System and method for providing private session-based access to a redirected USB device or local device

US 9,319,452 B2
Filed: 04/29/2015
Issued: 04/19/2016
Est. Priority Date: 11/02/2011
Status: Active Grant

First Claim

Patent Images

1. A method for restricting access to a device from a server, the method comprising:

intercepting, at the server, a request to create a symbolic link;

determining that the intercepted request corresponds to a device object associated with a device remote to the server by;

traversing a device stack associated with the device object to identify a lowest bus driver associated with the device object; and

determining, based on the identified bus driver, that the device associated with the device object is remote to the server and connected locally to a client that is remote to the server;

obtaining configuration data of the device;

creating the symbolic link in an object manager namespace of the server based on the configuration data for the device;

creating the symbolic link in a local namespace associated with a first user session if the configuration data of the device indicates that access to the device is to be restricted;

receiving, at the server, a request including the created symbolic link from a second user session;

determining whether the created symbolic link is in a local namespace associated with the second user session or in a global namespace; and

blocking the received request upon determining that the created symbolic link is not in the local namespace associated with the second user session and not in the global namespace.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Restricting access to a device from a server, where the device is remote to the server and is connected locally to a client that is remote to the server, is described. The operations may include facilitating interception, at the server, of a function call to create a symbolic link; facilitating determination that the intercepted function call to create the symbolic link corresponds to a device object associated with the device that is remote to the server and is connected locally to a client that is remote to the server; facilitating obtaining configuration data indicating whether access to the device is to be restricted; and facilitating creation of the symbolic link in a local namespace of an object manager namespace of the server, upon obtaining configuration data indicating that access to the device is to be restricted.

27 Citations

View as Search Results

15 Claims

1. A method for restricting access to a device from a server, the method comprising:
- intercepting, at the server, a request to create a symbolic link;
  
  determining that the intercepted request corresponds to a device object associated with a device remote to the server by;
  
  traversing a device stack associated with the device object to identify a lowest bus driver associated with the device object; and
  
  determining, based on the identified bus driver, that the device associated with the device object is remote to the server and connected locally to a client that is remote to the server;
  
  obtaining configuration data of the device;
  
  creating the symbolic link in an object manager namespace of the server based on the configuration data for the device;
  
  creating the symbolic link in a local namespace associated with a first user session if the configuration data of the device indicates that access to the device is to be restricted;
  
  receiving, at the server, a request including the created symbolic link from a second user session;
  
  determining whether the created symbolic link is in a local namespace associated with the second user session or in a global namespace; and
  
  blocking the received request upon determining that the created symbolic link is not in the local namespace associated with the second user session and not in the global namespace.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein creating the symbolic link in an object manager namespace of the server based on the configuration data for the device comprises:
    - creating the symbolic link in a local namespace of an object manager namespace of the server if the configuration data of the device indicates that access to the device is to be restricted; and
      
      creating the symbolic link in a global namespace of an object manager namespace of the server if the configuration data of the device indicates that access to the device is not to be restricted.
  - 3. The method of claim 2, wherein creating the symbolic link in the local namespace of the object manager namespace of the server comprises creating the symbolic link in a local namespace associated with the client'"'"'s user session on the server.
  - 4. The method of claim 3, further comprising providing secure session-based access to the device using the symbolic link created in the local namespace of the object manager namespace of the server.
  - 5. The method of claim 1, wherein intercepting the request comprises:
    - modifying a system service description table (SSDT) of the server to redirect requests to create symbolic links to an intercept module; and
      
      redirecting the request to create the symbolic link to the intercept module.

