P

pack: See disk group.

PackageRegistration object: An Active Directory directory service container that represents a software installation extension setting. The container is an object of class groupPolicyContainer, as specified in [MS-ADSC] section 2.56.

packet marking: The act of filling out a special value, such as a differentiated services code point (DSCP) value, on individual packets, as specified in [RFC2474].

padding: Bytes that are inserted in a data stream to maintain alignment of the protocol requests on natural boundaries.

page description language (PDL): The language for describing the layout and contents of a printed page. Common examples are PostScript and Printer Control Language (PCL).

page file or paging file: A file that is used by operating systems for managing virtual memory.

parent GUID: The GUID of the parent folder that contains a particular file or folder in the replica tree.

parent object: An object is either the root of a tree of objects or has a parent. If two objects have the same parent, they must have different values in their relative distinguished names (RDNs). See also, object.

partial attribute set (PAS): The subset of attributes that replicate to partial naming context (NC) replicas. Also, the particular partial attribute set that is part of the state of a forest and that is used to control the attributes that replicate to global catalog (GC) servers.

partial database synchronization: A mechanism for synchronizing a set of database records on a particular replication partner.

partial replica: A naming context (NC) replica that contains a schema-specified subset of attributes for the objects it contains. A partial replica is not writable as it does not accept originating updates.

partition: (1) In the context of hard disks, a logical region of a hard disk. A hard disk may be subdivided into one or more partitions.

(2) In the context of directory services, a synonym for directory partition and naming context (NC) replica.

partition table: An area of a disk that is used to store metadata information about the partitions on the disk. See also, GUID partitioning table (GPT).

partition type: A value indicating the partition's intended use, or indicating the type of file system on the partition. For example, partition type 0x07 indicates that the partition is formatted with the NTFS file system. Original equipment manufacturers may designate a partition type of 0x12 to indicate that manufacturer-specific data is stored on the partition.

partner: A computer connected to a local computer through either inbound or outbound connections.

password policy: A set of rules that is designed to enhance computer security by encouraging users to employ strong passwords and use them properly.

path: When referring to a file path on a file system, a hierarchical sequence of folders. When referring to a connection to a storage device, a connection through which a machine can communicate with the storage device.

paused: A service that is not available because it has been placed in a suspended state, usually as a result of explicit administrative action.

PDC: See primary domain controller.

PDU: See protocol data unit.

PDU stream: An ordered sequence of RPC and RPC over HTTP protocol data units.

peak rate: A value in a TSpec that is used to specify an aspect of network traffic behavior, as specified in [RFC2212].

peer: (1) The entity being authenticated by the authenticator.

(2) In DirectPlay, a peer refers to a player within a DirectPlay game session that has an established connection with every other peer in the game session, and which is not performing game session management duties. The participant that is managing the game session is called the host.

peer-to-peer mode: A game-playing mode that consists of multiple peers. Each peer has a connection to all other peers in the DirectPlay game session. If there are N peers in the game session, each peer has N–1 connections.

perfect forward secrecy (PFS): A property of key exchange protocols, which holds when session keys from previous communications are not compromised by the disclosure of longer-term keying material. In the context of Internet Protocol security (IPsec), PFS requires a Diffie-Hellman exchange to generate the keys for each quick mode (QM) security association (SA).

permission X on object Y: An access check where the access type is X and the security descriptor is read from object Y's Lightweight Directory Access Protocol (LDAP) attribute securityDescriptor.

phase: A series of exchanges that provide a particular set of security services (for example, authentication or creation of security associations (SAs)).

phase I authentication set: A collection of settings that specifies how Internet Protocol security (IPsec) performs phase I (or main mode) authentication.

phase I cryptographic set: A collection of settings that specifies how Internet Protocol security (IPsec) performs phase I (or main mode) key exchange.

phase I cryptographic suite: One or more phase I cryptographic suites are associated with a phase I cryptographic set. Each phase I cryptographic suite contains a Diffie-Hellman algorithm, an encryption algorithm, and an integrity algorithm.

phase II authentication method: One or more phase I authentication methods are associated with each phase I authentication set. Each phase I authentication method specifies an authentication credential and in some cases additional information about how the authentication credential is used.

phase II authentication set: A collection of settings that specifies how Internet Protocol security (IPsec) performs AuthIP extended mode authentication.

phase II cryptographic set: A collection of settings that specifies how Internet Protocol security (IPsec) performs phase II (or quick mode) data protection.

phase II cryptographic suite: One or more phase II cryptographic suites are associated with each phase II cryptographic set. Each phase II cryptographic suite contains a protocol specifying how the packet is modified by Internet Protocol security (IPsec), an encryption algorithm, an integrity algorithm, and information about how frequently to regenerate the keys used to protect the data.

