Patents by Inventor Praerit Garg
Praerit Garg has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20050066202Abstract: Methods and arrangements are provided for use in multiple user computing environments. These methods and arrangements can be configured to allow for a plurality of separate and concurrent desktops and workspaces within the shared computing environment. One method includes creating a separate desktop thread for each user that is authenticated during a logon process, creating a separate desktop associated with each desktop thread, and maintaining a list of desktop threads that are created. In this manner, several users can be logged on simultaneously. In certain implementations, the method further includes establishing a separate user environment associated with each desktop and launching a separate user shell associated with each desktop. The list of desktop threads allows for selective and/or automatic switching from a first desktop to a second desktop without terminating a desktop thread associated with the first desktop. The methods and arrangements are also applicable to remote process logon and switching.Type: ApplicationFiled: October 15, 2004Publication date: March 24, 2005Applicant: Microsoft CorporationInventors: Christopher Evans, Giampiero Sierra, Victor Tan, Praerit Garg, David Matthews, Reiner Fink, Paul Hellyar
-
Publication number: 20040230639Abstract: A process determines a role that a target server will perform. The process also identifies at least one security policy associated with the role. The target server is then configured to implement the identified security policies.Type: ApplicationFiled: May 14, 2003Publication date: November 18, 2004Applicant: MICROSOFT CORPORATIONInventors: Kirk Soluk, Praerit Garg, Vishnu A. Patankar, Jin Huang, Xiaohong Wu
-
Patent number: 6807666Abstract: Methods and arrangements are provided for use in multiple user computing environments. These methods and arrangements can be configured to allow for a plurality of separate and concurrent desktops and workspaces within the shared computing environment. One method includes creating a separate desktop thread for each user that is authenticated during a logon process, creating a separate desktop associated with each desktop thread, and maintaining a list of desktop threads that are created. In this manner, several users can be logged on simultaneously. In certain implementations, the method further includes establishing a separate user environment associated with each desktop and launching a separate user shell associated with each desktop. The list of desktop threads allows for selective and/or automatic switching from a first desktop to a second desktop without terminating a desktop thread associated with the first desktop. The methods and arrangements are also applicable to remote process logon and switching.Type: GrantFiled: May 17, 2000Date of Patent: October 19, 2004Assignee: Microsoft CorporationInventors: Christopher A. Evans, Giampiero M. Sierra, Victor Tan, Praerit Garg, David Andrew Matthews, Reiner Fink, Paul S. Hellyar
-
Publication number: 20040193911Abstract: A flexible way of expressing trust policies using, for example, XML. Multiple statement types may be expressed for a single authority type. Statement types may include less than all of the statements made by an authority type. Authority types may be defined using any manner interpretable by the computing system using the trust policy. In addition, trust policies may be updated as trust levels change. Even multiple trust policies may be used with reconciliation between the multiple trust policies being accomplished by using the more restrictive trust policy with respect to an assertion.Type: ApplicationFiled: March 31, 2003Publication date: September 30, 2004Inventors: Christopher G. Kaler, John P. Shewchuk, Giovanni M. Della-Libera, Praerit Garg, Brendan W. Dixon
-
Publication number: 20040181557Abstract: Described is a system and method for replicating each of a set of resources to a subject computer in a replica set prior to making use of a resource in the set of resources. The set of resources includes resources that are dependent upon each other for a proper functioning of the group. A manifest file that identifies each resource in a group of interrelated resources is used. The manifest file is generated at one computer in the replica set (typically the computer at which a modification to one of the interrelated resources occurred). When the modification occurs to one of the set of resources, the manifest file is transmitted (e.g., itself replicated) to each computer in the replica set. The manifest file includes an indicator that identifies the manifest file as a special file. When received at another computer in the replica set, a service evaluates the manifest file to identify whether the appropriate versions of the identified resources exist at the receiving computer.Type: ApplicationFiled: March 24, 2004Publication date: September 16, 2004Applicant: Microsoft CorporationInventors: David A. Orbits, Praerit Garg, Sudarshan A. Chitre, Balan Sethu Raman
