Methods and systems for network-based management of application security

US 20070043943A1
Filed: 08/18/2005
Published: 02/22/2007
Est. Priority Date: 08/18/2005
Status: Active Grant

First Claim

Patent Images

1. For modifying access to securable objects, a method comprising:

A) providing a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one group to be added to a token of a process that satisfies the application-criterion set and whose access to securable objects is controlled by an operating system in accordance with the token, at least one said specified group being a group other than the Administrators group; and

B) before the operating system employs a process'"'"'s token to determine that process'"'"'s access to securable objects;

i) making a determination of whether that process satisfies the criterion set; and

ii) if and only if that determination is affirmative, adding to that process'"'"'s token in response to that rule each group that the rule specifies.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a process'"'"'s token. The rule includes an application-criterion set and changes to be made to the groups and/or privileges of a token. The rule is set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers. When a GPO containing a rule is applied to a computer, a driver installed on the computer accesses the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.

100 Citations

View as Search Results

38 Claims

1. For modifying access to securable objects, a method comprising:
- A) providing a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one group to be added to a token of a process that satisfies the application-criterion set and whose access to securable objects is controlled by an operating system in accordance with the token, at least one said specified group being a group other than the Administrators group; and
  
  B) before the operating system employs a process'"'"'s token to determine that process'"'"'s access to securable objects;
  
  i) making a determination of whether that process satisfies the criterion set; and
  
  ii) if and only if that determination is affirmative, adding to that process'"'"'s token in response to that rule each group that the rule specifies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein:
    - A) the rule is one of a plurality of such rules;
      
      B) the method includes assigning relative priorities to the rules; and
      
      C) the method includes adding a group to the process'"'"'s token in response to a given rule only if the process satisfies the application-criterion set of no rule whose priority is higher than the given rule'"'"'s.
  - 3. The method according to claim 1, wherein:
    - A) the process executes an executable entity; and
      
      B) at least one said criterion is that the executable entity match an executable-entity identifier specified by that criterion.
  - 4. The method according to claim 3, wherein the executable entity is an executable file.
  - 5. The method according to claim 4, wherein the executable-entity identifier is a hash on the executable file'"'"'s contents.
  - 6. The method according to claim 4, wherein the executable-entity identifier represents the executable file'"'"'s path.
  - 7. The method according to claim 1, wherein:
    - A) the rule further specifies at least one privilege to be added to the token of a process that satisfies the application-criterion set; and
      
      B) the method further comprises adding each privilege that the rule specifies to a process'"'"'s token if the process satisfies the application-criterion set.
  - 8. The method according to claim 1, wherein:
    - A) the rule further includes an inheritance option set to either block or allow inheritance, by any child process, of any group or groups added to the token of a parent process; and
      
      B) if the inheritance option is set to block and the process does not satisfy any said rule'"'"'s application-criterion set, the method further comprises determining if the process is the child of another process and if the process is the grandchild of another process, and if both determinations are affirmative, make that process'"'"'s token the same as the token of its grandparent process, and if not, make that process'"'"'s token the same as an unmodified access token.
  - 9. The method according to claim 1, wherein one said criterion is that the user match a user identifier specified by that criterion.

10. For modifying a user'"'"'s privileges to perform systems-related operations, a method comprising:
- A) providing a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one privilege to be added to a token of a process that satisfies the application-criterion set and whose performance of system operations is controlled by an operating system in accordance with the token; and
  
  B) before the operating system employs a process'"'"'s token to determine that process'"'"'s privileges;
  
  i) making a determination of whether that process satisfies the criterion set; and
  
  ii) if and only if that determination is affirmative, adding to that process'"'"'s token in response to that rule each privilege that the rule specifies.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method according to claim 10, wherein:
    - A) the rule is one of a plurality of such rules;
      
      B) the method includes assigning relative priorities to the rules; and
      
      C) the method includes adding a privilege to the process'"'"'s token in response to a given rule only if the process satisfies the application-criterion set of no rule whose priority is higher than the given rule'"'"'s.
  - 12. The method according to claim 10, wherein:
    - A) the process executes an executable entity; and
      
      B) at least one said criterion is that the executable entity match an executable-entity identifier specified by that criterion.
  - 13. The method according to claim 10, wherein:
    - C) the rule further specifies at least one group to be added to the token of a process that satisfies the application-criterion set; and
      
      D) the method further comprises adding each group that the rule specifies to a process'"'"'s token if the process satisfies the application-criterion set.
  - 14. The method according to claim 10, wherein:
    - A) the rule further includes an inheritance option set to either block or allow inheritance, by any child process, of any privilege or privileges added to the token of a parent process; and
      
      B) if the inheritance option is set to block and the process does not satisfy any said rule'"'"'s application-criterion set, the method further comprises determining if the process is the child of another process and if the process is the grandchild of another process, and if both determinations are affirmative, make that process'"'"'s token the same as the token of its grandparent process, and if not, make that process'"'"'s token the same as an unmodified access token.
  - 15. The method according to claim 10, wherein one said criterion is that the user match a user identifier specified by that criterion.