Phase One: The initial phase of a two-phase commit sequence. During this phase, the participants in the transaction are requested to prepare to be committed. This phase is also known as the "Prepare" phase. At the end of Phase One, the outcome of the transaction is known.

Phase Two: The second phase of a two-phase commit sequence. This phase occurs after the decision to commit or abort is determined. During this phase, the participants in the transaction are ordered to either commit or rollback.

Phase Zero: A phase in distributed transaction processing that is composed of one or more Phase Zero waves. At the beginning of a Phase Zero wave, all Phase Zero participants are notified that the transaction has entered Phase Zero. While the participants process the Phase Zero notification, they can continue to marshal the transaction to new participants. Consequently, participating transaction managers can still accept new enlistments during Phase Zero.

Phase Zero enlistment: An enlistment that indicates that the subordinate participant participates in Phase Zero.

Phase Zero participant: A participant with a Phase Zero enlistment.

Phase Zero wave: A discrete stage inside Phase Zero processing in which Phase Zero notifications are sent to all known Phase Zero enlistments. New Phase Zero enlistments that appear during a Phase Zero wave are processed during the next Phase Zero wave. The process is repeated until a Phase Zero wave is processed without the creation of new Phase Zero enlistments.

ping: In the Domain Controller (DC) Locator Protocol, a client sends a ping request to a DC to determine its responsiveness. When a client is actively soliciting the attention of a DC, it is said to be pinging the DC.

ping set: A set of DCOM objects on a particular object server in use by a particular client. The set is grouped in order to maintain the lifetimes of object references collectively for the set rather than individually for each object.

ping set identifier (SETID): A 64-bit number that uniquely identifies a ping set within an object server.

pinging: The process by which a client periodically contacts an object server to maintain the lifetime of its references to objects on that object server.

pipe instance: A request to open a named pipe by a client application. Multiple Server Message Block (SMB) clients can open the same named pipe. Each request to open the same named pipe is a pipe instance.

pipe state: A series of attributes that describe how the pipe interacts with processes for various input/output (I/O) operations and that indicate how much data is currently available to be read from the named pipe.

plaintext: In cryptography, ordinary readable text before it is encrypted into ciphertext, or after it has been decrypted.

player: Represents a person that is playing a computer game. There may be multiple players on a computer participating in any given game session. See also, name table.

plex: See volume plex.

policies path: A domain-based Distributed File System (DFS) path for a directory on the server that is accessible through the Server Message Block (SMB) protocol. This path must be of the form \\<dns domain name>\sysvol\<dns domain name>\policies.

policy: (1) The set of rules that govern the interaction between a subject and an object or resource.

(2) A collection of settings that contains global settings, profile settings, firewall rules, and connection security rules. Together these settings specify how the host firewall and Internet Protocol security (IPsec) behave on the client computer.

policy application: The protocol exchange by which a client obtains all of the Group Policy Objects (GPOs), and thus all applicable Group Policy settings, for a particular policy target from the server, as specified in [MS-GPOL]. Policy application can operate in two modes, user policy and computer policy.

policy setting: A statement of the possible behaviors of an element of a domain member computer that can be configured by an administrator.

policy target: A user or computer account for which policy settings can be obtained from a server in the same domain, as specified in [MS-GPOL]. For user policy mode, the policy target is a user account. For computer policy mode, the policy target is a computer account.

PostScript: A page description language developed by Adobe Systems that is primarily used for printing documents on laser printers. It is the standard for desktop publishing.

preauthentication: (1) In Kerberos, preauthentication allows a key distribution center (KDC) to demand that the requestor in the Authentication Service (AS) Exchange demonstrate knowledge of the key associated with the account before the KDC will issue a ticket-granting ticket (TGT) as specified in [RFC4120] sections 5.2.7 and 7.5.2.

