Enhancing computer system security via multiple user desktops

US 7,246,374 B1
Filed: 03/13/2000
Issued: 07/17/2007
Est. Priority Date: 03/13/2000
Status: Expired due to Fees

First Claim

Patent Images

1. One or more computer-readable media having stored thereon a computer program that, when executed by one or more processors, causes the one or more processors to perform functions including:

maintaining a plurality of desktops corresponding to a user;

associating each of a plurality of objects with at least one of the plurality of desktops;

associating each of a plurality of processes with at least one of the plurality of desktops; and

allowing each of the plurality of processes to access an object of the plurality of objects only if a security descriptor for the object has a desktop identifier that is the same as a desktop identifier in an access token for the process, the security descriptor including the desktop identifier, an owner identifier that identifies the process that created the object, and an access control list.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Users can create multiple different desktops for themselves and easily switch between these desktops. These multiple desktops are “walled off” from one another, limiting the ability of processes and other subjects in one desktop from accessing objects, such as data files or other processes, in another desktop. According to one aspect, each time a process is launched it is associated with the desktop that it is launched in. Similarly, objects, such as data files or resources, are associated with the same desktop as the process that created them. The operating system allows a process to access only those objects that are either associated with the same desktop as the process or associated with no desktop.

135 Citations

41 Claims

1. One or more computer-readable media having stored thereon a computer program that, when executed by one or more processors, causes the one or more processors to perform functions including:
- maintaining a plurality of desktops corresponding to a user;
  
  associating each of a plurality of objects with at least one of the plurality of desktops;
  
  associating each of a plurality of processes with at least one of the plurality of desktops; and
  
  allowing each of the plurality of processes to access an object of the plurality of objects only if a security descriptor for the object has a desktop identifier that is the same as a desktop identifier in an access token for the process, the security descriptor including the desktop identifier, an owner identifier that identifies the process that created the object, and an access control list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. One or more computer-readable media as recited in claim 1, wherein the allowing comprises allowing each of the plurality of processes to perform read accesses to the object.
  - 3. One or more computer-readable media as recited in claim 1, wherein the allowing comprises allowing each of the plurality of processes to perform write accesses to the object.
  - 4. One or more computer-readable media as recited in claim 1, wherein the computer program further causes the one or more processors to perform functions including:
    - receiving a request from one of the plurality of processes to access a network address;
      
      checking whether access to the network address by the desktop that the process is associated with is permitted; and
      
      permitting access to the network address by the process if access to the network address by the desktop that the process is associated with is permitted, otherwise denying access to the network address by the process.
  - 5. One or more computer-readable media as recited in claim 1, wherein each of the plurality of objects comprises one of:
    - a file, a communications endpoint, a process, or a thread.
  - 6. One or more computer-readable media as recited in claim 1, wherein the computer program comprises an operating system.
  - 7. One or more computer-readable media as recited in claim 1, wherein:
    - the associating each of the plurality of objects with at least one of the plurality of desktops comprises adding to the security descriptor, for each of the plurality of objects, at least one desktop identifier identifying the at least one of the plurality of desktops;
      
      the associating each of the plurality of processes with at least one of the plurality of desktops comprises adding to a process token, for each of the plurality of processes, at least one desktop identifier identifying the at least one of the plurality of desktops; and
      
      the allowing comprises allowing each of the plurality of processes to access one of the objects of the plurality of objects only if the process has a desktop identifier in the process token for the process that is the same as a desktop identifier in the security descriptor for the one object.
  - 8. One or more computer-readable media as recited in claim 1, wherein the associating each of the plurality of objects comprises:
    - for each object adding, to the security descriptor corresponding to the object, the desktop identifier identifying the desktop of the plurality of desktops to which the object is associated.
  - 9. One or more computer-readable media as recited in claim 8, wherein the adding comprises adding the desktop identifier to the security descriptor when the object is created.
  - 10. One or more computer-readable media as recited in claim 8, wherein the associating each of the plurality of objects further comprises:
    - for each object adding, to the security descriptor corresponding to the object, a flag indicating whether the object is associated with any of the plurality of desktops.
  - 11. One or more computer-readable media as recited in claim 1, wherein the associating each of the plurality of processes comprises:
    - for each process adding, to the access token corresponding to the process, the desktop identifier identifying the desktop of the plurality of desktops to which the process is associated.
  - 12. One or more computer-readable media as recited in claim 11, wherein the adding comprises adding the desktop identifier to the access token when the process is launched.
  - 13. One or more computer-readable media as recited in claim 1, wherein the computer program further causes the one or more processors to perform functions including receiving a request from one of the plurality of processes to associate one of the plurality of objects with the same desktop as the process is associated with.
  - 14. One or more computer-readable media as recited in claim 13, wherein the computer program further causes the one or more processors to perform functions including:
    - querying the user as to whether it is acceptable to associate the one of the plurality of objects with the same desktop as the process is associated with;
      