6. A non-transitory machine-readable storage medium encoded with instructions executable by one or more processors to perform one or more operations, the one or more operations comprising:
- intercepting, at the server, a request to create a symbolic link;
  
  determining that the intercepted request corresponds to a device object associated with a device remote to the server by;
  
  traversing a device stack associated with the device object to identify a lowest bus driver associated with the device object; and
  
  determining, based on the identified bus driver, that the device associated with the device object is remote to the server and connected locally to a client that is remote to the server;
  
  obtaining configuration data of the device;
  
  creating the symbolic link in an object manager namespace of the server based on the configuration data for the device;
  
  creating the symbolic link in a local namespace associated with a first user session if the configuration data of the device indicates that access to the device is to be restricted;
  
  receiving, at the server, a request including the created symbolic link from a second user session;
  
  determining whether the created symbolic link is in a local namespace associated with the second user session or in a global namespace; and
  
  blocking the received request upon determining that the created symbolic link is not in the local namespace associated with the second user session and not in the global namespace.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The machine-readable storage medium of claim 6, wherein creating the symbolic link in an object manager namespace of the server based on the configuration data for the device comprises:
    - creating the symbolic link in a local namespace of an object manager namespace of the server if the configuration data of the device indicates that access to the device is to be restricted; and
      
      creating the symbolic link in a global namespace of an object manager namespace of the server if the configuration data of the device indicates that access to the device is not to be restricted.
  - 8. The machine-readable storage medium according to claim 7, wherein creating the symbolic link in the local namespace of the object manager namespace of the server comprises creating the symbolic link in a local namespace associated with the client'"'"'s user session on the server.
  - 9. The machine-readable storage medium of claim 7, wherein the one or more operations further comprise providing secure session-based access to the device using the symbolic link created in the local namespace of the object manager namespace of the server.
  - 10. The machine-readable storage medium of claim 6, wherein intercepting the request comprises:
    - modifying a system service description table (SSDT) of the server to redirect requests to create symbolic links to an intercept module; and
      
      redirecting the request to create the symbolic link to the intercept module.

11. A hardware apparatus, comprising:
- a processor; and
  
  a memory encoded with instructions executable by the processor to perform one or more operations comprising;
  
  intercepting, at the server, a request to create a symbolic link;
  
  determining that the intercepted request corresponds to a device object associated with a device remote to the server by;
  
  traversing a device stack associated with the device object to identify a lowest bus driver associated with the device object; and
  
  determining, based on the identified bus driver, that the device associated with the device object is remote to the server and connected locally to a client that is remote to the server;
  
  obtaining configuration data of the device;
  
  creating the symbolic link in an object manager namespace of the server based on the configuration data for the device;
  
  creating the symbolic link in a local namespace associated with a first user session if the configuration data of the device indicates that access to the device is to be restricted;
  
  receiving, at the server, a request including the created symbolic link from a second user session;
  
  determining whether the created symbolic link is in a local namespace associated with the second user session or in a global namespace; and
  
  blocking the received request upon determining that the created symbolic link is not in the local namespace associated with the second user session and not in the global namespace.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The hardware apparatus of claim 11, wherein creating the symbolic link in an object manager namespace of the server based on the configuration data for the device comprises:
    - creating the symbolic link in a local namespace of an object manager namespace of the server if the configuration data of the device indicates that access to the device is to be restricted; and
      
      creating the symbolic link in a global namespace of an object manager namespace of the server if the configuration data of the device indicates that access to the device is not to be restricted.
  - 13. The hardware apparatus of claim 12, wherein creating the symbolic link in the local namespace of the object manager namespace of the server comprises creating the symbolic link in a local namespace associated with the client'"'"'s user session on the server.
  - 14. The hardware apparatus of claim 12, wherein the one or more operations further comprise providing secure session-based access to the device using the symbolic link created in the local namespace of the object manager namespace of the server.
  - 15. The hardware apparatus of claim 11, wherein intercepting the request comprises:
    - modifying a system service description table (SSDT) of the server to redirect requests to create symbolic links to an intercept module; and
      
      redirecting the request to create the symbolic link to the intercept module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Marketing Corporation (Dell Technologies Inc.)
Original Assignee
Wyse Technology L.L.C. (Dell Technologies Inc.)
Inventors
Kaushik, Puneet
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US14/699,849
Publication Number

US 20150244766A1
Time in Patent Office

356 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 3/0601   Interfaces specially adapte...

G06F 3/0622   in relation to access

G06F 3/0664   at device level, e.g. emula...

G06F 3/067   Distributed or networked st...

H04L 41/00   Arrangements for maintenanc...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/59   Providing operational suppo...

System and method for providing private session-based access to a redirected USB device or local device

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing private session-based access to a redirected USB device or local device

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links