Patents by Inventor Ramesh Chinta

Ramesh Chinta has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250131089
    Abstract: The present disclosure provides methods, systems and storage media for conducting a security review of a system. Certain examples relate to the use of trained generative AI to generate a root security query using a machine learning (ML) generator, based on a system description. A security requirement associated with the root security query is extracted, and an indication of the root security query is output at a user interface. A user input is received in response, and the ML generator generates a follow-up request that is output via the user interface. A second user input is received in response to the follow-up request, and the ML generator then determines that the security requirement is not satisfied by the target system.
    Type: Application
    Filed: December 21, 2023
    Publication date: April 24, 2025
    Inventors: Tvisha Rajesh GANGWANI, Ramesh CHINTA, Sahil Sanjay SANGHVI, Kimia POURALI, Michael Richard YAGLEY, Shashank YERRAMILLI, Komal Darshil PANDYA
  • Patent number: 10621357
    Abstract: Security risks associated with scanning a computer are at least mitigated by performing the scanning off node. State data of a target node, or computer, can be acquired in various ways. The acquired state data can be subsequently employed to generate a virtual replica of the target computer or portion thereof on a second computer isolated from the target computer. The virtual replica of the target computer provides a scanner access to the data needed to perform a scan on the second computer without accessing or being able to impact the target computer.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: April 14, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Rebecca Jean Ochs, Ramesh Chinta, Amrita Satapathy, Jeffrey Cooperstein, Harini Parthasarathy, Scott Antony Field, Mohamed Rouatbi, Julian Federico Gonzalez
  • Publication number: 20190065754
    Abstract: Security risks associated with scanning a computer are at least mitigated by performing the scanning off node. State data of a target node, or computer, can be acquired in various ways. The acquired state data can be subsequently employed to generate a virtual replica of the target computer or portion thereof on a second computer isolated from the target computer. The virtual replica of the target computer provides a scanner access to the data needed to perform a scan on the second computer without accessing or being able to impact the target computer.
    Type: Application
    Filed: August 31, 2017
    Publication date: February 28, 2019
    Inventors: Rebecca Jean Ochs, Ramesh Chinta, Amrita Satapathy, Jeffrey Cooperstein, Harini Parthasarathy, Scott Antony Field, Mohamed Rouatbi, Julian Federico Gonzalez
  • Patent number: 9501635
    Abstract: This disclosure describes methods, systems, and application programming interfaces for creating a credential managed account. This disclosure describes creating a new password managed account, defining the password managed account, wherein the password managed account is to access a service on a managed computing device, identifying the password managed account for a lifecycle, and automatically managing the password managed account by updating and changing a password for the password managed account on a periodic basis.
    Type: Grant
    Filed: June 25, 2008
    Date of Patent: November 22, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ramesh Chinta, Scott A. Field, Liqiang Zhu, Umit Akkus, Siddharth Bhai, Gopinathan Kannan, James J Simmons, Qi Cao, Paul Miller, Ryan Fairfax, Alexandru Hanganu
  • Patent number: 9413740
    Abstract: Embodiments are directed to establishing a secure connection between computing systems and to providing computer system virtualization on a secure computing device. In one scenario, a computer system receives a request that at least one specified function be initiated. The request includes user credentials and a device claim that identifies the computing device. The computer system authenticates the user using the received user credentials and determines, based on the device claim, that the computing device is an approved computing device that has been approved to initiate performance of the specified function. Then, upon determining that the user has been authenticated and that the computing device is approved to initiate performance of the specified function, the computer system initiates performance of the specified function.
    Type: Grant
    Filed: July 22, 2014
    Date of Patent: August 9, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mohamed Rouatbi, Karthik Jaganathan, Venkata K. Anumalasetty, Ramesh Chinta, Scott A. Field
  • Publication number: 20160087963
    Abstract: Embodiments are directed to establishing a secure connection between computing systems and to providing computer system virtualization on a secure computing device. In one scenario, a computer system receives a request that at least one specified function be initiated. The request includes user credentials and a device claim that identifies the computing device. The computer system authenticates the user using the received user credentials and determines, based on the device claim, that the computing device is an approved computing device that has been approved to initiate performance of the specified function. Then, upon determining that the user has been authenticated and that the computing device is approved to initiate performance of the specified function, the computer system initiates performance of the specified function.
    Type: Application
    Filed: December 1, 2015
    Publication date: March 24, 2016
    Inventors: Mohamed Rouatbi, Karthik Jaganathan, Venkata K. Anumalasetty, Ramesh Chinta, Scott A. Field
  • Publication number: 20160028704
    Abstract: Embodiments are directed to establishing a secure connection between computing systems and to providing computer system virtualization on a secure computing device. In one scenario, a computer system receives a request that at least one specified function be initiated. The request includes user credentials and a device claim that identifies the computing device. The computer system authenticates the user using the received user credentials and determines, based on the device claim, that the computing device is an approved computing device that has been approved to initiate performance of the specified function. Then, upon determining that the user has been authenticated and that the computing device is approved to initiate performance of the specified function, the computer system initiates performance of the specified function.
