Patents by Inventor Randall Springfield

Randall Springfield has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20060085648
    Abstract: A method that restricts a user's access to critical data on a client and network by requiring renewal of a client's lease for accessing the network by an administrative utility of the network during each login by a user to the client. A user/client logon policy is created for each user and/or each client and stored at the lease server. The lease server executes a utility that utilizes the policies to control whether a user is allowed to access a particular client on the network. User access to the client and ultimately the network is only provided when the lease term is renewed for the client (and user). When a lease term is not renewed/extended, the user is blocked from accessing the client system.
    Type: Application
    Filed: October 16, 2004
    Publication date: April 20, 2006
    Applicant: International Business Machines Corp.
    Inventors: Richard Cheston, Daryl Cromer, Howard Locker, Randall Springfield
  • Publication number: 20060085630
    Abstract: A method and system for enabling security attestation for a computing device during a return from an S4 sleep state. When the computing device enters into the S4 state following a successful boot up, the attestation log is appended to the TPM tick count and the log is signed (with a security signature). When the device is awakened from S4 state, the BIOS obtains and verifies the log created during the previous boot. The CRTM maintains a set of virtual PCRs and references these virtual PCRs against the log. If the values do not match, the return from S4 state fails and the device is rebooted.
    Type: Application
    Filed: October 16, 2004
    Publication date: April 20, 2006
    Applicant: International Business Machines Corp.
    Inventors: David Challener, Daryl Cromer, Joseph Freeman, Steven Goodman, James Hoff, Howard Locker, Randall Springfield, James Ward
  • Publication number: 20060080737
    Abstract: A system and method that marks whenever a sector on a hard drive is altered. A protected archive bit is maintained for each sector on the hard drive in a secured fashion. Authenticated requests are able to reset the protected archive bit. When a file is changed, the hard drive marks the sectors of the program that have been altered. When the virus protection application executes, it retrieves the sectors that have been altered, identifies the files that correspond to such sectors, and scans the identified files. If a virus has attacked the computer and attached itself to one of the files, the file is identified and scanned and the virus is discovered with appropriate eradication actions performed. An authentication scheme is assigned to a hard drive with a secret that is shared between the drive and the virus protection program and stored in a secure location.
    Type: Application
    Filed: October 13, 2004
    Publication date: April 13, 2006
    Applicant: International Business Machines Corporation
    Inventors: Joseph Freeman, Steven Goodman, Randall Springfield
  • Publication number: 20060075103
    Abstract: Systems, methods and media for providing access to a network are disclosed. More particularly, hardware and/or software for providing network access only to client computer systems with acceptable status information are disclosed. Embodiments include a method that generally includes receiving a request for a network address from a client computer system via a network and determining whether the status of the requesting client computer system is acceptable. In the event that the status of the client computer system is determined to be acceptable, the method also generally includes assigning and transmitting a network address to the client computer system. In some embodiments, the status of the client computer system may include information about the system configuration, installed software, presence of files such as virus files, etc.
    Type: Application
    Filed: October 5, 2004
    Publication date: April 6, 2006
    Applicant: International Business Machines Corporation
    Inventors: Daryl Cromer, Mark Davis, Howard Locker, Randall Springfield
  • Publication number: 20060075144
    Abstract: A method and system for remotely controlling a hard drive on a local computer. A NIC includes a Port Selector under the control of a NIC processor. Access to the hard drive is selectively afforded to either the local computer or to a remote computer by the Port Selector. Preferably, the method and system permit remote access to a local hard drive even if the local computer is disabled, due to causes including, but not limited to, system failure, lost power or corrupted data on the hard drive.
    Type: Application
    Filed: September 24, 2004
    Publication date: April 6, 2006
    Applicant: International Business Machines Corp.
