Abstract: A secure mechanism for performing a network boot sequence and provisioning a remote device may use a private key of a public key/private key encryption mechanism to generate a command by a server and have the command executed by the device. The command may be used to verify the authenticity of the remote device, and may be used to establish ownership of the device. After authenticity and, in some cases ownership is established, bootable software may be downloaded and executed. The remote device may be provisioned with software applications. One mechanism for performing the initial encrypted commands is through a Trusted Platform Module. In many embodiments, the public key for the initial encrypted communication may be provided through a trusted second channel.

Abstract: Systems and methods provide multiple partitions hosted on an isolation technology such as a hypervisor where at least one of the partitions, a local secure service partition (LSSP), provides security services to other partitions. The service partitions (LSSPs) host those high assurance services that require strict security isolation, where the service can be shared across partitions and accessed even when the user is not connected to a network. The LSSP also can certify the results of any computation using a key signed by a TPM attestation identity key (AIK), or other key held securely by the hypervisor or a service partition. The LSSPs may be configured to provide trusted audit logs, trusted security scans, trusted cryptographic services, trusted compilation and testing, trusted logon services, and the like.

Abstract: Software is authorized in accordance with a reputation of the software. A trust in the author and/or publisher of the software is determined via digital signatures and/or CoAs, and a reputation of the software is utilized to determine the intent of the software. The reputation of the software can be determined via a local service, such as an enterprise IT department and/or via a reputation determination service. When software is downloaded or to be executed, the trust in the author/publisher is determined using digital signatures and/or CoAs associated with the software. If the author/publisher is determined to be trusted, a service is called to determine the reputation of the software. The software can be installed and/or executed dependent upon the reputation of the software and trustworthiness of the author/publisher.

Abstract: A secure mechanism for performing a network boot sequence and provisioning a remote device may use a private key of a public key/private key encryption mechanism to generate a command by a server and have the command executed by the device. The command may be used to verify the authenticity of the remote device, and may be used to establish ownership of the device. After authenticity and, in some cases ownership is established, bootable software may be downloaded and executed. The remote device may be provisioned with software applications. One mechanism for performing the initial encrypted commands is through a Trusted Platform Module. In many embodiments, the public key for the initial encrypted communication may be provided through a trusted second channel.

Abstract: One or more techniques and/or systems are provided for regulating an amount of power on a power grid using a datacenter. This allows demand to be more closely brought into alignment with supply. For example, when supply exceeds demand by a predetermined level, the datacenter may increase consumption, causing demand to increase, and when demand exceeds supply and/or comes within a predetermined threshold of supply, the datacenter may decrease consumption, causing demand to decrease. In this way, the datacenter can be utilized as a regulatory tool on the grid. It may be appreciated that given the technology used by and/or operations performed by datacenters, datacenters are uniquely situated to achieve these ends as compared to other (large) energy consumers, such as manufacturing facilities that cannot shift around and/or shut-down operations swiftly.

Abstract: At computer device power on, the operating system of the computer device initiates a monitor. The monitor assigns a monitoring program to each program and object (collectively, “program”) running on the computer device to monitor the activities of the program. When the monitoring program is assigned to a program, the monitoring program is assigned an integrity and/or privacy label (collectively, “integrity label”) based on predetermined criteria applied to the monitored program. The monitoring program, in turn, assigns an integrity label to the program monitored by the monitoring program. The integrity label assigned to the monitored program is less than or equal to the integrity label of the monitoring program. The monitor enforces an integrity policy of the computer device based on the integrity label assigned to monitored programs and the integrity label associated with data, another program, or a remote network resource that the monitored program is seeking to access.

Abstract: Software restriction policy rules can be automatically generated by parsing through a specified metadata source and generating the rules in accordance with indicated preferences. Metadata sources can include storage locations, such as folders, in which case rules for each executable file in the folder can be generated. Metadata sources can also include trusted publisher stores, installation logs, difference files, and other like data sources. Indicated preferences can select from among rules based on the publisher, for files that are signed, or rules based on hashes or path information for unsigned files. In generating rules to prevent the execution of specified files, if an optimized set of rules is desired, a check can be made to determine if an exception to an existing rule can be generated instead of a new rule. The automated parsing of the indicated metadata source can provide for both completeness and correctness.

Abstract: Today, data networks are ever increasing in size and complexity. For example, a datacenter may comprise hundreds of thousands of service endpoints configured to perform work. To reduce network wide degradation, a load balancer may send work requests to healthy service endpoints, as opposed to unhealthy and/or inoperative service endpoints. Accordingly, among other things, one or more systems and/or techniques for monitoring service endpoints, which may be scalable for large scale networks, are provided. In particular, a consistent hash function may be performed to generate a monitoring scheme comprising assignments of service endpoints to monitoring groups. In this way, multiple monitoring components may monitor a subset of endpoints to ascertain health status. Additionally, the monitoring components may communicate between one another so that a monitoring component may know heath statuses of service endpoints both assigned and not assigned to the monitoring component.

Abstract: This document relates to a distributed network coordinate system. One implementation provides computer-readable storage media including instructions that may cause a processor to perform certain acts. For example, the acts may include storing an initial network location of a first device in a network. The network may include the first device and a second device. The acts may also include monitoring one or more network performance metrics related to existing application communications with the second device, and determining an updated network location of the first device, based on the initial network location and the network performance metrics. Aspects of network health can be derived from monitoring changes in the network locations of various devices within the coordinate system.

Abstract: At computer device power on, the operating system of the computer device initiates a monitor. The monitor assigns a monitoring program to each program and object (collectively, “program”) running on the computer device to monitor the activities of the program. When the monitoring program is assigned to a program, the monitoring program is assigned an integrity and/or privacy label (collectively, “integrity label”) based on predetermined criteria applied to the monitored program. The monitoring program, in turn, assigns an integrity label to the program monitored by the monitoring program. The integrity label assigned to the monitored program is less than or equal to the integrity label of the monitoring program. The monitor enforces an integrity policy of the computer device based on the integrity label assigned to monitored programs and the integrity label associated with data, another program, or a remote network resource that the monitored program is seeking to access.

Abstract: At computer device power on, the operating system of the computer device initiates a monitor. The monitor assigns a monitoring program to each program and object (collectively, “program”) running on the computer device to monitor the activities of the program. When the monitoring program is assigned to a program, the monitoring program is assigned an integrity and/or privacy label (collectively, “integrity label”) based on predetermined criteria applied to the monitored program. The monitoring program, in turn, assigns an integrity label to the program monitored by the monitoring program. The integrity label assigned to the monitored program is less than or equal to the integrity label of the monitoring program. The monitor enforces an integrity policy of the computer device based on the integrity label assigned to monitored programs and the integrity label associated with data, another program, or a remote network resource that the monitored program is seeking to access.

Abstract: Today, data networks are ever increasing in size and complexity. For example, a datacenter may comprise hundreds of thousands of service endpoints configured to perform work. To reduce network wide degradation, a load balancer may send work requests to healthy service endpoints, as opposed to unhealthy and/or inoperative service endpoints. Accordingly, among other things, one or more systems and/or techniques for monitoring service endpoints, which may be scalable for large scale networks, are provided. In particular, a consistent hash function may be performed to generate a monitoring scheme comprising assignments of service endpoints to monitoring groups. In this way, multiple monitoring components may monitor a subset of endpoints to ascertain health status. Additionally, the monitoring components may communicate between one another so that a monitoring component may know heath statuses of service endpoints both assigned and not assigned to the monitoring component.

Abstract: Systems, methods, and computer-readable media for identifying executable scenario solutions relevant to a user query and returning such executable scenario solutions as search results in response to the user query are provided. Upon receiving a user query, a plurality of results is returned, each result being representative of a series of steps which may be implemented to address a particular issue relevant to the received user query. Often, a series of steps or scenario includes a number of sub-scenarios, each of which is to be executed sequentially to achieve the desired result. Accordingly, upon selection of a particular search result, the user may be guided through a series of sub-scenario result options until an item having direct association to a series of steps is selected. Once selected, the executable scenario solution is presented to the user for execution.

Abstract: This document describes tools capable of receiving reputation metadata effective to enable better decision making about whether or not to authorize operations. The tools may build a reputation value from this reputation metadata and, based on this value and an authorization rule, better decide whether or not to authorize an operation requested by some program, application, or other actor.

Abstract: This document describes tools capable of receiving reputation metadata effective to enable better decision making about whether or not to authorize operations. The tools may build a reputation value from this reputation metadata and, based on this value and an authorization rule, better decide whether or not to authorize an operation requested by some program, application, or other actor.

Abstract: Methods for using scenario solution-related information to generate customized user experiences are provided. Upon receiving a user query, a plurality of results is returned, each result being representative of a scenario solution which may be utilized to address a particular issue relevant to the received query. At the time of authoring, each scenario solution is organized based upon one or more keywords and/or one or more categories (i.e., namespaces). Data associated with a namespace/keyword corresponding to a returned search result may be mined to determine information beyond basic scenario solution search results that may be of interest to the user.

Abstract: Methods for using scenario solution-related information to generate customized user experiences are provided. Upon receiving a user query, a plurality of results is returned, each result being representative of a scenario solution which may be utilized to address a particular issue relevant to the received query. At the time of authoring, each scenario solution is organized based upon one or more keywords and/or one or more categories (i.e., namespaces). Data associated with a namespace/keyword corresponding to a returned search result may be mined to determine information beyond basic scenario solution search results that may be of interest to the user.

Abstract: Mechanisms for organizing scenario solution-related information based upon a user's locality are provided. Locality refers to a collection of metadata created based upon scenario solutions executed by a user and/or enablers acquired by a user during scenario solution execution. Such metadata may be stored in association with a scenario solution execution workspace and/or in association with a user-specific information store. Once such information is acquired, a user may desire to share the information, or a portion thereof, with one or more other users, for instance, the members of a user group. However, often times, the user would prefer that the information not be made available to the general public. Thus, mechanisms for controlling access to user-specific information are also provided.

Abstract: Software restriction policy rules can be automatically generated by parsing through a specified metadata source and generating the rules in accordance with indicated preferences. Metadata sources can include storage locations, such as folders, in which case rules for each executable file in the folder can be generated. Metadata sources can also include trusted publisher stores, installation logs, difference files, and other like data sources. Indicated preferences can select from among rules based on the publisher, for files that are signed, or rules based on hashes or path information for unsigned files. In generating rules to prevent the execution of specified files, if an optimized set of rules is desired, a check can be made to determine if an exception to an existing rule can be generated instead of a new rule. The automated parsing of the indicated metadata source can provide for both completeness and correctness.

Abstract: Application factoring or partitioning is used to integrate secure features into a conventional application. An application's functionality is partitioned into two sets according to whether a given action does, or does not, involve the handling of sensitive data. Separate software objects (processors) are created to perform these two sets of actions. A trusted processor handles secure data and runs in a high-assurance environment. When another processor encounters secure data, that data is sent to the trusted processor. The data is wrapped in such a way that allows it to be routed to the trusted processor, and prevents the data from being deciphered by any entity other than the trusted processor. An infrastructure is provided that wraps objects, routes them to the correct processor, and allows their integrity to be attested through a chain of trust leading back to base component that is known to be trustworthy.