      receiving a response from the user indicating whether it is acceptable to associate the one of the plurality of objects with the same desktop as the process is associated with; and
      
      associating the one of the plurality of objects with the same desktop as the process is associated with if the response indicates it is acceptable to associate the one of the plurality of objects with the same desktop as the process is associated with, and otherwise not associating the one of the plurality of objects with the same desktop as the process is associated with.

15. A method comprising:
- maintaining a record of a plurality of desktops corresponding to a user and, for each of the plurality of desktops, a set of objects that corresponds to the desktop; and
  
  for each of a plurality of subjects;
  
  checking whether an object to be accessed by the subject is confined to one of the plurality of desktops, andif the object is confined to one of the plurality of desktops, then checking whether the object corresponds to the same desktop as the subject based on a desktop identifier that identifies the desktop that corresponds to the object and that is included in a security descriptor for the object along with an owner identifier that identifies the owner of the object and an access control list for the object, and allowing the subject to access the object only if the object corresponds to the same desktop as the subject.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. A method as recited in claim 15, wherein an object of the set of objects corresponds to multiple desktops of the plurality of desktops.
  - 17. A method as recited in claim 15, wherein the allowing comprises:
    - checking, in response to a request from the subject to access an object of the set of objects, whether the subject and the object correspond to the same desktop; and
      
      allowing the subject to access the object if the subject and the object correspond to the same desktop, otherwise prohibiting the subject from accessing the object.
  - 18. A method as recited in claim 15, wherein the maintaining comprises maintaining a security descriptor for each object of the set of objects and including the desktop identifier in the security descriptor of the desktop to which the object corresponds.
  - 19. A method as recited in claim 15, wherein each object in the set of objects comprises one or more of:
    - a file, a communications endpoint, a process, or a thread.
  - 20. A method as recited in claim 15, further comprising:
    - receiving a request from one of the plurality of subjects to access a network address;
      
      checking whether access to the network address by the desktop that the subject corresponds to is permitted; and
      
      allowing the subject to access the network address if access to the network address by the desktop that the subject corresponds to is permitted, otherwise denying access to the network address by the subject.
  - 21. A method as recited in claim 15, wherein each of the plurality of subjects comprises one of a process or a thread.
  - 22. A method as recited in claim 15, wherein the checking whether an object to be accessed by the subject is confined to one of the plurality of desktops comprises checking whether a confinement flag corresponding to the object is set.

23. A method comprising:
- allowing a plurality of processes to be launched from a plurality of desktops;
  
  identifying, when a user logs on to a computer, the plurality of desktops corresponding to the user; and
  
  for each process of the plurality of processes,checking whether the process is associated with the one of the plurality of desktops that the process was launched from,preventing the process from accessing an object if the object is associated with one of the plurality of desktops but is not associated with the desktop the process was launched from, andcomparing an access token of the process with an access control list of a security descriptor of the object only if the process is not associated with any of the plurality of desktops or if the process is associated with the one of the plurality of desktops that the process was launched from.
- View Dependent Claims (24, 25, 26)
- - 24. A method as recited in claim 23, further comprising:
    - receiving a request from the user to create an additional desktop;
      
      creating the additional desktop; and
      
      preventing a process launched from the additional desktop from accessing an object if the object is associated with one of the plurality of desktops but is not associated with the additional desktop.
  - 25. At least one computer-readable memory containing a computer program that is executable by a processor to perform the method recited in claim 23.
  - 26. A method as recited in claim 23, wherein the object comprises one of:
    - a file, a communications endpoint, a process, or a thread.

