumes formatted with NTFS
- Registry permissions
ctrl access to specific parts of windows registry
- Active Directory Permissions
ctrl access to specific parts of Active Directory Hierarchy |
|
|
Term
CHP 6 - Configuring File Services
Share permissions |
|
Definition
- by default the Everyone special id receives the Allow Read share permission
Full Ctrl
change file permissions
take ownership of files
performs all tasks in Change permission
Change
create/delete folders
add, change, delete files
change file attributes
all actions permitted by Read permission
Read
displays folder/file names, file data, attributes
executes program files
access other folders w/i shared folder |
|
|
Term
CHP 6 - Configuring File Services
Server service |
|
Definition
service under the file services role
enables computer to share files with ntwk users |
|
|
Term
CHP 6 - Configuring File Services
Distributed File System (DFS) |
|
Definition
implemented in file services role
include DFS namespaces and Replication
- simplify process of locating files
- ctrl amount of traffic passing over WAN links
- provide users at remote sites local file server access
- config ntwk to survive WAN link failure
- facilitate consistent backups |
|
|
Term
CHP 6 - Configuring File Services
Targets |
|
Definition
actual shared folders referred to as targets of virtual folders in namespace |
|
|
Term
CHP 6 - Configuring File Services
DFS replication |
|
Definition
multiple master replication engine that can create and maintain copies of shared folders on different servers throughout an enterprise |
|
|
Term
CHP 6 - Configuring File Services
Multiple Master Replication |
|
Definition
technique in which duplicate copies of a file are all updated on a regular basis, no matter which copy changes. |
|
|
Term
CHP 6 - Configuring File Services
alternative to multiple master replication |
|
Definition
single master replication
Changes that users make to one copy of a file are propagated, in one direction only to the other copies |
|
|
Term
CHP 6 - Configuring File Services
Unified services from DFS replication and namespaces |
|
Definition
data distribution
users can access files from local server, minimizing internetwork traffic and delays. All users can browse same directory tree
Load balancing
because the file is replicated on different file servers, DFS distributes access requests among them, preventing any one server from shouldering the entire traffic load
Data collection
admins can replicate data from remote file servers to a central location for backups. DFS uses a protocol called RDC to conserve bandwidth and the time needed for replication |
|
|
Term
CHP 6 - Configuring File Services
RDC |
|
Definition
Remote Differential Compression
Protocol which conserves ntwk BW by detecting changes in files and transmitting only the modified data to dest. |
|
|
Term
CHP 6 - Configuring File Services
Two basic types of namespaces |
|
Definition
|
|
Term
CHP 6 - Configuring File Services
Stand-Alone namespace |
|
Definition
- path to namespace \\server\root
- server name exposed
- namespace can contain up to 50,000 folders
- can be domain ctroller, member server in domain or standalone server
- namespace stored in system registry and memory cache
- supports use of only 1 namespace server for a single namespace
- no Active Dir domain services required
- supports DFS replication of folders when namespace server is joined to AD domain
- can be part of a server cluster |
|
|
Term
CHP 6 - Configuring File Services
Domain based Namespace
(Windows Server 2008)
|
|
Definition
- path to namespace \\domain\root
- server name hidden
- can contain up to 50,000 folders
- must be domain controller or member server of domain hosting namespace
- namespace stored in AD and memory cache on each namespace server
- supports use of multiple namespace servers in same domain for single namespace
- requires AD using server 2008 domain functional level
- supports DFS replication of folders
- namespace cannot be a clustered resource, but the namespace server can be part of a cluster |
|
|
Term
CHP 6 - Configuring File Services
Client Failback |
|
Definition
ability of DFS clients to revert to targets that were previously unavailable, when they become available again and are of lower cost than the target the client is using.
Enable for the entire namespace by selecting the "Clients fail back to preferred targets" checkbox on the Referrals tab of the namespace properties sheet.
Enable for an individual folder by selecting the same checkbox on the Referrals tab of the folder's properties sheet |
|
|
Term
CHP 6 - Configuring File Services
replication groups and members |
|
Definition
collection of servers (members) which each contain a target for a particular DFS folder.
Can have up to 256 members with 256 replicated folders. Each server can be a member of up to 256 replication groups, with 256 connections (128 inbound, 128 outbound).
