Mod 11: Managing and Securing Windows Networks
802.1X Wired
802.1X technology that is used to protect access to Ethernet network switches that support it.
starter GPO
A GPO used to configure settings held under Administrative Templates.
Microsoft Update
A Microsoft service for the Windows family of operating systems, which automates downloading and installing Microsoft Windows software updates over the Internet.
Windows Update
A Microsoft service for the Windows family of operating systems, which automates downloading and installing Microsoft Windows software updates over the Internet.
Update Services tool
A Microsoft tool that assists IT administrators in the effective management of the download and distribution of updates, patches, and hot-fixes released for Microsoft software products to Windows Server operating systems in their network through the use of automation and continuous analyses.
Group Policy Results Wizard
A Microsoft tool that can provide valuable insight into Group Policy processing and application problems.
Certification Authority tool
A Microsoft tool used to manage an enterprise CA on a Windows Server 2019 system.
enterprise CA
A Windows Server 2019 system used to issue certificates automatically to users and computers using certificate templates and Group Policy.
core isolation
A Windows security feature that provides added protection against malware and other attacks by isolating computer processes from your operating system and device.
Group Policy Management Editor
A built-in Windows administration tool that enables administrators to manage Group Policy in an Active Directory forest and obtain data for troubleshooting Group Policy.
certificate template
A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.
Group Policy preferences
A collection of Group Policy client-side extensions that deliver preference settings to domain-joined computers running Microsoft Windows desktop and server operating systems. Preference settings are administrative configuration choices deployed to desktops and servers.
Group Policy Object (GPO)
A collection of settings systems administrators create with the Microsoft Management Console (MMC) Group Policy Editor. The GPO can be associated with one or more of the Active Directory containers, such as sites, domains, or organizational units (OUs).
Windows Internal Database (WID)
A database used by Windows Server Update Services (WSUS). It is used to store information about each software update, such as the computers that have successfully installed it.
wireless router
A device that performs the functions of a router and includes the functions of a wireless access point. It is used to provide access to the Internet or a private computer network. Depending on the manufacturer and model, it can function in a wired local area network, in a wireless-only LAN, or in a mixed wired and wireless network.
checksum
A digit representing the sum of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data.
memory integrity
A feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the injection and execution of malicious or unverified code.
firewall profile
A firewall profile is a way of grouping settings, such as firewall rules and connection security rules that are applied to the computer depending on where the computer is connected.
CA hierarchy
A hierarchy that typically has a root CA at the top level under which you have one or more intermediate CAs. (Intermediate CAs are also referred to as policy or subordinate CAs.) Beneath each intermediate CA is one or more issuing CAs.
Certificate Revocation List (CRL)
A list of digital certificates that have been revoked by the issuing certificate authority before their scheduled expiration date and should no longer be trusted.
wireless access point (WAP)
A networking hardware device that allows other Wi-Fi devices to connect to a wired network. The AP usually connects to a router as a standalone device, but it can also be an integral component of the router itself.
update
A piece of software that remedies a problem in an application.
digital signature
A process that guarantees that the contents of a message have not been altered in transit. When you, the server, digitally sign a document, you add a one-way hash (encryption) of the message content using your public and private key pair.
enrollment
A process that sends public keys to a trusted third-party computer called a Certification Authority (CA) for endorsement before they are used for secure technologies, such as HTTPS. The process is generally performed immediately after a public/private key pair has been generated.
Wi-Fi Protected Access III (WPA3)
A replacement for WPA2. The new standard uses an equivalent 192-bit cryptographic strength in WPA3-Enterprise mode, and still mandates the use of CCMP-128 as the minimum encryption algorithm in WPA3-personal mode. The WPA3 standard also replaces the Pre-Shared Key exchange with Simultaneous Authentication of Equals as defined in IEEE 802.11-2016, resulting in a more secure initial key exchange in personal mode and forward secrecy. The Wi-Fi Alliance also claims that WPA3 will mitigate security issues posed by weak passwords and simplify the process of setting up devices with no display interface. Protection of management frames as specified in the IEEE 802.11w amendment is also enforced by the WPA3 specifications.
public key infrastructure (PKI)
A set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
Windows Installer
A software component and application programming interface of Microsoft Windows used for the installation, maintenance, and removal of software.
public key certificate
A system of processes, technologies, and policies that allows you to encrypt and sign data. You can issue digital certificates that authenticate the identity of users, devices, or services. See certificate.
public CA
A third-party entity that issues certificates for a fee after doing the necessary checks on the organization requesting a certificate.
