Dynamic remediation of a client computer seeking access to a network with a quarantine enforcement policy

US 7,827,545 B2
Filed: 12/15/2005
Issued: 11/02/2010
Est. Priority Date: 12/15/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of operating a computer system according to a quarantine enforcement policy, the computer system having a client, a first server and a second server, the method comprising:

determining, by the client, at least two statuses selected from a group including a status of antivirus software executing on the client, a status of antispyware software executing on the client, a status of firewall software executing on the client, and a status of patches of operating system software on the client,aggregating, by the client computer, the determined at least two statuses,sending from the client to the first server a request for access to a managed network, the request for access comprising status information including information about the aggregated at least two statuses concerning the client;

receiving at the client a communication from the first server, the communication including information for displaying to a user, the information including information regarding the quarantine enforcement policy and a first link capable of being activated by the user to cause instructions for downloading to be displayed to the user, the information regarding the quarantine enforcement policy including information regarding one or more aspects of the quarantine enforcement policy with which at least one of the at least two statuses is not in compliance, wherein, when the quarantine enforcement policy allows a quarantined client restricted access to the managed network, receiving at the client the communication from the first server notifies the client that the client is granted restricted access to the managed network for a period of time;

displaying, by the client to the user, the information included in the communication from the first server; and

using an address of the second server included in the communication from the first server, in response to the user activating the first link, to download computer-executable instructions or data to qualify the client for access to the managed network in accordance with the quarantine enforcement policy, wherein when the client is granted restricted access and the client does not qualify for access to the managed network in accordance with the quarantine enforcement policy by the end of the period of time, the restricted access is revoked.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network in which remediation is provided to keep protective software in network clients up-to-date. As network clients connect to an access control server, the clients provide status information concerning their protective software. The access server determines whether the clients comply with a quarantine enforcement policy. Clients that comply with the policy are granted access to the network. Those that do not comply with the quarantine enforcement policy are either denied access or given limited access to the network for purposes of remediation. When the access control server denies access to a client, it determines remediation steps required to bring the client into compliance with the quarantine enforcement policy. This remediation information is communicated to the client to facilitate remediation of the client on either an automated or a manual basis. The remediation information may be communicated in the form of an address from which the client may obtain software updates, executable software, human-usable information or both remediation information.

Citations

20 Claims

1. A computer-implemented method of operating a computer system according to a quarantine enforcement policy, the computer system having a client, a first server and a second server, the method comprising:
- determining, by the client, at least two statuses selected from a group including a status of antivirus software executing on the client, a status of antispyware software executing on the client, a status of firewall software executing on the client, and a status of patches of operating system software on the client,aggregating, by the client computer, the determined at least two statuses,sending from the client to the first server a request for access to a managed network, the request for access comprising status information including information about the aggregated at least two statuses concerning the client;
  
  receiving at the client a communication from the first server, the communication including information for displaying to a user, the information including information regarding the quarantine enforcement policy and a first link capable of being activated by the user to cause instructions for downloading to be displayed to the user, the information regarding the quarantine enforcement policy including information regarding one or more aspects of the quarantine enforcement policy with which at least one of the at least two statuses is not in compliance, wherein, when the quarantine enforcement policy allows a quarantined client restricted access to the managed network, receiving at the client the communication from the first server notifies the client that the client is granted restricted access to the managed network for a period of time;
  
  displaying, by the client to the user, the information included in the communication from the first server; and
  
  using an address of the second server included in the communication from the first server, in response to the user activating the first link, to download computer-executable instructions or data to qualify the client for access to the managed network in accordance with the quarantine enforcement policy, wherein when the client is granted restricted access and the client does not qualify for access to the managed network in accordance with the quarantine enforcement policy by the end of the period of time, the restricted access is revoked.
- View Dependent Claims (2, 3, 4, 5, 6, 19)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving, from the user, input controlling a modification of a configuration of protective software within the client.
  - 3. The computer-implemented method of claim 1, wherein using the address of the second server to download computer-executable instructions or data further comprises downloading a computer-executable script.
  - 4. The computer-implemented method of claim 3, wherein the method further comprises:
    - executing the script; and
      
      receiving user input as the script executes.
  - 5. The computer-implemented method of claim 1, wherein using the address of the second server to download computer-executable instructions or data further comprises accessing the second server to download a software update.
  - 6. The computer-implemented method of claim 5, further comprising:
    - installing the software update; and
      
      sending from the client to the first server a second request for access to the managed network, the second request for access comprising second status information concerning the client, the second status information reflecting the installed software update.
  - 19. The computer-implemented method of claim 1, wherein:
    - the information included in the communication from the first server includes a second link capable of being activated by the user for requesting assistance via an email message.

