Glossary: Windows NT and Windows 2000

SekChek


Accounts Policy

The policy settings that set defaults for accounts on Windows Workstations, Servers and Domain Controllers. The default settings address password controls and intruder lockout controls.


Active Directory (Windows 200X)

The Active Directory allows a single point of administration for all published resources, which can include files, peripheral devices, host connections, databases, Web access, users, services and other arbitrary objects.

It uses the Internet Domain Name Service (DNS) as its locator service, organizes objects in domains into a hierarchy of organizational units (OUs), and allows multiple domains to be connected into a tree structure.

Administration is further simplified because there is no notion of a primary domain controller (PDC) or backup domain controller (BDC) as in Windows NT. The Active Directory uses domain controllers (DCs) only, and all DCs are peers. An administrator can make changes to any DC, and the updates will be replicated on all other DCs.


Audit Policy

Selected activities of users and the system can be tracked by auditing security and other events and recording them as entries in the computer's logs. The Audit Policy settings determine which types of events are logged for the computer.


Backup Domain Controller (Windows NT)

A Backup Domain Controller (BDC) is a computer running Windows NT Server that receives a copy of the domain's security database containing account and security policy information for the domain. The copy is synchronised periodically and automatically with the master copy on the primary domain controller (PDC).

BDCs also authenticate user logons and can be promoted to function as PDCs as needed. Multiple BDCs can exist in a domain. BDCs provide resilience and add to the effectiveness of the logon process, especially in networks where servers and users are geographically dispersed.


BDC

See 'Backup Domain Controller'.


Domain

A domain is a collection of computers defined by the administrator of a Windows Server network that share a common account database and security policy. A domain provides access to the centralised user accounts and group accounts maintained by the domain administrator. Each domain has a unique name.


Domain Controller

For Windows NT, see 'Primary Domain Controller' and 'Backup Domain Controller'.

A Domain Controller (DC), in a Windows 200X domain, is a computer running Windows 200X Server and Active Directory that authenticates domain logons and maintains the security database for a domain.

The DC tracks changes made to accounts, groups, policy and trust relationships in a domain. A Windows 200X domain can have more than one DC. For most management functions all DCs in a Windows 200X domain are equal and information is replicated between DCs.


Domain Trust

A trust relationship is a link between two Windows domains. Trusted Domains are domains that the current domain trusts to use its resources. Trust relationships can only be established between Windows domains.

Trusting domains allow their resources to be used by accounts in trusted domains.

Trusted domain users and selected types of groups can hold rights, resource permissions, and group memberships on the trusting domain.

Trust relationships allow users to access resources on the trusting domain using a single user account and a single password. The trusting domain relies on the trusted domain to verify the userid and password of users logging on with accounts from the trusted domain.


Drivers

See 'Services'.


Global Group (Windows NT)

For Windows NT Servers that are Primary or Backup Domain Controllers, a group that can be used in its own domain, member servers, workstations of the domain and trusting domains.

A global group can be granted rights and permissions in the above areas and can be a member of local groups, thus acquiring their rights. However, it can only contain individual user accounts from its own domain. Groups (local or global) cannot be members of global groups. User accounts must belong to at least one global group (their primary group).

Global groups provide a way to group together users with similar access requirements inside the domain. They are available for use both in and out of the domain.

Global groups cannot be created or maintained on Windows NT Workstations or Windows NT Servers that are not Primary or Backup Domain Controllers. However, for Windows NT Workstation or NT Server computers that participate in a domain, domain global groups can be granted rights and permissions at those workstations or servers, and can be members of local groups at those workstations or servers.


Global Group (Windows 200X)

For Windows 200X Servers that are Domain Controllers, a group that can be used in its own domain, member servers, workstations of the domain and trusting domains.

Groups with global scope can have as their members groups and accounts only from the domain in which the group is defined and can be granted permissions in any domain in a domain tree or forest.

In native-mode Windows 200X domains, Global Groups can have, as their members, accounts from the same domain and global groups from the same domain.

In mixed-mode Windows 200X domains, Global Groups can have, as their members, accounts from the same domain but cannot have groups as members.

Global groups cannot be created or maintained on Windows Workstations or Servers that are not Domain Controllers. However, for Windows Workstation or Server computers that participate in a domain, domain global groups can be granted rights and permissions at those workstations or servers, and can be members of local groups at those workstations or servers.


Local Group (Windows 200X)

Groups with domain local scope can have as their members groups and accounts from Windows 200X or Windows NT domains and can be used to grant permissions only within a domain.

In native-mode Windows 200X domains, Local Groups can have accounts, global groups, and universal groups from any domain, as well as local groups from the same domain, as members.

In mixed-mode Windows 200X domains, Local Groups can have accounts and global groups from any domain as members but cannot have local groups as members.

Groups with domain local scope are typically used to define and manage access to resources within a single domain.

For Windows NT/2000/XP Workstations and Windows NT/200X Servers that are not Domain Controllers, a local group can be granted permissions and rights for the workstation or server only. However, a local group can contain its own user accounts and, if the workstation or server belongs to a domain, user accounts and global groups (not local groups) both from the domain and trusted domains.


Member Server

A computer that runs Windows NT or Windows 200X Server but is not a Windows 200X domain controller or a primary domain controller (PDC) or backup domain controller (BDC) of a Windows NT domain. Member servers do not receive copies of the security database. See also PDC, BDC and Domain Controller.