Member server can support up to 1 TB of replicated files, up to 8 million replicated files per volume |
|
|
Term
CHP 6 - Configuring File Services
Full Mesh topology |
|
Definition
default topology of replication groups.
every member in group replicates with every other member
good for small DFS deployments |
|
|
Term
CHP 6 - Configuring File Services
Hub/spoke topology |
|
Definition
enables you to limit the replication traffic to specific pairs of members
good for larger installations |
|
|
Term
CHP 7 - Configuring Print Services
Printer components (in order) |
|
Definition
Printer
software interface through which the computer communicates with a print device. Can be USB, FireWire, LPT, serial, etc., or Internet Printing Protocol (IPP) for printing over HTTP
Printer Driver
device driver that converts print jobs into appropriate string of cmds for specific print device.
Print Server
computer or standalone device that receives print jobs and sends to print devices
print device
actual hdwr that prints onto paper. can be local or network interface |
|
|
Term
CHP 7 - Configuring Print Services
interim formats used by printer driver to make job file |
|
Definition
Enhanced Metafile (EMF)
converts application data into an EMF file; the printer sends it to the print server, which stores it in the spooler and uses the printer driver on the print server to render the job into the final PCL format for the print device
XML Paper Specification (XPS)
new, platform-independent doc format in Server 2008 and Vista. Print jobs use single XPS format for entire journey to print device, rather than being converted first to EMF and then PCL |
|
|
Term
CHP 7 - Configuring Print Services
settings to enable printer sharing |
|
Definition
set in Network and Sharing Center:
enable:
Network Discovery
Printer Sharing |
|
|
Term
CHP 7 - Configuring Print Services
Print permission |
|
Definition
Print
Capabilities:
- connect to printer
- print doc
- pause, resume, restart and cancel users own doc
Special Permissions:
- Print
- Read Permissions
Default Assignments:
Applied to Everyone special identity
|
|
|
Term
CHP 7 - Configuring Print Services
Manage Printer permission |
|
Definition
Manage Printers
Capabilities:
- cancel all docs
- share a printer
- change printer properties
- delete a printer
- change printer permissions
Special Permissions:
- print
- manage printers
- read permissions
- change permissions
- take ownership
Default Assignments:
- Administrators Group |
|
|
Term
CHP 7 - Configuring Print Services
Manage Documents Permission |
|
Definition
Manage Documents
Capabilities:
- Pause, resume, restart, cancel all users docs
- ctrl job settings for all documents
Special Permissions:
- manage docs
- read permissions
- change permissions
- take ownership
Default Assignments:
- Creator Owner special identity |
|
|
Term
CHP 7 - Configuring Print Services
Standard Printer Permissions |
|
Definition
Print
Manage Printers
Manage Documents |
|
|
Term
CHP 7 - Configuring Print Services
LPD service
(in Print Services Role) |
|
Definition
enables UNIX clients running LPR (line printer remote) program to send their print jobs to windows printer
|
|
|
Term
CHP 7 - Configuring Print Services
Internet Printing
(in Print Services Role)
|
|
Definition
system services installed:
- world wide web publishing service
- IIS Admin Service
must install IIS (Web Server) role
Creates a web site that enables users on the internet to send print jobs to shared windows printers
|
|
|
Term
CHP 7 - Configuring Print Services
Nodes in Print Management console MMC |
|
Definition
Custom Filters
contains composite views of all printers hosted by the print servers listed in the console, regulated by customizable filters
Print Servers
Lists all of the print servers you have added to the console and all of the drivers, forms, ports, and printers for each print server
Deployed Printers
lists all of the printers you have deployed with Group Policy using the console |
|
|
Term
CHP 7 - Configuring Print Services
Custom filters default filters |
|
Definition
- all printers
- all drivers
- printers not ready
- printers with jobs |
|
|
Term
CHP 7 - Configuring Print Services
Group Policy Object |
|
Definition
To use Active Directory to deploy printers to clients, you must config the appropriate policies in a Group Policy Object (GPO)
You can link a GPO to any domain, site, or organizational unit (OU) in the AD tree.
When you config a GPO to deploy a printer, all of the users or computers in that domain, site or OU will receive the printer connection when they log on. |
|
|
Term
CHP 7 - Configuring Print Services
What protocol allows users to print docs through an IIS server? |
|
Definition
Internet Printing Protocol - IPP |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
Checksum |
|
Definition
mathematical value in the header of each UDP or TCP packet, which is used to provide an integrity check for the packet
If data is corrupted while in transit, checksum will alert receiver and packet will be dropped by the receiving computer |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
IPSec |
|
Definition
- suite of protocols intro'd to provide a series of cryptographic algorithms that can be used to provide security for all TCP/IP hosts at the internet layer, regardless of the actual application that is sending or receiving data.
