Patents by Inventor Praerit Garg
Praerit Garg has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20090228969Abstract: A selective cross-realm authenticator associates an identifier with a request from an entity authenticated in one realm to access a resource associated with a second realm. The identifier indicates that the entity was authenticated in a realm other than the realm associated with the requested resource. A domain controller associated with the resource performs an access check to verify that the authenticated user is authorized to authenticate to the requested resource. Permissions associated with the resource can be used to specify levels of access to be granted to entities authenticated by a domain controller associated with another realm.Type: ApplicationFiled: May 20, 2009Publication date: September 10, 2009Applicant: Microsoft CorporationInventors: Praerit Garg, Cliff Van Dyke, Karthik Jaganathan, Mark Pustilnik, Donald E. Schmidt
-
Patent number: 7568218Abstract: A selective cross-realm authenticator associates an identifier with a request from an entity authenticated in one realm to access a resource associated with a second realm. The identifier indicates that the entity was authenticated in a realm other than the realm associated with the requested resource. A domain controller associated with the resource performs an access check to verify that the authenticated user is authorized to authenticate to the requested resource. Permissions associated with the resource can be used to specify levels of access to be granted to entities authenticated by a domain controller associated with another realm.Type: GrantFiled: October 31, 2002Date of Patent: July 28, 2009Assignee: Microsoft CorporationInventors: Praerit Garg, Cliff Van Dyke, Karthik Jaganathan, Mark Pustilnik, Donald E. Schmidt
-
Patent number: 7552391Abstract: Methods and arrangements are provided for use in multiple user computing environments. These methods and arrangements can be configured to allow for a plurality of separate and concurrent desktops and workspaces within the shared computing environment. One method includes creating a separate desktop thread for each user that is authenticated during a logon process, creating a separate desktop associated with each desktop thread, and maintaining a list of desktop threads that are created. In this manner, several users can be logged on simultaneously. In certain implementations, the method further includes establishing a separate user environment associated with each desktop and launching a separate user shell associated with each desktop. The list of desktop threads allows for selective and/or automatic switching from a first desktop to a second desktop without terminating a desktop thread associated with the first desktop. The methods and arrangements are also applicable to remote process logon and switching.Type: GrantFiled: June 26, 2003Date of Patent: June 23, 2009Assignee: Microsoft CorporationInventors: Christopher A. Evans, Giampiero M. Sierra, Victor Tan, Praerit Garg, David Andrew Matthews, Reiner Fink, Paul S. Hellyar
-
Patent number: 7546633Abstract: A role-based authorization management system maintains an authorization policy store that represents user authorizations to perform operations associated with an application. When a user attempts to perform a function associated with an application, the authorization management system verifies that the user is authorized to perform the requested function. The authorization management system also provides an interface for an application administrator to update role-based user authorization policies associated with one or more applications.Type: GrantFiled: October 25, 2002Date of Patent: June 9, 2009Assignee: Microsoft CorporationInventors: Praerit Garg, Cliff Van Dyke, Dave McPherson, Everett McKay
-
Patent number: 7543333Abstract: Improved intrusion detection and/or tracking methods and systems are provided for use across various computing devices and networks. Certain methods, for example, form a substantially unique audit identifier during each authentication/logon process. One method includes identifying one or more substantially unique parameters that are associated with the authentication/logon process and encrypting them to form at least one audit identifier that can then be generated and logged by each device involved in the authentication/logon process. The resulting audit log file can then be audited along with similar audit log files from other devices to track a user across multiple platforms.Type: GrantFiled: April 8, 2002Date of Patent: June 2, 2009Assignee: Microsoft CorporationInventors: Bhalchandra S. Pandit, Praerit Garg, Richard B. Ward, Paul J. Leach, Scott A. Field, Robert P. Reichel, John E. Brezak
-