16. For blocking inheritance of a modified token of a process, a method comprising:
- A) providing at least one rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying (1) at least one change to be made to a token of a process that satisfies the application-criterion set and whose privileges and access to securable objects are controlled by an operating system in accordance with the token, and (2) an inheritance option set to either block or allow inheritance, by any child process, of any changes made to the token of a parent process; and
  
  B) if the inheritance option is set to block and the process does not satisfy any said rule'"'"'s application-criterion set, before the operating system of the computer employs a process'"'"'s token to determine that process'"'"'s privileges and access to securable objects, determining if the process is the child of another process and if the process is the grandchild of another process, and if both determinations are affirmative, make that process'"'"'s token the same as the token of its grandparent process, and if not, make that process'"'"'s token the same as an unmodified access token.
- View Dependent Claims (17, 18, 19)
- - 17. The method according to claim 16, where the at least one change is one of adding a group, removing a group, adding a privilege, and removing a privilege.
  - 18. The method according to claim 16, wherein:
    - A) the process executes an executable entity; and
      
      B) at least one said criterion is that the executable entity match an executable-entity identifier specified by that criterion.
  - 19. The method according to claim 16, wherein one said criterion is that the user match a user identifier specified by that criterion.

20. For limiting changes made to a token of a process, a method comprising:
- A) providing a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, wherein one said criterion is that the user match a user identifier specified by that criterion, the rule specifying at least one change to be made to a token of a process that satisfies the application-criterion set and whose access to securable objects and privileges is controlled by an operating system in accordance with the token; and
  
  B) before the operating system employs a process'"'"'s token to determine that process'"'"'s access to securable objects and privileges;
  
  i) making a determination of whether that process satisfies the criterion set; and
  
  ii) if and only if that determination is affirmative, changing that process'"'"'s token in response to that rule according to each change that the rule specifies.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The method according to claim 20, where the at least one change is one of adding a group, removing a group, adding a privilege, and removing a privilege.
  - 22. The method according to claim 20, wherein:
    - A) the rule is one of a plurality of such rules;
      
      B) the method includes assigning relative priorities to the rules; and
      
      C) the method includes changing the process'"'"'s token in response to a given rule only if the process satisfies the application-criterion set of no rule whose priority is higher than the given rule'"'"'s.
  - 23. The method according to claim 20, wherein:
    - A) the process executes an executable entity; and
      
      B) at least one said criterion further includes that the executable entity match an executable-entity identifier specified by that criterion.
  - 24. The method according to claim 20, wherein:
    - A) the rule further includes an inheritance option set to either block or allow inheritance, by any child process, of any changes made to the token of a parent process; and
      
      B) if the inheritance option is set to block and the process does not satisfy any said rule'"'"'s application-criterion set, the method further comprises determining if the process is the child of another process and if the process is the grandchild of another process, and if both determinations are affirmative, make that process'"'"'s token the same as the token of its grandparent process, and if not, make that process'"'"'s token the same as an unmodified access token.

25. For managing, over a network, changes to process tokens created in computers operatively coupled to the network, where the computers on the network are organized into groups, a method comprising:
- A) creating a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one change to be made to a token of a process that satisfies the application-criterion set and whose access to securable objects and privileges is controlled by an operating system in accordance with the token;
  
  B) associating each created rule to respective selected ones of group policy objects, where at least one selected group policy object applies to at least one of the groups of computers;
  
  C) applying each group policy object to its group of computers; and
  
  D) for each computer in each group, before the operating system of that computer employs a process'"'"'s token to determine that process'"'"'s access to securable objects and privileges;
  
  i) making a determination of whether that process satisfies the criterion set; and
  
  ii) if and only if that determination is affirmative, changing that process'"'"'s token in response to that rule according to each change that the rule specifies.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33)
- - 26. The method according to claim 25, where the at least one change is one of adding a group, removing a group, adding a privilege, and removing a privilege.
  - 27. The method according to claim 25, wherein:
    - A) a plurality of rules are created;
      
      B) the method includes assigning relative priorities to the rules; and
      
      C) the method includes changing the process'"'"'s token in response to a given rule only if the process satisfies the application-criterion set of no rule whose priority is higher than the given rule'"'"'s.
  - 28. The method according to claim 25, wherein:
    - A) the process executes an executable entity; and
      
