Determining a merged security policy for a computer system

US 20090007219A1
Filed: 06/28/2007
Published: 01/01/2009
Est. Priority Date: 06/28/2007
Status: Active Grant

First Claim

Patent Images

1. At least one computer-readable medium having encoded thereon computer-executable instructions which, when executed, perform a method, the method comprising:

(A) retrieving a plurality of security policies;

(B) merging the plurality of security policies into a merged security policy; and

(C) determining whether at least one operation will be effective in view of the merged security policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention described herein are directed to a mechanism for determining whether at least one operation will be effective in view of at least one security policy. In exemplary implementations, determining whether at least one operation will be effective in view of at least one security policy may comprise determining a merged security policy for a computer system by merging security policies for the computer system from two or more sources. The security policies may be security policies set by a user and/or an administrator of the computer system, may be security policies of a computer network to which the computer system is connected, or may be security policies of one or more other computer systems that are above the computer system in a computer network hierarchy.

71 Citations

View as Search Results

20 Claims

1. At least one computer-readable medium having encoded thereon computer-executable instructions which, when executed, perform a method, the method comprising:
- (A) retrieving a plurality of security policies;
  
  (B) merging the plurality of security policies into a merged security policy; and
  
  (C) determining whether at least one operation will be effective in view of the merged security policy.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The at least one computer-readable medium of claim 1, wherein the at least one operation is modifying a security policy, and determining whether the at least one operation will be effective comprises determining whether the modified security policy will be effective in view of the merged security policy.
  - 3. The at least one computer-readable medium of claim 2, wherein modifying a security policy comprises adding a security policy.
  - 4. The at least one computer-readable medium of claim 1, wherein the at least one operation is executing one or more applications, and determining whether the at least one operation will be effective comprises determining whether the one or more applications will be capable of executing.
  - 5. The at least one computer-readable medium of claim 1, wherein the act (A) comprises retrieving at least one first security policy from a first computer system and retrieving at least one second security policy from a second computer system.
  - 6. The at least one computer-readable medium of claim 1, wherein the act (C) comprises querying the merged security policy to determine whether it comprises at least one setting or characteristic that permits the at least one operation to be effective.

7. An apparatus for use in a computer environment comprising at least one computer system and a plurality of security facilities that each implements at least one security policy applicable to the computer system, the apparatus comprising:
- at least one processor programmed to;
  
  receive at least one input regarding at least one operation,retrieve at least two security policies from the plurality of security facilities,determine a merged security policy by aggregating the at least two security policies, anddetermine whether the at least one operation will be effective in view of the merged security policy.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the at least one operation is modifying a security policy, and determining whether the at least one operation will be effective comprises determining whether the modified security policy will be effective in view of the merged security policy.
  - 9. The apparatus of claim 8, wherein modifying a security policy comprises adding a security policy.
  - 10. The apparatus of claim 7, wherein the at least one operation is executing one or more applications, and determining whether the at least one operation will be effective comprises determining whether the one or more applications will be capable of executing.
  - 11. The apparatus of claim 7, wherein retrieving the at least two security policies comprises retrieving a first security policy from a first security facility and a second security policy from a second security facility, and wherein the first and second security facilities are implemented on the computer system.
  - 12. The apparatus of claim 7, wherein retrieving the at least two security policies comprises retrieving a first security policy from a first security facility and a second security policy from a second security facility, and wherein the first and second security facilities are implemented on different computer systems in the computer environment.

13. A method for use in a computer environment comprising at least one computer system and a plurality of security facilities that each implements at least one security policy for the computer system, wherein the plurality of security facilities comprises a first security facility, the method comprising acts of:
- (A) determining whether a merging of a plurality of security policies specified for the computer system permits at least one first security policy specified to be implemented via the first security facility to be effective in the computer system.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the first security facility is a connection security facility that negotiates and enforces security for connections.
  - 15. The method of claim 13, wherein the first security facility is a firewall and the at least one first security policy is a firewall policy and/or a firewall setting.
  - 16. The method of claim 15, wherein the at least one first security policy is a firewall policy.
  - 17. The method of claim 15, wherein the at least one first security policy is a firewall setting.
  - 18. The method of claim 13, wherein the plurality of security facilities comprises at least one group firewall security policy and at least one local firewall security policy, and wherein the act (A) comprises determining whether the at least one group firewall security policy overrides the at least one local firewall security policy.
  - 19. The method of claim 13, wherein the plurality of security facilities are all implemented on a single computer system in the computer environment.
  - 20. The method of claim 13, wherein the plurality of security facilities are distributed among multiple computer systems in the computer environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Vayman, Mark, Yariv, Eran, Diaz Cuellar, Gerardo, Abzarian, David

Granted Patent

US 8,443,433 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Determining a merged security policy for a computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Determining a merged security policy for a computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links