Secure privilege elevation by way of secure desktop on computing device

US 7,832,004 B2
Filed: 08/10/2006
Issued: 11/09/2010
Est. Priority Date: 08/10/2006
Status: Active Grant

First Claim

Patent Images

1. A method with regard to a computing device having a user desktop on which a relatively less-secure user application is executed during normal operation of the computing device, and also having a secure desktop instantiated as a system level process by the operating system and having a security level elevated from a security level of the user desktop on which a relatively more-secure secure application is executed upon a request thereto from the user application, the method for securely collecting information from a user at the computing device with regard to the secure application at the secure desktop, and comprising:

accessing the secure desktop using an access interface executing on the secure desktop of the computing device to securely collect the information from the user;

receiving the request from the user application on the user desktop and in response thereto generating a background display image including a visual representation of the user application;

visually presenting the access interface on the secure desktop in conjunction with the requesting user application of the user desktop such that the access interface is visually coupled to the requesting user application and is visually perceived by the user along with such requesting user application, further comprising;

automatically switching the computing device from the user desktop to the secure desktop after the background display image has been generated; and

after switching to a secure desktop;

executing the access interface on the secure desktop and in conjunction therewith securely displaying a visual representation of the access interface in a foreground on the secure desktop on the monitor, the visual representation of the access interface including one or more prompts for securely collecting the information from the user, whereby the visual representation of the access interface is in the foreground of the monitor and the visual representation of the requesting user application is in the background display image in the background of the monitor such that the access interface is visually coupled to the requesting user application and is visually perceived by the user along with such requesting user application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device has a user desktop on which a relatively less-secure user application is executed and a secure desktop elevated from the user desktop on which a relatively more-secure secure application is executed upon a request thereto from the user application. To securely collect information from a user at the computer device with regard to the secure application at the secure desktop, an access interface is securely executed on the secure desktop and is visually presented in conjunction with the requesting user application of the user desktop such that the access interface is visually coupled to the requesting user application and is visually perceived by the user along with such requesting user application.

27 Citations

View as Search Results

14 Claims

1. A method with regard to a computing device having a user desktop on which a relatively less-secure user application is executed during normal operation of the computing device, and also having a secure desktop instantiated as a system level process by the operating system and having a security level elevated from a security level of the user desktop on which a relatively more-secure secure application is executed upon a request thereto from the user application, the method for securely collecting information from a user at the computing device with regard to the secure application at the secure desktop, and comprising:
- accessing the secure desktop using an access interface executing on the secure desktop of the computing device to securely collect the information from the user;
  
  receiving the request from the user application on the user desktop and in response thereto generating a background display image including a visual representation of the user application;
  
  visually presenting the access interface on the secure desktop in conjunction with the requesting user application of the user desktop such that the access interface is visually coupled to the requesting user application and is visually perceived by the user along with such requesting user application, further comprising;
  
  automatically switching the computing device from the user desktop to the secure desktop after the background display image has been generated; and
  
  after switching to a secure desktop;
  
  executing the access interface on the secure desktop and in conjunction therewith securely displaying a visual representation of the access interface in a foreground on the secure desktop on the monitor, the visual representation of the access interface including one or more prompts for securely collecting the information from the user, whereby the visual representation of the access interface is in the foreground of the monitor and the visual representation of the requesting user application is in the background display image in the background of the monitor such that the access interface is visually coupled to the requesting user application and is visually perceived by the user along with such requesting user application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 for securely collecting information from the user at the computing device including collecting information for one of setting a password, setting a security setting, performing an access decision, receiving sensitive information, accessing a cryptographic key, determining policy for a sensitive manner, and assigning a privilege to a user or an application.
  - 3. The method of claim 1 for securely collecting information from the user at the computing device including collecting information including at least one of a credential and a confirmatory selection.
  - 4. The method of claim 1 wherein generating the background display image includes obtaining a visual image of the user desktop including the visual representation of the user application and producing the background display image based on the obtained visual image.
  - 5. The method of claim 4 wherein generating the background display image includes obtaining a visual image of the user desktop substantially contemporaneously with respect to the request from the user application.
  - 6. The method of claim 4 wherein the visual image of the user desktop includes the visual representation of the user application and other elements, and wherein producing the background display image based on the obtained visual image comprises emphasizing the visual representation of the user application in the obtained visual image and de-emphasizing the other elements of such obtained visual image.
  - 7. The method of claim 6 wherein emphasizing the visual representation of the user application in the obtained visual image comprises brightening the visual representation.
  - 8. The method of claim 6 wherein de-emphasizing the other elements of the obtained visual image comprises at least one of dimming the other elements and graying the other elements.
  - 9. The method of claim 1 comprising employing the generated background display image as the background of the secure desktop on the monitor such that items in the background are for display only and cannot be selected, executed, or operated on.
  - 10. The method of claim 1 further comprising the user securely providing the information to be collected by way of the visual representation of the access interface, and the secure application on the secure desktop acting upon the provided information.
  - 11. The method of claim 1 wherein the information to be collected from the user includes a permission to effectuate a change by way of the secure application, the method further comprising the user securely providing the permission by way of the visual representation of the access interface, and the secure application on the secure desktop effectuating the change only after the user securely provides the permission by way of the visual representation of the access interface.
  - 12. The method of claim 1 further comprising the user securely providing the information to be collected by way of the access interface, and the secure application on the secure desktop acting upon the provided information.
  - 13. The method of claim 1 wherein the information to be collected from the user includes a permission to effectuate a change by way of the secure application, the method further comprising the user securely providing the permission by way of the access interface, and the secure application on the secure desktop effectuating the change only after the user securely provides the permission by way of the access interface.
  - 14. The method of claim 1 further comprising the access interface responding to the requesting user application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Perlin, Eric C., Scallen, Stephen F., Iskin, Sermet, Schwartz, Jonathan D., Hong, James H.
Primary Examiner(s)
Truong; Thanhnga B

Application Number

US11/502,813
Publication Number

US 20080040797A1
Time in Patent Office

1,552 Days
Field of Search

726/19, 726/18, 726/5, 726 27- 30, 726 16- 17, 713/183, 713/167, 709/229
US Class Current

726/19
CPC Class Codes

G06F 21/74 operating in dual or compar...

Secure privilege elevation by way of secure desktop on computing device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Secure privilege elevation by way of secure desktop on computing device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links