Security model using restricted tokens
    1.
    Granted patent (status: expired)

    Publication number: US06279111B1

    Publication date: 2001-08-21

    Application number: US09096926

    Filing date: 1998-06-12

    IPC class: G06F 12/14

    Abstract: A restricted access token is created from an existing token, and provides less access than that token. A restricted token may be created by changing an attribute of one or more security identifiers allowing access in the parent token to a setting that denies access in the restricted token and/or removing one or more privileges from the restricted token relative to the parent token. A restricted access token also may be created by adding restricted security identifiers thereto. Once created, a process associates another process with the restricted token to launch the other process in a restricted context that is a subset of its own rights and privileges. A kernel-mode security mechanism determines whether the restricted process has access to a resource by first comparing user-based security identifiers in the restricted token and the intended type of action against a list of identifiers and actions associated with the resource. If no restricted security identifiers are in the restricted token, access is determined by this first check, otherwise a second access check further compares the restricted security identifiers against the list of identifiers and actions associated with the resource. With a token having restricted security identifiers, the process is granted access if both the first and second access checks pass. In this manner, a process is capable of restricting another process, such as possibly unruly code, in the actions it can perform.


Method and system of security location discrimination
    2.
    Granted patent (status: expired)

    Publication number: US06308273B1

    Publication date: 2001-10-23

    Application number: US09096676

    Filing date: 1998-06-12

    IPC class: G06F 12/14

    Abstract: An improved computer network security system and method wherein access to network resources is based on information that includes the location of the connecting user. In general, the less trusted the location of the user, the more the access rights assigned to the user are restricted. A discrimination mechanism and process determines the location of a user with respect to categories of a security policy, such as to distinguish local users, intranet users and dial-up users from one another. Based on information including the location and the user's credentials, an access token is set up that may restrict the user's normal access in accordance with the security policy, such as to not restrict a user's processes beyond the user-based security information in the user's normal access token, while further restricting the same user's access to resources when connecting via a dial-up connection. Restricted tokens are preferably used to implement the location-based discrimination by restricting the security context of users connecting from less trusted locations.

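Worked example, added here for items 1 and 2 and not taken from either patent or from Windows itself: a small model of the two-pass access check that the restricted-token abstract describes (user and group SIDs first, then restricting SIDs; both must pass), a derivation of a restricted token that can only ever shrink the parent's authority, and a constructed location policy in the spirit of item 2 that hands a dial-up session a restricted token while a local logon keeps the normal one. Everything below is an assumption made for illustration: the SIDs other than the two BUILTIN aliases, the ACLs, the privilege names, the location categories, and the names `Token`, `Ace`, `access_check`, `create_restricted_token` and `token_for_location`.

```python
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

# Constructed SIDs, except the two BUILTIN aliases, which are the real well-known values.
ALICE      = "S-1-5-21-1-2-3-1001"
ADMINS     = "S-1-5-32-544"          # BUILTIN\Administrators
USERS      = "S-1-5-32-545"          # BUILTIN\Users
DIALUP_SID = "S-1-5-21-1-2-3-7000"   # constructed restricting SID for dial-up sessions


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    user: str
    groups: dict = field(default_factory=dict)     # SID -> "enabled" | "deny_only"
    privileges: set = field(default_factory=set)
    restricting: set = field(default_factory=set)  # empty set: not a restricted token

    def normal_sids(self):
        return {self.user: "enabled", **self.groups}


def _walk(acl, sids, desired):
    """One ordered pass over the ACL. `sids` maps SID -> attribute. A deny-only
    SID can match deny ACEs but never allow ACEs; a deny ACE that covers a bit
    not yet granted ends the check with a denial."""
    remaining = desired
    for ace in acl:
        attr = sids.get(ace.sid)
        if attr is None:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        elif attr == "enabled":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def access_check(token, acl, desired):
    """First pass: user and group SIDs. Second pass, only for a token that carries
    restricting SIDs: those SIDs alone. Access requires both passes to succeed."""
    if not _walk(acl, token.normal_sids(), desired):
        return False
    if not token.restricting:
        return True
    return _walk(acl, {sid: "enabled" for sid in token.restricting}, desired)


def create_restricted_token(parent, deny_only=(), drop_privileges=(), restrict_to=()):
    """Derive a token that can never exceed `parent`: chosen groups become
    deny-only, chosen privileges are dropped, restricting SIDs are added
    (and only ever narrowed if the parent already had some)."""
    groups = {sid: ("deny_only" if sid in deny_only else attr) for sid, attr in parent.groups.items()}
    restricting = set(parent.restricting)
    if restrict_to:
        restricting = restricting & set(restrict_to) if restricting else set(restrict_to)
    return Token(parent.user, groups, parent.privileges - set(drop_privileges), restricting)


def token_for_location(normal, location):
    """Constructed policy for the location abstract: the less trusted the origin
    of the connection, the more the user's normal token is cut down."""
    if location == "local":
        return normal
    if location == "intranet":
        return create_restricted_token(normal, drop_privileges={"SeBackupPrivilege"})
    if location == "dialup":
        return create_restricted_token(normal, deny_only={ADMINS},
                                       drop_privileges=normal.privileges,
                                       restrict_to={DIALUP_SID})
    raise ValueError(f"unknown location {location!r}")


# Constructed DACLs. The share grants the dial-up restricting SID read only;
# the home directory and the admin-only config never mention it at all.
SHARE_ACL  = [Ace("allow", ADMINS, READ | WRITE | EXECUTE), Ace("allow", USERS, READ),
              Ace("allow", DIALUP_SID, READ)]
HOME_ACL   = [Ace("allow", USERS, READ | WRITE)]
CONFIG_ACL = [Ace("allow", ADMINS, READ | WRITE)]


def demo():
    alice = Token(ALICE, {ADMINS: "enabled", USERS: "enabled"},
                  {"SeBackupPrivilege", "SeRestorePrivilege"})
    out = {}
    for loc in ("local", "intranet", "dialup"):
        t = token_for_location(alice, loc)
        out[loc] = {"share_read": access_check(t, SHARE_ACL, READ),
                    "share_write": access_check(t, SHARE_ACL, READ | WRITE),
                    "home_read": access_check(t, HOME_ACL, READ),
                    "config_read": access_check(t, CONFIG_ACL, READ),
                    "privileges": sorted(t.privileges)}
    return out
```

The dial-up row of `demo()` is the interesting one: the first pass still grants read on the home directory through the Users group, but the second pass finds no ACE for the restricting SID and refuses, and the Administrators membership, now deny-only, can no longer satisfy any allow ACE.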

Extensible security system and method for controlling access to objects in a computing environment
    3.
    Granted patent (status: in force)

    Publication number: US06412070B1

    Publication date: 2002-06-25

    Application number: US09157882

    Filing date: 1998-09-21

    IPC class: G06F 12/14

    Abstract: A method and computing system for extending access control of system objects in a computing environment beyond traditional rights such as read, write, create and delete. According to the invention, a system administrator or user application is able to create control rights that are unique to the type of object. Rights can be created that do not relate to any specific property of the object, but rather define how a user may control the object. A novel object, referred to as a control access data structure, is defined for each unique control right and associates the control right with one or more objects of the computing environment. In order to grant the right to a trusted user, an improved access control entry (ACE) is defined which holds a unique identifier of the trusted user and a unique identifier of the control access data structure.


Per property access control mechanism
    4.
    Granted patent (status: in force)

    Publication number: US06289458B1

    Publication date: 2001-09-11

    Application number: US09157771

    Filing date: 1998-09-21

    IPC class: G06F 12/14

    CPC class: G06F 21/6281, G06F 2221/2141

    Abstract: Providing access control to individual properties of an object is described. In one embodiment, a computer system comprises an operating system operative to control applications and services running on the system. The service maintains a service object having at least one property. Also included in the system is an access control module within the operating system. The access control module includes an access control interface operative to control access to a property of the object.


Object type specific access control
    5.
    Granted patent (status: in force)

    Publication number: US06625603B1

    Publication date: 2003-09-23

    Application number: US09157768

    Filing date: 1998-09-21

    IPC class: G06F 17/00

    Abstract: Providing object type specific access control to an object is described. In one embodiment, a computer system comprises an operating system operative to control an application and a service running on a computer. The service maintains a service object having a link to an access control entry. The access control entry contains an access right to perform an operation on an object type. The system further includes an access control module within the operating system. The access control module includes an access control interface and operates to grant or deny the access right to perform the operation on the object.


Shared community storage network
    6.
    Granted patent (status: in force)

    Publication number: US07869383B2

    Publication date: 2011-01-11

    Application number: US12179527

    Filing date: 2008-07-24

    IPC class: H04L 12/28

    Abstract: A hardware and/or software facility for durably and securely storing data within a shared community storage network. A user may have a storage device that they intend to share with others in the network. All or a portion of the storage device is registered with the community storage network as a storage node. Once registered with the network, third party data may be stored on the storage node and remotely accessed by third parties. In addition, data stored on the storage device by the user may be stored in the shared community storage network by encrypting the data, adding redundancy, and distributing it to other storage nodes within the storage network. Data that is stored in the storage network is accessible to the user even if their storage device is inaccessible or fails.


SHARED COMMUNITY STORAGE NETWORK
    7.
    Patent application (status: in force)

    Publication number: US20100020718A1

    Publication date: 2010-01-28

    Application number: US12179527

    Filing date: 2008-07-24

    IPC class: H04L 12/28

    Abstract: identical to item 6; this is the published application (US20100020718A1) for the same filing, US12179527, from which the granted patent US07869383B2 issued.

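Worked example, added here for items 6 and 7 and not taken from the patent: the owner encrypts a file before anything leaves their device, spreads it over n nodes so that any k of them can rebuild it, and gets it back after their own node and one other have failed. The constructions are assumptions chosen to keep the example standard-library only: an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag standing in for a real AEAD such as AES-GCM, and k-of-n dispersal by polynomial interpolation over the prime field GF(2**61 - 1), with the first k shares being the data words themselves and the rest parity. Node names, the key and the sample data are constructed; the names `encrypt`, `decrypt`, `disperse`, `reassemble` and `demo` are mine.

```python
import hashlib, hmac, os

P = (1 << 61) - 1   # Mersenne prime; 7-byte data words (56 bits) always lie below it
WORD = 7


# --- confidentiality: the owner encrypts before the data is shared with anyone ---
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or ciphertext tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- redundancy: k-of-n dispersal; any k shares rebuild the encrypted blob ---
def _lagrange_at(points, x):
    """Value at x of the unique polynomial of degree < len(points) through `points`, mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def disperse(blob, k, n):
    """Return {share_index: [words]} for n nodes. Shares 1..k hold the data words
    themselves; shares k+1..n hold parity evaluations of the same polynomials."""
    framed = len(blob).to_bytes(4, "big") + blob
    framed += b"\0" * (-len(framed) % (WORD * k))
    words = [int.from_bytes(framed[i:i + WORD], "big") for i in range(0, len(framed), WORD)]
    shares = {x: [] for x in range(1, n + 1)}
    for g in range(0, len(words), k):
        points = [(x, words[g + x - 1]) for x in range(1, k + 1)]
        for x in range(1, n + 1):
            shares[x].append(words[g + x - 1] if x <= k else _lagrange_at(points, x))
    return shares


def reassemble(shares, k):
    """`shares` is any {share_index: [words]} with at least k entries."""
    if len(shares) < k:
        raise ValueError(f"need {k} shares, have {len(shares)}")
    xs = sorted(shares)[:k]
    words = []
    for idx in range(len(shares[xs[0]])):
        points = [(x, shares[x][idx]) for x in xs]
        words.extend(_lagrange_at(points, x) for x in range(1, k + 1))
    framed = b"".join(w.to_bytes(WORD, "big") for w in words)
    return framed[4:4 + int.from_bytes(framed[:4], "big")]


def demo(k=3, n=5):
    key = hashlib.sha256(b"owner passphrase (constructed)").digest()
    data = b"family photos and tax records (constructed sample data) " * 40
    shares = disperse(encrypt(key, data), k, n)     # share x lives on constructed node-x
    # The owner's own device (node-1) has failed and node-4 is offline.
    surviving = {x: shares[x] for x in shares if x not in (1, 4)}
    recovered = decrypt(key, reassemble(surviving, k)) == data
    wrong_key_rejected = too_few_rejected = False
    try:                                            # a stranger's node has no key
        decrypt(b"\0" * 32, reassemble(surviving, k))
    except ValueError:
        wrong_key_rejected = True
    try:                                            # k-1 nodes cannot rebuild the blob
        reassemble({x: surviving[x] for x in sorted(surviving)[:k - 1]}, k)
    except ValueError:
        too_few_rejected = True
    return {"recovered": recovered, "wrong_key_rejected": wrong_key_rejected,
            "too_few_rejected": too_few_rejected, "nodes_used": sorted(surviving)}
```

Two details matter for the abstract's security claim: the dispersal runs on ciphertext, so a node operator who holds a share, or even k shares, still needs the owner's key, and the tag check in `decrypt` turns a corrupted or mis-keyed rebuild into an error rather than silently wrong data.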

Selective cross-realm authentication
    8.
    Granted patent (status: in force)

    Publication number: US07568218B2

    Publication date: 2009-07-28

    Application number: US10285175

    Filing date: 2002-10-31

    IPC class: H04L 9/32

    Abstract: A selective cross-realm authenticator associates an identifier with a request from an entity authenticated in one realm to access a resource associated with a second realm. The identifier indicates that the entity was authenticated in a realm other than the realm associated with the requested resource. A domain controller associated with the resource performs an access check to verify that the authenticated user is authorized to authenticate to the requested resource. Permissions associated with the resource can be used to specify levels of access to be granted to entities authenticated by a domain controller associated with another realm.

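Worked example, added here for items 3, 4, 5 and 8 and not taken from any of the patents or from Active Directory: an ACE that carries an optional object-type identifier, so one DACL can grant a right on the whole object, on a single property, on creating children of one object class, or a named control right that is tied to no property at all (item 3's "control access data structure" is modelled as a name-to-GUID registry). Item 8 then reuses the same check: a request from an entity authenticated in another realm is tagged with a marker SID, and the resource realm's controller demands the "Allowed-To-Authenticate" control right on the server object before anything else is considered. All GUIDs, SIDs, object names and right names are constructed placeholders (the real directory GUIDs are deliberately not used); `ObjectAce`, `object_access_check`, `has_control_right`, `token_sids` and `authenticate_to_resource` are my names.

```python
import uuid
from dataclasses import dataclass
from typing import Optional

READ_PROP, WRITE_PROP, CREATE_CHILD, CONTROL_ACCESS = 0x10, 0x20, 0x01, 0x100

# Constructed "control access data structures": one GUID per named control right.
CONTROL_RIGHTS = {
    "Reset-Password":          uuid.UUID("11111111-0000-0000-0000-000000000001"),
    "Allowed-To-Authenticate": uuid.UUID("11111111-0000-0000-0000-000000000002"),
}
PROP_PHONE    = uuid.UUID("22222222-0000-0000-0000-000000000001")   # constructed property GUIDs
PROP_SALARY   = uuid.UUID("22222222-0000-0000-0000-000000000002")
CLASS_PRINTER = uuid.UUID("33333333-0000-0000-0000-000000000001")   # constructed object-class GUID

OTHER_ORGANIZATION = "S-1-5-1000"   # constructed marker SID: "authenticated in a foreign realm"
HELPDESK = "S-1-5-21-1-2-3-5001"    # constructed group SIDs
HR       = "S-1-5-21-1-2-3-5002"
PARTNER  = "S-1-5-21-9-9-9-6001"    # group from the other realm


@dataclass(frozen=True)
class ObjectAce:
    kind: str                                # "allow" | "deny"
    trustee: str                             # SID
    mask: int
    object_type: Optional[uuid.UUID] = None  # None: the ACE applies to the whole object


def object_access_check(acl, trustee_sids, desired, object_type=None):
    """Ordered DACL walk. An ACE that names an object type (property, class or
    control right) only applies when the request names that same GUID; an ACE
    without one applies to every request against the object."""
    remaining = desired
    for ace in acl:
        if ace.trustee not in trustee_sids:
            continue
        if ace.object_type is not None and ace.object_type != object_type:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def has_control_right(acl, trustee_sids, right_name):
    """A control right is CONTROL_ACCESS scoped to that right's GUID."""
    return object_access_check(acl, trustee_sids, CONTROL_ACCESS, CONTROL_RIGHTS[right_name])


def token_sids(user_sid, groups, user_realm, resource_realm):
    """The resource realm tags an entity authenticated elsewhere with the marker SID."""
    sids = {user_sid, *groups}
    if user_realm != resource_realm:
        sids.add(OTHER_ORGANIZATION)
    return sids


def authenticate_to_resource(server_acl, user_sid, groups, user_realm, resource_realm):
    """Selective cross-realm authentication: a foreign entity must hold the
    Allowed-To-Authenticate control right on the server object before any
    resource-level access check runs. Same-realm entities skip this gate."""
    sids = token_sids(user_sid, groups, user_realm, resource_realm)
    if OTHER_ORGANIZATION not in sids:
        return True
    return has_control_right(server_acl, sids, "Allowed-To-Authenticate")


# Constructed DACL on a user object: helpdesk may edit one property and reset the
# password but is explicitly denied the salary; HR may read and write every property.
BOB_ACL = [
    ObjectAce("allow", HELPDESK, WRITE_PROP, PROP_PHONE),
    ObjectAce("allow", HELPDESK, CONTROL_ACCESS, CONTROL_RIGHTS["Reset-Password"]),
    ObjectAce("deny",  HELPDESK, READ_PROP, PROP_SALARY),
    ObjectAce("allow", HR, READ_PROP | WRITE_PROP),
]
OU_ACL = [ObjectAce("allow", HELPDESK, CREATE_CHILD, CLASS_PRINTER)]   # printers only
FILESRV_ACL = [ObjectAce("allow", PARTNER, CONTROL_ACCESS,               # server in realm "corp"
                         CONTROL_RIGHTS["Allowed-To-Authenticate"])]


def demo():
    return {
        "helpdesk_write_phone":    object_access_check(BOB_ACL, {HELPDESK}, WRITE_PROP, PROP_PHONE),
        "helpdesk_write_salary":   object_access_check(BOB_ACL, {HELPDESK}, WRITE_PROP, PROP_SALARY),
        "helpdesk_read_salary":    object_access_check(BOB_ACL, {HELPDESK, HR}, READ_PROP, PROP_SALARY),
        "hr_read_salary":          object_access_check(BOB_ACL, {HR}, READ_PROP, PROP_SALARY),
        "helpdesk_reset_pw":       has_control_right(BOB_ACL, {HELPDESK}, "Reset-Password"),
        "hr_reset_pw":             has_control_right(BOB_ACL, {HR}, "Reset-Password"),
        "helpdesk_create_printer": object_access_check(OU_ACL, {HELPDESK}, CREATE_CHILD, CLASS_PRINTER),
        "helpdesk_create_other":   object_access_check(OU_ACL, {HELPDESK}, CREATE_CHILD, None),
        "partner_auth":  authenticate_to_resource(FILESRV_ACL, "S-1-5-21-9-9-9-1001", {PARTNER}, "partner", "corp"),
        "stranger_auth": authenticate_to_resource(FILESRV_ACL, "S-1-5-21-9-9-9-1002", set(), "partner", "corp"),
        "local_auth":    authenticate_to_resource(FILESRV_ACL, "S-1-5-21-1-2-3-1001", set(), "corp", "corp"),
    }
```

Note that `hr_reset_pw` is false even though HR holds an ACE with no object type: that ACE's mask covers property reads and writes, not CONTROL_ACCESS, which is exactly item 3's point that a control right is a right in its own category rather than a property permission. Note also that `helpdesk_read_salary` is refused even when the caller is in both groups, because the deny ACE precedes HR's allow in the ordered walk.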

Methods and arrangements for providing multiple concurrent desktops and workspaces in a shared computing environment having remote nodes
    9.
    Granted patent (status: in force)

    Publication number: US07552391B2

    Publication date: 2009-06-23

    Application number: US10606591

    Filing date: 2003-06-26

    IPC class: G06F 3/00

    CPC class: G06F 9/451

    Abstract: Methods and arrangements are provided for use in multiple user computing environments. These methods and arrangements can be configured to allow for a plurality of separate and concurrent desktops and workspaces within the shared computing environment. One method includes creating a separate desktop thread for each user that is authenticated during a logon process, creating a separate desktop associated with each desktop thread, and maintaining a list of desktop threads that are created. In this manner, several users can be logged on simultaneously. In certain implementations, the method further includes establishing a separate user environment associated with each desktop and launching a separate user shell associated with each desktop. The list of desktop threads allows for selective and/or automatic switching from a first desktop to a second desktop without terminating a desktop thread associated with the first desktop. The methods and arrangements are also applicable to remote process logon and switching.


Modeling IT operations/policies
    10.
    Patent application (status: in force)

    Publication number: US20070112847A1

    Publication date: 2007-05-17

    Application number: US11266156

    Filing date: 2005-11-02

    IPC class: G06F 7/00

    CPC class: G06F 21/577, G06Q 10/06

    Abstract: Modeling operational policies of operating a business's or institution's actual or planned IT system. The IT system may include components such as applications, application hosts, one or more networks or components thereof, hardware, and interrelationships between the components. The IT system is to be operated in accordance with operational policies that govern existence or numerosity of components, how the components are interrelated, how the components and interrelationships are configured, and/or manual or automated processes for managing and maintaining the IT system. The modeling may involve generating code that conforms to a language by declaring abstractions using types that correspond to the components of the IT system, by declaring types of interrelationships that correspond to the interrelationships of the IT system, and by defining constraints upon and between the abstract types, where the constraints correspond to operational policies of operating the IT system.

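Worked example, added here for item 10 and not the application's own modelling language or code: a planned IT system is declared as typed components and typed relationships, the four kinds of policy the abstract lists (existence or numerosity, how components are interrelated, how they are configured, and an isolation rule between types) are written as constraints over those types, and evaluating the model reports which policies the plan breaks, then shows the remediated plan passing. Component types, relationship types, configuration keys, the policies and both sample systems are constructed; `Model`, `evaluate`, `planned_system` and `remediated_system` are my names.

```python
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    type: str                                   # constructed types: web_app, db, host, firewall
    config: dict = field(default_factory=dict)


@dataclass
class Relationship:
    type: str                                   # constructed types: hosted_on, protected_by
    src: str
    dst: str


class Model:
    """The declared IT system: typed components plus typed relationships between them."""
    def __init__(self):
        self.components, self.relationships = {}, []

    def add(self, component):
        self.components[component.name] = component
        return self

    def relate(self, rel_type, src, dst):
        self.relationships.append(Relationship(rel_type, src, dst))
        return self

    def of_type(self, t):
        return [c for c in self.components.values() if c.type == t]

    def targets(self, src, rel_type):
        return [r.dst for r in self.relationships if r.src == src and r.type == rel_type]

    def sources(self, dst, rel_type):
        return [r.src for r in self.relationships if r.dst == dst and r.type == rel_type]


# Constraint builders: each returns (policy name, check), where check(model) lists violations.
def numerosity(t, lo, hi):
    def check(m):
        n = len(m.of_type(t))
        return [] if lo <= n <= hi else [f"{t}: expected {lo}..{hi} instances, found {n}"]
    return f"numerosity:{t}", check


def must_relate(src_type, rel_type, dst_type):
    def check(m):
        return [f"{c.name} ({src_type}) has no '{rel_type}' to any {dst_type}"
                for c in m.of_type(src_type)
                if not any(d in m.components and m.components[d].type == dst_type
                           for d in m.targets(c.name, rel_type))]
    return f"{src_type}.{rel_type}->{dst_type}", check


def config_requires(t, key, allowed):
    def check(m):
        return [f"{c.name}.{key}={c.config.get(key)!r} not in {sorted(allowed)}"
                for c in m.of_type(t) if c.config.get(key) not in allowed]
    return f"config:{t}.{key}", check


def no_shared_host(type_a, type_b):
    def check(m):
        return [f"{a.name} and {b} share host {h}"
                for a in m.of_type(type_a)
                for h in m.targets(a.name, "hosted_on")
                for b in m.sources(h, "hosted_on") if m.components[b].type == type_b]
    return f"isolate:{type_a}/{type_b}", check


POLICIES = [                                    # constructed operational policies
    numerosity("web_app", 2, 10),               # at least two instances for availability
    must_relate("web_app", "hosted_on", "host"),
    must_relate("host", "protected_by", "firewall"),
    config_requires("db", "tls", {"required"}),
    config_requires("host", "patch_level", {"current"}),
    no_shared_host("web_app", "db"),            # never co-locate the tier facing users with the data
]


def evaluate(model, policies=POLICIES):
    """Map each violated policy name to its violations; an empty dict means compliant."""
    return {name: found for name, check in policies if (found := check(model))}


def build(components, relationships):
    m = Model()
    for name, t, cfg in components:
        m.add(Component(name, t, cfg))
    for rel_type, src, dst in relationships:
        m.relate(rel_type, src, dst)
    return m


def planned_system():
    """Constructed plan that breaks five of the six policies."""
    return build(
        [("shop-web-1", "web_app", {}), ("shop-db", "db", {"tls": "optional"}),
         ("host-a", "host", {"patch_level": "current"}), ("host-b", "host", {"patch_level": "stale"}),
         ("fw-edge", "firewall", {})],
        [("hosted_on", "shop-web-1", "host-a"), ("hosted_on", "shop-db", "host-a"),
         ("protected_by", "host-a", "fw-edge")])


def remediated_system():
    """The same plan after the violations are fixed."""
    return build(
        [("shop-web-1", "web_app", {}), ("shop-web-2", "web_app", {}),
         ("shop-db", "db", {"tls": "required"}),
         ("host-a", "host", {"patch_level": "current"}), ("host-b", "host", {"patch_level": "current"}),
         ("host-c", "host", {"patch_level": "current"}), ("fw-edge", "firewall", {})],
        [("hosted_on", "shop-web-1", "host-a"), ("hosted_on", "shop-web-2", "host-b"),
         ("hosted_on", "shop-db", "host-c"), ("protected_by", "host-a", "fw-edge"),
         ("protected_by", "host-b", "fw-edge"), ("protected_by", "host-c", "fw-edge")])
```

Because the constraints are closures over types rather than over named instances, the same `POLICIES` list evaluates any model declared with those types, which is the property the abstract is after: the policy is written once against the abstractions and the actual or planned system is checked against it.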