    Type: Application
    Filed: July 22, 2014
    Publication date: January 28, 2016
    Inventors: Mohamed Rouatbi, Karthik Jaganathan, Venkata K. Anumalasetty, Ramesh Chinta, Scott A. Field
  • Patent number: 9191397
    Abstract: Described is a technology by which an engine parses data based upon modules arranged in a tree-like model structure. Only those modules that meet a condition with respect to the data are invoked for processing the data. Each child module specifies a parent module and specifies a condition for when the parent is to invoke the child module. As a module processes the data, if a child module's specified condition is met, it invokes the corresponding child module (which in turn may invoke a lower child if its condition is met, and so on). When the data corresponds to protocols, the model facilitates protocol layering. A top level parent may represent one protocol (e.g., TCP), a child beneath may represent a lower-layer protocol (e.g., HTTP), whose children may handle certain types of HTTP commands, or correspond to a signature that the child module is programmed to detect.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: November 17, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ramesh Chinta, Crystal Li, Vladimir Lifliand, Narasimha Rao S. S. Nagampalli
  • Patent number: 9047477
    Abstract: Architecture that stores specific passwords on behalf of users, and encrypts the passwords using encryption keys managed by a distributed key management system. The encryption keys are stored in a directory service (e.g., hierarchical) in an area that is inaccessible by selected entities (e.g., administrative users) having superior permissions such as supervisory administrators, but accessible to the account components that need to access the unencrypted passwords. The distributed key management system makes the encryption key stored in the directory service available to all hardware/software components that need the key to encrypt or decrypt the passwords.
    Type: Grant
    Filed: May 26, 2009
    Date of Patent: June 2, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Fabian Nunez-Tejerina, Jeffrey B. Kay, Robert C. Fruth, Naveen A. Palavalli, Ramesh Chinta, Tolga Acar
  • Patent number: 8789159
    Abstract: Systems and methods for creating a secure process on a web server can include creating an application manager process, and creating an application host process, the application host process being created under control of the application manager process. Example methods can also include restricting attributes of the application host process, and assigning a unique logon identifier to the application host process so that the application host process can only communicate with the application manager process.
    Type: Grant
    Filed: February 11, 2008
    Date of Patent: July 22, 2014
    Assignee: Microsoft Corporation
    Inventors: S. Franklin Williams, Kiran Akella Venkata, David C. LeBlanc, Juraj Gottweis, Gareth A. Howell, Scott A. Field, Ramesh Chinta
  • Patent number: 8230485
    Abstract: A system and method for controlling access to a computer provides for loose security within a local network while retaining strong security against external access to the network. In one embodiment, a user has access to trusted nodes in a secured group within an unmanaged network, without being required to choose, enter and remember a login password. To establish such a secure blank password or one-click logon account for the user on a computer, a strong random password is generated and stored, and the account is designated as a blank password account. If the device is part of a secured network group, the strong random password is replicated to the other trusted nodes. When a user with a blank password account wishes to log in to a computer, the stored strong random password is retrieved and the user is authenticated.
    Type: Grant
    Filed: September 15, 2004
    Date of Patent: July 24, 2012
    Assignee: Microsoft Corporation
    Inventors: Sterling M. Reasor, Ramesh Chinta, Paul J. Leach, John E. Brezak, Eric R. Flo
  • Patent number: 7979865
    Abstract: A computer-readable medium bearing computer-executable instructions which, when executed on a computer, carry out a method for handling a request for an operating system service is presented. The method comprises receiving a request for execution of an operating system service. The corresponding operating system service is then identified. A unique service identifier that corresponds to the requested operating system service is obtained. A service thread is generated, the thread being associated with an executing process. Storage associated with the service thread is initialized with the unique service identifier. Thereafter, the execution of the service thread is initiated.
    Type: Grant
    Filed: November 3, 2005
    Date of Patent: July 12, 2011
    Assignee: Microsoft Corporation
    Inventors: Narasimha Rao S. S. Nagampalli, Pradeep Bahl, Ramesh Chinta
  • Publication number: 20100306554
    Abstract: Architecture that stores specific passwords on behalf of users, and encrypts the passwords using encryption keys managed by a distributed key management system. The encryption keys are stored in a directory service (e.g., hierarchical) in an area that is inaccessible by selected entities (e.g., administrative users) having superior permissions such as supervisory administrators, but accessible to the account components that need to access the unencrypted passwords. The distributed key management system makes the encryption key stored in the directory service available to all hardware/software components that need the key to encrypt or decrypt the passwords.
