In discretionary access control lists, specifies the permissions given to a single user or group to access an object. In system access control lists, specifies security events the operating system will audit for a user or group.

Contains access control entries (ACEs) that administrators use to control access to or audit an object. An object's ACL is a list of users and groups that have permission to access the object. The two types of ACLs are discretionary access control lists (DACLs), which give permissions to users and groups; and system access control lists (SACLs), which specify security events that the operating system will audit.

The directory service in Microsoft Windows 2000 Server. A directory service stores information about objects on the network—much like a telephone book—in an intuitive hierarchical organization and provides both users and administrators access to this information. Users easily locate network resources, and administrators have a single interface to administer network resources.

A user who is usually a member of the Administrators group and has full control of a computer or network domain. Local administrators manage the local computer and network administrators manage the domain.

A user account that includes membership in the local Administrators group on a computer or in a domain, providing administrative access to services and resources.

A specification that defines power management for a wide range of computers (mobile, desktop, and server) and peripherals. In Microsoft Windows 2000 Professional, ACPI is the heart of power management and Plug and Play. Your computer must be ACPI-compliant to take full advantage of either feature. If you're not sure whether your computer is compliant, check its documentation. Note that some computers require a BIOS upgrade to work properly with Windows 2000 Professional.

A standard for a single-byte, character-encoding scheme that represents text on a computer. Standard 7-bit ASCII allows 128 characters, including uppercase and lowercase letters, numbers, punctuation marks, and other control characters. Extended 8-bit ASCII allows 256 characters and includes some foreign-language letters and symbols.

Predefined functions, usually packaged as dynamic link libraries, which provide services to applications.

Encryption that uses two encryption keys that are mathematically related—one private and one public. The private key is confidential, whereas the public key is given to anyone with to which whom you correspond. Only the private key can decrypt data encrypted by the public key. The public key can verify data that's digitally signed by the private key. Another name for asymmetric encryption is public key encryption.

Communication that occurs without regard for timing, one character at a time. Analog modems are asynchronous devices that send and receive data at irregular intervals.

A high-speed, connection-oriented protocol for transporting different types of traffic on a network. ATM is an up-and-coming standard that will be in more common use in the future.

A process that records selected security events in the security log. The audit policy determines which events the operating system records.

The process of validating users' credentials, their names, and passwords. After authenticating their credentials, the operating system gives users access to the computer per the rights and permissions assigned to their accounts and the groups they belong to. When users log on to the local computer, Windows 2000 Professional authenticates their credentials. When they log on to a domain, a server in that domain validates their credentials.

The process of verifying users' rights or permissions to access a resource locally or in a domain. Each time users open a file, for example, the operating system authorizes the user by checking its ACL for the permissions given to the user.

Application Programming Interface; a set of predefined routines that a programmer can use to accomplish low-level tasks.

A local or global group with rights to back up and restore files and folders, regardless of ownership, permissions, encryption, or audit settings.

A protocol that manages the use of multiple linked lines. Bandwidth Allocation Protocol (BAP) allocates lines when they're required, thus eliminating wasted bandwidth.

The rate a connection can transmit data. Bandwidth is usually expressed as bits per second (bps).

A disk containing primary partitions, extended partitions, and logical drives. In Windows 2000 Professional, basic disks can contain spanned, mirrored, striped, and RAID-5 volumes created by using Microsoft Windows NT 4.0 or earlier. (Basic disks are what you used in MS-DOS.)

The BIOS contains instructions for testing the hardware when the computer starts, starting the operating system, and communicating with devices. It is stored in read-only memory (ROM) and executed when you turn on the computer. You must upgrade the BIOS on many computers in order for Windows 2000 Professional to work properly; check with the computer's manufacturer.

Any volume on a basic disk. Basic disks are primary partitions, extended partitions, and logical drives. Basic volumes can also be spanned, mirrored, or striped. They can be RAID-5 volumes created with Windows NT 4.0 or earlier, but not with Windows 2000 Professional.

A modem's communication speed. Baud rate does not necessarily equal bits per second because as it is the number of times the line condition changes. If one signal corresponds to one bit, however, they're equal.

The number of bits a device transmits each second. Bits per second is the typical measure of a communication device's speed.