7. A computer-readable medium adapted for use on a client computer, the computer-readable medium having computer-executable instructions for performing steps comprising:
- determining, by each one of a plurality of agents executing on the client computer, a respective specific type of status information;
  
  aggregating, on the client computer, the respective specific types of status information;
  
  generating, by the client computer, a request for access to a network implementing a quarantine enforcement policy, the request for access including information on the aggregated respective specific types of status information of the client computer;
  
  receiving, by the client computer, a response to the request for access, the response including an aspect of the quarantine enforcement policy with which at least one of the respective types of status information is not in compliance, wherein, when the quarantine enforcement policy allows a quarantined client restricted access to the network, receiving, by the client computer, the response notifies the client computer that the client computer is granted restricted access to the network for a period of time; and
  
  performing, by the client computer, a remediation action, the remediation action selected based on information in the response, and the remediation action comprising using remediation information communicated in conjunction with the response to do at least one of;
  
  i) automatically obtain updates for protective software;
  
  ii) display information to a human user; and
  
  iii) obtain a computer-executable script,wherein when the client computer is granted restricted access and the client computer does not qualify for access to the network by the end of the period of time, the restricted access is revoked.
- View Dependent Claims (8, 9, 10, 11, 20)
- - 8. The computer-readable medium of claim 7, wherein the computer executable instructions further comprise a web browser and performing a remediation action comprises displaying information obtained from a web page specified in the remediation information to a human user using the web browser.
  - 9. The computer-readable medium of claim 8, wherein displaying information obtained from the web page comprises displaying a link to at least one fourth web page.
  - 10. The computer-readable medium of claim 8, wherein displaying information obtained from the web page comprises displaying information describing the quarantine enforcement policy.
  - 11. The computer-readable medium of claim 7, wherein performing a remediation action comprises selectively displaying information to a human user when automatic updates for the client computer cannot be obtained.
  - 20. The computer-readable medium of claim 7, wherein determining a respective specific type of status information further comprises:
    - determining, by the client computer, at least two statuses selected from a group including a status of antivirus software executing on the client computer, a status of antispyware software executing on the client computer, a status of firewall software executing on the client computer, and a status of patches of operating system software within the client computer.

12. A computer-implemented method of operating a computer system according to a quarantine enforcement policy, the computer system having a client, a first server and a second server, the method comprising:
- receiving, at the first server, status information originating from the client, the status information including information about at least two statuses selected from a group including a status of antivirus software executing on the client, a status of antispyware software executing on the client, a status of firewall software executing on the client, and a status of patches of operating system software within the client;
  
  determining, at the first server, whether the client complies with the quarantine enforcement policy;
  
  when the client does not comply with the quarantine enforcement policy, identifying, at the first server, a reason why the client does not comply with the quarantine enforcement policy and, when the quarantine enforcement policy allows a quarantined client restricted access to a managed network, granting to the client restricted access to a managed network for a period of time; and
  
  using, by the first server, the identified reason to select an address of remediation information from a table mapping a rule that forms a portion of the quarantine enforcement policy to an address that includes information on how a client can comply with the rule; and
  
  sending, by the first server, the selected address to the clientwherein when the client is granted restricted access and the client does not comply with the quarantine enforcement policy by the end of the period of time, the restricted access is revoked.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The computer-implemented method of claim 12, wherein the first server is an access control server and receiving status information comprises receiving status information in conjunction with a request for access.
  - 14. The computer-implemented method of claim 12, further comprising, when the first server determines that the client complies with the quarantine enforcement policy, the first server grants the client access to a managed network.
  - 15. The computer-implemented method of claim 14, wherein:
    - sending the address of remediation information comprises sending a URL of a server within the managed network, andthe method further comprises granting the client limited access to the managed network.
  - 16. The computer-implemented method of claim 14, wherein sending the selected address comprises sending a URL for a server outside the managed network.
  - 17. The computer-implemented method of claim 12, further comprising:
    - at the client, downloading software updates using the selected address.
  - 18. The computer-implemented method of claim 12, further comprising:
    - at the client, downloading information describing the quarantine enforcement policy using the selected address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Pickford, Misty Louise, Choe, Calvin Choon-Hwan
Primary Examiner(s)
Zhen; Wei Y
Assistant Examiner(s)
Nguyen; Phillip H

Application Number

US11/304,420
Publication Number

US 20070143392A1
Time in Patent Office

1,783 Days
Field of Search

717168-178, 717/173
US Class Current

717/168
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

H04L 63/101 Access control lists [ACL]

Dynamic remediation of a client computer seeking access to a network with a quarantine enforcement policy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic remediation of a client computer seeking access to a network with a quarantine enforcement policy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links