-
Publication number: 20040088543Abstract: A selective cross-realm authenticator associates an identifier with a request from an entity authenticated in one realm to access a resource associated with a second realm. The identifier indicates that the entity was authenticated in a realm other than the realm associated with the requested resource. A domain controller associated with the resource performs an access check to verify that the authenticated user is authorized to authenticate to the requested resource. Permissions associated with the resource can be used to specify levels of access to be granted to entities authenticated by a domain controller associated with another realm.Type: ApplicationFiled: October 31, 2002Publication date: May 6, 2004Inventors: Praerit Garg, Cliff Van Dyke, Karthik Jaganathan, Mark Pustilnik, Donald E. Schmidt
-
Publication number: 20040088709Abstract: Methods and arrangements are provided for use in multiple user computing environments. These methods and arrangements can be configured to allow for a plurality of separate and concurrent desktops and workspaces within the shared computing environment. One method includes creating a separate desktop thread for each user that is authenticated during a logon process, creating a separate desktop associated with each desktop thread, and maintaining a list of desktop threads that are created. In this manner, several users can be logged on simultaneously. In certain implementations, the method further includes establishing a separate user environment associated with each desktop and launching a separate user shell associated with each desktop. The list of desktop threads allows for selective and/or automatic switching from a first desktop to a second desktop without terminating a desktop thread associated with the first desktop. The methods and arrangements are also applicable to remote process logon and switching.Type: ApplicationFiled: June 26, 2003Publication date: May 6, 2004Inventors: Christopher A. Evans, Giampiero M. Sierra, Victor Tan, Praerit Garg, David Andrew Matthews, Reiner Fink, Paul S. Hellyar
-
Publication number: 20040083367Abstract: A role-based authorization management system maintains an authorization policy store that represents user authorizations to perform operations associated with an application. When a user attempts to perform a function associated with an application, the authorization management system verifies that the user is authorized to perform the requested function. The authorization management system also provides an interface for an application administrator to update role-based user authorization policies associated with one or more applications.Type: ApplicationFiled: October 25, 2002Publication date: April 29, 2004Inventors: Praerit Garg, Cliff Van Dyke, Dave McPherson, Everett McKay
-
Publication number: 20030191953Abstract: Improved intrusion detection and/or tracking methods and systems are provided for use across various computing devices and networks. Certain methods, for example, form a substantially unique audit identifier during each authentication/logon process. One method includes identifying one or more substantially unique parameters that are associated with the authentication/logon process and encrypting them to form at least one audit identifier that can then be generated and logged by each device involved in the authentication/logon process. The resulting audit log file can then be audited along with similar audit log files from other devices to track a user across multiple platforms.Type: ApplicationFiled: April 8, 2002Publication date: October 9, 2003Inventors: Bhalchandra S. Pandit, Praerit Garg, Richard B. Ward, Paul J. Leach, Scott A. Field, Robert P. Reichel, John E. Brezak
-
Patent number: 6625603Abstract: Providing object type specific access control to an object is described. In one embodiment, a computer system comprises an operating system operative to control an application and a service running on a computer. The service maintains a service object having a link to an access control entry. The access control entry contains an access right to perform an operation on an object type. The system further includes an access control module within the operating system. The access control module includes an access control interface and operates to grant or deny the access right to perform the operation on the object.Type: GrantFiled: September 21, 1998Date of Patent: September 23, 2003Assignee: Microsoft CorporationInventors: Praerit Garg, Michael M. Swift, Clifford P. Van Dyke, Richard B. Ward, Peter T. Brundrett
-
Publication number: 20030120948Abstract: An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.Type: ApplicationFiled: December 21, 2001Publication date: June 26, 2003Inventors: Donald E. Schmidt, Clifford P. Van Dyke, Paul J. Leach, Praerit Garg, Murli D. Satagopan
-