Defines the information necessary to boot the operating system, such as the location of the operating system files.

The software that makes it possible to view pages presented on the Internet, predominantly in HTML. Both Microsoft's Internet Explorer and Netscape's Navigator are examples of this type of software.

The partition that contains Windows 2000 Professional's system and other files. The boot partition is often the same as the system partition, but this configuration is not required.

A volume on a dynamic disk that contains Windows 2000 Professional's system and related files. The boot volume is often the same as the system volume, but this configuration is not required.

The groups that Windows 2000 Professional provides by default. Built-in groups have useful purposes, such as Power Users, Backup Operators, and Administrators. The best way to give users the rights they need is to assign their user account to the appropriate group. For daily use, assigning a user's account to the Administrators group is not a good idea because it opens the door for viruses that require that level of access to inflict their damage.

A standard defined by the US Government for secure computing systems.

Memory or disk space in which the operating system or a program stores recently-used data to make accessing it quicker. Caches are effective when access to the cache is faster than access to the data's original source, as in the case of caching Web pages to memory instead of reading them from the Web again.

An organization that grants public keys to users and other certificate authorities; it also vouches for a public key's authenticity.

Data that authenticates and secures information on nonsecured networks. Certificates associate public keys with the person holding the private key. Certificate authors digitally sign certificates, allowing the authenticity of those certificates to be verified. ITU-T X.509 defines the most popular format for certificates.

An authentication protocol used for remote access. It allows clients to securely send credentials to servers.

Provides support for the character sets and keyboard layouts of different countries. It's a table that translates keystrokes to character codes and character codes to characters on the display.

A special account that uniquely identifies the computer in the domain. Computer accounts allow secure communication between two computers.

Microsoft Management Console's let pane, which displays items in the console tree; a hierarchy of nodes that have different capabilities.

Users' names, passwords, and other information required to authenticate and authorize them.

An API that allows applications to encrypt or digitally sign data in order to protect users' data. Independent cryptographic service providers (CSPs) provide cryptographic operations.

The user profile that Windows 2000 Professional copies to create new users' profiles.

Both directory information and the services that provide access to that information. Users can search for objects using their attributes.

Using a second disk with its own controller to create a complete copy of the disk to ensure data security.

Using a second disk or partition to create a complete copy of the contents of a disk or partition in order to provide fault tolerance.

A collection of computers in a Windows NT network that share a security account database.

A logical group of networked computers that share a common directory. The name of each domain is unique, and administrators manage domains as a unit.

A computer that's running Windows 2000 Server in a domain and manages users' access to the network's resources. Domain controllers log users on, authenticate their credentials, and authorize access to objects in the directory and shared resources.

In a domain managed by Windows 2000 Server, the name of the domain on the network.

A name service for TCP/IP hosts that translates host names to IP addresses.

A configuration that allows you to start two different operating systems on the same computer.

A physical disk that Disk Management manages. Dynamic disks can contain only dynamic volumes, not basic volumes, such as partitions or logical drives. MS-DOS cannot access dynamic volumes.

A service that dynamically allocates IP addresses and distributes other TCP/IP parameters as required. DHCP manages the IP addresses on a network, preventing conflicts and the hassles involved with statically assigned addresses.

An executable file that contains functions used by other programs. Programs load DLL files when they need the functions they contain.

A volume that Disk Management creates. Dynamic volumes can be simple, spanned, striped, mirrored, or RAID-5. You can create dynamic volumes on dynamic disks only. MS-DOS can't read dynamic volumes.

A disk containing enough information to repair Windows 2000 Professional if it fails. You create an emergency repair disk by using Microsoft Windows Backup.

A file system feature that allows you to encrypt files and folders on NTFS volumes, preventing unauthorized access to them.

Defined by the Expanded Memory Specification (EMS). Supports memory boards that contain RAM, which software can enable or disable.

Memory beyond one megabyte.

Extensions to the Point-to-Point Protocol (PPP) that supports remote authentication using miscellaneous security devices, including token cards, dial-up, Kerberos V5, one-time passwords, and certificates. Remote access, PPTP, and L2TP support EAP as an authentication protocol.

The data table used in the FAT file system to maintain the list of disk clusters and their allocation states.

Program used to transfer files across a TCP/IP connection.