      B) at least one said criterion further includes that the executable entity match an executable-entity identifier specified by that criterion.
  - 29. The method according to claim 25, wherein:
    - A) the rule further includes an inheritance option set to either block or allow inheritance, by any child process, of any changes made to the token of a parent process; and
      
      B) if the inheritance option is set to block and the process does not satisfy any said rule'"'"'s application-criterion set, the method further comprises determining if the process is the child of another process and if the process is the grandchild of another process, and if both determinations are affirmative, make that process'"'"'s token the same as the token of its grandparent process, and if not, make that process'"'"'s token the same as an unmodified access token.
  - 30. The method according to claim 25, wherein one said criterion is that the user match a user identifier specified by that criterion.
  - 31. The method according to claim 25, further comprising:
    - adding, in response to user input, at least one user-defined filter criterion to a selected group policy object.
  - 32. The method according to claim 31, wherein applying each group policy object to its group of computers further comprises applying each group policy object to each computer in its associated group of computers if that computer satisfies the user-defined filter criterion.
  - 33. The method according to claim 32, wherein the at least one user-defined criterion includes at least one user identifier.

34. A computer program product to modify access to securable objects on a computer, the computer program product comprising computer code to:
- A) receive a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one group to be added to a token of a process that satisfies the application-criterion set and whose access to securable objects is controlled by an operating system of the computer in accordance with the token, at least one said specified group being a group other than the Administrators group; and
  
  B) before the operating system of the computer employs a process'"'"'s token to determine that process'"'"'s access to securable objects;
  
  i) make a determination of whether that process satisfies the criterion set; and
  
  ii) if and only if that determination is affirmative, add to that process'"'"'s token in response to that rule each group that the rule specifies.

35. A computer program product to modify a user'"'"'s privileges to perform systems-related operations on a computer, the computer program product comprising computer code to:
- A) receive a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one privilege to be added to a token of a process that satisfies the application-criterion set and whose performance of system operations is controlled by an operating system of the computer in accordance with the token; and
  
  B) before the operating system of the computer employs a process'"'"'s token to determine that process'"'"'s privileges;
  
  i) make a determination of whether that process satisfies the criterion set; and
  
  ii) if and only if that determination is affirmative, add to that process'"'"'s token in response to that rule each privilege that the rule specifies.

36. A computer program product to block inheritance of a modified token of a process on a computer, the computer program product comprising computer code to:
- A) receive at least one rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying (1) at least one change to be made to a token of a process that satisfies the application-criterion set and whose privileges and access to securable objects are controlled by an operating system of the computer in accordance with the token, and (2) an inheritance option set to either block or allow inheritance, by any child process, of any changes made to the token of a parent process; and
  
  B) if the inheritance option is set to block and the process does not satisfy any said rule'"'"'s application-criterion set, before the operating system of the computer employs a process'"'"'s token to determine that process'"'"'s privileges and access to securable objects, determine if the process is the child of another process and if the process is the grandchild of another process, and if both determinations are affirmative, make that process'"'"'s token the same as the token of its grandparent process, and if not, make that process'"'"'s token the same as an unmodified access token.

37. A computer program product to limit changes made to a token of a process on a computer, the computer program product comprising computer code to:
- A) receive a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, wherein one said criterion is that the user match a user identifier specified by that criterion, the rule specifying at least one change to be made to a token of a process that satisfies the application-criterion set and whose access to securable objects and privileges is controlled by an operating system in accordance with the token; and
  
  B) before the operating system employs a process'"'"'s token to determine that process'"'"'s access to securable objects and privileges;
  
  i) making a determination of whether that process satisfies the criterion set; and
  
  ii) if and only if that determination is affirmative, changing that process'"'"'s token in response to that rule according to each change that the rule specifies.

38. A computer program product to manage, over a network, changes to process tokens created in computers operatively coupled to the network, where the computers on the network are organized into groups, the computer program product comprising computer code to:
- A) create a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one change to be made to a token of a process that satisfies the application-criterion set and whose access to securable objects and privileges is controlled by an operating system in accordance with the token;
  
  B) associate each created rule to respective selected ones of group policy objects, where at least one selected group policy object applies to at least one of the groups of computers;
  
  C) apply each group policy object to its group of computers; and
  
  D) for each computer in each group, before the operating system of that computer employs a process'"'"'s token to determine that process'"'"'s access to securable objects and privileges;
  
  i) make a determination of whether that process satisfies the criterion set; and
  
  ii) if and only if that determination is affirmative, change that process'"'"'s token in response to that rule according to each change that the rule specifies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BeyondTrust Corp.
Original Assignee
Capitalsource Incorporated
Inventors
Peretti, Marco

Granted Patent

US 8,006,088 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/167
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Methods and systems for network-based management of application security

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

38 Claims

Specification

Use Cases

Quick Links

Others

Methods and systems for network-based management of application security

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

38 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others