Mixed Mode Domain (Windows 200X)

The default mode setting for domains on Windows 200X domain controllers. Mixed mode allows Windows 200X domain controllers and Windows NT backup domain controllers to co-exist in a domain.

Mixed mode does not support the universal and nested group enhancements of Windows 200X. You can change the domain mode setting to Windows 200X native mode after all Windows NT domain controllers are either removed from the domain or upgraded to Windows 200X. See also native mode domain.


Native Mode Domain (Windows 200X)

The condition in which all domain controllers within a domain are Windows 200X domain controllers and an administrator has enabled native mode operation (through Active Directory Users and Computers). See also mixed mode domain.


PDC

See 'Primary Domain Controller'.


Primary Domain Controller (Windows NT)

The Primary Domain Controller (PDC), in a Windows NT Server domain, is the computer running Windows NT Server that authenticates domain logons and maintains the security database for a domain. The PDC tracks changes made to accounts, groups, policy and trust relationships in a domain. It is the only computer to receive these changes directly. A domain has only one PDC.


RAS

RAS (Remote Access Service) allows users to access the system or domain remotely via modems, ISDN etc.


Registry

The Windows NT registry is a central database repository for information about a computer's configuration, such as hardware, software and user accounts. It is organized in a hierarchical structure and consists of subtrees and their keys, hives, and value entries.


SEK2KF.SCK

The filename given by SekChek to the set of compressed Scan files extracted from an Active Directory domain that have been encrypted using SekChek's 'Public Key Encryption'. SCK files are encrypted with SekChek's Public Key using industry-standard algorithms, such as RSA and 3-DES. They can only be decrypted at SekChek's premises with the corresponding non-exportable Private Key.

SCK files are created when the 'Public Key Encryption' option is enabled in the SekChek Client software on your PC. This is the recommended option.


SEK2KF.ZIP

The filename given by SekChek to the set of compressed and encrypted Scan files extracted from an Active Directory domain.

For improved security, we recommend that you encrypt this file using SekChek's 'Public Key Encryption'. Refer to the definition of SEK2KF.SCK files for more information.


SEKWIR.SDE

The filename given by SekChek to the set of compressed and encrypted files containing your SekChek reports. SDE files are symmetrically encrypted with industry-standard algorithms, such as DES.


SEKNTF.SCK

The filename given by SekChek to the set of compressed Scan files extracted from a Windows server that have been encrypted using SekChek's 'Public Key Encryption'. SCK files are encrypted with SekChek's Public Key using industry-standard algorithms, such as RSA and 3-DES. They can only be decrypted at SekChek's premises with the corresponding non-exportable Private Key.

SCK files are created when the 'Public Key Encryption' option is enabled in the SekChek Client software on your PC. This is the recommended option.


SEKNTF.ZIP

The filename given by SekChek to the set of compressed and encrypted Scan files extracted from a Windows server.

For improved security, we recommend that you encrypt this file using SekChek's 'Public Key Encryption'. Refer to the definition of SEKNTF.SCK files for more information.


Server

In general, refers to a computer that provides shared resources to network users. See also 'Member Server'.


Services

A service is an executable object that is installed in a registry database maintained by the Service Control Manager. The executable file associated with a service can be started at boot time by a boot program or by the system, or the Service Control Manager can start it on demand. The two types of service are Win32 services and driver services.

A Win32 service is a service that conforms to the interface rules of the Service Control Manager. This enables the Service Control Manager to start the service at system start-up or on demand and enables communication between the service and service control programs. A Win32 service can execute in its own process, or it can share a process with other Win32 services.

A driver service is a service that follows the device driver protocols for Windows rather than using the Service Control Manager interface.


Shares

A share is a folder or printer resource on the local system that is accessible from a remote machine on the network.

Once a resource is shared, you can restrict its availability over the network to certain users. These restrictions, called share permissions, can vary from user to user.


Trusted Domain

See 'Domain Trust'.


Trusting Domain

See 'Domain Trust'.


Universal Group (Windows 200X)

Groups with universal scope can have as members groups and accounts from any Windows 2000/2003/2008 domain in the domain tree or forest and can be granted permissions in any domain in the domain tree or forest.

In native-mode Windows 2000/2003/2008 domains, Universal Groups can have, as their members, accounts from any domain, global groups from any domain and universal groups from any domain.

In mixed-mode Windows 2000/2003/2008 domains, groups with universal scope cannot be created.

Groups with universal scope can be used to consolidate groups that span domains. For example, global groups from different domains can be nested in universal groups. Using this strategy, any membership changes in the groups having global scope do not affect the group with universal scope.


User Rights

User rights define a user's access to a computer or domain and the actions that the user can perform on it. User rights permit actions such as logging on to a computer or network, or adding and deleting users on a workstation or in a domain.


Workgroup

A workgroup is a collection of computers that are grouped for browsing purposes and sharing of resources. Each workgroup is identified by a unique name. A workgroup is not a domain and does not have centralised user accounts or a common security policy. Each computer in the workgroup maintains its own set of accounts, groups and security policy.


Workstation

Any networked PC using server resources. See also 'Member Server', 'Domain Controller', 'Primary Domain Controller' and 'Backup Domain Controller'.