A group that can be used in both its own domain and in trusting domains. Global groups allow you to create groups within a domain that can be used within it and trusting domains. Global groups apply only to Windows 2000 Server.

A collection of objects—including users, computers, and other groups—that are used to grant access to resources or create e-mail distribution lists.

A collection of user accounts, each of which has all the permissions given to the group.

A list of computers and devices that Windows 2000 Professional and other versions of windows supports. You find a copy of the list on the Windows 2000 Professional CD-ROM in Support. See http://www.microsoft.com/hwtest/hcl for a more current hardware compatibility list.

A part of the registry that Windows 2000 Professional stores on the disk. The operating system stores hive files in SystemRootSystem32Config and in UserProfile. You edit the registry using Registry Editor, and you can copy hive files only when they're not in use.

A folder on the network in which a user can store documents and programs. Using Active Directory Users and Computers, administrators can assign home directories to a user or a group of users.

The DNS name of the computer on the network. Finding a computer on the network requires that its name be in the Lmhosts file or in the DNS namespace.

A text file that translates the names of computers to IP addresses. On the local computer, SystemRootSystem32DriversEtc is where you find this file. Using Hosts is common on networks that aren't using WINS or DNS to resolve host names.

A recent standard for high-speed serial devices, particularly digital video and audio.

Describes the language in which you want to type. Adding an input locale usually adds a corresponding keyboard layout.

A small program that allows users to enter characters written in Asian languages. It contains an engine that translates keystrokes to phonetic and ideographic characters as well as to a dictionary of common ideographic words. An IME makes it possible to enter thousands of different characters using a standard 101-key keyboard.

The series of networks that create a global information resource.

A protocol, required in every implementation of TCP/IP, which helps two nodes share status and error information.

The part of TCP/IP that addresses and forwards packets on a network such as the Internet. IP does not guarantee delivery.

A Novell NetWare protocol that's similar to IP in that it controls packet addressing and routing. Like IP, it doesn't guarantee delivery. It does route between networks.

Novell NetWare transport protocol that's similar to TCP/IP. Windows 2000's implementation of IPX/SPX is through NWLink.

A folder on a disk that points to data in another location on the disk or to another disk. You create junction points by mounting a disk on a folder.

An open, Internet standard protocol for authenticating users and computers. It encrypts passwords instead of sending them as plain text, and improves authentication and authorization performance.

A table that maps keys on the keyboard to the characters you see on the screen. Keyboard layouts accommodate the special characters and symbols that different languages require. Note that with some layouts, the characters you see on the screen might not correlate to the characters printed on the keys.

An industry-standard tunneling protocol based on Layer 2 Forwarding (L2F) and PPTP that does not require IP connectivity between the client and server computers. L2TP does require a packet-oriented, point-to-point connection. L2TP provides the same features as PPTP, but you can use it over ATM, Frame Relay, and X.25.

A text file that translates the names of computers outside the current subnet to IP addresses. The text file is in SystemRootSystem32DriversEtc on the local computer. Using Lmhosts is common on networks that aren't using WINS or DNS to resolve host names.

A group of computers and other devices connected together to share resources.

The computer that you logged on to using the keyboard, as opposed to a remote computer, which you access via a communications device such as a network adapter or modem. Local programs, local users, local groups, and so on refer to those objects that reside physically on the computer you're using.

On computers running Windows 2000 Professional and Windows 2000 Server as a member server, a group that has rights and permissions on the local computer. On computers that participate in a domain, user accounts and global groups in that domain and trusted domains are local groups.

The user profile that Windows 2000 Professional or Windows 2000 Server creates for users the first time they log on to the computer. By default, user profiles are in the Documents and Settings folder.

Script files (usually batch files) that an administrator associates with a user account. The operating system runs the logon script each time the user logs on to the network. Typical uses for a logon script are to configure the environment, map network drives, run programs, and more. No capability exists to assign logon scripts to groups.

A user profile that users can't permanently change. Windows 2000 Professional downloads the profile from the network each time they log on to the domain, but it never updates the network copy of the profile. Members of the Administrators group are the only users that can update mandatory profiles.