|
|
|
Term
CHP 9 - Securing Data transmission and Authentication
Two goals of IPSec |
|
Definition
- protect contents of IP packets
- provide a defense against ntwk attacks through packet filtering and the reinforcement of trusted communication |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
attack types |
|
Definition
Packet sniffing:
uses an application to monitor and read ntwk packets in transmission. If in clear-text, full view of data can be seen. IPSec uses encryption
Data modification:
Attacker modifies ntwk packet that is in transit with counterfeit data. IPSec uses cryptographic checksum
Identity spoofing:
attacker falsifies the ID of the sender or receiver computer with special programs that construct IP packets that appear to be from trusted ntwks. IPSec uses mutual authentication and cryptography-based keys
Man-in-the-middle Attacks:
attacker between two computers monitors, captures and controls data transparently. IPSec uses mutual authentication and cryptography-based keys
Denial of Service attacks (DoS)
Prevents normal use of computer or ntwk resources by flooding with traffic. IPSec uses IP Packet filtering to determine if communication allowed, secured or blocked |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
IPSec security features |
|
Definition
- Automatic security associations
- IP Packet filtering
- Network layer security
- Peer authentication
- Data origin authentication
- Data integrity
- data confidentiality
- anti-replay
- key management
|
|
|
Term
CHP 9 - Securing Data transmission and Authentication
IPSec modes |
|
Definition
Transport mode:
use when pkt filtering and end-to-end security are required. Both hosts must support IPSec with the same authentication protocols and compatible IPSec filters.
Tunnel Mode:
for site to site communication that cross internet (or other public ntwk). Provides gateway to gateway protection. |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
IPSec protocols |
|
Definition
Authentication Header (AH) protocol
provides authentication, integrity and anti-replay for entire packet (IP Header and data payload). d/n encrypt data. Uses keyed hash algorithms to sign pkt for integrity
encapsulating security payload (ESP) protocol
provides encryption + authentication, integrity and anti-replay for IP payload. In transport mode d/n sign IP header, just payload. can be used alone or w/ AH. |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
Security Association (SA) |
|
Definition
combo of security services, protection mechanisms, and cryptographic keys mutually agreed to by communicating peers. Two types of SA:
- ISAKMP SA (main mode)
- IPSec SA
|
|
|
Term
CHP 9 - Securing Data transmission and Authentication
ISAKMP SA |
|
Definition
main mode SA
used to protect IPSec security negotiations. Created by negotiating a cipher suite (collection of cryptographic algorithms for encryption) used for protecting future ISAKMP traffic, etc. When complete, all future SA negotiations for both types are protected - known as protected cipher suite negotiation. |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
IPSec SA |
|
Definition
quick mode SA used to protect data sent b/w IPSec peers. Two IPSec SAs exist for each protocol in use - one for inbound traffic, one for outbound. Inbound for one peer is outbound for the other. IPSec cipher suite negotiation is protected by the ISAKMP SA. |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
Internet Key Exchange (IKE) |
|
Definition
standard that defines a mechanism to establish SAs. IKE combines ISAKMP and the Oakley Key Determination Protocol (based on the Diffie-Hellman key exchange algorithm) to generate secret key material. |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
Dynamic Rekeying |
|
Definition
determination of new keying material through a new Diffie-Hellman exchange on a regular basis. Based on elapsed time, 8 hrs by default, or number of data sessions created with same set of keying material. |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
IPSec policy component:
Tunnel Setting |
|
Definition
The IP address of the tunnel endpoint (if you are config IPSec tunneling to protect the packet destination.) |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
IPSec policy component:
Network Type |
|
Definition
type of connection affected by the IPSec policy: all ntwk connections, LAN, or remote access. |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
IPSec policy component:
IP Filter |
|
Definition
A subset of ntwk traffic based on IP address, port and transport protocol. It informs IPSec which inbound and outbound traffic should be secured. An IP Filter can be mirrored, meaning that traffic defined in 1 direction will also be defined in the opposite direction.
IP Filter components:
Source Address:
Filter defined by IP address, specific DNS name, DNS servers, WINS servers, DHCP servers, Default gateway.
Destination address
IP Protocol Type:
any, EGP, HMP, ICMP, TCP, UDP, others...
IP Protocol Port:
from or to specific or any TCP or UDP port |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
IPSec policy component:
IP Filter List |
|
Definition
the concatenation of one or more IP filters, which define a range of ntwk traffic |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
IPSec policy component:
Filter Action |
|
Definition
How IPSec should secure ntwk traffic. Predefined filter actions include: Permit, Request Security (opt), Require Security |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
IPSec policy component:
Authentication Method |
|
Definition
one of the security algorithms and types used for authentication and key exchange:
Kerberos v5 protocol
default authent. method used by IPSec policies deployed w/i AD domain.
