Managed control of processes including privilege escalation
Abstract
Determining execution rights for a process. A user selects a process for execution. A driver intercepts the execution and communicates with a service or its remote agent. Configuration data is accessed to determine an execution role specifying whether the process should be denied execution or should execute with particular rights to access or modify system resources. The execution role is provided to the driver, and the driver allows or denies execution of the process in accordance with the provided execution role.
20 Claims
1. A method comprising:
- receiving, from a driver executing on a computing device, a request for an execution role of a process selected by a user for execution on the computing device, said user having limited access to system resources and said process having limited access to system resources;
- accessing configuration data relating to the process, said accessed configuration data defining rights for execution of the process;
- determining the rights for the process based on the accessed configuration data;
- accessing privilege data stored in a memory area to retrieve the execution role associated with the process based on the determined rights;
- providing the retrieved execution role to the driver executing on the computing device, wherein the driver considers the provided execution role when determining whether to allow the process to execute on the computing device;
- receiving a request from the user for modification of the provided execution role for the process; and
- modifying the provided execution role based on the determined rights to enable the process greater access to the system resources.

Dependent claims: 2, 3, 4, 5, 6
7. A method comprising:
- storing a local copy of configuration data relating to a plurality of processes, said configuration data indicating whether each of said processes has an administrative execution role or a user execution role associated therewith;
- receiving, from a driver executing on a computing device, a request for an execution role associated with one of the plurality of processes, said one of the plurality of processes being selected by a user for execution on the computing device, said user having limited access to system resources and said one of the plurality of processes having limited access to system resources;
- performing a process lookup for the selected executing process in the stored configuration data, said performing comprising, when the performed process lookup does not yield the selected process, receiving and searching an updated copy of the configuration data;
- determining, based on the searched configuration data, rights for execution of the selected process;
- retrieving, based on the determined rights, the requested execution role for the selected process as either the administrative execution role or the user execution role;
- providing the determined execution role to the driver executing on the computing device, wherein the driver considers the determined execution role when determining whether to allow the selected process to execute according to the provided execution role;
- receiving a request for modification of the determined execution role for the selected process; and
- modifying the determined execution role based on the determined rights to enable the selected process greater access to the system resources.

Dependent claims: 8, 9, 10, 11
12. A system comprising:
- a memory area on a first computing device for storing privilege data relating to a plurality of processes for execution on a second computing device, said privilege data defining access by each of the plurality of processes to resources associated with the second computing device, said privilege data including an execution role for each of the plurality of processes;
- a processor configured on the first computing device to execute computer-executable instructions for:
  - receiving, from a driver executing on the second computing device, a request for an execution role of a particular process to be executed on the second computing device, said particular process being one of the plurality of processes and having limited access to system resources;
  - accessing the privilege data stored in the memory area for the particular process to retrieve the execution role associated therewith;
  - providing the retrieved execution role to the driver executing on the second computing device, wherein the driver considers the provided execution role when determining whether to allow the particular process to execute on the second computing device; and
  - receiving a request from a user for modification of the provided execution role for the process to enable greater access to the system resources associated with the second computing device, said user having limited access to system resources;
  - in response to receiving the request, accessing configuration data relating to the user, the second computing device, and the process, said accessed configuration data defining rights for execution of the process;
  - determining the rights based on the accessed configuration data for the process, said determined rights enabling the process greater access to the system resources; and
  - modifying the provided execution role based on the determined rights.

Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20
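An added example, not taken from the patent: a minimal Python model of the lookup flow in the abstract and claim 7 (local configuration copy, refresh on a miss, role returned to the driver, elevation gated by the configured rights). All names (`RoleService`, `Rights`, `may_elevate`, the sample processes) are hypothetical, and denying a process that is still unknown after the refresh is an assumption the claims do not state.

```python
from dataclasses import dataclass
from enum import Enum

class Role(Enum):
    DENY = "deny"      # driver blocks the launch
    USER = "user"      # runs with the user's limited rights
    ADMIN = "admin"    # runs with administrative rights

@dataclass(frozen=True)
class Rights:
    role: Role          # role returned to the driver by default
    may_elevate: bool   # may a limited user request the admin role?

class RoleService:
    """Hypothetical model of the service the driver queries."""
    def __init__(self, fetch_config):
        self._fetch = fetch_config          # returns the current central configuration
        self._local = dict(fetch_config())  # stored local copy
        self.refreshes = 0
        self.audit = []                     # (user, process, action, role) records

    def _rights(self, process):
        if process not in self._local:      # miss: pull and search an updated copy
            self._local = dict(self._fetch())
            self.refreshes += 1
        return self._local.get(process)

    def execution_role(self, user, process):
        rights = self._rights(process)
        # Assumption: a process absent even after the refresh is denied.
        role = rights.role if rights else Role.DENY
        self.audit.append((user, process, "lookup", role.value))
        return role

    def request_elevation(self, user, process):
        rights = self._rights(process)
        role = rights.role if rights else Role.DENY
        if rights and rights.role is Role.USER and rights.may_elevate:
            role = Role.ADMIN               # rights permit greater access
        self.audit.append((user, process, "elevate", role.value))
        return role

def driver_allows(role):
    """Driver-side decision: launch unless the role says deny."""
    return role is not Role.DENY

# Constructed sample configuration (not from the patent).
CENTRAL = {"backup.exe": Rights(Role.USER, True), "game.exe": Rights(Role.DENY, False)}
```

The `audit` list records every lookup and elevation decision, which is the data a defender would review to spot repeated elevation requests against processes whose rights do not permit them.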
Specification