Remote configuration of software component using proxy

US 20080028457A1
Filed: 07/28/2006
Published: 01/31/2008
Est. Priority Date: 07/28/2006
Status: Active Grant

First Claim

Patent Images

1. A system for enabling a first software object to be configured remotely by an entity, the system comprising:

a second software object that executes on a machine on which said first software object executes, that receives one or more instructions from said entity through a network, that performs one or more authentications on said entity, and that configures said first software object in accordance with said one or more instructions if said entity satisfies said one or more authentications;

one or more stored rules that specify that said second software object is not to engage in outbound communication over said network, and that further specify that said first software object is not to engage in communication over said network, wherein said one or more stored rules govern behavior of said first software object and of said second software object.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proxy service receives requests from a remote caller to configure a main service. The proxy service authenticates the caller and validates the request. The proxy service then passes the request along to the main service if the caller can be authenticated and if the request can be validated. The proxy service runs at a non-privileged level, but when the proxy service passes the request to the main service, the proxy service impersonates the caller so that the request to the main service is made at the original caller'"'"'s level of privilege. The main service can block all inbound network traffic, since network requests to configure the main service are received by the proxy, which is a local object from the perspective of the main service. Additionally, the proxy can block inbound traffic other than a certain class of requests (e.g., Remote Procedure Calls).

31 Citations

View as Search Results

20 Claims

1. A system for enabling a first software object to be configured remotely by an entity, the system comprising:
- a second software object that executes on a machine on which said first software object executes, that receives one or more instructions from said entity through a network, that performs one or more authentications on said entity, and that configures said first software object in accordance with said one or more instructions if said entity satisfies said one or more authentications;
  
  one or more stored rules that specify that said second software object is not to engage in outbound communication over said network, and that further specify that said first software object is not to engage in communication over said network, wherein said one or more stored rules govern behavior of said first software object and of said second software object.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein said first software object exposes a first interface through which said first software object is configurable, and wherein said second software object exposes a second interface that is isomorphic to said first interface, said second software object receiving said one or more instructions by way of said second interface and configuring said first software object through said first interface.
  - 3. The system of claim 1, wherein said one or more instructions are received by said second software object in the form of a collection of data that comprises said one or more instructions, wherein said second software object determines, as a condition to said second software object'"'"'s configuring said first software object, that said collection of data satisfies at least one validity criterion.
  - 4. The system of claim 1, wherein said second software object impersonates an identity of the entity while configuring said first software object, and wherein said first software object validates an identity of said second software object as a condition to allowing said second software object to configure said first software object.
  - 5. The system of claim 1, wherein said entity is capable of having either a high-privileged status or a low- or non-privileged status, and wherein at least one of said one or more authentications is satisfied only if said entity has said high-privileged status.
  - 6. The system of claim 1, wherein said second software object is configured to require a user to perform a first action in order for said second software object to be operational, and wherein said second software object is further configured to require a user to perform a second action in order for said second software object to receive communication via a network.
  - 7. The system of claim 1, wherein said first software object is configurable only via an interface that is accessible only from said machine on which said first software object is running.

8. A method of configuring a first software object based on instructions received remotely from an entity, the method being performed by a second software object, the method comprising:
- receiving, from the entity through a network, data comprising one or more instructions to configure the first software object;
  
  acting in accordance with a first rule that specifies that said second software object is not to engage in any outbound communication over said network;
  
  determining that the entity satisfies at least one identity criterion;
  
  determining that the data satisfy at least one validity criterion;
  
  impersonating the entity;
  
  configuring said the first software object in accordance with said one or more instructions.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein said first software object exposes an first interface through which said first software object is configurable, wherein said second software object exposes a second interface that is isomorphic to said first interface, and wherein said data comprising one or more instructions are received by way of said second interface, and wherein said configuring is performed by the second software object interacting with the first software object through the first interface.
  - 10. The method of claim 8, wherein said first software object acts in accordance with a second rule that specifies that said first software object is not to engaging in any communication over said network.
  - 11. The method of claim 8, wherein said entity is capable of having either a high-privileged status or a low- or non-privileged status, and wherein said determining that the entity satisfies at least one identity criterion comprises determining that said entity has said high-privileged status.
  - 12. The method of claim 8, further comprising:
    - receiving a first direction to enable operation of said second software object; and
      
      receiving a second direction user to enable said second software object to accept communication from said network, said second software object rejecting communication from said network unless said second direct has been received, said first direction and said second direct being initiated by one or more users.
  - 13. The method of claim 8, wherein said first software object and said second software object both run on one machine, and wherein said first software object is configurable only via an interface that is accessible only from said machine.
  - 14. The method of claim 8, wherein said determining that the entity satisfies at least one identity criterion is performed before said determining that the data satisfy at least one validity criterion.

15. One or more computer-readable storage media having stored thereon:
- first executable instructions that implement a first software object, said first software object exposing a first interface that enables configuration parameters of said first software object to be set;
  
  second executable instructions that implement a second software object, said second software object exposing a second interface that is isomorphic to said first interface, said second software object receiving one or more configuration instructions from an entity through a network and using said first interface to set said configuration parameters of said first software object based on said one or more configuration instructions, said second executable instructions behaving in accordance with at least one rule governing communication over said network.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The one or more computer-readable storage media of claim 15, wherein said at least one rule comprises a rule that said second software object is not permitted to engage in outbound communication over said network.
  - 17. The one or more computer-readable storage media of claim 15, wherein said second software object is configured not to operate until a first action with respect to said second software object has been performed, and wherein said at least one rule comprises a rule that said second software object is not permitted to accept communication from said network until a first action with respect to said second software object has been performed.
  - 18. The one or more computer-readable storage media of claim 15, wherein said second software object performs at least one identity test on said entity and that further performs at least one validity test on data that comprises said configuration instructions prior to setting said configuration parameters of said first software object.
  - 19. The one or more computer-readable storage media of claim 15, wherein said entity is capable of having a privileged status or a non-privileged status, wherein said second software object determines that said entity has said privileged status prior to setting said configuration parameters of said first software object, and wherein said second software object impersonates said entity when setting said configuration parameters.
  - 20. The one or more computer-readable storage media of claim 15, wherein said first software object allows said configuration parameters to be set through said first interface only when said first interface is accessed from a machine on which said first software object is running.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Yariv, Eran, Abzarian, David, Diaz-Cuellar, Gerardo

Granted Patent

US 7,836,495 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/1441 Countermeasures against mal...

Remote configuration of software component using proxy

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Remote configuration of software component using proxy

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links