PKI cert from cert authority (CA)
provides ability to deploy IPSec securely in non AD enviro. |
|
|
Term
CHP 9 - Securing Data transmission and Authentication
Preconfig Connection Security Rules |
|
Definition
- Isolation Rule
- Authentication Exemption rule
- Server-to-server rule
- Tunnel rule |
|
|
Term
CHP 10 - Maintaining Network Health
Public Key Infrastructure |
|
Definition
- provides assurances that you are communicating with the intended internal or external entity w/o hacker intrusion.
- this is accomplished through the use of a public and private key |
|
|
Term
CHP 10 - Maintaining Network Health
Public Key |
|
Definition
- Derived through a math algorithm (public key cryptography); each user/computer/etc that uses PKI has its own public key. Well known and easily obtainable. |
|
|
Term
CHP 10 - Maintaining Network Health
Private Key |
|
Definition
each computer/user/etc has a private key, known only to individual user/computer, and is hidden and well secured. |
|
|
Term
CHP 10 - Maintaining Network Health
PKI Common Terms:
Certification Authority (CA) |
|
Definition
Hierarchical structure with an authoritative root CA responsible for all subordinate and issuing CAs in a ntwk. Safer to have a standalone offline root CA. |
|
|
Term
CHP 10 - Maintaining Network Health
PKI Common Terms:
Digital Certificate |
|
Definition
digital doc containing id info about a specific user, pc, service, etc. Digital cert contains cert holders name and public key, digital signature of issuing CA and cert's expiry date. |
|
|
Term
CHP 10 - Maintaining Network Health
PKI Common Terms:
Digital Signature |
|
Definition
created by encrypting data w/ the entity's private key; used to prove the identity of the signer of a doc. The recipient then decrypts it w/ the entity's public key. |
|
|
Term
CHP 10 - Maintaining Network Health
PKI Common Terms:
Certificate Practice Statement (CPS) |
|
Definition
detailed explanation of how a particular CA manages certs and keys |
|
|
Term
CHP 10 - Maintaining Network Health
PKI Common Terms:
Certificate Revocation List (CRL) |
|
Definition
ID's certificates that have been revoked or terminated along with corresponding user/pc/service |
|
|
Term
CHP 10 - Maintaining Network Health
PKI Common Terms:
Certificate Template |
|
Definition
used by CA to simplify the admin and issuance of digital certs. |
|
|
Term
CHP 10 - Maintaining Network Health
PKI Common Terms:
Smart Cards |
|
Definition
small physical devices (credit-card size) that have a digital cert installed on them. By using a smart card reader, a physical device attached to the wkstn, users authenticate to an AD domain, website, etc |
|
|
Term
CHP 10 - Maintaining Network Health
PKI Common Terms:
Self-Enrollment |
|
Definition
enables users to request their own PKI certs, usually through web |
|
|
Term
CHP 10 - Maintaining Network Health
PKI Common Terms:
Autoenrollment |
|
Definition
allows users and computers to automatically enroll for certs based on one or more cert templates, as well as using Group Policy settings in AD. Windows Server 2003 and later |
|
|
Term
CHP 10 - Maintaining Network Health
PKI Common Terms:
Recovery Agents
|
|
Definition
config w/i a CA to allow 1 or more users (usually admins) in AD enviro to recover private keys for users/comp/services if keys lost. |
|
|
Term
CHP 10 - Maintaining Network Health
PKI Common Terms:
Key Archival
|
|
Definition
process in which private keys in an AD enviro are maintained by the CA for retrieval by a recovery agent. |
|
|
Term
CHP 10 - Maintaining Network Health
Active Directory Certificate Services server role services:
Web Enrollment |
|
Definition
allows users to connect to Windows Server 2008 CA through web to request cert and obtain up-to-date cert revocation list |
|
|
Term
CHP 10 - Maintaining Network Health
Active Directory Certificate Services server role services:
Online Responder |
|
Definition
Responds to requests from clients re: the revocation status of a particular cert, sending back a digitally signed response w/ the cert's current status. |
|
|
Term
CHP 10 - Maintaining Network Health
Active Directory Certificate Services server role services:
Ntwk Device Enrollment Service (NDES) |
|
Definition
allows devices to enroll for certs w/i a Windows Server 2008 PKI that might not otherwise be able to do so.