    Inventors: David Challener, Daryl Cromer, Howard Locker, Randall Springfield
  • Publication number: 20060047826
    Abstract: A method and system for defining every operation required of a client PC before being authorized to obtain an IP address that will enable the client PC to join a network serviced by specified DHCP servers. Each successful operation generates a value that is stored on a pre-determined location on the client PC's hard drive. A hash is created from all of the stored values, and after being encrypted, the hash is sent to the DHCP server when requesting an IP address. The DHCP server has a hash string indicative of the required status of operations that should be performed by any client PC requesting an IP address to join the network serviced by the DHCP server. If the DHCP's hash string does not match with the hash sent by the client PC, then the DHCP server will not provide the requisite IP address to the client PC.
    Type: Application
    Filed: August 25, 2004
    Publication date: March 2, 2006
    Applicant: International Business Machines Corp.
    Inventors: Daryl Cromer, Mark Davis, Howard Locker, Randall Springfield
  • Publication number: 20060041932
    Abstract: Systems and methods to access password-protected stored data when a corresponding data password has been lost, forgotten, or is otherwise unavailable, and to recover the data password to facilitate access to the password-protected data from a digital memory device such as a hard disk drive associated with a user computer. In some embodiments the computer is communicatively coupled with a network and receives at least one encryption key from a secure computer via the network. In other embodiments the computer is a stand alone computer and receives at least one encryption key from a removable, non-volatile memory such as a CD ROM. The encryption key is used to encrypt the data password and both are stored on the hard disk drive. If the data password becomes lost, forgotten, or otherwise unavailable, the encrypted password is recovered from the hard disk drive and decrypted to recover the data password.
    Type: Application
    Filed: August 23, 2004
    Publication date: February 23, 2006
    Applicant: International Business Machines Corporation
    Inventors: Daryl Cromer, Richard Cheston, Steven Goodman, Howard Locker, Randall Springfield
  • Publication number: 20060025965
    Abstract: There are many files in the current generation of computers, especially on the hardfile, that are not used or used only infrequently during operation. For instance, the system may contain many help text files which may never be accessed. The same applies to the DLL's. Also, some files are accessed only during a boot cycle. The present invention provides a method and program to track the locations of files in a computer which have been accessed so that, when an error occurs, only the files that need to be tested are diagnostically tested for errors, thus saving time and resources.
    Type: Application
    Filed: July 29, 2004
    Publication date: February 2, 2006
    Applicant: International Business Machines Corporation
    Inventors: Joseph Freeman, Steven Goodman, Randall Springfield
  • Publication number: 20050283343
    Abstract: Methods and arrangements for capturing information related to operational conditions are disclosed. Embodiments include volatile memory to quickly record operational parameters via, e.g., basic input output system (BIOS) code, system management interrupt (SMI) code and/or executing applications. Many embodiments provide an alternative power source and a voltage switch to protect against loss of the information between storage in the volatile memory and storage in the non-volatile memory. Some embodiments include a read controller that provides access to the volatile memory when primary power is available. The read controller may also offer direct access to the non-volatile memory in case of a catastrophic failure that renders the processing device substantially non-functional. Further embodiments include a second processing device to generate a usage model and/or to perform diagnostics with the operational parameters.
    Type: Application
    Filed: June 18, 2004
    Publication date: December 22, 2005
    Applicant: International Business Machines Corporation
    Inventors: Daryl Cromer, Mark Davis, Howard Locker, Randall Springfield
  • Publication number: 20050240998
    Abstract: A secure computer system includes a central processing unit in which plural programs reside. The system includes means for verifying whether the at least one program is trusted or not trusted. That means can be an external key device that includes a verification program that can communicate with the programs residing within the central processing unit.
    Type: Application
    Filed: April 22, 2004
    Publication date: October 27, 2005
    Applicant: International Business Machines Corporation
    Inventors: Daryl Cromer, Howard Locker, Randall Springfield
  • Publication number: 20050204190
    Abstract: An apparatus, a system, and a method are provided for transitioning networked computing devices to a lower power state. The apparatus, system, and method include an interface module configured to receive a power saving command from a remote site on a network. A determination module is provided to determine whether the client is in a selected state whereby it can comply with the power savings command. A power saving module is provided to execute a selected power saving scheme responsive to a determination that the client is in a selected state whereby it can comply with the power savings command.