Patent number: 7454483Abstract: A process determines a role that a target server will perform. The process also identifies at least one security policy associated with the role. The target server is then configured to implement the identified security policies.Type: GrantFiled: May 14, 2003Date of Patent: November 18, 2008Assignee: Microsoft CorporationInventors: Kirk Soluk, Praerit Garg, Vishnu A. Patankar, Jin Huang, Xiaohong Wu
-
Patent number: 7437429Abstract: Access to WebDAV (Distributed Authoring and Versioning) servers is provided in a manner that is essentially transparent to applications. A WebDAV redirector and related components support file system I/O requests and network requests directed to WebDAV servers identified by URI (Universal Resource Identifier) names, or by a drive may be mapped to a WebDAV share. An application's create or open I/O requests directed to a WebDAV server are detected, and result in a local copy of the file being downloaded and cached for local access. When closed, the local file is uploaded to the WebDAV server. Network-related requests such as for browsing that are directed to a WebDAV server are also handled transparently. WebDAV files may be locally encrypted and decrypted at the file system level, transparent to applications and the WebDAV server, via an encrypting file system that performs local encryption and decryption at the local file system level.Type: GrantFiled: January 17, 2002Date of Patent: October 14, 2008Assignee: Microsoft CorporationInventors: Shishir Pardikar, Rohan Kumar, Yun Lin, Praerit Garg, Jianrong Gu
-
Patent number: 7434257Abstract: A dynamic authorization callback mechanism is provided that implements a dynamic authorization model. An application can thus implement virtually any authorization policy by utilizing dynamic data and flexible policy algorithms inherent in the dynamic authorization model. Dynamic data, such as client operation parameter values, client attributes stored in a time-varying or updateable data store, run-time or environmental factors such as time-of-day, and any other static or dynamic data that is managed or retrievable by the application may be evaluated in connection with access control decisions. Hence, applications may define and implement business rules that can be expressed in terms of run-time operations and dynamic data. An application thus has substantial flexibility in defining and implementing custom authorization policy, and at the same time provides standard definitions for such dynamic data and policy.Type: GrantFiled: May 4, 2001Date of Patent: October 7, 2008Assignee: Microsoft CorporationInventors: Praerit Garg, Robert P. Reichel, Richard B. Ward, Kedarnath A. Dubhashi, Jeffrey B. Hamblin, Anne C. Hopkins
-
Patent number: 7353535Abstract: A flexible way of expressing trust policies using, for example, XML. Multiple statement types may be expressed for a single authority type. Statement types may include less than all of the statements made by an authority type. Authority types may be defined using any manner interpretable by the computing system using the trust policy. In addition, trust policies may be updated as trust levels change. Even multiple trust policies may be used with reconciliation between the multiple trust policies being accomplished by using the more restrictive trust policy with respect to an assertion.Type: GrantFiled: March 31, 2003Date of Patent: April 1, 2008Assignee: Microsoft CorporationInventors: Christopher G. Kaler, John P. Shewchuk, Giovanni M. Della-Libera, Praerit Garg, Brendan W. Dixon
-
Patent number: 7350204Abstract: A system and method that automatically, transparently and securely controls software execution by identifying and classifying software, and locating a rule and associated security level for executing executable software. The security level may disallow the software's execution, restrict the execution to some extent, or allow unrestricted execution. To restrict software, a restricted access token may be computed that reduces software's access to resources, and/or removes privileges, relative to a user's normal access token. The rules that control execution for a given machine or user may be maintained in a restriction policy, e.g., locally maintained and/or in a group policy object distributable over a network. Software may be identified/classified by a hash of its content, by a digital signature, by its file system or network path, and/or by its URL zone. For software having multiple classifications, a precedence mechanism is provided to establish the applicable rule/security level.Type: GrantFiled: June 8, 2001Date of Patent: March 25, 2008Assignee: Microsoft CorporationInventors: John J. Lambert, Praerit Garg, Jeffrey A. Lawson
-