Publication number: 20030046366Abstract: Access to WebDAV (Distributed Authoring and Versioning) servers is provided in a manner that is essentially transparent to applications. A WebDAV redirector and related components support file system I/O requests and network requests directed to WebDAV servers identified by URI (Universal Resource Identifier) names, or by a drive may be mapped to a WebDAV share. An application's create or open I/O requests directed to a WebDAV server are detected, and result in a local copy of the file being downloaded and cached for local access. When closed, the local file is uploaded to the WebDAV server. Network-related requests such as for browsing that are directed to a WebDAV server are also handled transparently. WebDAV files may be locally encrypted and decrypted at the file system level, transparent to applications and the WebDAV server, via an encrypting file system that performs local encryption and decryption at the local file system level.Type: ApplicationFiled: January 17, 2002Publication date: March 6, 2003Inventors: Shishir Pardikar, Rohan Kumar, Yun Lin, Praerit Garg, Jianrong Gu
-
Publication number: 20030033516Abstract: The following subject matter provides for modeling an application's potential security threats at a logical component level early in the design phase of the application. Specifically, in a computer system, multiple model components are defined to represent respective logical elements of the application. Each model component includes a corresponding set of security threats that could potentially be of import not only to the component but also to the application as a whole in its physical implementation. The model components are interconnected to form a logical model of the application. One or more potential security threats are then analyzed in terms of the model components in the logical model.Type: ApplicationFiled: August 8, 2001Publication date: February 13, 2003Inventors: Michael Howard, Praerit Garg, Loren M. Kohnfelder
-
Publication number: 20030023618Abstract: Described is a system and method for replicating each of a set of resources to a subject computer in a replica set prior to making use of a resource in the set of resources. The set of resources includes resources that are dependent upon each other for a proper functioning of the group. A manifest file that identifies each resource in a group of interrelated resources is used. The manifest file is generated at one computer in the replica set (typically the computer at which a modification to one of the interrelated resources occurred). When the modification occurs to one of the set of resources, the manifest file is transmitted (e.g., itself replicated) to each computer in the replica set. The manifest file includes an indicator that identifies the manifest file as a special file. When received at another computer in the replica set, a service evaluates the manifest file to identify whether the appropriate versions of the identified resources exist at the receiving computer.Type: ApplicationFiled: July 26, 2001Publication date: January 30, 2003Inventors: David A. Orbits, Praerit Garg, Sudarshan A. Chitre, Balan Sethu Raman
-
Publication number: 20020166052Abstract: An authorization handle is supported for each access policy determination that is likely to be repeated. In particular, an authorization handle may be assigned to access check results associated with the same discretionary access control list and the same client context. This likelihood may be determined based upon pre-set criteria for the application or service, based on usage history and the like. Once an access policy determination is assigned an authorization handle, the static maximum allowed access is cached for that policy determination. From access check to access check, the set of permissions desired by the client may change, and dynamic factors that might affect the overall privilege grant may also change; however, generally there is still a set of policies that is unaffected by the changes and common across access requests. The cached static maximum allowed access data is thus used to provide efficient operations for the evaluation of common policy sets.Type: ApplicationFiled: May 4, 2001Publication date: November 7, 2002Applicant: Microsoft CorporationInventors: Praerit Garg, Robert P. Reichel, Richard B. Ward, Kedarnath A. Dubhashi, Jeffrey B. Hamblin, Anne C. Hopkins
-
Publication number: 20020099952Abstract: A system and method that automatically, transparently and securely controls software execution by identifying and classifying software, and locating a rule and associated security level for executing executable software. The security level may disallow the software's execution, restrict the execution to some extent, or allow unrestricted execution. To restrict software, a restricted access token may be computed that reduces software's access to resources, and/or removes privileges, relative to a user's normal access token. The rules that control execution for a given machine or user may be maintained in a restriction policy, e.g., locally maintained and/or in a group policy object distributable over a network. Software may be identified/classified by a hash of its content, by a digital signature, by its file system or network path, and/or by its URL zone. For software having multiple classifications, a precedence mechanism is provided to establish the applicable rule/security level.Type: ApplicationFiled: June 8, 2001Publication date: July 25, 2002Inventors: John J. Lambert, Praerit Garg, Jeffrey A. Lawson
