AUTHENTICATION IN A NETWORK USING CLIENT HEALTH ENFORCEMENT FRAMEWORK

US 20100115578A1
Filed: 12/18/2008
Published: 05/06/2010
Est. Priority Date: 11/03/2008
Status: Active Grant

First Claim

Patent Images

1. A method of operating a client computer configured to provide a statement of health to a server that selectively authorizes network access based on the health of the client computer, the method comprising:

obtaining authentication information indicating that the client computer is authenticated to access the network;

formatting a statement of health to include the authentication information; and

providing the statement of health to the server in connection with a request for network access.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network with authentication implemented using a client health enforcement framework. The framework is adapted to receive plug-ins on clients that generate health information. Corresponding plug-ins on a server validate that health information. Based on the results of validation, the server may instruct the client to remediate or may authorize an underlying access enforcement mechanism to allow access. A client plug-in that generates authentication information formatted as a statement of health may be incorporated into such a framework. Similarly, on the server, a validator to determine, based on the authentication information, whether the client should be granted network access can be incorporated into the framework. Authentication can be simply applied or modified by changing the plug-ins, while relying on the framework to interface with an enforcement mechanism. Functions of the health enforcement framework can be leveraged to provide authentication-based functionality, such as revoking authorized access after a period of user inactivity or in response to a user command.

95 Citations

View as Search Results

20 Claims

1. A method of operating a client computer configured to provide a statement of health to a server that selectively authorizes network access based on the health of the client computer, the method comprising:
- obtaining authentication information indicating that the client computer is authenticated to access the network;
  
  formatting a statement of health to include the authentication information; and
  
  providing the statement of health to the server in connection with a request for network access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the server comprises a health policy server.
  - 3. The method of claim 1, wherein the authentication information comprises a security token.
  - 4. The method of claim 3, wherein the security token comprises an X.509 certificate.
  - 5. The method of claim 3, further comprising:
    - authenticating the client to a second server; and
      
      receiving the security token from the second server.
  - 6. The method of claim 1, wherein:
    - the method further comprises generating anti-virus configuration information indicating a configuration of anti-virus software on the client computer; and
      
      formatting the statement of health further comprises formatting the statement of health to include the anti-virus configuration information.
  - 7. The method of claim 1, further comprising:
    - monitoring user interactions with the client computer; and
      
      when user interactions are not detected for a period of time exceeding a threshold, sending to the server an indication that the statement of health of the client has changed.
  - 8. The method of claim 1, further comprising:
    - receiving user input indicating a network logoff; and
      
      in response to the user input, sending to the server an indication that the statement of health of the client has changed.

9. A client computer configured with a client health enforcement framework comprising a client health access agent adapted to obtain information from one or more statement of health agents through an interface and send a statement of health to a health policy server adapted to validate the statement of health and, when the statement of health is validated, to authorize access to a network, the client computer further comprising:
- an authentication agent comprising computer-executable instructions stored on a computer storage media for authenticating the client computer for access to the network and for providing information indicating authentication status of the client computer to the client health access agent through the interface,whereby the client health access agent sends a statement of health including authentication information to the health policy server.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The client computer of claim 9, wherein the authentication agent is adapted to authenticate the client computer by authenticating with a second server.
  - 11. The client computer of claim 10, wherein the client health enforcement framework is configured to authorize access that times out, and the client health access agent is adapted to poll each of the one or more statement of health agents and the authentication agent for status information when the authorization times out.
  - 12. The client computer of claim 11, wherein, the authentication agent is adapted to re-authenticating the client computer in response to being polled by the client health access agent for status information.
  - 13. The client computer of claim 11, wherein:
    - the one or more statement of health agents is each adapted to communicate a change of health status indication through the interface;
      
      the client health access agent is adapted to communicate a health status change to the health policy server in response to a change of health status indication through the interface; and
      
      the authentication agent is adapted to communicate a change of health status indication through the interface in response to detecting user inactivity exceeding a threshold period of time.
  - 14. The client computer of claim 13, wherein the authentication agent is further adapted to communicate a change of health status indication through the interface in response to user input indicating a network logoff.
  - 15. The client computer of claim 14, wherein the one or more statement of health agents comprise an anti-virus agent adapted to indicate a configuration of anti-virus software executing on the client computer.

16. A method of operating a network comprising a client computer and a health policy server, the client comprising a client health access agent being adapted to obtain health information from one or more statement of health agents executing on the client and to provide, based on the obtained health information, a statement of health to the health policy server, and the health policy server being adapted to provide a portion of the statement of health to each of one or more component health validators and to selectively authorize network access based on results of processing of respective portions of the statement of health by the one or more component health validators, the method comprising:
- in an authentication agent on the client computer, generating authentication information indicating whether the client computer is authorized for network access and providing the authentication information to the client health access agent;
  
  in the client health access agent, generating a statement of health for the client computer including the authentication information and the health information from the one or more statement of health agents; and
  
  in the health policy server, providing a portion of the statement of health corresponding to the authentication information to an authentication validator and selectively authorizing network access based in part on processing of the authentication information within the authentication validator.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of operating a network of claim 16, wherein:
    - the one or more statement of health agents comprises a statement of health agent adapted to determine a configuration of at least one protective component on the client computer;
      
      generating the statement of health comprises incorporating configuration information identifying the configuration of the at least one protective component;
      
      the method further comprises, in the health policy server, providing a second portion of the statement of health corresponding to the configuration information to a component health validator; and
      
      selectively authorizing network access further comprises authorizing network access based in part on processing of the configuration information within the component health validator.
  - 18. The method of operating a network of claim 17, wherein:
    - the network further comprises an authentication server adapted to authenticate clients for access to the network and provide information to a client indicating the authentication status of the client, andthe authentication agent generates the authentication information from the information indicating authentication status obtained from the authentication server.
  - 19. The method of claim 18, wherein:
    - the authentication agent is configured as a plug-in for the client health access agent, andthe authentication agent provides a user interface to obtain authentication parameters from a user.
  - 20. The method of claim 18, wherein:
    - when the health policy server determines that one or more portions of the statement of health is out of compliance with an access policy, the health policy server responds with an instruction to remediate a component associated with each of the one or more portions; and
      
      when the instruction to remediate is associated with the authentication information in the statement of health, the instruction to remediate includes challenge information;
      
      following remediation by the authentication agent, when the client health access agent submits a subsequent statement of health to the health validation server, the subsequent statement of health includes the challenge information signed by the authentication server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Eyal, Anat, Nukala, Chandrasekhar, Neystadt, Eugene, Addagatla, Sreenivas, Nice, Nir

Granted Patent

US 9,443,084 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2129   Authenticate client device ...

H04L 63/08   for authentication of entit...

H04L 63/1441   Countermeasures against mal...

AUTHENTICATION IN A NETWORK USING CLIENT HEALTH ENFORCEMENT FRAMEWORK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHENTICATION IN A NETWORK USING CLIENT HEALTH ENFORCEMENT FRAMEWORK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links