(2) In Active Directory Federation Services (AD FS), preauthentication enforces authentication of a user on the edge of a protected network boundary.

PREDEFINED_KEY: Root keys that can be referenced by using well-known names and that conform to the tree structure.

prefix table: A data structure that is used to translate between an object identifier (OID) and a compressed representation for OIDs.

primary disk group: In the context of dynamic disk, it is the disk group whose disks are online, which means they are accessible for input/output (I/O) and configuration. Each machine may have only one primary disk group. Disks on the machine belonging to other disk groups are referred to as "foreign disks" and their disk group is referred to as a "foreign disk group".

primary domain: A domain (identified by a security identifier (SID)) that the server is joined to. For a domain controller (DC), the primary domain is that of the domain itself.

primary domain controller (PDC): A master domain controller (DC) that performs authentication on access requests from workstations and other servers, and that manages information concerning network security and resources.

primary domain controller (PDC) role owner: The domain controller (DC) that hosts the primary domain controller emulator FSMO role for a given domain naming context (NC).

primary language identifier: The lower 10 bits of a language identifier. It identifies the user interface human language supported by an application or client computer without regard to variations such as dialect.

primary partition: A type of partition on a master boot record (MBR)-formatted disk.

principal: (1) An authenticated entity that initiates a message or channel in a distributed system.

(2) An ID of such an entity.

(3) In Kerberos, a Kerberos principal.

principal name: The computer or user name that is maintained and authenticated by the Active Directory directory service.

principal self: A well-known security identifier (SID) used to represent the identity of a security principal when that security principal is also the object that is being protected with a security descriptor. Applicable only to directory objects that are representing security principals, the principal self identifier allows the security descriptor on the directory object to grant specific user rights to the principal itself. As an example, a user object for fred@domain.com might have a security descriptor that allowed principal-self:update-shoe-size. The intent is to allow fred to update his own shoe size. The use of the fixed value SID for principal self prevents every user object from needing a unique security descriptor, thus conserving space in the directory database.

principal's secret key: In Kerberos, a symmetric encryption key shared between an entity and the key distribution center (KDC), with a long lifetime and for the purpose of authentication. A password is a common example of a principal's secret key.

print client: The application or user that is trying to apply an operation on the print system either by printing a job or by managing the data structures or devices maintained by the print system.

printer driver: The interface component between the operating system and the printer device. It is responsible for processing the application data into a page description language (PDL) that can be interpreted by the printer device.

print job: The rendered page description language (PDL) output data sent to a print device for a particular application or user request.

print queue: The logical entity to which jobs may be submitted for a particular print device. Associated with a print queue is a print driver, a user's print configuration in the form of a DEVMODE structure, and a system print configuration stored in the system registry.

print server: A machine that hosts the print system and all its different components.

print system: A system component that is responsible for coordinating and controlling the operation of print queues, print drivers, and print jobs.

Printer Control Language (PCL): A page description language (PDL) developed by Hewlett Packard for its laser and ink-jet printers.

printer form: A preprinted blank paper form, or a print job's virtual representation of this form, that enables a printer to position form elements in their physical location on the page.

private key: One of a pair of keys used in public-key cryptography. The private key is kept secret and is used to decrypt data that has been encrypted with the corresponding public key. For an introduction to this concept, see [CRYPTO] section 1.8 and [IEEE1363] section 3.1.

privilege: (1) The right of a user to perform system-related operations, such as debugging the system. A user's authorization context specifies what privileges are held by that user.