Windows Server Update Services (WSUS)
A tool previously known as Software Update Services. It is a computer program and network service developed by Microsoft Corporation that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment.
Protected Extensible Authentication Protocol (PEAP)
A version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. PEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control.
Group Policy Management
A way to configure GPOs and provide organizational security.
wireless LAN (WLAN)
A wireless computer network that links two or more devices using wireless communication to form a local area network (LAN) within a limited area such as a home, school, computer laboratory, campus, or office building.
Password Settings Object (PSO)
An Active Directory object. This object contains all password settings that you can find in the Default Domain Policy GPO (password history, complexity, length, etc.). A PSO can be applied to users or groups.
Online Certificate Status Protocol (OCSP)
An Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track.
Microsoft Defender
An anti-malware component of Microsoft Windows.
Windows Defender
An anti-malware component of Microsoft Windows.
man-in-the-middle attack
An attack that occurs when an attacker intercepts communications between two parties either to secretly eavesdrop or modify traffic traveling between the two. Attackers might use man-in-the-middle attack attacks to steal login credentials or personal information, spy on the victim, or sabotage communications or corrupt data.
Certification Authority (CA)
An entity that issues digital certificates.
Windows Defender Firewall with Advanced Security
An important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.
commercial CA
Another name for a public CA.
controlled folder access
Controlled folder access is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It is especially useful in helping to protect your documents and information from ransomware that can attempt to encrypt your files and hold them hostage.
firewall rule
Firewall rules control how the firewall protects your computer from malicious programs and unauthorized access.
Certificate Templates Console
Microsoft tool used to manage certificates and configure certificate templates.
subordinate CA
One of the CAs that lives between the root and end entity certificates. Their main purpose is to define and authorize the types of certificates that can be requested from the root CA.
connection security rule
Rule that automatically encrypts IP traffic on the network using IPSec.
certificate
Short for public key certificate. A system of processes, technologies, and policies that allows you to encrypt and sign data. You can issue digital certificates that authenticate the identity of users, devices, or services.
802.1X Wireless
Technology where a RADIUS server is used to randomly generate symmetric encryption keys for each mobile client.
administrative template file
Template file that is used by Group Policies to describe where registry-based policy settings are stored in the registry.
WMI filter
The WMI filter is a separate object from the GPO in the directory. A WMI filter consists of one or more queries, and if all queries evaluate to true then the GPO linked to the filter will be applied.
Wi-Fi Protected Access (WPA)
The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP pending the availability of the full IEEE 802.11i standard. WPA could be implemented through firmware upgrades on wireless network interface cards designed for WEP that began shipping as far back as 1999. However, since the changes required in the wireless access points (APs) were more extensive than those needed on the network cards, most pre-2003 APs could not be upgraded to support WPA. The WPA protocol implements much of the IEEE 802.11i standard.
trusted root
The location of the CA's public key.
auto-enrollment
The process of configuring a Windows Server 2019 system as an enterprise CA in your organization that can be used to issue certificates automatically to users and computers using certificate templates and Group Policy.
synchronization
The process of regularly downloading updates from Microsoft Update for each software product that you have in your organization, as well as distributing them to the computers in your organization.
Active Directory Certificate Services
The server role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for an organization.
root CA
The topmost Certificate Authority (CA) in a Certificate Authority (CA) hierarchy.
hash
The transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. The digital signature in a certificate is a hash of the public key that is encrypted using the private key of the CA.
Wi-Fi Protected Access II (WPA2)
WPA2 replaced WPA. WPA2, which requires testing and certification by the Wi-Fi Alliance, implements the mandatory elements of IEEE 802.11i. In particular, it includes mandatory support for CCMP, an AES-based encryption mode. Certification began in September 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.
