1. Extensible security system and method for controlling access to objects in a computing environment
    Granted invention patent (in force)

    Publication number: US06412070B1

    Publication date: 2002-06-25

    Application number: US09157882

    Filing date: 1998-09-21

    IPC classification: G06F 12/14

    摘要: A method and computing system for extending access control of system objects in a computing environment beyond traditional rights such as read, write, create and delete. According to the invention, a system administrator or user application is able to create control rights that are unique to the type of object. Rights can be created that do not relate to any specific property of the object, but rather define how a user may control the object. A novel object, referred to as a control access data structure, is defined for each unique control right and associates the control right with one or more objects of the computing environment. In order to grant the right to a trusted user, an improved access control entry (ACE) is defined which holds a unique identifier of the trusted user and a unique identifier of the control access data structure.

2. Object type specific access control
    Granted invention patent (in force)

    Publication number: US06625603B1

    Publication date: 2003-09-23

    Application number: US09157768

    Filing date: 1998-09-21

    IPC classification: G06F 17/00

    摘要: Providing object type specific access control to an object is described. In one embodiment, a computer system comprises an operating system operative to control an application and a service running on a computer. The service maintains a service object having a link to an access control entry. The access control entry contains an access right to perform an operation on an object type. The system further includes an access control module within the operating system. The access control module includes an access control interface and operates to grant or deny the access right to perform the operation on the object.

3. Per-property access control mechanism
    Granted invention patent (in force)

    Publication number: US06289458B1

    Publication date: 2001-09-11

    Application number: US09157771

    Filing date: 1998-09-21

    IPC classification: G06F 12/14

    CPC classification: G06F21/6281 G06F2221/2141

    摘要: Providing access control to individual properties of an object is described. In one embodiment, a computer system comprises an operating system operative to control applications and services running on the system. The service maintains a service object having at least one property. Also included in the system is an access control module within the operating system. The access control module includes an access control interface operative to control access to a property of the object.

4. Method and apparatus for migrating from a source domain network controller to a target domain network controller
    Granted invention patent (expired)

    Publication number: US5708812A

    Publication date: 1998-01-13

    Application number: US588344

    Filing date: 1996-01-18

    IPC classification: G06F 9/44 G06F 17/60

    摘要: A method and apparatus are described for facilitating the migration of accounts from a source domain to a target domain in a computer network without affecting the capability of users and services associated with the source domain to access source domain resources after the users' and services' accounts have been migrated to the target domain. Migrating source domain accounts is facilitated by a dual-identity Domain Controller having simultaneous access to replicating mechanisms of both the source domain and the target domain. When accounts are migrated to a directory service of objects for the target domain, the accounts are modified to include security information defining access rights of the migrated accounts within the target domain. Security information relating to an account's access rights in the source domain is preserved in the migrated account stored in the target domain directory service of objects databases.

5. Method for changing passwords on a remote computer
    Granted invention patent (expired)

    Publication number: US5719941A

    Publication date: 1998-02-17

    Application number: US587886

    Filing date: 1996-01-12

    IPC classification: G06F 21/00 H04L 9/32 H04L 9/00

    摘要: A method for changing an account password stored at a physically remote location is provided. After initiating a password change sequence, a user submits both an old and a new password to its client machine. Thereafter, the client computes two message values to be transmitted to the server. The first message is computed by encrypting at least the new password using a one-way hash of the old password as an encryption key. The second message is computed by encrypting the one-way hash of the old password using a one-way hash of the new clear text password as the encryption key. The server receives both messages and computes a first decrypted value by decrypting the first message using the one-way hash of the old password, previously stored at the server, as the decryption key. The server computes a second decrypted value by decrypting the second message using a one-way hash of the first decrypted value as the decryption key. The server compares the decrypted one-way hashed value, transmitted in encrypted form in the second message, to the pre-stored hashed old password. If the two values are equal, then the server replaces the old password by the new password.

6. Security model using restricted tokens
    Granted invention patent (expired)

    Publication number: US06279111B1

    Publication date: 2001-08-21

    Application number: US09096926

    Filing date: 1998-06-12

    IPC classification: G06F 12/14

    Abstract: A restricted access token is created from an existing token and provides less access than that token. A restricted token may be created by changing an attribute of one or more security identifiers that allow access in the parent token to a setting that denies access in the restricted token, and/or by removing one or more privileges from the restricted token relative to the parent token. A restricted access token also may be created by adding restricted security identifiers to it. Once created, a process associates another process with the restricted token to launch the other process in a restricted context that is a subset of its own rights and privileges. A kernel-mode security mechanism determines whether the restricted process has access to a resource by first comparing the user-based security identifiers in the restricted token and the intended type of action against the list of identifiers and actions associated with the resource. If no restricted security identifiers are in the restricted token, access is determined by this first check; otherwise a second access check further compares the restricted security identifiers against the list of identifiers and actions associated with the resource. With a token having restricted security identifiers, the process is granted access only if both the first and second access checks pass. In this manner, a process is capable of restricting another process, such as possibly unruly code, in the actions it can perform.

7. Method and system for secure running of untrusted content
    Granted invention patent (expired)

    Publication number: US06505300B2

    Publication date: 2003-01-07

    Application number: US09097218

    Filing date: 1998-06-12

    IPC classification: G06F 1/24

    Abstract: Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments to them, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempts to access a resource, a token associated with that process is compared against the security information of that resource to determine whether the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process are information indicative of how trusted or untrusted the content is likely to be.

9. System and method of proxy authentication in a secured network
    Granted invention patent (in force)

    Publication number: US07716722B2

    Publication date: 2010-05-11

    Application number: US11424517

    Filing date: 2006-06-15

    IPC classification: G06F 15/16

    CPC classification: G06F21/33 Y10S707/99939

    摘要: A method of controlling access to network services enables an authorized proxy client to access a service on behalf of a user. To permit the client to function as a proxy, the user registers proxy authorization information with a trusted security server. The proxy authorization information identifies the proxy client and specifies the extent of proxy authority granted to the proxy client. When the proxy client wants to access a target service on behalf of the user, it sends a proxy request to the trusted security server. The trusted security server checks the proxy authorization information of the user to verify whether the request is within the proxy authority granted to the proxy client. If so, the trusted security server returns to the proxy client a data structure containing information recognizable by the target service to authenticate the proxy client for accessing the target service on behalf of the user.