27. An apparatus comprising:
- a bus;
  
  a processor coupled to the bus; and
  
  a memory, coupled to the bus, to store a plurality of instructions that are executed by the processor, wherein the plurality of instructions, when executed, cause the processor to,identify which of a plurality of objects are associated with which of a plurality of desktops,identify which of a plurality of processes are associated with which of the plurality of desktops, andrestrict, based on desktop identifiers of the plurality of processes and desktop identifiers of the plurality of objects, the plurality of processes to accessing only objects which are either associated with the same desktop as the process or associated with no desktop, the desktop identifiers of the plurality of objects being included in security descriptors for the plurality of objects along with owner identifiers that identify owners of the plurality of objects and access control lists of the objects.
- View Dependent Claims (28, 29, 30, 31)
- - 28. An apparatus as recited in claim 27, wherein the plurality of instructions, when executed, further cause the processor to receive a request from one of the plurality of processes to change the association of one of the plurality of objects so that the object is associated with the same desktop as the process.
  - 29. An apparatus as recited in claim 28, wherein the plurality of instructions, when executed, further cause the processor to:
    - receive an indication from a user whether it is acceptable to the user to change the association of the object; and
      
      in accordance with the indication, either change the association of the object or leave the association of the object unchanged.
  - 30. An apparatus as recited in claim 27, wherein the plurality of instructions, when executed, further cause the processor to restrict the plurality of processes to accessing computers over a network by using a plurality of network address restrictions corresponding to the plurality of desktops.
  - 31. An apparatus as recited in claim 30, wherein the plurality of instructions, when executed, further cause the processor to maintain a record of network address restrictions corresponding to each of the plurality of desktops.

32. A computer-readable storage medium comprising computer-executable instructions that implement an interface method, the interface method performing a function comprising:
- checking which of a plurality of desktops corresponding to a user is associated with an identified object, the checking being based at least in part on a desktop identifier included in a security descriptor of the identified object along with an owner identifier of the object and an access control list of the object.
- View Dependent Claims (33, 34, 35)
- - 33. A computer-readable storage medium as recited in claim 32, the interface method further performing a function comprising returning an indication of the desktop that is associated with the identified object.
  - 34. A computer-readable storage medium as recited in claim 32, the computer-executable instructions further implementing an interface method performing a function comprising:
    - associating an identified object with a same desktop as a process that requested the associating occur.
  - 35. A computer-readable storage medium as recited in claim 32, wherein the object comprises one of:
    - a file, a communications endpoint, a process, or a thread.

36. In a computer system having a graphical user interface including a display and a user interface selection device, a method comprising:
- limiting access to a plurality of objects in the computer system based on desktop identifiers of the plurality of objects, the desktop identifiers being included in security descriptors of the plurality of objects along with owner identifiers that identify owners of the plurality of objects and access control lists of the objects;
  
  displaying a set of desktops corresponding to a user;
  
  receiving a selection of one of the set of desktops from the user; and
  
  changing the access to the plurality of objects based on the selected desktop.

37. One or more computer-readable media having stored thereon a computer program that, when executed by one or more processors, causes the one or more processors to:
- maintain a record of a plurality of desktops corresponding to a user and, for each of the plurality of desktops, a set of objects that corresponds to the desktop; and
  
  for each of a plurality of subjects;
  
  check whether an object to be accessed by the subject is confined to one of the plurality of desktops, andif the object is confined to one of the plurality of desktops, then check whether the object corresponds to the same desktop as the subject based on a desktop identifier that identifies the desktop that corresponds to the object and that is included in a security descriptor for the object along with an owner identifier that identifies the owner of the object and an access control list for the object, and allow the subject to access the object only if the object corresponds to the same desktop as the subject.
- View Dependent Claims (38, 39, 40, 41)
- - 38. One or more computer-readable media as recited in claim 37, wherein to check whether an object to be accessed by the subject is confined to one of the plurality of desktops is to check whether a confinement flag corresponding to the object is set.
  - 39. One or more computer-readable media as recited in claim 37, wherein to allow the subject to access the object only if the object corresponds to the same desktop as the subject is to:
    - check, in response to a request from the subject to access an object of the set of objects, whether the subject and the object correspond to the same desktop; and
      
      allow the subject to access the object if the subject and the object correspond to the same desktop, otherwise prohibit the subject from accessing the object.
  - 40. One or more computer-readable media as recited in claim 37, wherein each object in the set of objects comprises one or more of:
    - a file, a communications endpoint, a process, or a thread.
  - 41. One or more computer-readable media as recited in claim 37, wherein each of the plurality of subjects comprise one of a process or a thread.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Simon, Daniel R., Balfanz, Dirk
Primary Examiner(s)
Barrón, Jr.; Gilberto
Assistant Examiner(s)
Lipman; Jacob

Application Number

US09/524,124
Time in Patent Office

2,682 Days
Field of Search

713/200, 713/167, 709/224, 726 16- 21
US Class Current

726/16
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/60   Protecting data

G06F 9/543   User-generated data transfe...

Enhancing computer system security via multiple user desktops

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

135 Citations

41 Claims

Specification

Use Cases

Quick Links

Others

Enhancing computer system security via multiple user desktops

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

41 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others