Method and system of security location discrimination
Abstract
An improved computer network security system and method wherein access to network resources is based on information that includes the location of the connecting user. In general, the less trusted the location of the user, the more the access rights assigned to the user are restricted. A discrimination mechanism and process determines the location of a user with respect to categories of a security policy, such as to distinguish local users, intranet users and dial-up users from one another. Based on information including the location and the user's credentials, an access token is set up that may restrict the user's normal access in accordance with the security policy, such as to not restrict a user's processes beyond the user-based security information in the user's normal access token, while further restricting the same user's access to resources when connecting via a dial-up connection. Restricted tokens are preferably used to implement the location-based discrimination by restricting the security context of users connecting from less trusted locations.
695 Citations
43 Claims
- 1. In a computer network wherein a user may selectively connect to the network from one of a plurality of virtual locations, a method of providing improved network security, comprising the steps of, determining a location from where the user is connecting, selecting an access level for the user from at least two distinct access levels based on criteria including the virtual location, connecting the user to the network, creating a restricted token that has reduced access relative to a parent token, the restricted token derived from the parent token and information including the access level, and determining access of the user to network resources based on information in the restricted token.
- 21. In a computer network wherein a user may selectively connect to the network from one of a plurality of virtual locations, a system for providing improved network security, comprising, a discrimination mechanism configured to determine a virtual location from where the user is connecting and to select an access level from at least two distinct access levels based thereon, a security provider configured to create a restricted token including information from a parent token associated with the user and information including the access level, the restricted token having less access rights relative to the parent token, and an enforcement mechanism configured to determine user access to network resources according to the restricted token.
- 34. In a computer server having files thereon, a method of selectively restricting access to the files, comprising, receiving a request from an entity to access a file, selecting an access level for the entity from at least two distinct access levels based on criteria including the type of entity and a virtual location of the entity, deriving a restricted token from data in a parent access token associated with the entity and data corresponding to the access level, and determining access of the entity to the file based on information in the restricted token versus an access control list associated with the file.
- 42. A computer-readable medium having computer-executable instructions, which, when executed on a computer, perform a method comprising: determining a virtual location from where a remote computer is connecting to a computer network, wherein the remote computer may selectively connect to the computer network from one of a plurality of virtual locations; selecting an access level for the remote computer from at least two distinct access levels based on criteria including the virtual location; connecting the remote computer to the network; creating a restricted token that has reduced access relative to a parent token associated with a user of the remote computer, the restricted token derived from the parent token and information including the access level; and determining access of the remote computer to network resources based on information in the restricted token.
- 43. A computer-readable medium having computer-executable instructions, which, when executed on a computer, perform a method comprising: receiving a request from an entity to access a file of a computer server; selecting an access level for the entity from at least two distinct access levels based on criteria including the type of entity and a virtual location of the entity; deriving a restricted token from data in a parent access token associated with the entity and data corresponding to the access level; and determining access of the entity to the file based on information in the restricted token versus an access control list associated with the file.
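The sequence the abstract and claims 1, 34, 42 and 43 describe (discriminate the connecting location, select an access level from the policy, derive a restricted token from the parent token and that level, then evaluate the request against the resource's ACL) as an added Python model. This is example code written for this page, not code from the patent or its assignee. The policy table, the address-prefix discrimination, the `S-RESTRICTED` marker SID and the sample user and ACLs are all constructed; the two-pass check, in which a restricted token must pass the ACL against its normal SIDs and again against its restricting SIDs, is modelled on Windows restricted-token semantics and is an assumption of the example, not a detail the page states.

```python
from dataclasses import dataclass
from enum import Enum

# Added example, not code from the patent: a toy model of location-based
# access discrimination implemented with restricted tokens.


class Location(Enum):
    LOCAL = "local"        # console / loopback
    INTRANET = "intranet"  # internal address space
    DIALUP = "dialup"      # remote access, least trusted


class AccessLevel(Enum):
    FULL = 0
    REDUCED = 1
    MINIMAL = 2


# Security policy (constructed): the less trusted the location, the lower the level.
POLICY = {
    Location.LOCAL: AccessLevel.FULL,
    Location.INTRANET: AccessLevel.REDUCED,
    Location.DIALUP: AccessLevel.MINIMAL,
}

# Marker SID (constructed) placed in the restricting list of every restricted token;
# an ACL must grant rights to it (or to the user directly) for access to succeed.
RESTRICTED_SID = "S-RESTRICTED"


@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset
    privileges: frozenset
    level: AccessLevel = AccessLevel.FULL
    # Empty for a normal token. For a restricted token the access check must also
    # pass against these SIDs alone (assumption modelled on Windows restricted tokens).
    restricting_sids: frozenset = frozenset()

    @property
    def sids(self) -> frozenset:
        return frozenset({self.user}) | self.groups


def discriminate_location(source_address: str) -> Location:
    """Toy discrimination mechanism keyed on the client's source address."""
    if source_address.startswith("127."):
        return Location.LOCAL
    if source_address.startswith("10."):
        return Location.INTRANET
    return Location.DIALUP


def create_restricted_token(parent: Token, level: AccessLevel) -> Token:
    """Derive a token with reduced access from the parent token and the access level."""
    if level is AccessLevel.FULL:
        return parent  # trusted location: the normal token is used unchanged
    if level is AccessLevel.REDUCED:
        # Intranet: keep group memberships, drop sensitive privileges, and require that
        # the resource grants rights to the user directly or to the restricted marker.
        return Token(parent.user, parent.groups,
                     parent.privileges - {"shutdown", "backup"},
                     level, frozenset({parent.user, RESTRICTED_SID}))
    # Dial-up: no privileges, and only ACL entries for the marker count in the second pass.
    return Token(parent.user, parent.groups, frozenset(), level,
                 frozenset({RESTRICTED_SID}))


def granted_rights(sids: frozenset, acl: dict) -> frozenset:
    """Union of the allow entries whose SID is in `sids` (allow-only ACL model)."""
    rights = set()
    for sid, allowed in acl.items():
        if sid in sids:
            rights |= allowed
    return frozenset(rights)


def access_check(token: Token, acl: dict, requested: frozenset) -> bool:
    """Enforcement: requested rights must be granted to the token's normal SIDs and,
    for a restricted token, to its restricting SIDs as well."""
    effective = granted_rights(token.sids, acl)
    if token.restricting_sids:
        effective &= granted_rights(token.restricting_sids, acl)
    return requested <= effective


def request_access(parent: Token, source_address: str, acl: dict,
                   requested: frozenset) -> bool:
    """The whole claimed sequence: discriminate, select level, derive token, enforce."""
    location = discriminate_location(source_address)
    level = POLICY[location]
    token = create_restricted_token(parent, level)
    return access_check(token, acl, requested)


# Constructed sample data: one user, three files with different ACLs.
ALICE = Token("alice", frozenset({"Finance", "Everyone"}), frozenset({"shutdown", "backup"}))
ACLS = {
    "payroll.xlsx": {"Finance": {"read", "write"}, RESTRICTED_SID: {"read"}},
    "memo.txt": {"Everyone": {"read"}, RESTRICTED_SID: {"read"}},
    "keys.db": {"Finance": {"read", "write"}},  # no entry for restricted tokens
}

if __name__ == "__main__":
    for addr in ("127.0.0.1", "10.1.2.3", "203.0.113.7"):
        for name, acl in ACLS.items():
            for right in ("read", "write"):
                ok = request_access(ALICE, addr, acl, frozenset({right}))
                print(f"{addr:>12} {name:<13} {right:<5} {'allow' if ok else 'deny'}")
```

Running the block prints an allow/deny matrix for the same user from each location: from the console Alice's Finance membership gives her read and write on `payroll.xlsx` and `keys.db`; from the intranet the restricting pass trims `payroll.xlsx` to read and denies `keys.db` entirely because its ACL has no entry a restricted token can satisfy; from dial-up only resources that explicitly grant the marker SID remain readable. The point worth noticing is that the parent token is never modified and the ACLs are never rewritten; the location-dependent restriction lives entirely in the derived token, which is what lets one user hold different effective rights per connection path.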
Specification