Patent number: 7243374Abstract: The following subject matter provides for modeling an application's potential security threats at a logical component level early in the design phase of the application. Specifically, in a computer system, multiple model components are defined to represent respective logical elements of the application. Each model component includes a corresponding set of security threats that could potentially be of import not only to the component but also to the application as a whole in its physical implementation. The model components are interconnected to form a logical model of the application. One or more potential security threats are then analyzed in terms of the model components in the logical model.Type: GrantFiled: August 8, 2001Date of Patent: July 10, 2007Assignee: Microsoft CorporationInventors: Michael Howard, Praerit Garg, Loren M. Kohnfelder
-
Publication number: 20070112847Abstract: Modeling operational policies of operating a business's or institution's actual or planned IT system. The IT system may include components such as applications, application hosts, one or more networks or components thereof, hardware, and interrelationships between the components. The IT system is to be operated in accordance with operational policies that govern existence or numerosity of components, how the components are interrelated, how the components and interrelationships are configured, and/or manual or automated processes for managing and maintaining the IT system. The modeling may involve generating code that conforms to a language by declaring abstractions using types that correspond to the components of the IT system, by declaring types of interrelationships that correspond to the interrelationships of the IT system, and by defining constraints upon and between the abstract types, where the constraints correspond to operational policies of operating the IT system.Type: ApplicationFiled: November 2, 2005Publication date: May 17, 2007Applicant: Microsoft CorporationInventors: Pratul Dublish, Bassam Tabbara, Geoffrey Outhred, Jeffrey Parham, Kevin Grealish, Praerit Garg
-
Patent number: 7200869Abstract: Described is an invention for safeguarding against the modification of certain data associated with one domain of a distributed network by an entity (such as an administrator) within another domain of the distributed network while still allowing the entity to modify other data associated with the one domain. More particularly, security safeguards are applied by a directory replication service that operates to replicate the shared data to each domain in a domain “forest.” Those security safeguards allow a user to indicate that certain modifications of specified shared data may only be made within the domain in which the shared data was created. In that way, a shared data namespace may still be implemented in which trust relationships exist so that, for example, an administrator in one domain may alter a configuration of another domain within the forest. However, certain data may be restricted by these safeguards such that certain modifications of that data (e.g.Type: GrantFiled: September 15, 2000Date of Patent: April 3, 2007Assignee: Microsoft CorporationInventors: Donald J. Hacherl, Praerit Garg, Murli D. Satagopan, Robert P. Reichel
-
Patent number: 7185359Abstract: An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.Type: GrantFiled: December 21, 2001Date of Patent: February 27, 2007Assignee: Microsoft CorporationInventors: Donald E. Schmidt, Clifford P. Van Dyke, Paul J. Leach, Praerit Garg, Murli D. Satagopan
-
Patent number: 7127719Abstract: Methods and arrangements are provided for use in multiple user computing environments. These methods and arrangements can be configured to allow for a plurality of separate and concurrent desktops and workspaces within the shared computing environment. One method includes creating a separate desktop thread for each user that is authenticated during a logon process, creating a separate desktop associated with each desktop thread, and maintaining a list of desktop threads that are created. In this manner, several users can be logged on simultaneously. In certain implementations, the method further includes establishing a separate user environment associated with each desktop and launching a separate user shell associated with each desktop. The list of desktop threads allows for selective and/or automatic switching from a first desktop to a second desktop without terminating a desktop thread associated with the first desktop. The methods and arrangements are also applicable to remote process logon and switching.Type: GrantFiled: October 15, 2004Date of Patent: October 24, 2006Assignee: Microsoft CorporationInventors: Christopher A. Evans, Giampiero M. Sierra, Victor Tan, Praerit Garg, David A. Matthews, Reiner Fink, Paul S. Hellyar
-
