Methods and systems for network-based management of application security
Abstract
To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a process's token. The rule includes an application-criterion set and the changes to be made to the groups and/or privileges of a token. The rule is set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers. When a GPO containing a rule is applied to a computer, a driver installed on the computer accesses the rule(s) whenever a logged-on user executes a process. If the executed process satisfies the criterion set of a rule, the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
38 Claims
1. For modifying access to securable objects, a method comprising:
A) providing a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one group to be added to a token of a process that satisfies the application-criterion set and whose access to securable objects is controlled by an operating system in accordance with the token, at least one said specified group being a group other than the Administrators group; and
B) before the operating system employs a process's token to determine that process's access to securable objects;
i) making a determination of whether that process satisfies the criterion set; and
ii) if and only if that determination is affirmative, adding to that process's token in response to that rule each group that the rule specifies.
(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 not shown.)

10. For modifying a user's privileges to perform systems-related operations, a method comprising:
A) providing a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one privilege to be added to a token of a process that satisfies the application-criterion set and whose performance of system operations is controlled by an operating system in accordance with the token; and
B) before the operating system employs a process's token to determine that process's privileges;
i) making a determination of whether that process satisfies the criterion set; and
ii) if and only if that determination is affirmative, adding to that process's token in response to that rule each privilege that the rule specifies.
(Dependent claims 11, 12, 13, 14, 15 not shown.)

16. For blocking inheritance of a modified token of a process, a method comprising:
A) providing at least one rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying (1) at least one change to be made to a token of a process that satisfies the application-criterion set and whose privileges and access to securable objects are controlled by an operating system in accordance with the token, and (2) an inheritance option set to either block or allow inheritance, by any child process, of any changes made to the token of a parent process; and
B) if the inheritance option is set to block and the process does not satisfy any said rule's application-criterion set, before the operating system of the computer employs a process's token to determine that process's privileges and access to securable objects, determining if the process is the child of another process and if the process is the grandchild of another process, and if both determinations are affirmative, make that process's token the same as the token of its grandparent process, and if not, make that process's token the same as an unmodified access token.
(Dependent claims 17, 18, 19 not shown.)

20. For limiting changes made to a token of a process, a method comprising:
A) providing a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, wherein one said criterion is that the user match a user identifier specified by that criterion, the rule specifying at least one change to be made to a token of a process that satisfies the application-criterion set and whose access to securable objects and privileges is controlled by an operating system in accordance with the token; and
B) before the operating system employs a process's token to determine that process's access to securable objects and privileges;
i) making a determination of whether that process satisfies the criterion set; and
ii) if and only if that determination is affirmative, changing that process's token in response to that rule according to each change that the rule specifies.
(Dependent claims 21, 22, 23, 24 not shown.)

25. For managing, over a network, changes to process tokens created in computers operatively coupled to the network, where the computers on the network are organized into groups, a method comprising:
A) creating a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one change to be made to a token of a process that satisfies the application-criterion set and whose access to securable objects and privileges is controlled by an operating system in accordance with the token;
B) associating each created rule to respective selected ones of group policy objects, where at least one selected group policy object applies to at least one of the groups of computers;
C) applying each group policy object to its group of computers; and
D) for each computer in each group, before the operating system of that computer employs a process's token to determine that process's access to securable objects and privileges;
i) making a determination of whether that process satisfies the criterion set; and
ii) if and only if that determination is affirmative, changing that process's token in response to that rule according to each change that the rule specifies.
(Dependent claims 26, 27, 28, 29, 30, 31, 32, 33 not shown.)

34. A computer program product to modify access to securable objects on a computer, the computer program product comprising computer code to:
A) receive a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one group to be added to a token of a process that satisfies the application-criterion set and whose access to securable objects is controlled by an operating system of the computer in accordance with the token, at least one said specified group being a group other than the Administrators group; and
B) before the operating system of the computer employs a process's token to determine that process's access to securable objects;
i) make a determination of whether that process satisfies the criterion set; and
ii) if and only if that determination is affirmative, add to that process's token in response to that rule each group that the rule specifies.

35. A computer program product to modify a user's privileges to perform systems-related operations on a computer, the computer program product comprising computer code to:
A) receive a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one privilege to be added to a token of a process that satisfies the application-criterion set and whose performance of system operations is controlled by an operating system of the computer in accordance with the token; and
B) before the operating system of the computer employs a process's token to determine that process's privileges;
i) make a determination of whether that process satisfies the criterion set; and
ii) if and only if that determination is affirmative, add to that process's token in response to that rule each privilege that the rule specifies.

36. A computer program product to block inheritance of a modified token of a process on a computer, the computer program product comprising computer code to:
A) receive at least one rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying (1) at least one change to be made to a token of a process that satisfies the application-criterion set and whose privileges and access to securable objects are controlled by an operating system of the computer in accordance with the token, and (2) an inheritance option set to either block or allow inheritance, by any child process, of any changes made to the token of a parent process; and
B) if the inheritance option is set to block and the process does not satisfy any said rule's application-criterion set, before the operating system of the computer employs a process's token to determine that process's privileges and access to securable objects, determine if the process is the child of another process and if the process is the grandchild of another process, and if both determinations are affirmative, make that process's token the same as the token of its grandparent process, and if not, make that process's token the same as an unmodified access token.

37. A computer program product to limit changes made to a token of a process on a computer, the computer program product comprising computer code to:
A) receive a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, wherein one said criterion is that the user match a user identifier specified by that criterion, the rule specifying at least one change to be made to a token of a process that satisfies the application-criterion set and whose access to securable objects and privileges is controlled by an operating system in accordance with the token; and
B) before the operating system employs a process's token to determine that process's access to securable objects and privileges;
i) making a determination of whether that process satisfies the criterion set; and
ii) if and only if that determination is affirmative, changing that process's token in response to that rule according to each change that the rule specifies.

38. A computer program product to manage, over a network, changes to process tokens created in computers operatively coupled to the network, where the computers on the network are organized into groups, the computer program product comprising computer code to:
A) create a rule that includes an application-criterion set including at least one criterion for token modification in accordance with the rule, the rule specifying at least one change to be made to a token of a process that satisfies the application-criterion set and whose access to securable objects and privileges is controlled by an operating system in accordance with the token;
B) associate each created rule to respective selected ones of group policy objects, where at least one selected group policy object applies to at least one of the groups of computers;
C) apply each group policy object to its group of computers; and
D) for each computer in each group, before the operating system of that computer employs a process's token to determine that process's access to securable objects and privileges;
i) make a determination of whether that process satisfies the criterion set; and
ii) if and only if that determination is affirmative, change that process's token in response to that rule according to each change that the rule specifies.
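The mechanism in the abstract and in claims 1, 10, 16 and 20 (rule with an application-criterion set, group and privilege additions made to the token before the operating system first uses it, a user-identifier criterion, and a per-rule inheritance option that hands a non-matching child the grandparent's token or an unmodified token) can be modelled as a small rule engine. The following Python is an added illustration written for this page, not code from the patent or from any product implementing it. The class and function names, the criteria chosen (executable path and user), the unmodified-token contents, and the reading that the inheritance option consulted for a non-matching child is the one on the rule that modified its parent's token are all assumptions made for the example; the process tree and rules are constructed sample data.

```python
"""Toy model of rule-driven, per-process token modification (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    """Simplified access token: owning user plus group and privilege sets."""
    user: str
    groups: frozenset
    privileges: frozenset


@dataclass(frozen=True)
class Rule:
    """A rule: application criteria plus the token changes to make (assumed shape)."""
    name: str
    image_path: Optional[str] = None       # criterion: executable path (None = any)
    user: Optional[str] = None             # criterion: user identifier (None = any)
    add_groups: frozenset = frozenset()
    add_privileges: frozenset = frozenset()
    block_inheritance: bool = False        # inheritance option: block or allow

    def matches(self, image_path: str, user: str) -> bool:
        """Every criterion in the set must hold for the rule to apply."""
        if self.image_path is not None and self.image_path.lower() != image_path.lower():
            return False
        if self.user is not None and self.user != user:
            return False
        return True


@dataclass
class Process:
    pid: int
    image_path: str
    token: Token
    parent: Optional["Process"] = None
    applied_rule: Optional[Rule] = None    # audit trail: which rule changed the token


def unmodified_token(user: str) -> Token:
    """The token the OS would build with no rule involved (constructed contents)."""
    return Token(user, frozenset({"Users", "Everyone"}),
                 frozenset({"SeChangeNotifyPrivilege"}))


def spawn(pid: int, image_path: str, user: str, rules: list,
          parent: Optional[Process] = None) -> Process:
    """Derive a new process's token before the OS uses it for access checks."""
    base = unmodified_token(user)
    # Claims 1/10/20: a matching rule adds its groups and privileges to this process only.
    for rule in rules:
        if rule.matches(image_path, user):
            tok = Token(user, base.groups | rule.add_groups,
                        base.privileges | rule.add_privileges)
            return Process(pid, image_path, tok, parent, rule)
    # No rule matched: decide whether a modified parent token is inherited.
    if parent is None:
        return Process(pid, image_path, base, None)
    if parent.applied_rule is not None and parent.applied_rule.block_inheritance:
        # Claim 16: child and grandchild -> grandparent's token; otherwise unmodified.
        grandparent = parent.parent
        tok = grandparent.token if grandparent is not None else base
        return Process(pid, image_path, tok, parent)
    # Inheritance allowed: ordinary OS behaviour, the child takes the parent's token.
    return Process(pid, image_path, parent.token, parent)


def demo():
    """Constructed process tree exercising match, user criterion and inheritance block."""
    rules = [
        # Adds a non-Administrators group and one privilege; changes are not inherited.
        Rule("backup-tool", image_path=r"C:\Apps\setup.exe",
             add_groups=frozenset({"Backup Operators"}),
             add_privileges=frozenset({"SeBackupPrivilege"}),
             block_inheritance=True),
        # Applies only when the user identifier also matches (claim 20 style criterion).
        Rule("analyst-debug", image_path=r"C:\Tools\netcap.exe", user="alice",
             add_privileges=frozenset({"SeDebugPrivilege"})),
    ]
    explorer = spawn(100, r"C:\Windows\explorer.exe", "bob", rules)
    setup = spawn(200, r"C:\Apps\setup.exe", "bob", rules, parent=explorer)
    cmd = spawn(300, r"C:\Windows\System32\cmd.exe", "bob", rules, parent=setup)
    tool_alice = spawn(400, r"C:\Tools\netcap.exe", "alice", rules)
    tool_bob = spawn(401, r"C:\Tools\netcap.exe", "bob", rules)
    return explorer, setup, cmd, tool_alice, tool_bob


if __name__ == "__main__":
    for p in demo():
        print(p.pid, p.image_path, sorted(p.token.groups), sorted(p.token.privileges),
              p.applied_rule.name if p.applied_rule else "-")
```

The `applied_rule` field is the piece a defender would want: it records which rule widened a given process's token, so each modification can be logged and reconciled against the GPO-distributed rule set. In the sample tree, `setup.exe` gains the Backup Operators group, the `cmd.exe` it launches falls back to its grandparent's (unmodified) token because the rule blocks inheritance, and `netcap.exe` is only widened for the user named in the rule.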