    Type: Application
    Filed: May 26, 2009
    Publication date: December 2, 2010
    Applicant: Microsoft Corporation
    Inventors: Fabian Nunez-Tejerina, Jeffrey B. Kay, Robert C. Fruth, Naveen A. Palavalli, Ramesh Chinta, Tolga Acar
  • Publication number: 20090327993
    Abstract: Described is a technology by which an engine parses data based upon modules arranged in a tree-like model structure. Only those modules that meet a condition with respect to the data are invoked for processing the data. Each child module specifies a parent module and specifies a condition for when the parent is to invoke the child module. As a module processes the data, if a child module's specified condition is met, it invokes the corresponding child module (which in turn may invoke a lower child if its condition is met, and so on). When the data corresponds to protocols, the model facilitates protocol layering. A top level parent may represent one protocol (e.g., TCP), a child beneath may represent a lower-layer protocol (e.g., HTTP), whose children may handle certain types of HTTP commands, or correspond to a signature that the child module is programmed to detect.
    Type: Application
    Filed: June 27, 2008
    Publication date: December 31, 2009
    Applicant: Microsoft Corporation
    Inventors: Ramesh Chinta, Jason Li, Vladimir Lifliand, Narasimha Rao S. S. Nagampalli
  • Publication number: 20090328154
    Abstract: This disclosure describes methods, systems, and application programming interfaces for creating a credential managed account. This disclosure describes creating a new password managed account, defining the password managed account, wherein the password managed account is to access a service on a managed computing device, identifying the password managed account for a lifecycle, and automatically managing the password managed account by updating and changing a password for the password managed account on a periodic basis.
    Type: Application
    Filed: June 25, 2008
    Publication date: December 31, 2009
    Applicant: Microsoft Corporation
    Inventors: Scott A. Field, Ramesh Chinta, Liqiang Zhu, Umit Akkus, Siddharth Bhai, Gopinathan Kannan, James J. Simmons, Qi Cao, Paul Miller, Ryan Fairfax, Alexandru Hanganu
  • Patent number: 7603708
    Abstract: A computer system having secured network services is presented. The computer system comprises a processor, a memory, and a network action processing module. The network action processing module processes network actions from one or more network services executing on the computer system. The computer system is further configured to execute at least one network service performing network actions in conjunction with the network action processing module. Upon receiving a network action from a network service, the network action processing module determines whether the network action is a valid network action according to a network action control list. If the network action is determined to not be a valid network action, the network action is blocked. Alternatively, if the network action is determined to be a valid network action, the network action is permitted to be completed.
    Type: Grant
    Filed: July 13, 2005
    Date of Patent: October 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Ramesh Chinta, Narasimha Rao S. S. Nagampalli, Scott A Field
  • Publication number: 20090205034
    Abstract: Systems and methods for creating a secure process on a web server can include creating an application manager process, and creating an application host process, the application host process being created under control of the application manager process. Example methods can also include restricting attributes of the application host process, and assigning a unique logon identifier to the application host process so that the application host process can only communicate with the application manager process.
    Type: Application
    Filed: February 11, 2008
    Publication date: August 13, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: S. Franklin Williams, Kiran Akella Venkata, David C. LeBlanc, Juraj Gottweis, Gareth A. Howell, Scott A. Field, Ramesh Chinta
  • Publication number: 20070294699
    Abstract: A facility is provided for conditionally reserving resources in an operating system. In various embodiments, the facility receives an indication of a conditional reservation declarator that identifies at least a resource, an action, a condition, and a principal. The conditional reservation declarator can specify a directive that corresponds to the identified resource, action, condition, and principal. The facility configures itself to apply the specified directive in relation to the identified action and resource when the principal attempts to perform the identified action in relation to the identified resource and the condition is met. The facility can apply the specified directive when it determines that the principal is attempting to perform the identified action on the identified resource when the condition is met.
    Type: Application
    Filed: June 16, 2006
    Publication date: December 20, 2007
    Applicant: Microsoft Corporation
    Inventors: Pradeep Bahl, Narasimha Rao S. S. Nagampalli, Ramesh Chinta
  • Publication number: 20070162909
    Abstract: Techniques for reserving resources in an operating system are provided. The techniques include receiving an indication of an authorization setting specifying a directive and identifying at least a resource, an action, and a principal, configuring to apply the specified directive in relation to the identified action and resource when the principal attempts to perform the identified action in relation to the indicated resource, determining that the principal is attempting to perform the identified action on the identified resource, and applying the specified directive. The techniques function whether or not the resources or principals exist when the resources are reserved.
    Type: Application
    Filed: January 11, 2006
    Publication date: July 12, 2007
    Applicant: Microsoft Corporation
    Inventors: Pradeep Bahl, Narasimha Nagampalli, Ramesh Chinta
  • Publication number: 20070101335
    Abstract: A computer-readable medium bearing computer-executable instructions which, when executed on a computer, carry out a method for handling a request for an operating system service is presented. The method comprises receiving a request for execution of an operating system service. The corresponding operating system service is then identified. A unique service identifier that corresponds to the requested operating system service is obtained. A service thread is generated, the thread being associated with an executing process. Storage associated with the service thread is initialized with the unique service identifier. Thereafter, the execution of the service thread is initiated.
    Type: Application
    Filed: November 3, 2005
    Publication date: May 3, 2007
    Applicant: Microsoft Corporation
    Inventors: Narasimha Nagampalli, Pradeep Bahl, Ramesh Chinta