1.3 Glossary

This document uses the following terms:

Active Directory: The Windows implementation of a general-purpose directory service, which uses LDAP as its primary access protocol. Active Directory stores information about a variety of objects in the network such as user accounts, computer accounts, groups, and all related credential information used by Kerberos [MS-KILE]. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which are both described in [MS-ADOD]: Active Directory Protocols Overview.

authentication: The ability of one entity to determine the identity of another entity.

authorization: The secure computation of roles and accesses granted to an identity.

data link protocols: Often called Layer Two protocols, data link protocols exist in the protocol layer just above the physical layer relative to the OSI protocol model. Data link protocols provide communication between two devices. Because there are many different ways to connect devices, there are many different data link protocols. Examples of data link protocols include PPP [2716], PPTP [MS-PTPT], IEEE 802 [IEEE802.1X], Wi-Fi, and IPsec.

DIAMETER: An authentication, authorization, and accounting (AAA) protocol for computer networks and an alternative to RADIUS. The Diameter Base Protocol [RFC3588] defines the minimum requirements for an AAA protocol.

domain controller (DC): The service, running on a server, that implements Active Directory, or the server hosting this service. The service hosts the data store for objects and interoperates with other DCs to ensure that a local change to an object replicates correctly across all DCs. When Active Directory is operating as Active Directory Domain Services (AD DS), the DC contains full NC replicas of the configuration naming context (config NC), schema naming context (schema NC), and one of the domain NCs in its forest. If the AD DS DC is a global catalog server (GC server), it contains partial NC replicas of the remaining domain NCs in its forest. For more information, see [MS-AUTHSOD] section and [MS-ADTS]. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), several AD LDS DCs can run on one server. When Active Directory is operating as AD DS, only one AD DS DC can run on one server. However, several AD LDS DCs can coexist with one AD DS DC on one server. The AD LDS DC contains full NC replicas of the config NC and the schema NC in its forest. The domain controller is the server side of Authentication Protocol Domain Support [MS-APDS].

Dynamic Host Configuration Protocol (DHCP): A protocol that provides a framework for passing configuration information to hosts on a TCP/IP network, as described in [RFC2131].

end-to-end: A transport mechanism where application-specific functions reside on the end nodes or hosts of a network rather than in intermediary nodes, provided that the functions can be implemented completely and correctly in the end hosts.

Group Policy: A mechanism that allows the implementer to specify managed configurations for users and computers in an Active Directory service environment.

Group Policy server: A server holding a database of Group Policy Objects (GPOs) that can be retrieved by other machines. The Group Policy server must be a domain controller (DC).

health state: An abstract notion of the state of a machine that is used to indicate its compliance with network policies. Some examples of such state would include the state of the firewall on the machine, the version of the virus signature files for an antivirus application, and so on.

hop-by-hop: A transport mechanism in which chunks of data are forwarded from node to node in a network by using a store-and-forward manner involving a source node, destination node, and intermediate nodes. Hop-by-hop transport enables data to be forwarded even when the path between the source and destination nodes is not permanently connected during communication.

Internet Protocol security (IPsec): A framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

Internet Protocol version 4 (IPv4): An Internet protocol that has 32-bit source and destination addresses. IPv4 is the predecessor of IPv6.

NAP client: A computer capable of examining and reporting on its health, and requesting for and using network resources. The NAP client is the set of NAP components installed and running on a Windows client. The NAP client is responsible for executing NAP-related operations on the client side. The NAP client is also responsible for collecting health information on the client, composing the health information into an SoH [TNC-IF-TNCCSPBSoH], and sending the SoH to a NEP.

NAP data link protocol: A NAP-capable protocol that transports NAP information between the NAP client and the NAP enforcement point (NEP). These protocols include [MS-DHCPN], [MS-HCEP], and [MS-TSGU].

NAP enforcement point (NEP): A computer acting as a server that enforces Network Access Protection. Examples of NEPs are VPN Servers, DHCP Servers, Remote Desktop gateways, 802.1x Routers, and Health Registration Authority Servers.

NAP health policy server (NPS): A computer acting as a server that stores health requirement policies and provides health state validation for NAP clients.

network access server (NAS): A computer server that provides an access service for a user who is trying to access a network. A NAS operates as a client of RADIUS. The RADIUS client is responsible for passing user information to designated RADIUS servers and then acting on the response returned by the RADIUS server. Examples of a NAS include: a VPN server, Wireless Access Point, 802.1x-enabled switch, or Network Access Protection (NAP) server.

policy decision point (PDP): The point where policy decisions are made. In the case of NAP, this is the NAP health policy server [RFC2753].

policy enforcement point (PEP): The point where the policy decisions are actually enforced. [RFC2753].

remediation: The act of bringing a non-compliant computer into a compliant state.

remediation server: A server that is responsible for bringing a noncompliant computer back into a compliant state.

Remote Authentication Dial-In User Service (RADIUS): A protocol for carrying authentication, authorization, and configuration information between a network access server (NAS) that prefers to authenticate connection requests from endpoints and a shared server that performs authentication, authorization, and accounting.

Remote Desktop Gateway client (RDG client): A client that facilitates the access of authorized users of remote computers on the private network accessible via the Internet, using Remote Desktop Gateway Server Protocol [MS-TSGU].

restricted network: A network on which noncompliant systems are placed, which prevents their access to compliant systems. The restricted network can contain remediation servers so that noncompliant clients can update their configurations to comply with system health requirements.

SHV: See system health validator (SHV).

statement of health (SoH): A collection of data generated by a system health entity, as specified in [TNC-IF-TNCCSPBSoH], which defines the health state of a machine. The data is interpreted by a Health Policy Server, which determines whether the machine is healthy or unhealthy according to the policies defined by an administrator.

statement of health response (SoHR): A collection of data that represents the evaluation of the statement of health (SoH) according to network policies, as specified in [TNC-IF-TNCCSPBSoH].

system health agent (SHA): The client components that make declarations on a specific aspect of the client health state and generate a statement of health ReportEntry (SoH ReportEntry).

system health validator (SHV): The server counterpart to the system health agent (SHA), which is responsible for verifying the declarations of client health state made by the respective SHA. The SHV generates a statement of health response ReportEntry (SoHR ReportEntry).

VPN server: A server that makes remote resources of another network available in a secure way.

Windows Security Health Agent (WSHA): A utility that reports the system security health state (Windows Security Center) to the Windows Security Health Validator (WSHV), as specified in [MS-WSH].

Windows Security Health Validator (WSHV): A utility that responds to the report received from the Windows Security Health Agent (WSHA). If the status that is reported by the WSHA does not comply with the defined security health policy, the response from the WSHV includes quarantine and remediation instructions as specified in [MS-WSH].