    Type: Application
    Filed: December 30, 2003
    Publication date: September 15, 2005
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Daryl Cromer, Howard Locker, Randall Springfield
  • Publication number: 20050166213
    Abstract: Methods, systems, and media are disclosed for managing a remote client of a computer system. One example embodiment includes transmitting a modified wake-on LAN (“WOL”) packet to a network receive buffer on the remote client, wherein the modified WOL packet comprises additional data, such as executable code or functions. Further, the example embodiment includes retrieving, by BIOS associated with the remote client, of the modified WOL packet from the network receive buffer, storing, by the BIOS, of the additional data in memory associated with the network receive buffer, and retrieving, by BIOS associated with the remote client, of the additional data from the memory. Further still, the example embodiment includes processing of the additional data, which may occur by an application stored on the PARTIES partition, wherein the parsed, additional data is interpreted and executed by the application.
    Type: Application
    Filed: December 31, 2003
    Publication date: July 28, 2005
    Applicant: International Business Machines Corporation
    Inventors: Daryl Cromer, Joseph Freeman, Steven Goodman, Randall Springfield
  • Publication number: 20050163085
    Abstract: A system and method for autonomic wireless presence ping is presented. An IS administrator wishes to collect capacity requirement information corresponding to a wireless network, such as the number of packets a client sends to and receives from an access point. The IS administrator sends a request to the access point. In turn, the access point sends a control packet to client devices it supports, instructing them to enable an enhanced presence ping bit. Each client enables its enhanced presence ping bit, and collects enhanced status information. Each client device sends the enhanced status information to the access point either when a timer expires, or when the client device receives a ping request from the access point. The access point then forwards the enhanced status information to the IS administrator for analysis.
    Type: Application
    Filed: December 24, 2003
    Publication date: July 28, 2005
    Applicant: International Business Machines Corporation
    Inventors: Daryl Cromer, Philip Jakes, Howard Locker, Randall Springfield
  • Publication number: 20050165909
    Abstract: A data processing network configuration includes a server and an access point wired to a network and a mobile system wirelessly connected to the access point. The access point receives and stores a request to retrieve information from the mobile system. The mobile system, when in a powered down state, powers its wireless network adapter periodically to poll the access point to discover the stored request for information. The mobile system responds to discovery of the stored request by retrieving the requested information from nonvolatile storage of the mobile system and transmitting the requested information via the wireless network adapter while otherwise remaining powered down. The information request may be a system management request and the request packet may include a Media Access Control (MAC) address repeated multiple times. The access point stores pending requests in a table having an entry for each associated mobile system.
    Type: Application
    Filed: December 19, 2003
    Publication date: July 28, 2005
    Inventors: Daryl Cromer, Howard Locker, Randall Springfield
  • Publication number: 20050160162
    Abstract: Systems, methods, and media for providing remote wake-up and management of systems in a network are disclosed. More particularly, hardware and/or software for a server to receive feedback from a client as to the status of its wake-on-LAN functionality is disclosed. Embodiments include hardware and/or software for determining a client to be managed, determining whether the client is active on the network, transmitting a first network packet comprising a wake-on-LAN packet, and receiving a return wake-on-LAN packet, which comprises an indication of the address of the client and an indication of the status of the wake-on-LAN functionality of the client. Embodiments may also include transmitting a command to start a management session on the client.
    Type: Application
    Filed: December 31, 2003
    Publication date: July 21, 2005
    Applicant: International Business Machines Corporation
    Inventors: Daryl Cromer, Howard Locker, Randall Springfield
  • Publication number: 20050149753
    Abstract: An apparatus, system and method of verifying an interface address are provided. A communication device is connected to a network. The apparatus, system and method query the communication device for an interface address identifying the communication device to the network. The apparatus, system, and method further receive the interface address from the communication device and identify an invalid interface address. In one embodiment, the interface address is invalid if it is outside of a specified interface address range. The apparatus, system, and method mitigate the invalid interface address. In one embodiment, the apparatus, system, and method mitigate the invalid interface address by deactivating the network.