The first sector on a disk. The MBR contains the code necessary to start the computer and also contains the partition table, which describes primary and extended partitions on the disk. A disk's MBR is frequently a target of viruses, but the BIOS in most computers allows you to protect it.

A system file on NTFS volumes that contains information about each file and folder. The MFT is always the first file on the volume.

A computer running Windows 2000 Server that is not a domain controller. Member servers, which are usually resource servers, don't have a copy of the directory. Administrators can grant permissions to local and domain users and groups.

Developed by RSA Data Security, Inc., an industry-standard 128-bit hashing algorithm for encrypting authentication data. This one-way scheme transforms data into a unique hash value that can't be transformed back into the original data. CHAP is an authentication protocol that uses MD5 to transmit users' credentials without actually sending their passwords.

A framework that hosts one or more administrative tools, each of which is a console. A console can contain a variety of objects, including utilities, folders, Web pages, and so on. Consoles form a hierarchical structure that is in the left pane of MMC and is called the console tree. MMC has two different modes: In authoring mode, MMC provides features for authoring consoles; in user mode, MMC hides the authoring features and possibly the console itself.

An identical copy of a disk that's kept on a separate disk. If one of the disks fails, you can still access the volume's data on the other disk.

A drive mounted to an empty folder. Instead of assigning a letter to the drive, you can assign a name and then access that drive as part of the path to which you mounted it. You must be a member of the Administrators group to mount a drive on a folder or to assign a letter to it using Disk Management.

A computer that contains two or more network adapters—each of which has a unique IP address—or a computer with a single network card that has multiple IP addresses.

Two or more physical communications links combined to create a single logical link that increases the bandwidth available for remote access. In Windows 2000, Multilink is based on RFC 1990, a standard defined by the Internet Engineering Task Force (IETF). Multilink combines analog, digital, or both types of connections.

The set of unique names within a specific scope. In Microsoft Windows Explorer, the namespace contains the names in the left pane of the window. In Microsoft Management Console (MMC), the namespace is the console tree. In Domain Name System, the structure of the domain name tree is its namespace.

An application programming interface (API) that programs use for low-level services such as managing names, conducting sessions, and sending datagrams between network nodes.

On a network, a node is a computer that's connected to the network. In a Microsoft Management Console, a node is any item in a snap-in's console tree.

Memory that the operating system can't page to disk, ensuring that it's always available.

File system designed for and implemented in Windows NT to provide increased security and other features beyond the standard FAT file system. This is the most secure file system in Windows NT.

Any entity that has an access control list and possibly other attributes. Objects are files, folders, printers, or entities in Active Directory.

The user who owns an object and can grant other users permission to access it. Each object has an owner, which is usually the user who created the object.

An interrupt that the CPU generates when a program tries to read from or write to a virtual memory location that is paged to disk and is thus not present.

Virtual memory that can be paged to disk. Paging is the process of moving less frequently used parts of memory to another storage device, such as a disk, making more memory available to programs that the computer has available physically.

The file to which Windows 2000 writes memory that it pages to disk. The file is hidden. The paging file and the computer's physical memory represent the computer's total virtual memory. The operating system pages less-frequently-used memory to disk to make room for new data, logically providing more memory than is actually installed on the computer. Another more common name for a paging file is a swap file.

A rule that defines which users can access an object and exactly what they can do with it. Permissions apply to objects, as opposed to rights, which apply to the computer as a whole.

A set of industry-standard framing and authentication protocols, part of Windows 2000 remote access, which ensures interoperability with other remote access software. PPP negotiates configuration parameters for networking protocols such as TCP/IP, IPX, and AppleTalk. Point-to-Point Protocol is also called PPP.

An industry-standard tunneling protocol that enables users to create a private, secure network connection through public, unsecure network connections such as the Internet. PPTP can tunnel IP, IPX, or NetBEUI inside IP packets.

The feature that administrators use to automatically configure client computers when users log on to the network. With Windows 2000, policy refers to Group Policy or a setting in a Group Policy object; with Windows NT 4.0, it refers to policies set using System Policy Editor.

One of the two keys used with public key encryption. The private key is secret and is used to decrypt data that's encrypted with the public key or to digitally sign data. The public key verifies data signed with the public key.

A number that uniquely identifies a process as it runs. You can view each process' process identifiers (PIDs) in Task Manager.

