Michael M. Swift - Seattle WA Bharat Shah - Newcastle WA
Assignee:
Microsoft Corporation - Redmond WA
International Classification:
H04L 9/00
US Classification:
380/277
Abstract:
The disclosed system uses a challenge-response authentication protocol for datagram-based remote procedure calls. Using a challenge-response authentication protocol has many advantages over using a conventional authentication protocol. There are two primary components responsible for communication using the challenge-response protocol: a challenge-response protocol component on the client computer (client C-R component) and a challenge-response protocol component on the server computer (server C-R component). In order to start a session using the challenge-response protocol, the client C-R component first generates a session key. The session key is used by both the client C-R component and the server C-R component for encrypting and decrypting messages. After creating the session key, the client C-R component encrypts a message containing a request for a remote procedure call and sends it to the server C-R component. In response, the server C-R component sends a challenge to the client C-R component.
System And Method Of User Logon In Combination With User Authentication For Network Access
Richard B. Ward - Redmond WA Michael M. Swift - Seattle WA Paul J. Leach - Seattle WA
Assignee:
Microsoft Corporation - Redmond WA
International Classification:
G06F 11/00
US Classification:
713/201, 713/200
Abstract:
A system and method of combined user logon-authentication provides enhanced logon performance by utilizing communications with a network access control server for user authentication to provide the user account data required for user logon. When a user logs on to a computer, the computer initiates a network access control process with a network access control server for obtaining access to network services, including the computer that the user is logging on to. During the access control process, the network access control server authenticates the user and queries a directory service for the account data for the user. The network access control server includes the user account data in one of the communication packets sent to the computer in the network access control process. The computer retrieves the user account data from the communication packet and uses the data to complete the user logon.
Extensible Security System And Method For Controlling Access To Objects In A Computing Environment
Clifford P. Van Dyke - Bellevue WA Peter T. Brundrett - Seattle WA Michael M. Swift - Seattle WA Praerit Garg - Kirkland WA Richard B. Ward - Redmond WA
Assignee:
Microsoft Corporation - Redmond WA
International Classification:
G06F 12/14
US Classification:
713/200, 713/201, 713/167, 707/9, 707/10
Abstract:
A method and computing system for extending access control of system objects in a computing environment beyond traditional rights such as read, write, create and delete. According to the invention, a system administrator or user application is able to create control rights that are unique to the type of object. Rights can be created that do not relate to any specific property of the object, but rather define how a user may control the object. A novel object, referred to as a control access data structure, is defined for each unique control right and associates the control right with one or more objects of the computing environment. In order to grant the right to a trusted user, an improved access control entry (ACE) is defined which holds a unique identifier of the trusted user and a unique identifier of the control access data structure.
System And Method Of User Logon In Combination With User Authentication For Network Access
Richard B. Ward - Redmond WA Michael M. Swift - Seattle WA Paul J. Leach - Seattle WA
Assignee:
Microsoft Corporation - Redmond WA
International Classification:
H04L 9/00
US Classification:
713/201, 713/200, 713/168, 713/171, 713/175
Abstract:
A system and method of combined user logon-authentication provides enhanced logon performance by utilizing communications with a network access control server for user authentication to provide the user account data required for user logon. When a user logs on to a computer, the computer initiates a network access control process with a network access control server for obtaining access to network services, including the computer that the user is logging on to. During the access control process, the network access control server authenticates the user and queries a directory service for the account data for the user. The network access control server includes the user account data in one of the communication packets sent to the computer in the network access control process. The computer retrieves the user account data from the communication packet and uses the data to complete the user logon.
Method And System For Secure Running Of Untrusted Content
Shannon Chan - Bellevue WA Gregory Jensenworth - Redmond WA Mario C. Goertzel - Kirkland WA Bharat Shah - New Castle WA Michael M. Swift - Seattle WA Richard B. Ward - Redmond WA
Assignee:
Microsoft Corporation - Redmond WA
International Classification:
G06F 1/24
US Classification:
713/164, 713/165, 713/166, 713/167, 709/229
Abstract:
Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments thereto, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempts to access a resource, a token associated with that process is compared against the security information of that resource to determine if the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process is information indicative of how trusted or untrusted the content is likely to be.
Praerit Garg - Kirkland WA Michael M. Swift - Seattle WA Clifford P. Van Dyke - Bellevue WA Richard B. Ward - Redmond WA Peter T. Brundrett - Seattle WA
Assignee:
Microsoft Corporation - Redmond WA
International Classification:
G06F 17/00
US Classification:
707/9, 707/103 R, 707/201, 709/319, 709/320
Abstract:
Providing object type specific access control to an object is described. In one embodiment, a computer system comprises an operating system operative to control an application and a service running on a computer. The service maintains a service object having a link to an access control entry. The access control entry contains an access right to perform an operation on an object type. The system further includes an access control module within the operating system. The access control module includes an access control interface and operates to grant or deny the access right to perform the operation on the object.
System And Method Of Proxy Authentication In A Secured Network
Michael M. Swift - Seattle WA, US Neta Amit - Haifa, IL Richard B. Ward - Redmond WA, US
Assignee:
Microsoft Corporation - Redmond WA
International Classification:
G06F 15/16
US Classification:
709/229, 709/200, 707/9, 707/10, 707/513, 395/187.01
Abstract:
A method of controlling access to network services enables an authorized proxy client to access a service on behalf of a user. To permit the client to function as a proxy, the user registers proxy authorization information with a trusted security server. The proxy authorization information identifies the proxy client and specifies the extent of proxy authority granted to the proxy client. When the proxy client wants to access a target service on behalf of the user, it sends a proxy request to the trusted security server. The trusted security server checks the proxy authorization information of the user to verify whether the request is within the proxy authority granted to the proxy client. If so, the trusted security server returns to the proxy client a data structure containing information recognizable by the target service to authenticate the proxy client for accessing the target service on behalf of the user.
System And Method For Managing And Authenticating Services Via Service Principal Names
Richard B. Ward - Redmond WA, US Paul J. Leach - Seattle WA, US Michael M. Swift - Seattle WA, US
Assignee:
Microsoft Corporation - Redmond WA
International Classification:
G06F 17/00 H04L 9/00
US Classification:
726/10, 713/151, 713/153, 713/155
Abstract:
A methodology is provided for facilitating authentication of a service. The methodology includes making a request to a first party for authentication of a service, the request including a first alias. A list of aliases associated with the service is then searched, enabling a second party making the request to access the service if a match is found between the first alias and at least one alias of the list of aliases.