    Type: Application
    Filed: December 30, 2003
    Publication date: July 7, 2005
    Inventors: Daryl Cromer, Howard Locker, Marc Pamley, Randall Springfield
  • Publication number: 20050144493
    Abstract: Systems and arrangements for remotely selecting a bootable image via a WOL packet for a wake-on-LAN (WOL) capable computer are contemplated. Server-side embodiments include hardware and/or software for determining a client to be managed, determining whether the client is active on the network, and transmitting a WOL packet having a vector, or operating system partition identification (OSPID), to describe a bootable image accessible by the WOL capable computer. Some embodiments may include an OSPID that points to a secure bootable image such as a bootable image on a hard drive, a compact disk (CD) connected to the computer, or other local resource. Client-side embodiments may receive the WOL packet at, for instance, a network interface card (NIC), recognize that the WOL packet includes an OSPID that describes the bootable image to boot, and implement an alternative boot sequence to boot from that bootable image.
    Type: Application
    Filed: December 31, 2003
    Publication date: June 30, 2005
    Applicant: International Business Machines Corporation
    Inventors: Daryl Cromer, Richard Dayan, Joseph Freeman, Steven Goodman, Eric Kern, Howard Locker, Randall Springfield
  • Publication number: 20050144443
    Abstract: An apparatus for securely backing up data using a cryptographic module includes a mass storage device having a first accessible portion and a second encrypted portion. The mass storage device is initialized to only decrypt the encrypted portion on the system that first created the encrypted portion. The cryptographic module may be a Trusted Platform Module (TPM) based on specifications from the Trusted Computer Group. The mass storage device comprises a trusted platform interface module configured to communicate with the TPM. The system may include a motherboard having a TPM, and the mass storage device. The method in one embodiment comprises providing a computer readable mass storage device, initializing a password module, transmitting an encrypted password to the cryptographic module, authenticating the encrypted password, decrypting the encrypted password, transmitting the decrypted password to the computer readable medium, and decrypting the second encrypted portion using the decrypted password.
    Type: Application
    Filed: December 30, 2003
    Publication date: June 30, 2005
    Inventors: Daryl Cromer, Howard Locker, Randall Springfield
  • Publication number: 20050141717
    Abstract: An apparatus, method, and system to seal a data repository to a trusted computing platform is described. The data repository may be sealed by encrypting the data on the repository and sealing a cryptographic key to a specific set of platform resources. With the data repository sealed to the platform, the system boot sequence will fail if the system configuration is compromised, for example by insertion of “snoopware” or a modified BIOS. Additionally, if the computer containing the data repository is lost or stolen, the encrypted data remains secure even if the repository is attached to a system modified to bypass normal safeguards.
    Type: Application
    Filed: December 30, 2003
    Publication date: June 30, 2005
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Daryl Cromer, Joseph Freeman, Steven Goodman, Randall Springfield
  • Publication number: 20050138393
    Abstract: A system and method for enabling multiple levels of access to data on a system includes receiving an identifying metric and processing the metric by salting, hashing, encrypting, or a combination thereof the metric to obtain a table lookup value. The table lookup value is used to index a PW hash table to retrieve a security value. The security value is used to update the contents of a hardware register value such as a selected platform configuration register (PCR) of a Trusted Platform Module (TPM). A selected cryptographic key is then released to the user if the hardware register value matches a predetermined value. In this embodiment, each of a set of security values corresponds to a cryptographic key and each cryptographic key corresponds to one of the levels of access to data.
    Type: Application
    Filed: December 22, 2003
    Publication date: June 23, 2005
    Inventors: David Challener, Randall Springfield