Patent number: 7096367Abstract: An authorization handle is supported for each access policy determination that is likely to be repeated. In particular, an authorization handle may be assigned to access check results associated with the same discretionary access control list and the same client context. This likelihood may be determined based upon pre-set criteria for the application or service, based on usage history and the like. Once an access policy determination is assigned an authorization handle, the static maximum allowed access is cached for that policy determination. From access check to access check, the set of permissions desired by the client may change, and dynamic factors that might affect the overall privilege grant may also change; however, generally there is still a set of policies that is unaffected by the changes and common across access requests. The cached static maximum allowed access data is thus used to provide efficient operations for the evaluation of common policy sets.Type: GrantFiled: May 4, 2001Date of Patent: August 22, 2006Assignee: Microsoft CorporationInventors: Praerit Garg, Robert P. Reichel, Richard B. Ward, Kedarnath A. Dubhashi, Jeffrey B. Hamblin, Anne C. Hopkins
-
Publication number: 20060184646Abstract: An enterprise network architecture has a trust link established between two autonomous network systems that enables transitive resource access between network domains of the two network systems. The trust link is defined by data structures maintained by each of the respective network systems. The first network system maintains namespaces that correspond to the second network system and a domain controller in the first network system, or a first network system administrator, indicates whether to trust individual namespaces. An account managed by a domain in the second network system can request authentication via a domain controller in the first network system. The first network system determines from the trust link to communicate the authentication request to the second network system. The first network system also determines from the trust link where to communicate authorization requests when administrators manage group memberships and access control lists.Type: ApplicationFiled: April 24, 2006Publication date: August 17, 2006Applicant: Microsoft CorporationInventors: Donald Schmidt, Clifford Van Dyke, Paul Leach, Praerit Garg, Murli Satagopan
-
Publication number: 20060168152Abstract: A process identifies one or more roles associated with a target server. The process also identifies one or more services associated with each role and identifies one or more ports associated with each role. The identified ports associated with the role are presented to a user. The user is requested to select among the identified ports associated with the role.Type: ApplicationFiled: June 30, 2003Publication date: July 27, 2006Inventors: Kirk Soluk, Everett McKay, Hitesh Raigandhi, Yang Gao, Praerit Garg
-
Patent number: 6986043Abstract: A system and method for encryption and decryption of files. The system and method operate in conjunction with the file system to transparently encrypt and decrypt files in using a public key-private key pair encryption scheme. When a user puts a file in an encrypted directory or encrypts a file, data writes to the disk for that file are encrypted with a random file encryption key generated from a random number and encrypted with the public key of a user and the public key of at least one recovery agent. The encrypted key information is stored with the file, whereby the user or a recovery agent can decrypt the file data using a private key. With a correct private key, encrypted reads are decrypted transparently by the file system and returned to the user. One or more selectable encryption and decryption algorithms may be provided via interchangeable cryptographic modules.Type: GrantFiled: May 29, 2001Date of Patent: January 10, 2006Assignee: Microsoft CorporationInventors: Brian Andrew, Jianrong Gu, Mark J. Zbikowski, Praerit Garg, Mike K. Lai, Wesley Witt, Klaus U. Schutz
-
Patent number: 6917951Abstract: Described is a system and method for replicating each of a set of resources to a subject computer in a replica set prior to making use of a resource in the set of resources. The set of resources includes resources that are dependent upon each other for a proper functioning of the group. A manifest file that identifies each resource in a group of interrelated resources is used. The manifest file is generated at one computer in the replica set (typically the computer at which a modification to one of the interrelated resources occurred). When the modification occurs to one of the set of resources, the manifest file is transmitted (e.g., itself replicated) to each computer in the replica set. The manifest file includes an indicator that identifies the manifest file as a special file. When received at another computer in the replica set, a service evaluates the manifest file to identify whether the appropriate versions of the identified resources exist at the receiving computer.Type: GrantFiled: July 26, 2001Date of Patent: July 12, 2005Assignee: Microsoft CorporationInventors: David A. Orbits, Praerit Garg, Sudarshan A. Chitre, Balan Sethu Raman