System for and methods of controlling user access to applications and/or programs of a computer
First Claim
1. A method for controlling user access to applications, the method comprising:
- setting up a kernel-mode address space in memory;
- identifying that a user is authorized to access the requested application when the user is a member of a select group of users by a hardware processor executing instructions out of the kernel-mode address space set up in the memory;
- receiving a list of required applications that the select group of users are allowed to access from a file, the list of required applications including information that associates one or more users of the select group of users with the required applications, and the file is stored in a user-mode address space;
- storing the information that associates the one or more users of the select group of users with the required applications in a data structure in the kernel-mode address space accessible by a hardware processor when executing program code of an operating system kernel, publishing the required applications to the select group of users by creating one or more shortcuts that identify the required applications;
- receiving a request to access an application of the required applications from a computer operated by the user of the select group of users over a network interface;
- identifying that the user of the select group of users is authorized to access the requested application when the requested application is in the list of required applications, wherein the identifying that the user of the select group of users is authorized to access the requested application includes the hardware processor executing the program code of the operating system kernel to search the data structure stored in the kernel-mode address space;
- accessing the requested application according to a shortcut of the one or more shortcuts, wherein the shortcut of the one or more shortcuts identifies a folder where the requested application resides, the requested application is accessed by the hardware processor executing the program code of the operating system kernel to access an application module stored in the user-mode address space, the user-mode address space is accessible to the required applications, and the application module includes program code that is associated with the requested application; and
- providing access to data associated with the requested application to the computer operated by the authorized user over the network interface.
Abstract
A system includes an application access manager driver and an operating system (OS) kernel module in a kernel-mode address space of an OS. The system also includes application modules, a public application whitelist, a public application whitelist manager, a user/group application whitelist, and a user/group application whitelist manager in a user-mode address space of the OS. A method includes receiving a request to launch an application, calling a “create process” function in the OS kernel module, calling a pre-registered “create process” callback function to the application access manager driver, and determining whether the application is allowed to execute based on whether the application access manager driver identifies the application as an allowable process in either public application whitelist or user/group application whitelist.
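The abstract describes a decision the driver makes at process creation: the image being launched is allowed only if it appears in the public whitelist or in the user/group whitelist, and claim 1 adds that the lists are read from a user-mode file, held in a kernel-side data structure, and published to users as shortcuts pointing at the application's folder. The following is an added user-mode model of that decision logic written for this page; it is not the patent holder's driver code and it does not run in kernel mode. It assumes a JSON layout for the two whitelist files (the page gives no format), constructs sample list contents inline, and normalizes Windows paths case-insensitively so that a differently-cased image path cannot slip past the lookup:

```python
"""User-mode model of the whitelist decision described in the abstract (added example)."""
import json
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, FrozenSet, Iterable

# Constructed sample whitelist files. Assumption: a JSON layout; the patent
# only says the lists come from files stored in the user-mode address space.
PUBLIC_WHITELIST_JSON = r'{"allowed": ["C:\\Windows\\System32\\notepad.exe"]}'
USER_GROUP_WHITELIST_JSON = r'''{
  "groups": {"finance": ["C:\\Apps\\Ledger\\ledger.exe"],
             "engineering": ["C:\\Apps\\IDE\\ide.exe"]},
  "users": {"alice": ["C:\\Apps\\Tools\\diff.exe"]}
}'''


def normalize(path: str) -> str:
    """Canonical, case-insensitive key for a Windows image path.

    Windows file systems are case-insensitive, so the lookup key must be too;
    otherwise "NOTEPAD.EXE" and "notepad.exe" would be treated as different programs.
    """
    return str(PureWindowsPath(path)).casefold()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # which list matched, or why the launch was refused


class AccessManager:
    """Stands in for the driver's kernel-side data structure.

    The file contents are parsed once; every later decision consults only the
    in-memory sets, mirroring the claim's "data structure in the kernel-mode
    address space" rather than re-reading the user-mode file.
    """

    def __init__(self, public: Iterable[str], by_group: Dict[str, Iterable[str]],
                 by_user: Dict[str, Iterable[str]]) -> None:
        self.public: FrozenSet[str] = frozenset(map(normalize, public))
        self.by_group = {g: frozenset(map(normalize, apps)) for g, apps in by_group.items()}
        self.by_user = {u: frozenset(map(normalize, apps)) for u, apps in by_user.items()}

    @classmethod
    def from_files(cls, public_json: str, user_group_json: str) -> "AccessManager":
        pub = json.loads(public_json)
        ug = json.loads(user_group_json)
        return cls(pub.get("allowed", []), ug.get("groups", {}), ug.get("users", {}))

    def required_apps(self, user: str, groups: Iterable[str]) -> FrozenSet[str]:
        """Applications this user may access through their own entry or any group."""
        apps = set(self.by_user.get(user, frozenset()))
        for g in groups:
            apps |= self.by_group.get(g, frozenset())
        return frozenset(apps)

    def publish_shortcuts(self, user: str, groups: Iterable[str]) -> Dict[str, str]:
        """Shortcut name -> folder where the application resides (claim 1, 'publishing')."""
        return {PureWindowsPath(app).name: str(PureWindowsPath(app).parent)
                for app in sorted(self.required_apps(user, groups))}

    def on_create_process(self, image_path: str, user: str,
                          groups: Iterable[str]) -> Decision:
        """The 'create process' callback: allow only if some whitelist names the image."""
        key = normalize(image_path)
        if key in self.public:
            return Decision(True, "public whitelist")
        if key in self.by_user.get(user, frozenset()):
            return Decision(True, f"user whitelist ({user})")
        for g in groups:
            if key in self.by_group.get(g, frozenset()):
                return Decision(True, f"group whitelist ({g})")
        return Decision(False, "not in any whitelist")


if __name__ == "__main__":
    mgr = AccessManager.from_files(PUBLIC_WHITELIST_JSON, USER_GROUP_WHITELIST_JSON)
    print(mgr.publish_shortcuts("alice", ["finance"]))
    print(mgr.on_create_process(r"C:\Apps\Ledger\ledger.exe", "bob", ["engineering"]))
```

The model is default-deny: a launch that matches no list is refused, and group membership is passed in by the caller because in the described system the kernel component only stores the user-to-application associations, not the directory that defines the groups. A real driver would receive the canonical image path from the kernel at process creation; this model takes it as a string and relies on normalize() for the case-insensitive comparison.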
208 Citations
17 Claims
1. A method for controlling user access to applications, the method comprising: (set out in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6.
7. A non-transitory computer readable storage medium having embodied thereon a program executable by a hardware processor to perform a method for controlling user access to applications, the method comprising:
- setting up a kernel-mode address space in memory;
- identifying that a user is authorized to access the requested application when the user is a member of a select group of users by a hardware processor executing instructions out of the kernel-mode address space set up in the memory;
- receiving a list of required applications that the select group of users are allowed to access from a file, the list of required applications including information that associates one or more users of the select group of users with the required applications, and the file is stored in a user-mode address space;
- storing the information that associates the one or more users of the select group of users with the required applications in a data structure in the kernel-mode address space accessible by the hardware processor when executing program code of an operating system kernel, publishing the required applications to the select group of users by creating one or more shortcuts that identify the required applications;
- receiving a request to access an application of the required applications from a computer operated by the user of the select group of users over a network interface;
- identifying that the user of the select group of users is authorized to access the requested application when the requested application is in the list of required applications, wherein the identifying that the user of the select group of users is authorized to access the requested application includes the hardware processor executing the program code of the operating system kernel to search the data structure stored in the kernel-mode address space;
- accessing the requested application according to a shortcut of the one or more shortcuts, wherein the shortcut of the one or more shortcuts identifies a folder where the requested application resides, the requested application is accessed by the hardware processor executing the program code of the operating system kernel to access an application module stored in the user-mode address space, the user-mode address space is accessible to the required applications, and the application module includes program code that is associated with the requested application; and
- providing access to data associated with the requested application to the computer operated by the authorized user over the network interface.
Dependent claims: 8, 9, 10, 11, 12.
13. An apparatus for controlling user access to applications, the apparatus comprising:
- a user-mode data store that stores a file that includes a list of required applications that a select group of users are allowed to access, the list of required applications including information that associates one or more users of the select group of users with the required applications, and the file is stored in a user-mode address space;
- a memory;
- a hardware processor, wherein the hardware processor, executing instructions out of the memory, sets up a kernel-mode address space in the memory, identifies a user as being authorized to access the requested application when the user is a member of the select group of users by the hardware processor executing instructions out of the kernel-mode address space set up in the memory, stores the information that associates the one or more users of the select group of users with the required applications in a data structure in the kernel-mode address space accessible by the hardware processor when executing program code of an operating system kernel, and publishes the required applications to the select group of users by creating one or more shortcuts that identify the required applications; and
- a network interface that receives a request to access an application of the required applications from a computer operated by a user of the select group of users, wherein the hardware processor, executing instructions out of the memory, identifies that the user of the select group of users is authorized to access the requested application when the requested application is in the list of required applications, wherein the identifying that the user of the select group of users is authorized to access the requested application includes the hardware processor executing the program code of the operating system kernel to search the data structure stored in the kernel-mode address space, accesses the requested application according to a shortcut of the one or more shortcuts, the shortcut of the one or more shortcuts identifies a folder where the requested application resides, wherein the requested application is accessed by the hardware processor executing the program code of the operating system kernel to access an application module stored in the user-mode address space, and the application module includes program code that is associated with the requested application, the user-mode address space is accessible to the required applications, and provides access to data associated with the requested application to the computer operated by the authorized user, the data provided over the network interface to the computer operated by the user.
Dependent claims: 14, 15, 16, 17.