US20050080909A1 - Methods and apparatus for scalable secure remote desktop access - Google Patents
- Publication number: US20050080909A1 (application US10/683,544)
- Authority: US (United States)
- Prior art keywords
- enrollment
- networked resource
- networked
- user
- resource
- Legal status: Abandoned (Google's stated status is an assumption, not a legal conclusion; no legal analysis was performed.)
Classifications
- G06F21/31: User authentication (under G06F21/30, Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F21/41: User authentication where a single sign-on provides access to a plurality of computers (under G06F21/31)
- G06F21/604: Tools and structures for managing or administering access control systems (under G06F21/60, Protecting data; G06F21/00)
- H04L63/102: Entity profiles (under H04L63/10, Network architectures or network communication protocols for network security for controlling access to devices or network resources; H04L63/00)
- G06F2221/2111: Location-sensitive, e.g. geographical location, GPS (indexing scheme G06F2221/21 relating to G06F21/00 and subgroups)
Definitions
- the present invention generally relates to computer networking, and more specifically to a secure method of granting remote access to computer desktops.
- a remote user's client display displays what might be seen on the display of the host computer were the user physically viewing the host display.
- remote access software allows remote users to interact with the host computer with the client's input devices, such as a keyboard or mouse, as if the user were using the host's input device. Any computation initiated by the user's input is carried out by the host computer and the results are displayed on the client display as if it were the host display.
- One object of the invention is to provide scalable, secure, and easily administrable methods and systems for providing remote access to networked resources by combining aspects of physical access limitation measures with traditional computer access limitation measures.
- the invention relates to a method of administering a computer network.
- the method includes providing an enrollment administration system for specifying enrollment rules, and an enrollment system configured to communicate with the enrollment administration system to permit enrolling a first networked resource if permitted by the specified enrollment rules.
- the method also includes providing a remote access system for granting a user remote access to the first networked resource if the user successfully enrolled the first networked resource.
- the networked resource is a computer.
- the remote access system is provided for installation on the first networked resource. In another embodiment, the remote access system is provided for installation on a shared network resource. In this embodiment, the remote access system grants remote access to the first networked resource and a second networked resource subject to the specified enrollment rules and the user's enrollment of the first and second networked resources. In another embodiment, the remote access system denies remote access to a user that has not enrolled the first networked resource. In a further embodiment, the remote access includes remote access to the desktop of the first networked resource.
- the enrollment system disallows enrolling the first network resource from a remote console.
- the enrollment system requires enrolling the first networked resource from a console that is physically attached to the first networked resource.
- the enrollment system is a network application.
- the method further includes providing a locator system for determining the location of a user attempting to enroll the first networked resource.
- the enrolling of the first networked resource is further subject to the determined location.
- the invention in another aspect, relates to a computer system that includes an enrollment administration system for specifying enrollment rules.
- the computer system also includes a first networked resource that is configured to communicate with the enrollment administration system and a remote device configured to communicate with the first networked resource via a communications channel, such as a network.
- the computer system further includes an enrollment system for enrolling the first networked resource if permitted by the specified enrollment rules and a remote access system for granting a user of the remote device remote access to the first networked resource if the first networked resource was successfully enrolled.
- the computer system also includes an enrollment database that stores a list of networked resources that a user has enrolled.
- the invention in still another aspect, relates to a method of network administration that includes specifying an enrollment rule and enrolling a first networked resource if permitted by the specified enrollment rule. The method also includes granting a user remote access to the first networked resource from a remote device if the user had previously successfully enrolled the first networked resource, and otherwise denying a user access to the first networked resource from the remote device.
- specifying an enrollment rule includes defining a plurality of groups of users, defining a plurality of groups of networked resources, and specifying a group of networked resources that a group of users is permitted to enroll.
- FIG. 1 is a schematic depiction of remote desktop access according to an illustrative embodiment of the invention.
- FIG. 2 is a schematic diagram depicting a computer network according to an illustrative embodiment of the invention.
- FIG. 3A is a diagram of a set of computer network resource groupings according to an illustrative embodiment of the invention.
- FIG. 3B is a diagram of a set of computer network user groupings according to an illustrative embodiment of the invention.
- FIG. 4 is a table depicting example enrollment rules according to an illustrative embodiment of the invention.
- FIG. 5 is a flow chart of a method for enrolling a networked resource according to an illustrative embodiment of the invention.
- FIG. 6 is an enrollment database depicting an example set of enrollments according to an illustrative embodiment of the invention.
- FIG. 7 is a flow chart of a method of granting remote access to a computer according to an illustrative embodiment of the invention.
- One object of the present invention is to provide scalable, secure, and easily administrable methods and systems for providing remote access to networked resources by combining aspects of physical access limitation measures with traditional computer access limitation measures. Such a combination offers the low-overhead advantages of rules-based access limitations together with the individualized security advantages of individual permission-based access limitations, without incurring the associated additional administrative costs.
- a first networked resource 100 is physically located in a particular location, for example, in an office.
- Networked resources can include, for example, desktop computers, workstations, laptops, handheld computers, mobile phones, personal digital assistants, computing devices that are network capable, printers, storage devices, peripherals, etc., and any data, applications, or capabilities available on or from the resources.
- the first networked resource 100 may have access to other networked resources 104 via network 106 .
- a remote device 102 is in communication with the first networked resource 100 via a communication link 108 , such as a computer network.
- the remote device 102 may be a computer such as a workstation, desktop computer, laptop, handheld computer, or any other form of computing or telecommunications device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein (e.g., a mobile phone or personal digital assistant).
- the communication link 108 can be implemented with any of a variety of suitable technologies, for example, over standard telephone lines, LAN or WAN links (using, e.g., 802.11, T1, T3, 56 kb, or X.25 protocols), broadband connections (using, e.g., ISDN, Frame Relay, or ATM protocols), and wireless connections, or some combination of any or all of the above.
- the first networked resource 100 is a computer that serves as a host, and the remote device 102 serves as a client.
- a user of the remote device 102 is granted access to the first networked resource 100 such that the user has access to the desktop of the first networked resource 100 . That is, instead of only having access to the services of the first networked resource 100 , the display of the remote device 102 displays what a user might see on the console monitor of the first networked resource 100 .
- the user can provide input (e.g., keyboard and mouse input) to the first networked resource 100 from the remote device 102 that is interpreted by the first networked resource 100 as if such input were made from a console that is physically attached to first networked resource.
- remote access is accomplished using MetaFrame Presentation Server®, manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Fla., on the first networked resource 100 in conjunction with the use of Citrix's Independent Computing Architecture® (ICA) clients on the remote device 102 .
- remote access is provided by Remote Desktop software.
- Remote Desktop is a feature included in the Windows XP® Professional operating system, manufactured by Microsoft Corporation of Redmond, Wash., that allows a host computer, such as the first networked resource 100 , to provide access to that host's desktop to clients, such as the remote device 102 , that have the Remote Desktop client software installed.
- Remote Desktop client software is included in the Windows XP® operating system and is available for computers running the Windows 95®, Windows 98®, Windows Me®, Windows NT® 4.0, or Windows 2000® operating systems.
- Remote Desktop uses the Remote Desktop Protocol, also known as RDP, to communicate between the host and the client.
- embodiments of the invention may be implemented using other suitable software and communications protocols.
- the host could operate a web server that a client could log on to using standard internet protocols such as HTTP.
- Other systems for remote desktop access include pcAnywhere®, manufactured by Symantec Corporation of Cupertino, Calif.
- the invention provides remote access to files stored on a computer.
- the invention provides remote access to applications stored on a resource, but not to any data files stored thereon.
- the invention provides remote access to a printer, display, or other output device.
- the invention provides only limited remote desktop access. For example, a user might be able to access files physically stored on the computer whose desktop he or she is accessing, but access to other networked resources, such as a file server, through that desktop is limited.
- an illustrative computer system 200 includes a number of networked resources, shown in the figure as exemplary computers TermA 202 , TermB 204 , TermC 206 , CAD A 208 , CAD B 210 , CAD C 212 , AdminA 214 , AdminB 216 , AdminC 218 - and referred to collectively as “the computers.”
- the computers 202 , 204 , 206 , 208 , 210 , 212 , 214 , 216 , and 218 may be geographically proximate or dispersed.
- some or all computers in the computer system 200 may be located in different locations than other computers in the computer system.
- TermA 202 could be remote from TermB 204 and the other computers 206 , 208 , 210 , 212 , 214 , 216 and 218 .
- computers TermA 202 , TermB 204 , CADC 212 , and AdminC 218 are located in a first building 220
- computers TermC 206 , CAD A 208 , CAD B 210 , AdminA 214 , and AdminB 216 are located in a second building 222
- the computers 202 , 204 , 206 , 208 , 210 , 212 , 214 , 216 , and 218 are connected to each other over an enterprise-class network 224 .
- the computer system 200 also provides access for a remote device 201 to connect to the network 224 to access one of the computers 202 , 204 , 206 , 208 , 210 , 212 , 214 , 216 , and 218 and the networked resources.
- the remote device 201 may be part of or outside of the computer system 200 , and connects to the computer system 200 via a communications link 203 .
- the computer system 200 includes an access administration system 226 .
- the access administration system 226 is a logical grouping of several related systems that are used to determine and govern users' abilities to access and use networked resources. Each system may be located and/or executed on a computer in the first or second buildings 220 and 222 , on a computer located in a third building (not shown), on any of the computers previously described 202 , 204 , 206 , 208 , 210 , 212 , 214 , 216 , and 218 , or distributed throughout any or all of the above computers.
- the access administration system 226 includes an enrollment administration system 228 for specifying enrollment rules.
- the enrollment administration system 228 is a software module or program made available to system administrators, for specifying such rules, although other implementations are possible.
- Enrollment rules specify which users or groups of users are permitted to enroll individual or groups of networked resources, where enrollment is the act of obtaining authorization to later access a network resource from a remote device 102 .
- a system administrator specifies an enrollment rule by defining groups of one or more users, defining groups of networked resources, and then specifying which group or groups of users are permitted to enroll which group or groups of networked resources.
- the enrollment administration system 228 provides a graphical user interface that allows the system administrator to drag-and-drop users and resources into groups and to drag-and-drop groups into enrollment rules.
- the graphical user interface provides a point-and-click interface that allows a system administrator to build groups and rules from lists of users, resources, and groups.
- a system administrator builds a group by typing in a list of user or resource identifiers (e.g., names, user names, email addresses, employee numbers, IP addresses, resource names, etc.). Whichever interface is used, the interface also allows for users or resources to be removed from groups or shifted to other groups and for rules to be altered.
- the administrator may utilize previously defined groupings.
- Large organizations often have user and resource groupings defined for other computing purposes. Such groups are defined for example using various domains, Active Directory, or lightweight directory access protocol (LDAP) directories. Resource groups may also be defined by providing ranges of IP addresses.
- enrollment rules are distinct from other access rules. For example, a system administrator may specify enrollment rules that permit a group of users to enroll a group of networked resources for remote access that the users would not otherwise be authorized to use directly. Likewise, a group of users that may be authorized to directly access a group of networked resources may not be authorized to enroll those networked resources for remote access if no such enrollment rule has been specified.
- the enrollment administration system stores the enrollment rules in an enrollment rules database.
- the enrollment administration system 228 also includes an enrollment database that identifies each networked resource that each user has enrolled.
- the access administration system 226 includes an enrollment system 230 configured to communicate with the enrollment administration system 228 to permit enrolling a first networked resource if permitted by the specified enrollment rules.
- the enrollment system 230 is a network application, in particular, a JAVA® application stored on a central server and downloaded to a networked resource in response to a user's request to enroll a networked resource.
- the enrollment request may be initiated, for example, by clicking on an icon on the desktop of the networked resource, clicking on a hyperlink on a web page, or requesting to enroll the computer from a menu.
- the enrollment system 230 operates on a networked server and the user communicates with the enrollment system 230 through a common gateway interface (CGI) via an Internet browser using HTTP, HTML, XML, or another known network protocol.
- the enrollment system 230 is installed on a networked resource by transferring the software code embodying the enrollment system 230 onto the networked resource from an electronic storage medium (e.g, a floppy disk, zip disk, CD-ROM, DVD-ROM, etc.).
- the enrollment system 230 provides an interface for a user requesting enrollment to identify himself and the resource that the user is requesting to enroll.
- the enrollment system 230 communicates with the enrollment administration system 228 to determine whether a user is in fact permitted to enroll that resource.
- the communication includes sending a message to the enrollment administration system 228 that contains the identification of the user requesting enrollment of the networked resource and the identification of the networked resource the user is requesting to enroll.
- the communication in one embodiment, includes transmitting a database query, for example using Structured Query Language (SQL), to the enrollment administration system 228 .
- the communication includes a remote procedure call to be executed on the enrollment administration system 228 , the result of which is a Boolean value indicating whether the user is permitted to enroll the resource.
- the communication includes transmitting a business logic command to be interpreted by the enrollment administration system 228 .
- the enrollment administration system 228 transmits an up-to-date enrollment rules database to the enrollment system 230 .
- the enrollment system 230 queries the enrollment rules database (e.g., using SQL) to determine if the user is permitted to enroll the networked resource.
- the communications may take place over a variety of wired connections (using, e.g., TCP/IP, ISDN, Frame Relay, or ATM protocols), and wireless connections, or some combination of any or all of the above.
- the enrollment system 230 is also responsible for verifying the identity of the user.
- User identity verification may be conducted, for example, by collecting user name-password/PIN combinations, collecting a user's biometric data, collecting a sample of the user's voice, etc.
- the access administration system 226 also includes a remote access system 232 for granting remote access to the first networked resource if the user successfully enrolled the first networked resource.
- the access administration system 226 controls general access to the network (i.e., not to any specific resource), in addition to controlling remote access to individual or groups of networked resources.
- the remote access system 232 is a software module operating on a central network server. If a user attempts to remotely access a networked resource, the user first contacts the remote access system 232 on the central server.
- each enrollable networked resource has a copy of the remote access system 232 installed, or the networked resource may download a copy of the remote access system 232 from a server upon receipt of a remote access request.
- the remote access system 232 receives the request for remote access, verifies the identity of the user requesting access and determines whether that user has enrolled the networked resource that the user is requesting remote access to by consulting an enrollment database maintained by the enrollment administration system 228 . If the user has enrolled the networked resource, the remote access system 232 grants permission to the user to access the networked resource and such access is initiated.
- the systems 226 , 228 , 230 , and 232 are implemented as software modules or programs.
- One skilled in the art should appreciate that some or all of the system functionality may instead be implemented in a manner other than just described, for example in hardware, such as an Application Specific Integrated Circuit (ASIC) and the like.
- Referring to FIG. 3A and FIG. 3B , to ease the burden on system administrators, system administrators may use the access administration system 226 or one of its constituent systems to aggregate users and resources into groups that share common characteristics, since as the number of networked resources and users of a computer system 200 increases, it becomes increasingly time consuming to individually assign access rights to each user.
- an illustrative set 300 of networked resources of the computer system 200 may be grouped into Workstations 302 , which includes TermA 202 , TermB 204 , and TermC 206 ; CAD Terminals 304 , which includes CAD A 208 , CAD B 210 , and CAD C 212 ; and Administrative Assistant Terminals 306 , which includes AdminA 214 , AdminB 216 , and AdminC 218 .
- an illustrative set 307 of computer users may be grouped as follows: Tara 314 , Tom 316 , and Ted 318 may be grouped as members of the Information Technology (IT) Staff 308 ; Ellie 320 , Erica 322 , and Edward 324 may be grouped as Engineers 310 ; and Alex 326 , Amy 328 , and Andrew 330 may be grouped as Administrative Assistants 312 .
- a system administrator may specify groupings of users and/or resources using the access administration system 226 .
- the access administration system 226 provides a graphical user interface with which a system administrator may drag and drop, or point-and-click to add users or resources to groups.
- the enrollment administration system 228 also provides group-management functionality via a similar interface. The groups created for the purposes of specifying enrollment rules may be different from the groups created for specifying other access rules.
- rules may be specified to limit the ability of a group of users 308 , 310 , or 312 to both directly and/or remotely access and use a group of network resources 302 , 304 , and 306 .
- Because members 314 , 316 , and 318 of the IT Staff 308 are responsible for maintaining the computers 202 , 204 , 206 , 208 , 210 , 212 , 214 , 216 , and 218 , a system administrator would likely want to give the IT Staff 308 access to all of the computers 202 , 204 , 206 , 208 , 210 , 212 , 214 , 216 , and 218 .
- a system administrator may want to limit Administrative Assistants 312 to only be able to access the Administrative Assistant Terminals with lesser capabilities.
- Engineers 310 may be granted access to Workstations 302 and CAD Terminals 304 , but not to the Administrative Assistant Terminals 306 used by Administrative Assistants 312 .
- a system administrator may restrict the ability of a user to remotely access a networked resource without specifying individual user/resource limitations.
- the computer system 200 operates under a presumption that a computer user should only be able to remotely access a computer to which the user is capable of achieving direct physical access. If a user does not have physical access to a networked resource, that user should not be able to circumvent physical security measures by accessing the networked resource remotely.
- physical access means access to an input device (such as a keyboard, mouse, trackball, microphone, touchscreen, joystick, etc.) connected to a console that is physically attached to the networked resource.
- Connection may include wireless communication in the case where input devices communicate with a resource using a short range wireless signal (e.g., a wireless keyboard or mouse).
- Engineers 310 in general, have access to CAD Terminals 304 but only in the buildings in which they work.
- Engineer Ellie 320 working in the second building 222 , does not have physical access to CAD C 212 , because it is located in the first building 220 .
- If Ellie keeps her Workstation 302 , TermA 202 , in a locked office for privacy or security reasons, other users will not have physical access to that workstation.
- the computer system 200 includes the enrollment functionality described above. Namely, a user cannot gain remote access to a networked resource of the computer system 200 if the user has not first enrolled the networked resource.
- a user may only enroll a networked resource if the user requests enrollment using an input device (e.g., keyboard, mouse, microphone, display, etc.) connected to a console that is physically attached to the networked resource.
- If a user does not have physical access to a networked resource, the user will not be able to enroll the networked resource and therefore will not be able to access the networked resource remotely.
- Enrollment rules specify which users or groups of users are authorized to enroll which networked resources or groups of networked resources.
- the enrollment rules are specified at a user/resource group level rather than at an individual user/resource level, for purposes of efficiency.
- the groups may be the same groups as used for specifying other access rules or the groups may be different.
- a table 400 depicts illustrative enrollment rules, where rows represent groups of users 308 , 310 , and 312 , and columns represent groups of networked resources 302 , 304 , and 306 .
- a system administrator specifies enrollment rules, for example using the enrollment administration system 228 . To do so, the system administrator defines a plurality of groups of users 308 , 310 , and 312 and also defines groups of networked resources 302 , 304 , and 306 as described above with respect to FIGS. 3A and 3B . The system administrator then specifies which groups of users may enroll which groups of networked resources.
- a system administrator has specified that IT staff members 308 can enroll Workstations 302 , CAD Terminals 304 , and Administrative Assistant Terminals 306 as indicated by the “X”s at the intersections of the IT Staff 308 row and the columns for each of the groups of networked resources.
- Engineers 310 can enroll Workstations 302 and CAD Terminals 304
- Administrative Assistants 312 can only enroll Administrative Assistant Terminals 306 .
- system administrators can readily alter enrollment rules once specified. For example, to reflect changes in staffing (e.g., the firing, hiring or shifting of an employee) the system administrator may add or remove users to and from user groups. The same may be done for networked resource groups. Policy decisions affecting entire groups may be implemented by changing the groups of networked resources that a group of users is permitted to enroll. For example, if the system administrator that specified the enrollment rules in the table 400 decided that Administrative Assistants 312 should also be able to enroll all workstations, the rule for Administrative Assistants 312 may be altered accordingly.
- If the system administrator removes a group of networked resources from the set that a group of users is permitted to enroll, the users affected will no longer be able to enroll those networked resources.
- the change in the enrollment rule may cause the networked resources to be unenrolled.
- a flow chart of a method 500 of enrolling a networked resource begins with specification of enrollment rules (step 502 ), for example by a system administrator as described above.
- the enrollment system 230 verifies the identity of the user (step 506 ).
- Identity verification may be achieved through any identity authentication means, including for example, user-password or PIN authentication, biometric identification, voice identification, etc.
- the enrollment system 230 and the enrollment administration system 228 determine whether the user is permitted by the enrollment rules to enroll the networked resource that the user is requesting to enroll (step 508 ).
- the enrollment system 230 sends an enrollment request to the enrollment administration system 228 .
- the enrollment request includes the identification of the networked resource that the user is requesting to enroll and the identification of the user.
- the enrollment administration system 228 compares the networked resource/user pairing with the enrollment rules to determine if the user is a member of a group that has permission to enroll any of the networked resources of the group to which the networked resource in question belongs.
- Single-use copies of the enrollment rules may be downloaded to the networked resource from the enrollment administration system 228 each time a user attempts to enroll a networked resource, and in other implementations a networked resource may maintain a persistent set of enrollment rules that is updated by the enrollment administration system 228 when a system administrator alters the enrollment rules. In either of these cases, the permission verification (step 508 ) is carried out on the networked resource.
- a locator system determines the location of the user by retrieving the IP address of the networked resource from which the enrollment request was sent, typically included in the header of the packets that made up the communication, and executing a reverse Domain Name Server (DNS) look-up routine to determine the source of the request.
- The enrollment administration system 228 determines whether the user requested enrollment of the networked resource from a console that is physically attached to the networked resource the user is requesting to enroll (step 512) by comparing the determined enrollment request source with the networked resource that is identified in the enrollment request.
- The locator system transmits to, and causes the execution of, a Java® applet or ActiveX® control on the requested resource to determine whether the user is actually logged in to a console that is physically attached to the resource.
- The source of the request may be verified by transmitting to, and causing the execution of, a Java® applet or ActiveX® control on the source of the request that forces the source to identify itself.
- The enrollment administration system 228 compares the forced identification with the networked resource the user requested to enroll.
- The enrollment administration system carries out a combination of two or more of the above listed verification methods to ensure a robust request source identification.
- The enrollment administration system 228 enrolls the networked resource for the user (step 514) by updating an enrollment database (see FIG. 6 below). If the user is not permitted to enroll the networked resource based on the enrollment rules, or it is determined that the user is attempting to enroll the computer from a remote location, enrollment is denied (step 516).
- The enrollment administration system 228 determines the location of the user and verifies that the user is requesting enrollment of the networked resource from which the enrollment request originated before determining whether the user is permitted to enroll the networked resource according to the enrollment rules.
- The enrollment administration system 228 enables a system administrator to specify enrollment rules that allow a group of users to remotely enroll networked resources or to specify groups of resources that may be enrolled remotely.
- Enrollment rules allow a user to enroll a file server (or a portion of a file server) that is part of a secure network from a console that is a part of that secure network but that is not physically attached to the file server.
- The enrollment administration system 228 maintains the information about enrolled resources and users.
- This storage may be implemented in many ways, including in the form of data files in a database.
- The database 600 stores enrollment data for each individual user and each networked resource.
- The enrollment is stored in the enrollment database 600.
- Engineer Ellie 320 has enrolled TermA, CAD A and CAD B. The table is consulted when a user attempts to remotely access a networked resource.
- A method 700 of granting remote access to a networked resource includes querying an enrollment database, for example the enrollment database 600.
- The request for access is received by the remote access system 232 (step 702).
- The remote access system 232 verifies the identification of the user (step 703), also referred to as authentication.
- The remote access system 232 may authenticate a user using any suitable identity authentication means, including user name-password/PIN pairs, certificates, biometric data, one-time keys, voice samples, etc.
- The remote access system 232 determines whether the user has previously enrolled the first networked resource 100 (step 706). If the user has previously enrolled the first networked resource, the remote access system 232 grants access to the first networked resource 100 (step 708); otherwise the remote access system 232 denies remote access to the first networked resource 100.
- A system administrator could set additional remote access rules that limit which remote devices users may use to remotely access networked resources.
- A system administrator may specify a rule that only allows users or groups of users to remotely access networked resources or a group of networked resources from a networked resource directly connected to the computing system 200.
- Tara 314, for example, who according to the enrollment database 600 has enrolled AdminC 218, could remotely access AdminC 218 from AdminA 214, but Ted 318, who also has enrolled AdminC 218, could not remotely access AdminC from remote device 102.
Abstract
The invention provides scalable, secure, and easily administerable methods and systems for providing remote access to networked resources by combining aspects of physical access limitation measures with traditional computer access limitation measures. The methods and systems utilize an enrollment administration system for specifying enrollment rules, an enrollment system configured to communicate with the enrollment administration system to permit enrolling a first networked resource if permitted by specified enrollment rules, and a remote access system for granting a user remote access to the first networked resource if the user successfully enrolled the first networked resource.
Description
- The present invention generally relates to computer networking, and more specifically to a secure method of granting remote access to computer desktops.
- Many corporate computer users regularly rely on the applications and files stored on the hard drive of their personal office computers for their computing needs. However, most of these computers lack portability, or if portable, cannot provide suitable access to resources available to their personal office computers.
- In order to provide computer users access to the resources of their personal office computers from remote devices, such as their home computers or laptops, programmers have developed several technologies for remotely accessing the resources of a computer, called a host, from a second, remote device, called a client. Using such technologies, a remote user's client display displays what might be seen on the display of the host computer were the user physically viewing the host display. In addition, remote access software allows remote users to interact with the host computer with the client's input devices, such as a keyboard or mouse, as if the user were using the host's input device. Any computation initiated by the user's input is carried out by the host computer and the results are displayed on the client display as if it were the host display.
- While these technologies have been successful and useful on a limited scale, they can present administrative burdens in large scale, enterprise systems. Large enterprise systems require secure regulated access for large numbers of users to large numbers of networked resources. Some systems allow specification of broad access rules that apply to groups of users or resources, but do not typically place access limitations on any individual or individual resource. Some systems have individual permission-based methods that typically require a system administrator to specify access limitations for each and every user and resource. The former methods often provide insufficient security since the access rules tend to be overly broad, and the latter method commonly requires an unusually high level of administrative overhead in large systems.
- One object of the invention is to provide scalable, secure, and easily administerable methods and systems for providing remote access to networked resources by combining aspects of physical access limitation measures with traditional computer access limitation measures.
- In one aspect, the invention relates to a method of administering a computer network. The method includes providing an enrollment administration system for specifying enrollment rules, and an enrollment system configured to communicate with the enrollment administration system to permit enrolling a first networked resource if permitted by the specified enrollment rules. The method also includes providing a remote access system for granting a user remote access to the first networked resource if the user successfully enrolled the first networked resource. In one embodiment the networked resource is a computer.
- In one embodiment, the remote access system is provided for installation on the first networked resource. In another embodiment, the remote access system is provided for installation on a shared network resource. In this embodiment, the remote access system grants remote access to the first networked resource and a second networked resource subject to the specified enrollment rules and the user's enrollment of the first and second networked resources. In another embodiment, the remote access system denies remote access to a user that has not enrolled the first networked resource. In a further embodiment, the remote access includes remote access to the desktop of the first networked resource.
- In another embodiment, the enrollment system disallows enrolling the first network resource from a remote console. In another embodiment, the enrollment system requires enrolling the first networked resource from a console that is physically attached to the first networked resource. In still another embodiment, the enrollment system is a network application. In one embodiment, the method further includes providing a locator system for determining the location of a user attempting to enroll the first networked resource. In a further embodiment, the enrolling of the first networked resource is further subject to the determined location.
- In another aspect, the invention relates to a computer system that includes an enrollment administration system for specifying enrollment rules. The computer system also includes a first networked resource that is configured to communicate with the enrollment administration system and a remote device configured to communicate with the first networked resource via a communications channel, such as a network. In addition, the computer system further includes an enrollment system for enrolling the first networked resource if permitted by the specified enrollment rules and a remote access system for granting a user of the remote device remote access to the first networked resource if the first networked resource was successfully enrolled. In one embodiment, the computer system also includes an enrollment database that stores a list of networked resources that a user has enrolled.
- In still another aspect, the invention relates to a method of network administration that includes specifying an enrollment rule and enrolling a first networked resource if permitted by the specified enrollment rule. The method also includes granting a user remote access to the first networked resource from a remote device if the user had previously successfully enrolled the first networked resource, and otherwise denying a user access to the first networked resource from the remote device. In one embodiment, specifying an enrollment rule includes defining a plurality of groups of users, defining a plurality of groups of networked resources, and specifying a group of networked resources that a group of users is permitted to enroll.
- The foregoing discussion will be understood more readily from the following detailed description of the invention, when taken in conjunction with the accompanying drawings:
- FIG. 1 is a schematic depiction of remote desktop access according to an illustrative embodiment of the invention.
- FIG. 2 is a schematic diagram depicting a computer network according to an illustrative embodiment of the invention.
- FIG. 3A is a diagram of a set of computer network resource groupings according to an illustrative embodiment of the invention.
- FIG. 3B is a diagram of a set of computer network user groupings according to an illustrative embodiment of the invention.
- FIG. 4 is a table depicting example enrollment rules according to an illustrative embodiment of the invention.
- FIG. 5 is a flow chart of a method for enrolling a networked resource according to an illustrative embodiment of the invention.
- FIG. 6 is an enrollment database depicting an example set of enrollments according to an illustrative embodiment of the invention; and
- FIG. 7 is a flow chart of a method of granting remote access to a computer according to an illustrative embodiment of the invention.
- In the physical world, one protects resources by implementing physical access limitations. File cabinets are locked, vaults are sealed, and office doors are closed. In any of these cases, having the key, alone, is not sufficient to access the resources within the cabinet, vault, or office. One must both have the key and simultaneously be physically present at the cabinet, vault, or office. In a traditional networked computer environment, however, improvements in access restrictions have focused on creating more complex locks and keys (e.g., user-password/PIN systems, biometric identity verification, voice verification, etc.) and have largely ignored the security benefits that physical access limitations can provide. That is, for many computer systems, if a user has the appropriate “key,” that user can access a networked resource without ever needing to have actually been physically present near the resource. One object of the present invention is to provide scalable, secure, and easily administerable methods and systems for providing remote access to networked resources by combining aspects of physical access limitation measures with traditional computer access limitation measures. Such a combination combines the low-overhead advantages of rules-based access limitations with the individualized security advantages of individual permission-based access limitations, without incurring the associated additional administrative costs.
- Referring to FIG. 1, a first networked resource 100 is physically located in a particular location, for example, in an office. Networked resources can include, for example, desktop computers, workstations, laptops, handheld computers, mobile phones, personal digital assistants, computing devices that are network capable, printers, storage devices, peripherals, etc., and any data, applications, or capabilities available on or from the resources. The first networked resource 100 may have access to other networked resources 104 via network 106. A remote device 102 is in communication with the first networked resource 100 via a communication link 108, such as a computer network. The remote device 102 may be a computer such as a workstation, desktop computer, laptop, handheld computer, or any other form of computing or telecommunications device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein (e.g., a mobile phone or personal digital assistant). The communication link 108 can be implemented with any of a variety of suitable technologies, for example, over standard telephone lines, LAN or WAN links (using, e.g., 802.11, T1, T3, 56 kb, or X.25 protocols), broadband connections (using, e.g., ISDN, Frame Relay, or ATM protocols), and wireless connections, or some combination of any or all of the above.
- In an illustrative embodiment of the invention, the first networked resource 100 is a computer that serves as a host, and the remote device 102 serves as a client. A user of the remote device 102 is granted access to the first networked resource 100 such that the user has access to the desktop of the first networked resource 100. That is, instead of only having access to the services of the first networked resource 100, the display of the remote device 102 displays what a user might see on the console monitor of the first networked resource 100. Likewise, the user can provide input (e.g., keyboard and mouse input) to the first networked resource 100 from the remote device 102 that is interpreted by the first networked resource 100 as if such input were made from a console that is physically attached to the first networked resource.
- In one such embodiment, remote access is accomplished using MetaFrame Presentation Server®, manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Fla., on the first networked resource 100 in conjunction with the use of Citrix's Independent Computing Architecture® (ICA) clients on the remote device 102.
- In an alternative embodiment, remote access is provided by Remote Desktop software. Remote Desktop is a feature included in the Windows XP® Professional operating system, manufactured by Microsoft Corporation of Redmond, Wash., that allows a host computer, such as the first networked resource 100, to provide access to that host's desktop to clients, such as the remote device 102, that have the Remote Desktop client software installed. Remote Desktop client software is included in the Windows XP® operating system and is available for computers running the Windows 95®, Windows 98®, Windows Me®, Windows NT® 4.0, or Windows 2000® operating systems. Remote Desktop uses the Remote Desktop Protocol, also known as RDP, to communicate between the host and the client.
- It is to be understood that embodiments of the invention may be implemented using other suitable software and communications protocols. For example, the host could operate a web server that a client could log on to using standard internet protocols such as HTTP. Other systems for remote desktop access include pcAnywhere®, manufactured by Symantec Corporation of Cupertino, Calif.
- In addition to, or instead of, granting remote desktop access, other embodiments of the invention provide more limited remote access to networked resources. For example, in one embodiment, the invention provides remote access to files stored on a computer. In another embodiment, the invention provides remote access to applications stored on a resource, but not to any data files stored thereon. In another embodiment, the invention provides remote access to a printer, display, or other output device.
- In another embodiment, the invention provides only limited remote desktop access. For example, a user might be able to access files physically stored on the computer whose desktop he or she is accessing, but access to other networked resources, such as a file server, through that desktop is limited.
- Referring now to FIG. 2, an illustrative computer system 200 includes a number of networked resources, shown in the figure as exemplary computers TermA 202, TermB 204, TermC 206, CAD A 208, CAD B 210, CAD C 212, AdminA 214, AdminB 216, and AdminC 218, and referred to collectively as “the computers.” The computers of the computer system 200 may be located in different locations than other computers in the computer system. For example, TermA 202 could be remote from TermB 204 and the other computers.
- As depicted in the figure, however, computers TermA 202, TermB 204, CAD C 212, and AdminC 218 are located in a first building 220, and computers TermC 206, CAD A 208, CAD B 210, AdminA 214, and AdminB 216 are located in a second building 222. The computers are connected by a network 224. The computer system 200 also provides access for a remote device 201 to connect to the network 224 to access one of the computers. The remote device 201 may be part of or outside of the computer system 200, and connects to the computer system 200 via a communications link 203.
- The computer network 200 includes an access administration system 226. In general, the access administration system 226 is a logical grouping of several related systems that are used to determine and govern users' abilities to access and use networked resources. Each system may be located and/or executed on a computer in the first or second buildings 220, 222.
- The access administration system 226 includes an enrollment administration system 228 for specifying enrollment rules. In one embodiment the enrollment administration system 228 is a software module or program made available to system administrators for specifying such rules, although other implementations are possible. Enrollment rules specify which users or groups of users are permitted to enroll individual or groups of networked resources, where enrollment is the act of obtaining authorization to later access a network resource from a remote device 102. A system administrator specifies an enrollment rule by defining groups of one or more users, defining groups of networked resources, and then specifying which group or groups of users are permitted to enroll which group or groups of networked resources.
- To facilitate defining groups and specifying rules, in one embodiment the enrollment administration system 228 provides a graphical user interface that allows the system administrator to drag-and-drop users and resources into groups and to drag-and-drop groups into enrollment rules. In another embodiment, the graphical user interface provides a point-and-click interface that allows a system administrator to build groups and rules from lists of users, resources, and groups. In still other embodiments, a system administrator builds a group by typing in a list of user or resource identifiers (e.g., names, user names, email addresses, employee numbers, IP addresses, resource names, etc.). Whichever interface is used, the interface also allows for users or resources to be removed from groups or shifted to other groups and for rules to be altered.
- In a further embodiment, the administrator may utilize previously defined groupings. Large organizations often have user and resource groupings defined for other computing purposes. Such groups are defined for example using various domains, Active Directory, or lightweight directory access protocol (LDAP) directories. Resource groups may also be defined by providing ranges of IP addresses.
- In one embodiment, enrollment rules are distinct from other access rules. For example, a system administrator may specify enrollment rules that permit a group of users to enroll a group of networked resources for remote access that the users would not otherwise be authorized to use directly. Likewise, a group of users that may be authorized to directly access a group of networked resources may not be authorized to enroll those networked resources for remote access if no such enrollment rule has been specified. In one embodiment, the enrollment administration system stores the enrollment rules in an enrollment rules database. In another embodiment the enrollment administration system 228 also includes an enrollment database that identifies each networked resource that each user has enrolled.
- The access administrative system 226 includes an enrollment system 230 configured to communicate with the enrollment administration system 228 to permit enrolling a first networked resource if permitted by specified enrollment rules. In one embodiment, the enrollment system 230 is a network application, in particular, a JAVA® application stored on a central server and downloaded to a networked resource in response to a user's request to enroll a networked resource. The enrollment request may be initiated, for example, by clicking on an icon on the desktop of the networked resource, clicking on a hyperlink on a web page, or requesting to enroll the computer from a menu.
- In alternative embodiments the enrollment system 230 operates on a networked server and the user communicates with the enrollment system 230 through a common gateway interface (CGI) via an Internet browser using HTTP, HTML, XML, or another known network protocol. In yet a further embodiment, the enrollment system 230 is installed on a networked resource by transferring the software code embodying the enrollment system 230 onto the networked resource from an electronic storage medium (e.g., a floppy disk, zip disk, CD-ROM, DVD-ROM, etc.).
- The enrollment system 230 provides an interface for a user requesting enrollment to identify himself and the resource that the user is requesting to enroll. The enrollment system 230 communicates with the enrollment administration system 228 to determine whether a user is in fact permitted to enroll that resource. In one embodiment, the communication includes sending a message to the enrollment administration system 228 that contains the identification of the user requesting enrollment of the networked resource and the identification of the networked resource the user is requesting to enroll. The communication, in one embodiment, includes transmitting a database query, for example using Structured Query Language (SQL), to the enrollment administration system 228. In another embodiment, the communication includes a remote procedure call to be executed on the enrollment administration system 228, the result of which is a Boolean value indicating whether the user is permitted to enroll the resource. In a further embodiment, the communication includes transmitting a business logic command to be interpreted by the enrollment administration system 228.
- In yet another embodiment, the enrollment administration system 228 transmits an up-to-date enrollment rules database to the enrollment system 230. In this embodiment, after receiving the up-to-date enrollment rules database, the enrollment system 230 queries the enrollment rules database (e.g., using SQL) to determine if the user is permitted to enroll the resource. The communications may take place over a variety of wired connections (using, e.g., TCP/IP, ISDN, Frame Relay, or ATM protocols), and wireless connections, or some combination of any or all of the above.
- In one embodiment, the enrollment system 230 is also responsible for verifying the identity of the user. User identity verification may be conducted, for example, by collecting user name-password/PIN combinations, collecting a user's biometric data, collecting a sample of the user's voice, etc.
- The access administrative system 226 also includes a remote access system 232 for granting remote access to the first networked resource if the user successfully enrolled the first networked resource. In one embodiment, the access administration system 226 controls general access to the network (i.e., not to any specific resource), in addition to controlling remote access to individual or groups of networked resources. In one embodiment the remote access system 232 is a software module operating on a central network server. If a user attempts to remotely access a networked resource, the user first contacts the remote access system 232 on the central server. In another embodiment, each enrollable network resource has a copy of the remote access system 232 installed, or the networked resource may download a copy of the enrollment system 230 from a server upon receipt of a remote access request.
- In one embodiment, the remote access system 232 receives the request for remote access, verifies the identity of the user requesting access and determines whether that user has enrolled the networked resource that the user is requesting remote access to by consulting an enrollment database maintained by the enrollment administration system 228. If the user has enrolled the networked resource, the remote access system 232 grants permission to the user to access the networked resource and such access is initiated.
- In the embodiments described above, the systems
- The operation of the systems of the access administration system 226 may be understood further with reference to FIGS. 3-7.
- Referring to FIG. 3A and FIG. 3B, to ease the burden on system administrators, system administrators may use the access administration system 226 or one of its constituent systems to aggregate users and resources into groups that share common characteristics, since as the number of network resources and users of a computer system 200 increases, it becomes increasingly time consuming to individually assign access rights to each user. Referring to FIG. 3A, an illustrative set 300 of network resources of the computer system 200 may be grouped into Workstations 302 which includes TermA 202, TermB 204, and TermC 206; CAD Terminals 304 which includes CAD A 214, CAD B 216, and CAD C 218; and Administrative Assistant Terminals 306 which includes AdminA 208, AdminB 210 and AdminC 212. Referring to FIG. 3B, an illustrative set 307 of computer users may be grouped as follows: Tara 314, Tom 316, and Ted 318 may be grouped as members of the Information Technology (IT) Staff 308; Ellie 320, Erica 322, and Edward 324 may be grouped as Engineers 310, and Alex 326, Amy 328, and Andrew 330 may be grouped as Administrative Assistants 312.
- In one embodiment, a system administrator may specify groupings of users and/or resources using the access administration system 226. In one embodiment, the access administration system 226 provides a graphical user interface with which a system administrator may drag and drop, or point-and-click to add users or resources to groups. In another embodiment, the enrollment administration system 228 also provides group-management functionality via a similar interface. The groups created for the purposes of specifying enrollment rules may be different from the groups created for specifying other access rules.
- After groups of users and resources are defined, rules may be specified to limit the ability of a group of users to access a group of network resources. For example, members of the IT Staff 308 are responsible for maintaining the computers, so the IT Staff 308 may be granted access to all of the computers, while Administrative Assistants 312 may be limited to only be able to access the Administrative Assistant Terminals with lesser capabilities. Engineers 310 may be granted access to Workstations 302 and CAD Terminals 304, but not to the Administrative Assistant Terminals 306 used by Administrative Assistants 312.
- In one embodiment, a system administrator may restrict the ability of a user to remotely access a networked resource without specifying individual user/resource limitations. As mentioned above, the computer system 200 operates under a presumption that a computer user should only be able to remotely access a computer to which the user is capable of achieving direct physical access. If a user does not have physical access to a networked resource, that user should not be able to circumvent physical security measures by accessing the networked resource remotely. Here, physical access means access to an input device (such as a keyboard, mouse, trackball, microphone, touchscreen, joystick, etc.) connected to a console that is physically attached to the networked resource. Connection may include wireless communication in the case where input devices communicate with a resource using a short range wireless signal (e.g., a wireless keyboard or mouse). In a simple example, Engineers 310, in general, have access to CAD Terminals 304 but only in the buildings in which they work. Engineer Ellie 320, working in the second building 222, does not have physical access to CAD C 212, because it is located in the first building 220. Likewise, if Ellie keeps her Workstation 302, TermA 402, in a locked office for privacy or security reasons, other users will not have physical access to that workstation 302.
- According to an embodiment of the invention, to enforce this extension of physical access limitations into the remote access environment, the computer system 200 includes the enrollment functionality described above. Namely, a user cannot gain remote access to a networked resource of the computer system 200 if the user has not first enrolled the networked resource. Preferably, a user may only enroll a networked resource if the user requests enrollment using an input device (e.g., keyboard, mouse, microphone, display, etc.) connected to a console that is physically attached to the networked resource. As such, if a user cannot physically access such an input device, the user will not be able to enroll the network resource and will not be able to access the networked resource remotely.
- In one such embodiment, not all users who have direct physical access to a computer may enroll the computer. Enrollment rules specify which users or groups of users are authorized to enroll which networked resources or groups of networked resources. Preferably, the enrollment rules are specified at a user/resource group level rather than at an individual user/resource level, for purposes of efficiency. The groups may be the same groups as used for specifying other access rules or the groups may be different.
- Referring to FIG. 4A, a table 400 depicts illustrative enrollment rules, where rows represent groups of users networked resources enrollment administration system 228. To do so, the system administrator defines a plurality of groups of users networked resources FIGS. 3A and 3B. The system administrator then specifies which groups of users may enroll which groups of networked resources. For example, in the table 400, a system administrator has specified that IT staff members 308 can enroll Workstations 302, CAD Terminals 304, and Administrative Assistant Terminals 306, as indicated by the “X”s at the intersections of the IT Staff 308 row and the columns for each of the groups of networked resources. Similarly, Engineers 310 can enroll Workstations 302 and CAD Terminals 304, and Administrative Assistants 312 can only enroll Administrative Assistant Terminals 306.
- It should be understood that these rules may be specified in a table form as just described, but also or instead through use of commands, data lists, data files, XML tags or any other suitable mechanism for rule specification.
- Using the enrollment administration system 228, system administrators can readily alter enrollment rules once specified. For example, to reflect changes in staffing (e.g., the firing, hiring or shifting of an employee), the system administrator may add or remove users to and from user groups. The same may be done for networked resource groups. Policy decisions affecting entire groups may be implemented by changing the groups of networked resources that a group of users is permitted to enroll. For example, if the system administrator that specified the enrollment rules in the table 400 decided that Administrative Assistants 312 should also be able to enroll all workstations, the rule for Administrative Assistants 312 may be altered accordingly. In the case that a system administrator removes the ability of one or more users, or groups of users, to enroll one or more networked resources, the users affected will no longer be able to enroll those networked resources. In some embodiments, if the networked resources were already enrolled by the affected users, the change in the enrollment rule may cause the networked resources to be unenrolled.
- Referring to
FIG. 5, a flow chart of a method 500 of enrolling a networked resource (e.g., computers enrollment system 230 verifies the identity of the user (step 506). Identity verification (step 506) may be achieved through any identity authentication means, including, for example, user-password or PIN authentication, biometric identification, voice identification, etc.
- The enrollment system 230 and the enrollment administration system 228 determine whether the user is permitted by the enrollment rules to enroll the networked resource that the user is requesting to enroll (step 508). In the illustrative embodiment, the enrollment system 230 sends an enrollment request to the enrollment administration system 228. The enrollment request includes the identification of the networked resource that the user is requesting to enroll and the identification of the user. The enrollment administration system 228 then compares the networked resource/user pairing with the enrollment rules to determine if the user is a member of a group that has permission to enroll any of the networked resources of the group to which the networked resource in question belongs.
- Single-use copies of the enrollment rules may be downloaded to the networked resource from the enrollment administration system 228 each time a user attempts to enroll a networked resource, and in other implementations a networked resource may maintain a persistent set of enrollment rules that is updated by the enrollment administration system 228 when a system administrator alters the enrollment rules. In either of these cases, the permission verification (step 508) is carried out on the networked resource.
- If the user is permitted to enroll the networked resource based on the enrollment rules, the location of the user is determined (step 510). In one embodiment, a locator system determines the location of the user by retrieving the IP address of the networked resource from which the enrollment request was sent, typically included in the header of the packets that made up the communication, and executing a reverse Domain Name Server (DNS) look-up routine to determine the source of the request. The enrollment administration system 228 then determines whether the user requested enrollment of the networked resource from a console that is physically attached to the networked resource the user is requesting to enroll (step 512) by comparing the determined enrollment request source with the networked resource that is identified in the enrollment request. In another embodiment, the locator system transmits to, and causes the execution of, a Java® applet or ActiveX® control on the requested resource to determine whether the user is actually logged in to a console that is physically attached to the resource. In a further embodiment, the source of the request may be verified by transmitting to, and causing the execution of, a Java® applet or ActiveX® control on the source of the request that forces the source to identify itself. The enrollment administration system 228 then compares the forced identification with the networked resource the user requested to enroll. In one embodiment, the enrollment administration system carries out a combination of two or more of the above listed verification methods to ensure a robust request source identification.
- If it is determined that the user sent the enrollment request from a console that is physically attached to the networked resource that the user is requesting to enroll (step 512), the enrollment administration system 228 enrolls the networked resource for the user (step 514) by updating an enrollment database (see FIG. 6 below). If the user is not permitted to enroll the networked resource based on the enrollment rules, or it is determined that the user is attempting to enroll the computer from a remote location, enrollment is denied (step 516).
- In an alternative embodiment, the enrollment administration system 228 determines the location of the user and verifies that the user is requesting enrollment of the networked resource from which the enrollment request originated before determining whether the user is permitted to enroll the networked resource according to the enrollment rules. In a further embodiment, the enrollment administration system 228 enables a system administrator to specify enrollment rules that allow a group of users to remotely enroll networked resources or to specify groups of resources that may be enrolled remotely. For example, in one embodiment, enrollment rules allow a user to enroll a file server (or a portion of a file server) that is part of a secure network from a console that is a part of that secure network but that is not physically attached to the file server.
- Referring to
FIG. 6, the enrollment administration system 228 maintains the information about enrolled resources and users. This storage may be implemented in many ways, including in the form of data files in a database. As shown in the illustrative depiction of the contents of an enrollment database 600 in the figure, the database 600 stores enrollment data for each individual user and each networked resource. When a user successfully enrolls a networked resource (step 514), the enrollment is stored in the enrollment database 600. For example, according to the enrollment database 600, engineer Ellie 320 has enrolled TermA, CAD A and CAD B. The table is consulted when a user attempts to remotely access a networked resource.
- Referring to FIG. 7, a method 700 of granting remote access to a networked resource includes querying the enrollment database, for example the enrollment database 600. When a user attempts to remotely access the first networked resource 100, the request for access is received by the remote access system 232 (step 702). The remote access system 232 verifies the identification of the user (step 703), also referred to as authentication. As described above in relation to verifying an identity of a user in the enrollment context, the remote access system 232 may authenticate a user using any suitable identity authentication means, including user name-password/PIN pairs, certificates, biometric data, one-time keys, voice samples, etc. The remote access system 232 then determines whether the user has previously enrolled the first networked resource 100 (step 706). If the user has previously enrolled the first networked resource, the remote access system 232 grants access to the first networked resource 100 (step 708); otherwise the remote access system 232 denies remote access to the first networked resource 100.
- In alternative embodiments, a system administrator could set additional remote access rules that limit which remote devices users may use to remotely access networked resources. For example, a system administrator may specify a rule that only allows users or groups of users to remotely access networked resources or a group of networked resources from a networked resource directly connected to the computing system 200. Under such a rule, Tara 314, for example, who according to the enrollment database 600 has enrolled AdminC 218, could remotely access AdminC 218 from AdminA 214, but Ted 318, who also has enrolled AdminC 218, could not remotely access AdminC from remote device 102.
- One skilled in the art will realize the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The foregoing embodiments are therefore to be considered in all respects illustrative rather than limiting of the invention. The scope of the invention is not limited to just the foregoing description.
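The following Python model is an added example, not code from the patent or its applicant: it ties together the group-level enrollment rules of table 400 (FIG. 4A), the enrollment method 500 (identity check, rule check, request-source check, enrollment database 600, and unenrollment on a rule change) and the remote access method 700 with its optional "internal device only" rule. Group membership, the Python names and the returned strings are assumptions made for illustration; the "request source" is taken as already resolved, standing in for the IP/reverse-DNS or applet-based locator step 510.

```python
from dataclasses import dataclass, field

# Groups in the style of FIGS. 3A and 3B (membership constructed for this example)
USER_GROUPS = {
    "IT Staff": {"ivan"},
    "Engineers": {"ellie"},
    "Administrative Assistants": {"tara", "ted"},
}
RESOURCE_GROUPS = {
    "Workstations": {"TermA"},
    "CAD Terminals": {"CAD A", "CAD B", "CAD C"},
    "Administrative Assistant Terminals": {"AdminA", "AdminC"},
}
# Table 400: which user groups may enroll which resource groups (the "X" cells)
TABLE_400 = {
    "IT Staff": {"Workstations", "CAD Terminals", "Administrative Assistant Terminals"},
    "Engineers": {"Workstations", "CAD Terminals"},
    "Administrative Assistants": {"Administrative Assistant Terminals"},
}


def groups_of(member, groups):
    """Every group name whose member set contains `member`."""
    return {name for name, members in groups.items() if member in members}


@dataclass
class EnrollmentAdmin:
    """Enrollment administration system 228 together with enrollment database 600
    (names and return values are this example's assumptions)."""
    rules: dict = field(default_factory=lambda: {k: set(v) for k, v in TABLE_400.items()})
    db: dict = field(default_factory=dict)  # user -> set of enrolled resources

    def rules_permit(self, user, resource):
        """Step 508: some group of `user` may enroll some group of `resource`."""
        resource_groups = groups_of(resource, RESOURCE_GROUPS)
        return any(self.rules.get(g, set()) & resource_groups
                   for g in groups_of(user, USER_GROUPS))

    def enroll(self, user, resource, request_source, authenticated=True):
        """Method 500. `request_source` is the resource the request was traced
        back to (step 510); enrollment needs it to be the resource itself."""
        if not authenticated:                        # step 506 failed
            return "denied: identity not verified"
        if not self.rules_permit(user, resource):    # step 508 -> step 516
            return "denied: enrollment rules"
        if request_source != resource:               # step 512 -> step 516
            return "denied: not at the physically attached console"
        self.db.setdefault(user, set()).add(resource)  # step 514
        return "enrolled"

    def revoke(self, user_group, resource_group):
        """Administrator clears a table 400 cell; enrollments the remaining
        rules no longer permit are dropped, as in the unenrolling embodiment."""
        self.rules.get(user_group, set()).discard(resource_group)
        for user in USER_GROUPS.get(user_group, set()):
            self.db[user] = {r for r in self.db.get(user, set())
                             if self.rules_permit(user, r)}

    def remote_access(self, user, resource, from_device, authenticated=True,
                      internal_only=False):
        """Method 700: step 703 (authenticate), step 706 (enrolled?), step 708
        (grant). `internal_only` models the optional rule that the remote
        device must itself be a resource of computing system 200."""
        if not authenticated:
            return False
        if resource not in self.db.get(user, set()):
            return False
        all_resources = set().union(*RESOURCE_GROUPS.values())
        if internal_only and from_device not in all_resources:
            return False
        return True
```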
Claims (29)
1. A method of administering a computer network, the method comprising:
providing an enrollment administration system for specifying enrollment rules;
providing an enrollment system configured to communicate with the enrollment administration system to permit enrolling a first networked resource if permitted by specified enrollment rules; and
providing a remote access system for granting a user remote access to the first networked resource if the user successfully enrolled the first networked resource.
2. The method of claim 1 wherein the networked resource is a computer.
3. The method of claim 1 wherein the remote access system denies remote access to the first networked resource to a user that has not enrolled the first networked resource.
4. The method of claim 1 wherein the remote access system is provided for installation on the first networked resource.
5. The method of claim 1 wherein the remote access system is provided for installation on a shared network resource, and the remote access system grants remote access to the first networked resource and a second networked resource subject to the specified enrollment rules and the user's enrollment of the first networked resource and the second networked resource.
6. The method of claim 1 wherein the enrollment system disallows enrolling the first networked resource from a remote console.
7. The method of claim 1 wherein the enrollment system requires enrolling the first networked resource from a console physically attached to the first networked resource.
8. The method of claim 1 wherein the remote access comprises remote access to the desktop of the first networked resource.
9. The method of claim 1 wherein the enrollment system is a network application.
10. The method of claim 9 further comprising providing a locator system for determining the location of a user attempting to enroll the first networked resource.
11. The method of claim 10 wherein enrolling the first networked resource is further subject to the determined location.
12. A computer system comprising:
an enrollment administration system for specifying enrollment rules;
a first networked resource configured to communicate with the enrollment administration system;
a remote device configured to communicate with the first networked resource via a communications channel;
an enrollment system for enrolling the first networked resource if permitted by the specified enrollment rules; and
a remote access system for granting a user of the remote device remote access to the first networked resource if the first networked resource was successfully enrolled.
13. The computer system of claim 12 wherein the first networked resource is a computer.
14. The computer system of claim 12 wherein the remote access system denies remote access to the first networked resource to a user of the remote device that has not enrolled the first networked resource.
15. The computer system of claim 12 wherein the remote access system is installed on the first networked resource.
16. The computer system of claim 12 wherein the remote access system is installed on a shared network resource, and the remote access system grants a user of the remote device access to the first networked resource and a second networked resource subject to the enrollment rules and the user's enrollment of the first and second networked resources.
17. The computer system of claim 12 wherein the enrollment system disallows enrolling the first networked resource from a remote console.
18. The computer system of claim 12 wherein the enrollment system requires enrolling the first networked resource from a console physically-attached to the first networked resource.
19. The computer system of claim 12 wherein the remote access to the first networked resource comprises remote access to the desktop of the first networked resource.
20. The computer system of claim 12 wherein the enrollment system is a network application.
21. The computer system of claim 20 further comprising a locator system for determining the location of a user attempting to enroll the first networked resource.
22. The computer system of claim 21 wherein enrolling the first networked resource is further subject to the determined location of the user.
23. The computer system of claim 12 wherein the enrollment administration system comprises an enrollment database that stores a list of networked resources a user has enrolled.
24. A method of network administration comprising:
specifying an enrollment rule;
enrolling a first networked resource if permitted by the specified enrollment rule;
granting a user remote access to the first networked resource from a remote device if the user had previously successfully enrolled the first networked resource; and
denying a user access to the first networked resource from the remote device if the user had not previously successfully enrolled the first networked resource.
25. The method of claim 24 wherein the first networked resource is a computer.
26. The method of claim 24 wherein specifying an enrollment rule further comprises:
defining a plurality of groups of users;
defining a plurality of groups of networked resources; and
specifying a group of networked resources that a group of users is permitted to enroll.
27. The method of claim 24 wherein enrolling the first networked resource is disallowed from a remote console.
28. The method of claim 24 wherein enrolling the first networked resource requires the user to enroll from a console physically attached to the first networked resource.
29. The method of claim 24 wherein granting access to the first networked resource comprises granting access to the desktop of the first networked resource.
Priority Applications (13)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/683,544 US20050080909A1 (en) | 2003-10-10 | 2003-10-10 | Methods and apparatus for scalable secure remote desktop access |
DE602004012300T DE602004012300T2 (en) | 2003-10-10 | 2004-09-10 | METHOD AND DEVICES FOR SCALABLE SAFE REMOTE DESKTOP ACCESS |
AU2004284747A AU2004284747A1 (en) | 2003-10-10 | 2004-09-10 | Methods and apparatus for scalable secure remote desktop access |
AT04783772T ATE388435T1 (en) | 2003-10-10 | 2004-09-10 | METHOD AND DEVICES FOR SCALABLE SECURE REMOTE DESKTOP ACCESS |
ES04783772T ES2303098T3 (en) | 2003-10-10 | 2004-09-10 | METHODS AND APPLIANCES FOR REMOTE SECURE ACCESS TO DESKTOP ADJUSTABLE SCALE. |
JP2006533905A JP2007509389A (en) | 2003-10-10 | 2004-09-10 | Method and apparatus for extensible and secure remote desktop access |
KR1020067006935A KR20060134925A (en) | 2003-10-10 | 2004-09-10 | Methods and apparatus for scalable secure remote desktop access |
EP04783772A EP1671204B1 (en) | 2003-10-10 | 2004-09-10 | Methods and apparatus for scalable secure remote desktop access |
PCT/US2004/029682 WO2005041004A1 (en) | 2003-10-10 | 2004-09-10 | Methods and apparatus for scalable secure remote desktop access |
CA002541916A CA2541916A1 (en) | 2003-10-10 | 2004-09-10 | Methods and apparatus for scalable secure remote desktop access |
IL174812A IL174812A0 (en) | 2003-10-10 | 2006-04-05 | Methods and apparatus for scalable secure remote desktop access |
HK06113858A HK1093242A1 (en) | 2003-10-10 | 2006-12-18 | Methods and apparatus for scalable secure remote desktop access |
US13/294,965 US8719433B2 (en) | 2003-10-10 | 2011-11-11 | Methods and apparatus for scalable secure remote desktop access |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/683,544 US20050080909A1 (en) | 2003-10-10 | 2003-10-10 | Methods and apparatus for scalable secure remote desktop access |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/294,965 Continuation US8719433B2 (en) | 2003-10-10 | 2011-11-11 | Methods and apparatus for scalable secure remote desktop access |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050080909A1 true US20050080909A1 (en) | 2005-04-14 |
Family
ID=34422757
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/683,544 Abandoned US20050080909A1 (en) | 2003-10-10 | 2003-10-10 | Methods and apparatus for scalable secure remote desktop access |
US13/294,965 Expired - Lifetime US8719433B2 (en) | 2003-10-10 | 2011-11-11 | Methods and apparatus for scalable secure remote desktop access |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/294,965 Expired - Lifetime US8719433B2 (en) | 2003-10-10 | 2011-11-11 | Methods and apparatus for scalable secure remote desktop access |
- 2003
  - 2003-10-10 US US10/683,544 patent/US20050080909A1/en not_active Abandoned
- 2004
  - 2004-09-10 KR KR1020067006935A patent/KR20060134925A/en not_active Application Discontinuation
  - 2004-09-10 ES ES04783772T patent/ES2303098T3/en active Active
  - 2004-09-10 WO PCT/US2004/029682 patent/WO2005041004A1/en active Application Filing
  - 2004-09-10 CA CA002541916A patent/CA2541916A1/en not_active Abandoned
  - 2004-09-10 AT AT04783772T patent/ATE388435T1/en not_active IP Right Cessation
  - 2004-09-10 AU AU2004284747A patent/AU2004284747A1/en not_active Abandoned
  - 2004-09-10 JP JP2006533905A patent/JP2007509389A/en active Pending
  - 2004-09-10 DE DE602004012300T patent/DE602004012300T2/en active Active
  - 2004-09-10 EP EP04783772A patent/EP1671204B1/en active Active
- 2006
  - 2006-04-05 IL IL174812A patent/IL174812A0/en unknown
  - 2006-12-18 HK HK06113858A patent/HK1093242A1/en not_active IP Right Cessation
- 2011
  - 2011-11-11 US US13/294,965 patent/US8719433B2/en not_active Expired - Lifetime
Patent Citations (53)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4840284B1 (en) * | 1988-01-15 | 1996-10-01 | Nationsbank Of Georgia | Sloped bottom tank |
US4840284A (en) * | 1988-01-15 | 1989-06-20 | Hoover Group, Inc. | Sloped bottom tank |
US6022315A (en) * | 1993-12-29 | 2000-02-08 | First Opinion Corporation | Computerized medical diagnostic and treatment advice system including network access |
US5696898A (en) * | 1995-06-06 | 1997-12-09 | Lucent Technologies Inc. | System and method for database access control |
US6849045B2 (en) * | 1996-07-12 | 2005-02-01 | First Opinion Corporation | Computerized medical diagnostic and treatment advice system including network access |
US6206829B1 (en) * | 1996-07-12 | 2001-03-27 | First Opinion Corporation | Computerized medical diagnostic and treatment advice system including network access |
US6482156B2 (en) * | 1996-07-12 | 2002-11-19 | First Opinion Corporation | Computerized medical diagnostic and treatment advice system including network access |
US7136903B1 (en) * | 1996-11-22 | 2006-11-14 | Mangosoft Intellectual Property, Inc. | Internet-based shared file service with native PC client access and semantics and distributed access control |
US5889942A (en) * | 1996-12-18 | 1999-03-30 | Orenshteyn; Alexander S. | Secured system for accessing application services from a remote station |
US6947156B1 (en) * | 1996-12-26 | 2005-09-20 | Canon Kabushiki Kaisha | Remote control apparatus and system in which identification or control information is obtained from a device to be controlled |
US5996076A (en) * | 1997-02-19 | 1999-11-30 | Verifone, Inc. | System, method and article of manufacture for secure digital certification of electronic commerce |
US6038563A (en) * | 1997-10-31 | 2000-03-14 | Sun Microsystems, Inc. | System and method for restricting database access to managed object information using a permissions table that specifies access rights corresponding to user access rights to the managed objects |
US6308273B1 (en) * | 1998-06-12 | 2001-10-23 | Microsoft Corporation | Method and system of security location discrimination |
US6161139A (en) * | 1998-07-10 | 2000-12-12 | Encommerce, Inc. | Administrative roles that govern access to administrative functions |
US6157953A (en) * | 1998-07-28 | 2000-12-05 | Sun Microsystems, Inc. | Authentication and access control in a management console program for managing services in a computer network |
US6721805B1 (en) * | 1998-11-12 | 2004-04-13 | International Business Machines Corporation | Providing shared-medium multiple access capability in point-to-point communications |
US6477580B1 (en) * | 1999-08-31 | 2002-11-05 | Accenture Llp | Self-described stream in a communication services patterns environment |
US6850252B1 (en) * | 1999-10-05 | 2005-02-01 | Steven M. Hoffberg | Intelligent electronic appliance system and method |
US6675193B1 (en) * | 1999-10-29 | 2004-01-06 | Invensys Software Systems | Method and system for remote control of a local system |
US6671818B1 (en) * | 1999-11-22 | 2003-12-30 | Accenture Llp | Problem isolation through translating and filtering events into a standard object format in a network based supply chain |
US6606744B1 (en) * | 1999-11-22 | 2003-08-12 | Accenture, Llp | Providing collaborative installation management in a network-based supply chain environment |
US7124101B1 (en) * | 1999-11-22 | 2006-10-17 | Accenture Llp | Asset tracking in a network-based supply chain environment |
US7130807B1 (en) * | 1999-11-22 | 2006-10-31 | Accenture Llp | Technology sharing during demand and supply planning in a network-based supply chain environment |
US6738901B1 (en) * | 1999-12-15 | 2004-05-18 | 3M Innovative Properties Company | Smart card controlled internet access |
US6629081B1 (en) * | 1999-12-22 | 2003-09-30 | Accenture Llp | Account settlement and financing in an e-commerce environment |
US7167844B1 (en) * | 1999-12-22 | 2007-01-23 | Accenture Llp | Electronic menu document creator in a virtual financial environment |
US7069234B1 (en) * | 1999-12-22 | 2006-06-27 | Accenture Llp | Initiating an agreement in an e-commerce environment |
US6839701B1 (en) * | 2000-01-21 | 2005-01-04 | International Business Machines | Hitmask for querying hierarchically related content entities |
US7043488B1 (en) * | 2000-01-21 | 2006-05-09 | International Business Machines Corporation | Method and system for storing hierarchical content objects in a data repository |
US7089239B1 (en) * | 2000-01-21 | 2006-08-08 | International Business Machines Corporation | Method and system for preventing mutually exclusive content entities stored in a data repository to be included in the same compilation of content |
US6449627B1 (en) * | 2000-01-21 | 2002-09-10 | International Business Machines Corp. | Volume management method and system for a compilation of content |
US7076494B1 (en) * | 2000-01-21 | 2006-07-11 | International Business Machines Corporation | Providing a functional layer for facilitating creation and manipulation of compilations of content |
US6611840B1 (en) * | 2000-01-21 | 2003-08-26 | International Business Machines Corporation | Method and system for removing content entity object in a hierarchically structured content object stored in a database |
US6986102B1 (en) * | 2000-01-21 | 2006-01-10 | International Business Machines Corporation | Method and configurable model for storing hierarchical data in a non-hierarchical data repository |
US7007034B1 (en) * | 2000-01-21 | 2006-02-28 | International Business Machines Corporation | File structure for storing content objects in a data repository |
US6944596B1 (en) * | 2000-02-23 | 2005-09-13 | Accenture Llp | Employee analysis based on results of an education business simulation |
US6820082B1 (en) * | 2000-04-03 | 2004-11-16 | Allegis Corporation | Rule based database security system and method |
US6920502B2 (en) * | 2000-04-13 | 2005-07-19 | Netilla Networks, Inc. | Apparatus and accompanying methods for providing, through a centralized server site, an integrated virtual office environment, remotely accessible via a network-connected web browser, with remote network monitoring and management capabilities |
US6636585B2 (en) * | 2000-06-26 | 2003-10-21 | Bearingpoint, Inc. | Metrics-related testing of an operational support system (OSS) of an incumbent provider for compliance with a regulatory scheme |
US6678355B2 (en) * | 2000-06-26 | 2004-01-13 | Bearingpoint, Inc. | Testing an operational support system (OSS) of an incumbent provider for compliance with a regulatory scheme |
US7185192B1 (en) * | 2000-07-07 | 2007-02-27 | Emc Corporation | Methods and apparatus for controlling access to a resource |
US6957199B1 (en) * | 2000-08-30 | 2005-10-18 | Douglas Fisher | Method, system and service for conducting authenticated business transactions |
US7085648B2 (en) * | 2000-11-17 | 2006-08-01 | Nec Corporation | Information delivering server and clients and method thereof and storing medium stored programs to execute information delivery |
US20020138572A1 (en) * | 2000-12-22 | 2002-09-26 | Delany Shawn P. | Determining a user's groups |
US6898628B2 (en) * | 2001-03-22 | 2005-05-24 | International Business Machines Corporation | System and method for providing positional authentication for client-server systems |
US20020184217A1 (en) * | 2001-04-19 | 2002-12-05 | Bisbee Stephen F. | Systems and methods for state-less authentication |
US7103663B2 (en) * | 2001-06-11 | 2006-09-05 | Matsushita Electric Industrial Co., Ltd. | License management server, license management system and usage restriction method |
US20030014327A1 (en) * | 2001-06-29 | 2003-01-16 | Kristofer Skantze | System and method in electronic commerce from hand-held computer units |
US7243138B1 (en) * | 2002-02-01 | 2007-07-10 | Oracle International Corporation | Techniques for dynamic rule-based response to a request for a resource on a network |
US7171615B2 (en) * | 2002-03-26 | 2007-01-30 | Aatrix Software, Inc. | Method and apparatus for creating and filing forms |
US7143136B1 (en) * | 2002-06-06 | 2006-11-28 | Cadence Design Systems, Inc. | Secure inter-company collaboration environment |
US7206851B2 (en) * | 2002-07-11 | 2007-04-17 | Oracle International Corporation | Identifying dynamic groups |
US7313827B2 (en) * | 2003-07-10 | 2007-12-25 | International Business Machines Corporation | Apparatus and method for analysis of conversational patterns to position information and autonomic access control list management |
Cited By (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080013411A1 (en) * | 2006-07-12 | 2008-01-17 | Tyler Thorp | Electronic Library for Managing Data on Removable Storage Devices |
US8661185B2 (en) * | 2006-07-12 | 2014-02-25 | Sandisk Technologies Inc. | Electronic library for managing data on removable storage devices |
US20100030346A1 (en) * | 2007-02-02 | 2010-02-04 | Mitsuhiro Watanabe | Control system and control method for controlling controllable device such as peripheral device, and computer program for control |
US8201218B2 (en) | 2007-02-28 | 2012-06-12 | Microsoft Corporation | Strategies for securely applying connection policies via a gateway |
WO2008106295A1 (en) * | 2007-02-28 | 2008-09-04 | Microsoft Corporation | Strategies for securely applying connection policies via a gateway |
US20080313545A1 (en) * | 2007-06-13 | 2008-12-18 | Microsoft Corporation | Systems and methods for providing desktop or application remoting to a web browser |
EP2031541A1 (en) * | 2007-09-03 | 2009-03-04 | LG Electronics Inc. | Facility management system and control method of facility management system |
US20090063181A1 (en) * | 2007-09-03 | 2009-03-05 | Lg Electronics Inc. | Facility management system and control method of facility management system |
US20090132836A1 (en) * | 2007-11-16 | 2009-05-21 | Keisuke Mera | Power-saving control apparatus and method |
US9787716B2 (en) * | 2007-11-16 | 2017-10-10 | Kabushiki Kaisha Toshiba | Power saving control apparatus and method |
US20090222565A1 (en) * | 2008-02-28 | 2009-09-03 | Microsoft Corporation | Centralized Publishing of Network Resources |
US8161160B2 (en) | 2008-02-28 | 2012-04-17 | Microsoft Corporation | XML-based web feed for web access of remote resources |
US20090222531A1 (en) * | 2008-02-28 | 2009-09-03 | Microsoft Corporation | XML-based web feed for web access of remote resources |
US8683062B2 (en) | 2008-02-28 | 2014-03-25 | Microsoft Corporation | Centralized publishing of network resources |
US20090327905A1 (en) * | 2008-06-27 | 2009-12-31 | Microsoft Corporation | Integrated client for access to remote resources |
US8612862B2 (en) | 2008-06-27 | 2013-12-17 | Microsoft Corporation | Integrated client for access to remote resources |
US20160026785A1 (en) * | 2009-01-06 | 2016-01-28 | Vetrix, Llc | Integrated physical and logical security management via a portable device |
US8276085B2 (en) | 2009-01-29 | 2012-09-25 | Iteleport, Inc. | Image navigation for touchscreen user interface |
US20110093822A1 (en) * | 2009-01-29 | 2011-04-21 | Jahanzeb Ahmed Sherwani | Image Navigation for Touchscreen User Interface |
US7870496B1 (en) | 2009-01-29 | 2011-01-11 | Jahanzeb Ahmed Sherwani | System using touchscreen user interface of a mobile device to remotely control a host computer |
US11438732B2 (en) | 2009-03-06 | 2022-09-06 | Vetrix, Llc | Systems and methods for mobile tracking, communications and alerting |
US11190559B1 (en) * | 2009-12-23 | 2021-11-30 | 8X8, Inc. | Computer server configured for data meetings with optional participant-selected call-connecting attributes |
US11595452B1 (en) * | 2009-12-23 | 2023-02-28 | 8X8, Inc. | Computer server configured for data meetings with optional participant-selected call-connecting attributes |
US20130346543A1 (en) * | 2012-06-22 | 2013-12-26 | International Business Machines Corporation | Cloud service selector |
US20160371483A1 (en) * | 2014-03-11 | 2016-12-22 | Fuji Machine Mfg. Co., Ltd. | Account authority management device and account authority management method for a component mounter related application |
US10289834B2 (en) * | 2014-03-11 | 2019-05-14 | Fuji Corporation | Account authority management device and account authority management method for a component mounter related application |
US10380551B2 (en) * | 2015-12-31 | 2019-08-13 | Dropbox, Inc. | Mixed collaboration teams |
US10110551B1 (en) * | 2017-08-14 | 2018-10-23 | Reza Toghraee | Computer-implemented system and methods for providing IPoE network access using software defined networking |
Also Published As
Publication number | Publication date |
---|---|
US8719433B2 (en) | 2014-05-06 |
HK1093242A1 (en) | 2007-02-23 |
EP1671204B1 (en) | 2008-03-05 |
DE602004012300T2 (en) | 2009-03-19 |
JP2007509389A (en) | 2007-04-12 |
US20120060204A1 (en) | 2012-03-08 |
WO2005041004A1 (en) | 2005-05-06 |
AU2004284747A1 (en) | 2005-05-06 |
ES2303098T3 (en) | 2008-08-01 |
EP1671204A1 (en) | 2006-06-21 |
ATE388435T1 (en) | 2008-03-15 |
KR20060134925A (en) | 2006-12-28 |
DE602004012300D1 (en) | 2008-04-17 |
CA2541916A1 (en) | 2005-05-06 |
IL174812A0 (en) | 2006-08-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8719433B2 (en) | | Methods and apparatus for scalable secure remote desktop access |
US10505930B2 (en) | | System and method for data and request filtering |
JP5052523B2 (en) | | Authenticating principals in a federation |
US7660880B2 (en) | | System and method for automated login |
US6826692B1 (en) | | Method and apparatus to permit automated server determination for foreign system login |
JP4164855B2 (en) | | Server support method and system for pluggable authorization system |
US9686262B2 (en) | | Authentication based on previous authentications |
US7941849B2 (en) | | System and method for audit tracking |
JP5205380B2 (en) | | Method and apparatus for providing trusted single sign-on access to applications and Internet-based services |
US7305562B1 (en) | | System, method and computer program product for an authentication management infrastructure |
US7194764B2 (en) | | User authentication |
US8108907B2 (en) | | Authentication of user database access |
US8250633B2 (en) | | Techniques for flexible resource authentication |
US20040148372A1 (en) | | Web-browser based heterogeneous systems management tool |
WO2001065375A1 (en) | | System, method and computer program product for an authentication management infrastructure |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: CITRIX SYSTEMS, INC., FLORIDA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: PANASYUK, ANATOLIY; SIRJANI, ABOLFAZL; WALTERS, BEN; AND OTHERS; REEL/FRAME: 014422/0077; SIGNING DATES FROM 20030925 TO 20030926 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |