Abstract: A method and system for modifying, in a combined computing environment, a machine base image having a personalized desktop environment includes executing an operating system associated with a base disk; intercepting, by a filter driver, an instruction from at least one of a plurality of resources to modify a setting stored in at least one of a file system and a registry, the plurality of resources executing inside an isolation environment; storing, in a delta disk, a copy of the modified setting; restarting the operating system; replacing the setting stored in the at least one of the file system and the registry with the copy of the modified setting stored on the delta disk; and restarting at least one operating system process incorporating the modified setting.

Abstract: The present solution reduces the attack surface of a server by selectively opening a server port for listening when a client has been authenticated/authorized via another machine or process, and directed to connect to the server in question. When not selectively listening on a port, the server does not listen or open ports for connections or otherwise minimizes the number of open ports. By selectively listening for connections, the server reduces the opportunity for hackers to attack the server process, and improves the security of the server. The ability to selectively listen on a port at specific times may be combined with additional meta information—like ticketing and prior authentication information to help further secure the server. The meta information may identify and ensure that only the correct remote endpoint is allowed to connect via the port.

Abstract: A method for presenting an aggregate view of native resources includes the step of enumerating a plurality of system-scoped native resources provided by a system scope. A plurality of application-scoped native resources provided by an application isolation scope are enumerated, some of which correspond to some of the plurality of system-scoped resources. For one of the plurality of system-scoped resources, the existence of a corresponding one of the plurality of application-scoped resources is determined and the corresponding one of the plurality of application-scoped resources is included in an aggregate view of native resources.

Abstract: A method and apparatus for virtualizing access to windows includes a hooking mechanism, a window name virtualization engine, and an operating system interface. A request relating to a window from a process executing in the context of a user account is received, the request including a virtual window name. A determination is made for a literal name for the window, using a scope-specific identifier. A request is issued to the operating system including the determined literal window name. A window handle is associated with the determined virtual window name.

Abstract: A method for moving an executing process from a source isolation scope to a target isolation scope includes the step of determining that the process is in a state suitable for moving. The association of the process changes from a source isolation scope to a target isolation scope. A rule loads in association with the target isolation scope.

Abstract: A method for moving an executing process from a source isolation scope to a target isolation scope includes the step of determining that the process is in a state suitable for moving. The association of the process changes from a source isolation scope to a target isolation scope. A rule loads in association with the target isolation scope.

Abstract: A method for virtualizing access to named system objects includes the step of receiving a request to access a system object from a process executing in the context of a user isolation scope, the request including a virtual name for the system object. A rule associated with the request is determined and a literal name for the system object is formed in response to the determined rule. A request to access the system object is issued to the operating system. The issued request including the literal name for the system object.

Abstract: A method for associating a file type of a file with one or more programs includes the step of receiving a request to store in a configuration store file type association information. From the request, an application program is determined that is to be associated with a file type in the configuration store.

Abstract: A method for isolating access by application programs to native resources provided by an operating system redirects a request for a native resource made by an application program executing on behalf of a user to an isolation environment. The isolation environment includes a user isolation scope and an application isolation scope. An instance of the requested native resource is located in the user isolation scope corresponding to the user. The request for the native resource is fulfilled using the version of the resource located in the user isolation scope. If an instance of the requested native resource is not located in the user isolation scope, the request is redirected to an application isolation scope. The request for the native resource is fulfilled using the version of the resource located in the application isolation scope. If an instance of the requested native resource is not located in the application isolation scope, the request is redirected to a system scope.

Abstract: The present solution reduces the attack surface of a server by selectively opening a server port for listening when a client has been authenticated/authorized via another machine or process, and directed to connect to the server in question. When not selectively listening on a port, the server does not listen or open ports for connections or otherwise minimizes the number of open ports. By selectively listening for connections, the server reduces the opportunity for hackers to attack the server process, and improves the security of the server. The ability to selectively listen on a port at specific times may be combined with additional meta information—like ticketing and prior authentication information to help further secure the server. The meta information may identify and ensure that only the correct remote endpoint is allowed to connect via the port.