(2) The capability of a security principal to perform a type of operation on a computer system regardless of restrictions placed by discretionary access control.

privilege attribute certificate (PAC): Microsoft-specific authorization data present in the authorization data field of a ticket. The PAC contains several logical components, including group membership data for authorization, alternate credentials for non-Kerberos authentication protocols, and policy control information for supporting interactive logon.

process identifier (PID): A number used by some operating systems (for example, Windows and UNIX) to uniquely identify a process. For more information, see [PROCESS].

product identifier GUID: A unique identifier in the form of a GUID for the application described by a software installation package. Two such packages with the same product identifier GUID describe the same application.

profile: A grouping of settings that is applied based on the network location of connected interfaces on the client computer. Three profiles are supported by Windows Firewall with Advanced Security: domain (used when connected to a corporate environment), private (used when connected to a home or small business behind a gateway device), and public (used when connected to a public hotspot such as a coffee shop or airport).

profile element: A record that corresponds to a single remote procedure call (RPC) interface and that refers to a server entry, group, or profile. For more information, see [C706-Ch2Intro], "Name Service Attributes".

property: A data field within a Common Information Model (CIM) class definition. This consists of a simple name, a type, and a value.

property set: A set of attributes, identified by a GUID. Granting access to a property set grants access to all the attributes in the set.

protected attribute: A sensitive attribute that is not readable outside the Local Security Authority (LSA) running on a domain controller (DC).

protected subsystem: The part of a system that is isolated from the rest of the system such that it cannot be affected by the non-protected parts of the system.

protocol: A set of rules governing the exchange or transmission of data between devices to accomplish a specific task or group of tasks.

protocol data unit (PDU): Information that is delivered as a unit among peer entities of a network and that may contain control information, address information, or data. For more information on remote procedure call (RPC)-specific PDUs, see [C706-Ch12RPC_PDU_Encode].

protocol dialect: A protocol version that is distinct and non-interoperable from other protocol versions from the same group of related protocols.

protocol extension: An addition of new integrated behavior to an existing protocol.

protocol identifier: A numeric value that uniquely identifies an RPC transport protocol when describing a protocol in the context of a protocol tower. For more information, see [C706-AppendixIProtocolID].

protocol role: A class of protocol functionality that is identified as such for the purposes of a specification.

protocol sequence identifier: A numeric value that uniquely identifies an RPC transport protocol when describing a protocol in the context of a protocol tower. For more details, see [C706-AppendixIProtocolID].

protocol state: Information stored by a protocol that affects its behavior.

protocol tower: A protocol sequence along with its related address and protocol-specific information. For more information, see [C706-Ch6RPCCallModel].

protocol type: A special set of standardized rules that the endpoints in a communications connection use when transferring data.

prototype context: A context that is sent as part of an activation request.

proxy: A network node that accepts network traffic originating from one network agent and transmits it to another network agent.

pseudo-random number generator (PRNG): An algorithm that generates values (numbers, bits, and so on) that give the appearance of being random from the point of view of any known test. If initialized with a true random value (called its "seed"), the output of a cryptographically strong PRNG will have the same resistance to guessing as a true random source.

public key: One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a digital certificate. For an introduction to this concept, see [CRYPTO] section 1.8 and [IEEE1363] section 3.1.

public key algorithm: An asymmetric cipher that uses two cryptographic keys: one for encryption, the public key, and the other for decryption, the private key. In signature and verification, the roles are reversed: the public key is used for verification, and the private key is used for signature generation. Examples of public key algorithms are described in various standards, including Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) in FIPS 186-2 (as specified in [FIPS186]) and RSA in PKCS#1 (as specified in [PKCS1]). The National Institute of Standards and Technology (NIST) also published an introduction to public key technology in SP800-32 (as specified in [SP800-32]).

Public Key Cryptography Standards (PKCS): A group of Public Key Cryptography Standards published by RSA Laboratories.

public key infrastructure (PKI): The laws, policies, standards, and software that regulate or manipulate certificates and public and private keys. In practice, it is a system of digital certificates, certification authorities (CAs), and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction. For more information, see [X509] section 6.

public-private key pair: The association of a public key and its corresponding private key when used in cryptography. For an introduction to public-private key pairs, see [IEEE1363] section 3.

published application: An application that should not automatically be installed at computer startup or user logon unless it is a required upgrade of an application that is installed on the computer. However, software maintenance applications on the computer can display information about this software and install or uninstall it, often at the direction of a user.

Punycode: An ASCII Compatible Encoding syntax that transforms strings containing Unicode characters into strings consisting of a limited set of ASCII characters allowable for DNS. Used to transform internationalized domain names. For more details, see [RFC3492].