Abstract: A method and system for unified diagnosis of a network incident is provided. The unified diagnostics system is comprised of a monitoring tool, a network layer including a firewall, and a policy engine. The monitoring tool is invoked by a user in order to diagnose a network incident. The network layer and the policy engine generate various events that provide a history of their processing, and the monitoring tool collects these events. When the user attempts a network activity that fails, the network layer places an event notification in a notification queue. Then the monitoring tool analyzes the event notifications to identify events that are related to the same network incident. After analyzing the network incident and event information, the user can take the necessary action to correct the problem that caused the incident.

Abstract: A facility for performing an access control check is provided. The facility receives a request to perform an access control check to determine whether authorization exists to access a resource. The access control check is performed against the identity of a principal, a policy that applies to the principal, and the identity of the resource the principal wants to access. The principal may either be an application program or a combination of an application program and an identity of a user in whose context the application program is executing.

Abstract: A facility for performing an access control check as an integral component of an operating system and utilizing a centralized policy store is provided. The facility executes as an integral part of an operating system executing on a computer and receives an authorization query to determine whether a principal has authorization to access a resource. The facility applies a policy maintained in a centralized policy store that is applicable to the principal to determine whether authorization exists to access the resource. If authorization does not exist, the facility denies the authorization query and records an indication of the denial of the authorization in an audit log. The facility may trigger events based on the auditing of authorization queries. The facility may also record an indication of authorization to access the resource in the audit log.

Abstract: A facility for performing an access control check as an integral component of an operating system and utilizing a centralized policy store is provided. The facility executes as an integral part of an operating system executing on a computer and receives an authorization query to determine whether a principal has authorization to access a resource. The facility applies a policy maintained in a centralized policy store that is applicable to the principal to determine whether authorization exists to access the resource. If authorization does not exist, the facility denies the authorization query and records an indication of the denial of the authorization in an audit log. The facility may trigger events based on the auditing of authorization queries. The facility may also record an indication of authorization to access the resource in the audit log.

Abstract: Embodiments of the invention described herein are directed to a mechanism for determining whether at least one operation will be effective in view of at least one security policy. In exemplary implementations, determining whether at least one operation will be effective in view of at least one security policy may comprise determining a merged security policy for a computer system by merging security policies for the computer system from two or more sources. The security policies may be security policies set by a user and/or an administrator of the computer system, may be security policies of a computer network to which the computer system is connected, or may be security policies of one or more other computer systems that are above the computer system in a computer network hierarchy.

Abstract: A method and system for unified diagnosis of a network incident is provided. The unified diagnostics system is comprised of a monitoring tool, a network layer including a firewall, and a policy engine. The monitoring tool is invoked by a user in order to diagnose a network incident. The network layer and the policy engine generate various events that provide a history of their processing, and the monitoring tool collects these events. When the user attempts a network activity that fails, the network layer places an event notification in a notification queue. Then the monitoring tool analyzes the event notifications to identify events that are related to the same network incident. After analyzing the network incident and event information, the user can take the necessary action to correct the problem that caused the incident.

Abstract: A facility for receiving an embedded policy is provided. The facility checks an application program image for the presence of an embedded policy. If an embedded policy is detected, the facility extracts the policy from within the application program image. The facility may then apply the extracted policy to the application program image before the application program image is loaded and/or executed. Moreover, the facility may check the application program image's integrity prior to extracting the embedded policy.

Abstract: A facility for setting and revoking policies is provided. The facility receives a request from a controlling process a request to set a policy on a controlled process, and determines whether the controlling process has privilege to set the policy on the controlled process. If the facility determines that the controlling process has privilege to set the policy on the controlled process, the facility sets the policy on the controlled process, which causes the policy to be applied to the controlled process to determine whether the controlled process has authorization to access one or more resources.

Abstract: A facility for performing an access control check as an integral component of an operating system and utilizing a centralized policy store is provided. The facility executes as an integral part of an operating system executing on a computer and receives an authorization query to determine whether a principal has authorization to access a resource. The facility applies a policy maintained in a centralized policy store that is applicable to the principal to determine whether authorization exists to access the resource. If authorization does not exist, the facility denies the authorization query and records an indication of the denial of the authorization in an audit log. The facility may trigger events based on the auditing of authorization queries. The facility may also record an indication of authorization to access the resource in the audit log.

Abstract: A facility for performing an access control check is provided. The facility receives a request to perform an access control check to determine whether authorization exists to access a resource. The access control check is performed against the identity of a principal, a policy that applies to the principal, and the identity of the resource the principal wants to access. The principal may either be an application program or a combination of an application program and an identity of a user in whose context the application program is executing.

Abstract: A facility for providing access authorization is provided. The facility initially enforces a first, less restrictive policy when making its access control decisions. Subsequent to detecting an anomaly, the facility enforces a second, more restrictive policy when making its access control decisions. The facility returns to enforcing the first, less restrictive policy when the anomaly no longer exists. In another embodiment, the facility enforces a policy after detecting an anomaly and until the anomaly has ended.

Abstract: Languages for expressing security policies are provided. The languages comprise rules that specify conditions and actions. The rules may be enforced by a security engine when a security enforcement event occurs. The languages support data separation, dynamic evaluation, and ordered rule scope. By separating data from logic, security engines may only need to be updated with a portion of rules that change. With dynamic evaluation, expressions of rules may be evaluated dynamically, such as by querying a database, when a security engine enforces a rule. With ordered rule scope, when a security enforcement event implicates a number of rules simultaneously, the rules may be enforced in a deterministic and logically organized manner.