-
Patent number: 6412070Abstract: A method and computing system for extending access control of system objects in a computing environment beyond traditional rights such as read, write, create and delete. According to the invention, a system administrator or user application is able to create control rights that are unique to the type of object. Rights can be created that do not relate to any specific property of the object, but rather define how a user may control the object. A novel object, referred to as a control access data structure, is defined for each unique control right and associates the control right with one or more objects of the computing environment. In order to grant the right to a trusted user, an improved access control entry (ACE) is defined which holds a unique identifier of the trusted user and a unique identifier of the control access data structure.Type: GrantFiled: September 21, 1998Date of Patent: June 25, 2002Assignee: Microsoft CorporationInventors: Clifford P. Van Dyke, Peter T. Brundrett, Michael M. Swift, Praerit Garg, Richard B. Ward
-
Publication number: 20020019935Abstract: A system and method for encryption and decryption of files. The system and method operate in conjunction with the file system to transparently encrypt and decrypt files in using a public key-private key pair encryption scheme. When a user puts a file in an encrypted directory or encrypts a file, data writes to the disk for that file are encrypted with a random file encryption key generated from a random number and encrypted with the public key of a user and the public key of at least one recovery agent. The encrypted key information is stored with the file, whereby the user or a recovery agent can decrypt the file data using a private key. With a correct private key, encrypted reads are decrypted transparently by the file system and returned to the user. One or more selectable encryption and decryption algorithms may be provided via interchangeable cryptographic modules.Type: ApplicationFiled: May 29, 2001Publication date: February 14, 2002Inventors: Brian Andrew, Jianrong Gu, Mark J. Zbikowski, Praerit Garg, Mike K. Lai, Wesley Witt, Klaus U. Schutz
-
Publication number: 20020002577Abstract: A dynamic authorization callback mechanism is provided that implements a dynamic authorization model. An application can thus implement virtually any authorization policy by utilizing dynamic data and flexible policy algorithms inherent in the dynamic authorization model. Dynamic data, such as client operation parameter values, client attributes stored in a time-varying or updateable data store, run-time or environmental factors such as time-of-day, and any other static or dynamic data that is managed or retrievable by the application may be evaluated in connection with access control decisions. Hence, applications may define and implement business rules that can be expressed in terms of run-time operations and dynamic data. An application thus has substantial flexibility in defining and implementing custom authorization policy, and at the same time provides standard definitions for such dynamic data and policy.Type: ApplicationFiled: May 4, 2001Publication date: January 3, 2002Inventors: Praerit Garg, Robert P. Reichel, Richard B. Ward, Kedarnath A. Dubhashi, Jeffrey B. Hamblin, Anne C. Hopkins
-
Patent number: 6308273Abstract: An improved computer network security system and method wherein access to network resources is based on information that includes the location of the connecting user. In general, the less trusted the location of the user, the more the access rights assigned to the user are restricted. A discrimination mechanism and process determines the location of a user with respect to categories of a security policy, such as to distinguish local users, intranet users and dial-up users from one another. Based on information including the location and the user's credentials, an access token is set up that may restrict the user's normal access in accordance with the security policy, such as to not restrict a user's processes beyond the user-based security information in the user's normal access token, while further restricting the same user's access to resources when connecting via a dial-up connection.Type: GrantFiled: June 12, 1998Date of Patent: October 23, 2001Assignee: Microsoft CorporationInventors: Mario C. Goertzel, Susi E. Strom, Praerit Garg, Bharat Shah