Public key cryptographic standards that include certificate request syntax, cryptographic message syntax, Diffie-Hellman key agreement, extended-syntax, password-based encryption, private key information syntax, and RSA encryption. RSA Data Security, Inc. owns and maintains PKCS.

One of the two keys used with public key encryption. The public key is nonsecret and is used to encrypt data that the only the private key can decrypt. It can also verify data that's digitally signed by the private key.

An administrator who can recover data that's encrypted by Encrypting File System (EFS). The recovery agent uses a public key certificate.

A command-line interface that provides limited access to the computer without actually starting Windows 2000. Recovery Console provides a limited number of commands and provides limited access to the file system. Administrators can use it to start and stop services, read and write data in SystemRoot, repair the master boot record (MBR), format drives, and more. Start Recovery Console from the setup disks or by running setup with the /cmdcons command-line option.

The maximum size of the registry. Setting a cap on the size of the registry prevents applications from using up the paged pool with registry data. Adjust the registry size limit by double-clicking the System icon in Control Panel and then clicking Performance Options on the Advanced tab.

A mechanism that allows distributed applications to call services on other computers on the network. Registry Editor and other remote administration tools use RPC.

Documents created by the Internet Engineering Task Force (IETF) that define protocols such as TCP/IP and PPP. IETF identifies RFCs by number. For example, RFC 2284 defines Extensible Authentication Protocol (EAP). You can obtain any RFC from the RFC Web site, http://www.rfc-editor.org.

A user profile that's stored on a server and downloaded to the local computer when the user logs on to the computer. Windows 2000 Professional updates the network copy of the profile when the user logs off the computer. Roaming user profiles are available on any computer running Windows 2000 Professional or Windows 2000 Server when the user logs on to the domain containing the profile. If the local user profile is more current than the network copy, the operating system uses the local user profile instead.

Also called shared secret encryption or symmetric encryption, an encryption algorithm that uses the same secret key to encrypt and decrypt data. Symmetric encryption is faster than asymmetric encryption and is thus frequently used to encrypt large amounts of data.

A 160-bit, one-way hashing scheme that's used to create digital signatures with the Digital Signature Standard's (DSS's) Digital Signature Algorithm (DSA).

A protocol for sending secure e-mail over the Internet. Both the clients must support S/MIME.

A protocol that uses public and secret key tech-nologies to create secure network connections. SSL is common on the Internet.

A unique number that looks similar to S-1-5-21-553393301-1521681255-927750060-1004, plus or minus a few digits; and uniquely identifies a user, group, or computer account. Every account has a unique SID; although the name of the account might change, the SID never changes. Internally, Windows 2000 Professional and Windows 2000 Server refer to an account by its SID and never by its name.

A volume on a dynamic disk that consists of space allocated on a single disk. The space can be contiguous or can contain multiple discontinuous regions that are linked together. You can extend a simple volume on the disk, or you can extend a simple volume onto another disk, creating a spanned volume. You can mirror simple volumes, but they are not fault-tolerant.

A mechanism that allows users with a domain user account to log on to the network one time and access any computer in the domain. Users can log on with a password or a smart card.

Defines a bus standard by which multiple devices can be connected to a computer.

A device that looks similar to a credit or debit card that securely stores public and private keys, passwords, and other personal information. A Smart card requires a smart card reader attached to the computer and a PIN number that unlocks the data on the card. Windows 2000 supports single sign-on with smart cards.

A tool that you can add to a Microsoft Management Console (MMC) console. Add stand-alone snap-ins by themselves. You can only add extension snap-ins to extend the capabilities of other snap-ins.

A volume on a dynamic disk that uses space on more than one physical disk. You can further extend a spanned volume at any time. Spanned volumes are not fault-tolerant and you can't mirror them.

Custom permissions that you define by selecting individual parts that make up the standard permissions. For example, Read Attributes is a permission that's automatically selected when you select Read & Execute permission.

Also known as the Blue Screen of Death (BSOD), a significant error that causes Windows 2000 Professional and Windows 2000 Server to stop rather than continuing and causing data loss. STOP errors are characterized by the white text on a blue background.