Uses Simple Certificate Enrollment Protocol (SCEP) |
|
|
Term
CHP 10 - Maintaining Network Health
2 types of CA |
|
Definition
standalone CA
not integrated w/ AD, relies on admin intervention to respond to cert requests. Can be both root and subordinate CA. Can be taken offline for security.
enterprise CA
integrates w/ AD domain and can use cert templates to allow autoenrollment of digital certs, and can store certs w/i AD database. Can use as root or subordinate |
|
|
Term
CHP 10 - Maintaining Network Health
CA administrator |
|
Definition
role responsible for overall management of a CA, inc' the ability to delegate all other roles to additional users and groups. |
|
|
Term
CHP 10 - Maintaining Network Health
Certificate Managers
|
|
Definition
tasked with issuing and managing certs, inc' approving certificate enrollment and revocation requests. |
|
|
Term
CHP 10 - Maintaining Network Health
Backup Operators |
|
Definition
able to backup and restore the OS files/folders |
|
|
Term
CHP 10 - Maintaining Network Health
Auditors |
|
Definition
able to manage and read security logs on a computer running the AD Cert Services role |
|
|
Term
CHP 10 - Maintaining Network Health
Network Access Protection - NAP |
|
Definition
controls access to corporate ntwk resources based on the id of a computer attempting to connect to the resource, and the connecting computers compliance w/ corporate policies and standards. |
|
|
Term
CHP 10 - Maintaining Network Health
NAP enforcement methods:
DHCP enforcement |
|
Definition
uses DHCP config info to ensure that NAP clients remain in compliance. If not compliant, NAP will get the DHCP server to limit the client's ntwk access until it is compliant |
|
|
Term
CHP 10 - Maintaining Network Health
NAP enforcement methods:
IPSec enforcement |
|
Definition
uses IPSec that has been secured by specially config PKI certs called Health Certificates, issued to clients that meet defined compliance standards. Only clients with health certs can be in IPSec secured traffic. |
|
|
Term
CHP 10 - Maintaining Network Health
NAP enforcement methods:
VPN enforcement |
|
Definition
restricts the level of ntwk access that a remote access client can obtain, based on the health info that the client presents when the VPN connection is made. |
|
|
Term
CHP 10 - Maintaining Network Health
NAP enforcement methods:
802.1X enforcement |
|
Definition
uses 802.1X-aware ntwk access points, such as ntwk switches or wireless access points, to restrict ntwk access of noncompliant resources. |
|
|
Term
CHP 10 - Maintaining Network Health
NAP enforcement methods:
Terminal Services Gateway (TS Gateway) enforcement |
|
Definition
integrates w/ new Terminal Services functionality that allows authorized remote users to connect to resources on an internal corporate or private ntwk, from any Internet connected device. NAP can restrict connection attempts by TS Gateway clients. |
|
|
Term
CHP 10 - Maintaining Network Health
System Health Agents (SHAs) |
|
Definition
component of NAP that maintains info and reporting on one or more elements of NAP client health. To indicate its health status, an SHA creates a Statement of Health (SOH) that it transmits to the NAP agent |
|
|
Term
CHP 10 - Maintaining Network Health
NAP Agent |
|
Definition
Maintains info about the health of a NAP client computer and transmits info between NAP enforcement clients and the System Health Agents. NAP agent combines SOH from each SHA into a single System Statement of Health (SSOH) which it then passes onto enforcement clients. |
|
|
Term
CHP 10 - Maintaining Network Health
Enforcement point |
|
Definition
A server that operates the NAP enforcement Server components is referred to as a NAP enforcement point. |
|
|
Term
CHP 10 - Maintaining Network Health
Health Registration Authority (HRA) |
|
Definition
can obtain health certs from clients when the IPSec enforcement method is used. |
|
|
Term
CHP 10 - Maintaining Network Health
Statement of Health Response (SOHR) |
|
Definition
When the client NAP agent transmits a SSOH to NAP server components, the System Health Validators (SHVs) will return a Statement of Health Response, to instruct the client side SHA if any action required to bring client into compliance. |
|
|
Term
CHP 10 - Maintaining Network Health
NAP Administration Server |
|
Definition
manages the NAP Server side components
- obtains the SSOH for a NAP client from the relevant NAP enforcement service.
- distributes each SOH w/i the SSOH to the appropriate system health validator for analysis and action
- collects the SOHR from each SHV and passes info onto Network policy server (NPS) service. |
|
|
Term
CHP 10 - Maintaining Network Health
System Statement of Health Response SSOHR |
|
Definition
NPS service combines each SOHR into a SSOHR, which indicates whether the NAP client is compliant with NAP policies. |
|
|