Patents by Inventor Gerardo Diaz-Cuellar

Gerardo Diaz-Cuellar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20150058628
    Abstract: Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filters communications based on the process's operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.
    Type: Application
    Filed: September 9, 2014
    Publication date: February 26, 2015
    Inventors: David Abzarian, Salahuddin Khan, Eran Yariv, Gerardo Diaz Cuellar
  • Publication number: 20140359159
    Abstract: Methods, systems, and computer-storage media for performing a method of facilitating utilization of datagram-based protocols are provided. In embodiments, the method includes initiating a connection with a datagram socket to establish a pathway using a datagram-based protocol. Thereafter, the datagram-based protocol can be used to communicate data to a virtual private network server. Upon recognizing that a virtual private network interface has been idle for a predetermined period of time, a connection with a connection socket is initiated to establish a pathway using a connection-based protocol.
    Type: Application
    Filed: June 12, 2013
    Publication date: December 4, 2014
    Inventor: Gerardo Diaz-Cuellar
  • Publication number: 20140359706
    Abstract: A restricted transmogrifying driver platform is described herein. In one or more implementations, a platform is provided that enables a restricted execution environment for virtual private network (VPN) drivers and other transmogrifying drivers. The platform may be implemented as an operating system component that exposes an interface through which drivers may register with the platform and be invoked to perform functions supported by the platform. The restricted execution environment places one or more restrictions upon transmogrifying drivers that operate via the platform. For instance, execution may occur in user mode on a per-user basis and within a sandbox. Further, the platform causes associated drivers to run as background processes with relatively low privileges. Further, the platform may suspend the drivers and control operations of the driver by scheduling of background tasks. Accordingly, exposure of the transmogrifying drivers to the system is controlled and limited through the platform.
    Type: Application
    Filed: May 31, 2013
    Publication date: December 4, 2014
    Inventors: Gerardo Diaz-Cuellar, Dhiraj Kant Gupta
  • Publication number: 20140337964
    Abstract: A software firewall that may be configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be implemented for network interfaces of that network type. The implementation may be performed automatically and may be updated based on network location awareness information.
    Type: Application
    Filed: June 27, 2014
    Publication date: November 13, 2014
    Inventors: David Abzarian, Gerardo Diaz Cuellar
  • Publication number: 20140325066
    Abstract: Techniques to provide an improved representation of remote network access for a network administrator managing and controlling access to resources on an enterprise network. The representation indicates resources accessed by a remote computer or by a user of that computer and provides associated information useful for managing remote network access. To create the representation, multiple security associations formed between a remote client computer and resources on the enterprise network are associated with entity sessions, based on identical session identifiers generated for each security association within an entity session. The entity sessions may be aggregated into a DirectAccess “connection” between the remote client computer and the enterprise network, based on an identity of the remote client computer. Resources accessed over the connection may be identified using a session identifier of each entity session so that security associations in that entity session may be matched with the resources.
    Type: Application
    Filed: July 7, 2014
    Publication date: October 30, 2014
    Inventors: Dhiraj K. Gupta, Gerardo Diaz-Cuellar, Ashish Saxena, Abhishek Tiwari
  • Patent number: 8844017
    Abstract: A software firewall that may be configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be implemented for network interfaces of that network type. The implementation may be performed automatically and may be updated based on network location awareness information.
    Type: Grant
    Filed: February 7, 2013
    Date of Patent: September 23, 2014
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Gerardo Diaz Cuellar
  • Patent number: 8839407
    Abstract: Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filters communications based on the process's operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.
    Type: Grant
    Filed: November 30, 2012
    Date of Patent: September 16, 2014
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Salahuddin Khan, Eran Yariv, Gerardo Diaz Cuellar
  • Patent number: 8819164
    Abstract: Versioning management provides for efficient and effective handling of varying policy versions, client versions and client platform versions in one system. Software version negotiation provides for simplified, secure policy management in an environment supporting varying versions of the same software product. In conjunction with parameter stripping, which resolves differences among varying minor versions of a software policy, software version negotiation allows for management tools of one version to manage client software, clients and/or client platforms of another version. Policy schema translation, in conjunction with parameter stripping as needed, provides a mechanism for converting policies that normally would be impossible to interpret on varying clients and/or client platforms to policy versions that can be understood by these clients and/or client platforms.
    Type: Grant
    Filed: August 31, 2007
    Date of Patent: August 26, 2014
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Gerardo Diaz Cuellar
  • Patent number: 8776208
    Abstract: Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.
    Type: Grant
    Filed: March 22, 2012
    Date of Patent: July 8, 2014
    Assignee: Microsoft Corporation
    Inventors: Eran Yariv, Gerardo Diaz-Cuellar, David Abzarian
  • Patent number: 8775614
    Abstract: Techniques to provide an improved representation of remote network access for a network administrator managing and controlling access to resources on an enterprise network. The representation indicates resources accessed by a remote computer or by a user of that computer and provides associated information useful for managing remote network access. To create the representation, multiple security associations formed between a remote client computer and resources on the enterprise network are associated with entity sessions, based on identical session identifiers generated for each security association within an entity session. The entity sessions may be aggregated into a DirectAccess “connection” between the remote client computer and the enterprise network, based on an identity of the remote client computer. Resources accessed over the connection may be identified using a session identifier of each entity session so that security associations in that entity session may be matched with the resources.
    Type: Grant
    Filed: November 18, 2011
    Date of Patent: July 8, 2014
    Assignee: Microsoft Corporation
    Inventors: Dhiraj K. Gupta, Gerardo Diaz-Cuellar, Ashish Saxena, Abhishek Tiwari
  • Patent number: 8584227
    Abstract: A firewall helps a user make a decision regarding network access for an application executing on a computing device by providing “hints” to the user about an appropriate network access policy. If at least one previously set firewall policy for the application exists in a context different from a current context, the user may be presented with information based on a previously set firewall policy. The information may be prioritized based on a source of the previously set firewall policy and other factors, to provide the user with a hint that facilitates making the decision appropriate in the current context. A programming interface to the firewall allows third party applications to specify a format in which hints are provided to the user.
    Type: Grant
    Filed: May 9, 2007
    Date of Patent: November 12, 2013
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Gerardo Diaz Cuellar, Satheesh S. Dabbiru
  • Patent number: 8443433
    Abstract: Embodiments of the invention described herein are directed to a mechanism for determining whether at least one operation will be effective in view of at least one security policy. In exemplary implementations, determining whether at least one operation will be effective in view of at least one security policy may comprise determining a merged security policy for a computer system by merging security policies for the computer system from two or more sources. The security policies may be security policies set by a user and/or an administrator of the computer system, may be security policies of a computer network to which the computer system is connected, or may be security policies of one or more other computer systems that are above the computer system in a computer network hierarchy.
    Type: Grant
    Filed: June 28, 2007
    Date of Patent: May 14, 2013
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Gerardo Diaz Cuellar, Mark Vayman, Eran Yariv
  • Publication number: 20130067072
    Abstract: Techniques to provide an improved representation of remote network access for a network administrator managing and controlling access to resources on an enterprise network. The representation indicates resources accessed by a remote computer or by a user of that computer and provides associated information useful for managing remote network access. To create the representation, multiple security associations formed between a remote client computer and resources on the enterprise network are associated with entity sessions, based on identical session identifiers generated for each security association within an entity session. The entity sessions may be aggregated into a DirectAccess “connection” between the remote client computer and the enterprise network, based on an identity of the remote client computer. Resources accessed over the connection may be identified using a session identifier of each entity session so that security associations in that entity session may be matched with the resources.
    Type: Application
    Filed: November 18, 2011
    Publication date: March 14, 2013
    Applicant: Microsoft Corporation
    Inventors: Dhiraj K. Gupta, Gerardo Diaz-Cuellar, Ashish Saxena, Abhishek Tiwari
  • Publication number: 20130061309
    Abstract: Per process networking capability techniques are described. In one or more implementations, a determination is made as to whether access to a network capability is permitted for a process that is executed on the computing device based on a token that is associated with the process. The token has one or more security identifiers that reference one or more network capabilities described in a manifest. The access to the network capability is managed based on the determination.
    Type: Application
    Filed: September 6, 2011
    Publication date: March 7, 2013
    Applicant: Microsoft Corporation
    Inventors: Gerardo Diaz-Cuellar, Sermet Iskin, Jorge P. Coronel Mendoza, Scott B. Graham, Nicholas D. Wood
  • Patent number: 8392981
    Abstract: A software firewall that may be simply configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be translated to firewall filters for network interfaces of that network type. The translation may be performed automatically and may be updated based on network location awareness information.
    Type: Grant
    Filed: May 9, 2007
    Date of Patent: March 5, 2013
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Gerardo Diaz Cuellar
  • Patent number: 8370919
    Abstract: A host firewall can determine and consider whether unsolicited traffic is inbound from beyond the edge of the network and allow or block such traffic based at least in part upon this characteristic. In one implementation, an edge traversal parameter can be set on a host firewall rule, which typically includes other parameters such as port, protocol, etc. If the unsolicited traffic received via an edge traversal interface matches a host firewall rule that has the edge traversal criterion, then the firewall does not block the traffic. On the other hand, if the unsolicited traffic received via an edge traversal interface fails to satisfy the edge traversal criterion on any firewall rule, then the firewall blocks the traffic.
    Type: Grant
    Filed: June 26, 2007
    Date of Patent: February 5, 2013
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Michael R. Surkan, Salahuddin C. J. Khan, Amit A. Sehgal, Eran Yariv, Emanuel Paleologu, Gerardo Diaz Cuellar
  • Patent number: 8341723
    Abstract: Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filters communications based on the process's operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.
    Type: Grant
    Filed: June 28, 2007
    Date of Patent: December 25, 2012
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Salahuddin Khan, Eran Yariv, Gerardo Diaz Cuellar
  • Patent number: 8266685
    Abstract: Embodiments of the invention are directed to a firewall installer that receives a set of configuration instructions for configuring a firewall in a declarative format that describes one or more rules to be implemented by the firewall, and that automatically configures the firewall. Providing a firewall installer that is capable of configuring a firewall based upon declarative input rather than procedural process-oriented input facilitates administration of a firewall by allowing an administrator to specify desired firewall configuration at a higher, declarative level and frees the administrator from the need to specify procedures for implementing configuration changes in the firewall. In one embodiment of the invention, the firewall installer can receive and store input for configuring a firewall even when the firewall is not running, such that the firewall executes on those configuration changes when it next comes online.
    Type: Grant
    Filed: May 18, 2007
    Date of Patent: September 11, 2012
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Eran Yariv, Emanuel Paleologu, Gerardo Diaz Cuellar, Ian Carbaugh
  • Publication number: 20120185929
    Abstract: Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.
    Type: Application
    Filed: March 22, 2012
    Publication date: July 19, 2012
    Applicant: Microsoft Corporation
    Inventors: Eran Yariv, Gerardo Diaz-Cuellar, David Abzarian
  • Patent number: 8214889
    Abstract: Management of security firewall settings in a networked computing environment is described. One example embodiment includes applying security settings and exceptions to the security settings based on network class for network communication, and upon detection of an event, revoking at least one exception for at least one network in a specified class.
    Type: Grant
    Filed: November 3, 2006
    Date of Patent: July 3, 2012
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Gerardo Diaz Cuellar, Rajesh Dadhia
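The 8392981, 8844017 and 20140337964 entries above describe rules written against network-interface types (wired, wireless, remote access) that are translated into per-interface filters and kept current from network location awareness (NLA) information. The following is an added illustration of that mechanism, not code from the patents or from Microsoft: the rule fields, the Interface record and the on_nla_update() callback are this example's own assumptions about how such a firewall could be organised, and the rules and adapters are constructed sample data.

```python
"""Type-based firewall rules translated into per-interface filters, and
re-translated when NLA reports a change in the interface set.
Added example (not Microsoft's code); data model is assumed."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

NETWORK_TYPES = {"wired", "wireless", "remote_access"}   # user-facing type identifiers


@dataclass(frozen=True)
class TypeRule:
    """A rule as the administrator writes it: one line per network *type*."""
    name: str
    interface_type: str   # one of NETWORK_TYPES, or "any"
    direction: str        # "in" | "out"
    protocol: str
    port: int
    action: str           # "allow" | "block"


@dataclass(frozen=True)
class Interface:
    index: int
    name: str
    network_type: str     # classification reported by NLA (assumed field name)


@dataclass(frozen=True)
class Filter:
    """A concrete filter bound to one interface, as the engine enforces it."""
    rule: str
    if_index: int
    direction: str
    protocol: str
    port: int
    action: str


def translate(rules: Iterable[TypeRule], interfaces: Iterable[Interface]) -> List[Filter]:
    """Expand every type-based rule into one filter per interface of that type."""
    filters: List[Filter] = []
    interfaces = list(interfaces)
    for rule in rules:
        if rule.interface_type != "any" and rule.interface_type not in NETWORK_TYPES:
            raise ValueError(f"rule {rule.name!r}: unknown network type {rule.interface_type!r}")
        for iface in interfaces:
            if rule.interface_type in ("any", iface.network_type):
                filters.append(Filter(rule.name, iface.index, rule.direction,
                                      rule.protocol, rule.port, rule.action))
    return filters


class TypeAwareFirewall:
    """Keeps the installed filter set in step with the interfaces NLA reports."""

    def __init__(self, rules: Iterable[TypeRule]):
        self.rules = list(rules)
        self.filters: Set[Filter] = set()

    def on_nla_update(self, interfaces: Iterable[Interface]) -> Tuple[Set[Filter], Set[Filter]]:
        """Re-translate for the new interface set; return (added, removed) filters."""
        new = set(translate(self.rules, interfaces))
        added, removed = new - self.filters, self.filters - new
        self.filters = new
        return added, removed


# Constructed sample policy: three type-based rules instead of one rule per adapter.
SAMPLE_RULES = [
    TypeRule("rdp-in-wired", "wired", "in", "tcp", 3389, "allow"),
    TypeRule("smb-in-wireless", "wireless", "in", "tcp", 445, "block"),
    TypeRule("https-out", "any", "out", "tcp", 443, "allow"),
]
# Constructed interface inventory before and after a change: the wired adapter
# is unplugged and a remote-access (VPN) adapter appears.
BEFORE = [Interface(1, "eth0", "wired"), Interface(2, "wlan0", "wireless")]
AFTER = [Interface(2, "wlan0", "wireless"), Interface(3, "vpn0", "remote_access")]


def demo() -> Tuple[Set[Filter], Set[Filter]]:
    """Apply both inventories in turn; return the filter delta of the second update."""
    fw = TypeAwareFirewall(SAMPLE_RULES)
    fw.on_nla_update(BEFORE)
    return fw.on_nla_update(AFTER)


if __name__ == "__main__":
    added, removed = demo()
    for f in sorted(added, key=lambda f: (f.rule, f.if_index)):
        print("+", f)
    for f in sorted(removed, key=lambda f: (f.rule, f.if_index)):
        print("-", f)
```

The point to notice is that the RDP allow disappears with the wired adapter and the HTTPS allow follows the new VPN adapter without the administrator touching the policy; the filter delta is what an engine would push to its enforcement layer on each NLA event.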
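Three of the entries above add parameters to a host-firewall rule: 8370919 (an edge traversal criterion for unsolicited traffic that arrives from beyond the network edge), 8341723 / 8839407 / 20150058628 (whether the local endpoint process runs in kernel or user mode) and 8776208 / 20120185929 (the connection's security level). The following is an added illustration of how a matcher can combine all three, not code from the patents or from Microsoft: the Flow and Rule fields, the three-step security ordering and the "block beats allow" precedence are this example's own assumptions, and the rules and flows are constructed.

```python
"""Host-firewall matching with edge-traversal, process-mode and
connection-security rule parameters.
Added example (not Microsoft's code); field names are assumed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SECURITY_LEVEL = {"none": 0, "authenticated": 1, "encrypted": 2}


@dataclass(frozen=True)
class Flow:
    """Attributes of an unsolicited inbound flow as presented to the firewall."""
    protocol: str
    local_port: int
    via_edge_traversal: bool   # arrived over an interface that tunnels past the network edge
    process_mode: str          # "kernel" | "user": the indicator supplied by the OS (assumed name)
    security: str              # "none" | "authenticated" | "encrypted"


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str
    local_port: int
    action: str                         # "allow" | "block"
    edge_traversal: bool = False        # rule also applies to edge-traversed traffic
    process_mode: Optional[str] = None  # None = either mode
    min_security: str = "none"          # lowest connection security the rule accepts


def matches(rule: Rule, flow: Flow) -> bool:
    if (rule.protocol, rule.local_port) != (flow.protocol, flow.local_port):
        return False
    if flow.via_edge_traversal and not rule.edge_traversal:
        return False   # edge traversal criterion not satisfied by this rule
    if rule.process_mode is not None and rule.process_mode != flow.process_mode:
        return False
    return SECURITY_LEVEL[flow.security] >= SECURITY_LEVEL[rule.min_security]


def matching_rules(rules: Iterable[Rule], flow: Flow) -> List[str]:
    return [r.name for r in rules if matches(r, flow)]


def decide(rules: Iterable[Rule], flow: Flow) -> str:
    """Block if any matching rule blocks; allow if any allows; otherwise block
    (unsolicited inbound traffic has no implicit permission)."""
    hits = [r for r in rules if matches(r, flow)]
    if any(r.action == "block" for r in hits):
        return "block"
    if any(r.action == "allow" for r in hits):
        return "allow"
    return "block"


# Constructed policy.
SAMPLE_RULES = [
    # File sharing: only from IPsec-authenticated peers, only to the kernel-mode server.
    Rule("smb-in", "tcp", 445, "allow", process_mode="kernel", min_security="authenticated"),
    # A peer-to-peer application that legitimately receives traffic from beyond the edge.
    Rule("p2p-in", "tcp", 8080, "allow", edge_traversal=True, process_mode="user"),
    # Management port: reachable from the local network, never through an edge tunnel.
    Rule("mgmt-in", "tcp", 5985, "allow"),
]

# Constructed flows exercising each parameter.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "smb-authenticated-kernel": Flow("tcp", 445, False, "kernel", "encrypted"),
    "smb-cleartext": Flow("tcp", 445, False, "kernel", "none"),
    "smb-user-mode-squatter": Flow("tcp", 445, False, "user", "encrypted"),
    "smb-through-edge-tunnel": Flow("tcp", 445, True, "kernel", "encrypted"),
    "p2p-through-edge-tunnel": Flow("tcp", 8080, True, "user", "none"),
    "mgmt-through-edge-tunnel": Flow("tcp", 5985, True, "user", "none"),
    "mgmt-from-local-network": Flow("tcp", 5985, False, "user", "none"),
}


def demo() -> Dict[str, str]:
    return {name: decide(SAMPLE_RULES, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict:5s} via {matching_rules(SAMPLE_RULES, SAMPLE_FLOWS[name])}")
```

The "smb-user-mode-squatter" case is the one the kernel/user indicator buys you: a user-mode process that manages to bind a port normally served by a kernel component gets no traffic, even over an authenticated connection, because the allow rule is pinned to kernel mode. The edge cases show the other asymmetry: a rule without the edge traversal flag never admits traffic that tunnelled past the perimeter, so only rules that opt in are reachable from the outside.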
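The 8443433 entry above describes merging security policy from several sources (the local user or administrator, the network, systems higher in the hierarchy) and determining in advance whether an operation would be effective against the merged result. The following is an added illustration of that check, not code from the patent or from Microsoft: the source names, the merge_local_rules flag on a higher-level source and the "block beats allow" precedence are this example's own assumptions, and the rules are constructed.

```python
"""Merge policy from several sources; ask whether a proposed rule would
actually change the effective outcome.
Added example (not Microsoft's code); precedence and flags are assumed."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    source: str      # "local" (set on this host) or a higher-level source such as "domain"
    direction: str   # "in" | "out"
    protocol: str
    port: int
    action: str      # "allow" | "block"


@dataclass
class PolicySource:
    name: str
    rules: List[Rule] = field(default_factory=list)
    merge_local_rules: bool = True   # a higher-level source may refuse to honour local rules


@dataclass
class Verdict:
    effective: bool
    before: str
    after: str
    reason: str
    overriding: List[Rule]


def local_rules_honoured(sources: List[PolicySource]) -> bool:
    return all(s.merge_local_rules for s in sources if s.name != "local")


def merged_policy(sources: List[PolicySource]) -> List[Rule]:
    """One rule list for the host: every source, minus local rules if a higher source forbids them."""
    honour_local = local_rules_honoured(sources)
    merged: List[Rule] = []
    for s in sources:
        if s.name == "local" and not honour_local:
            continue
        merged.extend(s.rules)
    return merged


def same_traffic(a: Rule, b: Rule) -> bool:
    return (a.direction, a.protocol, a.port) == (b.direction, b.protocol, b.port)


def evaluate(policy: List[Rule], direction: str, protocol: str, port: int) -> str:
    """Block wins over allow; nothing matching means block (default deny)."""
    hits = [r for r in policy if (r.direction, r.protocol, r.port) == (direction, protocol, port)]
    if any(r.action == "block" for r in hits):
        return "block"
    if any(r.action == "allow" for r in hits):
        return "allow"
    return "block"


def check_operation(proposed: Rule, sources: List[PolicySource]) -> Verdict:
    """Would adding `proposed` change what happens to the traffic it describes?"""
    policy = merged_policy(sources)
    before = evaluate(policy, proposed.direction, proposed.protocol, proposed.port)
    if proposed.source == "local" and not local_rules_honoured(sources):
        return Verdict(False, before, before, "local rules are not merged by a higher-level policy", [])
    after = evaluate(policy + [proposed], proposed.direction, proposed.protocol, proposed.port)
    if before != after:
        return Verdict(True, before, after, "changes the effective outcome", [])
    overriding = [r for r in policy if same_traffic(r, proposed) and r.action != proposed.action]
    reason = ("overridden by " + ", ".join(f"{r.source}:{r.name}" for r in overriding)
              if overriding else "already the effective outcome")
    return Verdict(False, before, after, reason, overriding)


# Constructed sources: the domain blocks inbound RDP; the host has one local outbound allow.
DOMAIN = PolicySource("domain", [Rule("no-rdp", "domain", "in", "tcp", 3389, "block")])
LOCAL = PolicySource("local", [Rule("web-out", "local", "out", "tcp", 443, "allow")])


def demo() -> Tuple[Verdict, Verdict, Verdict]:
    sources = [DOMAIN, LOCAL]
    rdp_allow = Rule("rdp-in", "local", "in", "tcp", 3389, "allow")
    winrm_allow = Rule("winrm-in", "local", "in", "tcp", 5986, "allow")
    v1 = check_operation(rdp_allow, sources)     # ineffective: the domain block wins
    v2 = check_operation(winrm_allow, sources)   # effective: nothing else covers 5986
    locked = [PolicySource("domain", DOMAIN.rules, merge_local_rules=False), LOCAL]
    v3 = check_operation(winrm_allow, locked)    # ineffective: local rules are ignored
    return v1, v2, v3


if __name__ == "__main__":
    for v in demo():
        print(f"effective={v.effective} before={v.before} after={v.after}: {v.reason}")
```

Answering "would this rule do anything?" before applying it is the practical payoff: the two ways a local allow can silently do nothing (a higher-level block on the same traffic, or a higher-level source that discards local rules altogether) are reported with the rule and source responsible, rather than discovered later when the port still does not answer.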
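The 20140359159 entry above describes a VPN client that first establishes a datagram-based pathway to the server and, once the VPN interface has been idle for a predetermined period, initiates a connection-based pathway. The following is an added illustration of that state change, not code from the patent or from Microsoft: the socket stand-ins, the injected clock, the idle threshold and the server name are this example's own assumptions, and no real network traffic is sent.

```python
"""Datagram pathway first; connection-based pathway after an idle period.
Added example (not Microsoft's code); sockets and clock are stand-ins."""
from typing import Callable, List, Optional, Tuple


class FakeSocket:
    """Records what would have been sent; stands in for a datagram or stream socket."""

    def __init__(self, kind: str, server: Tuple[str, int]):
        self.kind, self.server, self.sent = kind, server, []

    def send(self, payload: bytes) -> None:
        self.sent.append(payload)


class ManualClock:
    """Deterministic time source so the idle period can be driven by the test."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class VpnTransport:
    def __init__(self, server: Tuple[str, int], idle_timeout: float, clock: Callable[[], float]):
        self.server = server
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.datagram = FakeSocket("datagram", server)   # datagram pathway is opened first
        self.stream: Optional[FakeSocket] = None         # connection pathway, opened on idle
        self.last_activity = clock()
        self.events: List[str] = []

    @property
    def pathway(self) -> str:
        return "connection" if self.stream is not None else "datagram"

    def send(self, payload: bytes) -> str:
        """Carry VPN data over the current pathway and record the activity."""
        self.last_activity = self.clock()
        sock = self.stream if self.stream is not None else self.datagram
        sock.send(payload)
        return self.pathway

    def idle_for(self) -> float:
        return self.clock() - self.last_activity

    def poll(self) -> str:
        """Periodic check: after the idle period, initiate the connection-based pathway."""
        if self.stream is None and self.idle_for() >= self.idle_timeout:
            self.stream = FakeSocket("connection", self.server)
            self.events.append(f"idle {self.idle_for():.0f}s: opened connection-based pathway")
        return self.pathway


def demo() -> Tuple[VpnTransport, List[str]]:
    """Constructed timeline: traffic, 10 s quiet, 25 s more quiet, traffic resumes."""
    clock = ManualClock()
    vpn = VpnTransport(("vpn.example.test", 443), idle_timeout=30.0, clock=clock)  # assumed endpoint
    trace = [vpn.send(b"hello")]              # datagram
    clock.advance(10)
    trace.append(vpn.poll())                  # still datagram: idle 10 s < 30 s
    clock.advance(25)
    trace.append(vpn.poll())                  # connection: idle 35 s >= 30 s
    trace.append(vpn.send(b"resume"))         # resumed traffic rides the connection pathway
    return vpn, trace


if __name__ == "__main__":
    vpn, trace = demo()
    print(" -> ".join(trace))
    print("\n".join(vpn.events))
```

The abstract does not say why idleness triggers the switch; a familiar reason in practice is that stateful middleboxes expire idle UDP mappings much sooner than idle TCP connections, so a tunnel that has gone quiet on a datagram path may no longer be reachable when traffic resumes. Whatever the motivation, the behaviour to verify is the one in the trace: no switch before the threshold, exactly one switch after it, and subsequent data on the new pathway.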
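The 8819164 entry above describes version negotiation, parameter stripping between minor versions and schema translation between versions that cannot otherwise be interpreted. The following is an added illustration of those three steps composed into one delivery path, not code from the patent or from Microsoft: the schema catalogue, the concrete difference between the two major versions (a single "port" versus a "ports" list) and the sample policy are this example's own inventions standing in for a real policy schema.

```python
"""Negotiate a schema version, translate across majors, strip unknown
parameters for the client's minor version.
Added example (not Microsoft's code); the schemas are invented."""
from copy import deepcopy
from typing import Dict, Iterable, List, Set, Tuple

Version = Tuple[int, int]

# Hypothetical schema catalogue: version -> parameters a client of that version understands.
SCHEMAS: Dict[Version, Set[str]] = {
    (1, 0): {"name", "protocol", "port", "action"},
    (1, 1): {"name", "protocol", "port", "action", "interface_type"},
    (2, 0): {"name", "protocol", "ports", "action", "interface_type"},
    (2, 1): {"name", "protocol", "ports", "action", "interface_type", "edge_traversal"},
}


def negotiate(server_versions: Iterable[Version], client_versions: Iterable[Version]) -> Version:
    """Pick the highest schema version both sides support."""
    common = set(server_versions) & set(client_versions)
    if not common:
        raise ValueError("no common policy schema version")
    return max(common)


def translate_schema(rules: List[dict], src: Version, dst: Version) -> List[dict]:
    """Convert between major versions; minor differences are left to strip_parameters()."""
    if src[0] == dst[0]:
        return deepcopy(rules)
    out: List[dict] = []
    for rule in rules:
        if src[0] == 2 and dst[0] == 1:            # v2 "ports" list -> one v1 rule per port
            for p in rule["ports"]:
                r = {k: v for k, v in rule.items() if k != "ports"}
                r["port"] = p
                r["name"] = f"{rule['name']}-{p}" if len(rule["ports"]) > 1 else rule["name"]
                out.append(r)
        elif src[0] == 1 and dst[0] == 2:          # v1 single "port" -> v2 one-element list
            r = {k: v for k, v in rule.items() if k != "port"}
            r["ports"] = [rule["port"]]
            out.append(r)
        else:
            raise ValueError(f"no translation from {src} to {dst}")
    return out


def strip_parameters(rules: List[dict], target: Version) -> Tuple[List[dict], List[str]]:
    """Drop parameters the target version does not know; report what was dropped."""
    known = SCHEMAS[target]
    stripped, dropped = [], set()
    for rule in rules:
        stripped.append({k: v for k, v in rule.items() if k in known})
        dropped |= set(rule) - known
    return stripped, sorted(dropped)


def deliver(rules: List[dict], authored: Version,
            client_versions: Iterable[Version]) -> Tuple[Version, List[dict], List[str]]:
    """Negotiate, translate, strip: what a management tool would send to one client."""
    target = negotiate(SCHEMAS.keys(), client_versions)
    translated = translate_schema(rules, authored, target)
    stripped, dropped = strip_parameters(translated, target)
    return target, stripped, dropped


# Constructed policy authored by a 2.1 management tool.
POLICY_V21 = [
    {"name": "web-in", "protocol": "tcp", "ports": [80, 443], "action": "allow",
     "interface_type": "wired", "edge_traversal": False},
    {"name": "rdp-in", "protocol": "tcp", "ports": [3389], "action": "block"},
]


if __name__ == "__main__":
    for client in ([(1, 0), (1, 1)], [(1, 0)], [(2, 0)]):
        target, rules, dropped = deliver(POLICY_V21, (2, 1), client)
        print(f"client {client} -> schema {target}, dropped {dropped}")
        for r in rules:
            print("   ", r)
```

The caveat a practitioner should take from the dropped list: stripping is not neutral for security. Removing interface_type from an allow rule widens it from wired adapters to every adapter, and removing edge_traversal from a rule changes which traffic it admits; a real implementation has to decide per parameter whether the stripped rule is still acceptable or whether the rule should be withheld from that client instead.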