A volume on a dynamic disk that stripes data onto two or more physical disks. The operating system alternates data evenly between each disk. Striped volumes are not fault-tolerant, and you can't mirror or extend them. The primary benefit of striped volumes is that they improve disk performance.

Any key in the registry that's contained within another key. Subkey is also the common term for a path in the registry.

An encryption algorithm that uses a shared secret for encryption and decryption. Other names for symmetric encryption are secret key and shared secret encryption.

Contains access control entries that defines which events the operating system will audit and for which users and groups.

The drive on which you installed Windows 2000 Professional. The default is C. This book uses SystemDrive to represent this drive. Windows 2000 Professional and Windows 2000 Server define this as an environment variable that you can expand in scripts and other places using %SYSTEMDRIVE%.

The folder in which you installed Windows 2000 Professional. The default is C:Winnt. This book uses SystemRoot to represent this folder. Windows 2000 Professional and Windows 2000 Server define this as an environment variable that you can expand in scripts and other places using %SYSTEMROOT%.

The partition that contains the files, such as the boot loader, required to start the computer and load Windows 2000 Professional. Although the system and boot partitions are often the same, they don't have to be.

The volume on a dynamic disk that contains the files, including the boot loader, required to start the computer and load Windows 2000 Professional. The system and boot volumes are often the same, but that is not a requirement.

A directory shared on the server that contains the domain's public files. SYSVOL is replicated across all domain controllers in the domain.

The protocol suite used on the Internet. TCP/IP defines how to connect networks and route traffic to and through them.

A relationship between two domains, in which one domain trusts another's authentications. The first is the trusting domain and the second is the trusted domain. You can give accounts on a trusted domain rights and permissions on the trusting domain, even though the accounts don't exist on the latter.

A standard for a 16-bit, character-encoding scheme that uses two bytes to represent each character. Unicode can represent almost all written languages because 65,536 character codes are available. Currently, 39,000 character codes have been used, with about 21,000 of them used for Chinese ideographs. Unicode was developed by the Unicode Consortium and is the character-encoding scheme used by Windows 2000 Professional and Windows 2000 Server.

The fully-qualified name of any resource on a network. The format of a UNC name is \servernamesharename directoryfilename. Servername is the name of the server sharing the resource, sharename is the name of the share, directory is an optional path, and filename is an optional file name. UNC allows users to access network resources without physically mapping them to drive letters.

A recent hardware standard for a bus that supports Plug and Play and allows users to connect up to 127 devices to a single USB port. USB makes up for a flaw in the PC-compatible architecture that limits the number of devices users can install in a computer due to the finite resources available.

A record that defines a user. Each user account includes the user's name, password, group membership, rights, and permissions. On Windows 2000 Professional and Windows 2000 Server member servers, administrators manage user accounts with Local Users and Groups. On Windows 2000 Server domain controllers, administrators manage user accounts with Active Directory Users and Computers.

The folders and files that define a user's environment. A user's profile includes their settings and a variety of application files, and stores their documents and Internet shortcuts.

Tasks that users can perform on a computer or on a domain. Rights apply to the computer as a whole and not to individual objects. They include backing up files and folders, logging on to the computer locally, and profiling the computer's performance. You can assign rights to individual users or groups of users.

The folder under SystemDriveDocuments and Settings that contains the current user's profile.

A value contained within a subkey in the registry. Values have names, types, and data. Values are commonly called value entries.

Available memory as it appears to the operating system and to programs. Virtual memory is the computer's physical memory combined with the temporary storage to which the operating system swaps out less less-frequently-used memory, the paging file. A computer with four gigabytes of virtual memory might only have only 128 megabytes of physical memory, with the remaining memory stored in a paging file.

A secured connection to a private network through unsecured public networks. VPNs provide remote access to private networks through the Internet.

Any part of a physical disk that appears logically as a separate disk. In Windows 2000 Professional, each volume has its own drive letter.

A program that displays information about the tasks and processes running on the computer and high-level information about the computer's performance. Using Windows Task Manager, you can end processes, create and end new tasks, and observe real-time information about the computer's performance. To open Windows Task Manager, press Ctrl+Shift+Esc.

A group of users who work on a common project or in the same department, and who share resources with each other. Each computer in a workgroup is responsible for providing its own security, as opposed to a domain in which a domain server provides security.