    2. Method and apparatus for Migrating from a source domain network controller to a target domain network controller
    Granted invention patent (expired)

    Publication number: US5708812A

    Publication date: 1998-01-13

    Application number: US588344

    Filing date: 1996-01-18

    IPC classification: G06F9/44 G06F17/60

    Abstract: A method and apparatus are described for facilitating the migration of accounts from a source domain to a target domain in a computer network without affecting the capability of users and services associated with the source domain to access source domain resources after the users' and services' accounts have been migrated to the target domain. Migrating source domain accounts is facilitated by a dual-identity Domain Controller having simultaneous access to replicating mechanisms of both the source domain and the target domain. When accounts are migrated to a directory service of objects for the target domain, the accounts are modified to include security information defining access rights of the migrated accounts within the target domain. Security information relating to an account's access rights in the source domain is preserved in the migrated account stored in the target domain directory service of objects databases.

    3. Controlling access to objects on multiple operating systems
    Granted invention patent (expired)

    Publication number: US5761669A

    Publication date: 1998-06-02

    Application number: US534197

    Filing date: 1995-09-26

    IPC classification: G06F21/00 H04L29/06 G06F17/30

    Abstract: A method and system for controlling access to entities on a network on which a plurality of servers are installed that use different operating systems. A request is entered by a user at a workstation on the network to set access permissions to an entity on the network in regard to a trustee. In response to the request, various application programming interfaces (APIs) are called to translate the generic request to set permissions on the entity into a format appropriate for the operating system that controls the entity. Assuming that the user has the appropriate rights to set access permissions to the entity as requested, and assuming that the trustee identified by the user is among those who can have rights set to the entity, the request made by the user is granted. Entities include both "containers" and "objects." Entities are either software, such as directories (containers) and files (objects), or hardware, such as printers (objects).

    4. Controlling access to objects on multiple operating systems
    Granted invention patent (expired)

    Publication number: US5675782A

    Publication date: 1997-10-07

    Application number: US465990

    Filing date: 1995-06-06

    IPC classification: G06F21/00 H04L29/06 G06F17/30

    Abstract: A method and system for controlling access to entities on a network on which a plurality of servers are installed that use different operating systems. A request is entered by a user at a workstation on the network to set access permissions to an entity on the network in regard to a trustee. In response to the request, various application programming interfaces (APIs) are called to translate the generic request to set permissions on the entity into a format appropriate for the operating system that controls the entity. Assuming that the user has the appropriate rights to set access permissions to the entity as requested, and assuming that the trustee identified by the user is among those who can have rights set to the entity, the request made by the user is granted. Entities include both "containers" and "objects." Entities are either software, such as directories (containers) and files (objects), or hardware, such as printers (objects).

    6. Method and system for secure running of untrusted content
    Granted invention patent (expired)

    Publication number: US06505300B2

    Publication date: 2003-01-07

    Application number: US09097218

    Filing date: 1998-06-12

    IPC classification: G06F0124

    Abstract: Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments thereto, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempts to access a resource, a token associated with that process is compared against security information of that resource to determine if the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process is information indicative of how trusted or untrusted the content is likely to be.

    7. Extensible security system and method for controlling access to objects in a computing environment
    Granted invention patent (in force)

    Publication number: US06412070B1

    Publication date: 2002-06-25

    Application number: US09157882

    Filing date: 1998-09-21

    IPC classification: G06F1214

    Abstract: A method and computing system for extending access control of system objects in a computing environment beyond traditional rights such as read, write, create and delete. According to the invention, a system administrator or user application is able to create control rights that are unique to the type of object. Rights can be created that do not relate to any specific property of the object, but rather define how a user may control the object. A novel object, referred to as a control access data structure, is defined for each unique control right and associates the control right with one or more objects of the computing environment. In order to grant the right to a trusted user, an improved access control entry (ACE) is defined which holds a unique identifier of the trusted user and a unique identifier of the control access data structure.

    Challenge-response authentication and key exchange for a connectionless security protocol

    Publication number: US06377691B1

    Publication date: 2002-04-23

    Application number: US08762166

    Filing date: 1996-12-09

    IPC classification: H04L900

    Abstract: The disclosed system uses a challenge-response authentication protocol for datagram-based remote procedure calls. Using a challenge-response authentication protocol has many advantages over using a conventional authentication protocol. There are two primary components responsible for communication using the challenge-response protocol: a challenge-response protocol component on the client computer (client C-R component) and a challenge-response protocol component on the server computer (server C-R component). In order to start a session using the challenge-response protocol, the client C-R component first generates a session key. The session key is used by both the client C-R component and the server C-R component for encrypting and decrypting messages. After creating the session key, the client C-R component encrypts a message containing a request for a remote procedure call and sends it to the server C-R component. In response, the server C-R component sends a challenge to the client C-R component. The challenge contains a unique identifier generated by the server C-R component. The client C-R component responds to the challenge by sending a challenge response and the session key. The challenge response is the unique identifier contained within the challenge encrypted with the password of the user of the client computer. The session key is also encrypted using this password. Upon receiving the challenge response, the server C-R component uses its copy of the client's password to create its own version of the challenge response and compares it to the version received from the client C-R component. If the two versions of the challenge response are identical, the identity of the user of the client computer has been verified. If the two versions are not identical, an attempted unauthorized access has been detected. After verification, the server C-R component extracts the session key, decrypts the message, and invokes the requested procedure of the server program. Subsequently, the server C-R component will send and receive encrypted messages from the client C-R component, thereby facilitating a remote procedure call.

    10. Least privilege via restricted tokens
    Granted invention patent (expired)

    Publication number: US06308274B1

    Publication date: 2001-10-23

    Application number: US09096679

    Filing date: 1998-06-12

    Applicant: Michael M. Swift

    Inventor: Michael M. Swift

    IPC classification: G06F1214

    Abstract: A method and mechanism to enforce reduced access via restricted access tokens. Restricted access tokens are based on an existing token, and have less access than that existing token. A process is associated with a restricted token, and when the restricted process attempts to perform an action on a resource, a security mechanism compares the access token information with security information associated with the resource to grant or deny access. Application programs may have restriction information stored in association therewith, such that when launched, a restricted token is created for that application based on the restriction information thereby automatically reducing that application's access. Applications may be divided into different access levels such as privileged and non-privileged portions, thereby automatically restricting the actions a user can perform via that application. Also, the system may enforce running with reduced access by running user processes with a restricted token, and then requiring a definite action by the user to specifically override actions that are restricted by temporarily running with the user's normal token.
