Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
2000-07-20
2004-08-10
Peeso, Thomas R. (Department: 2132)
C713S152000
active
06775781
ABSTRACT:
TECHNICAL FIELD
This invention relates to the administrative security of an operating system on a computer and/or a computer network appliance.
BACKGROUND
A computer appliance or network appliance is a computing device that is similar in many respects to a general purpose computer. A computer appliance typically has many of the same components that a general purpose computer has such as one or more microprocessors, storage devices, memory, an operating system, and the like. Computer appliances are different, however, because they typically have a fixed function or purpose that does not or cannot vary. Specifically, computer appliances are designed and programmed to implement specific types of functionality.
Many different types of computer appliances are in use today. For example, a server appliance may be designed to implement functions that include file sharing, Internet sharing, print sharing, or some combination of these functions. As another example, a computer appliance may be implemented as a network attached storage device to store and maintain information. Other types of appliances include set top boxes that are used in connection with viewing multimedia presentations on a television, or hardware systems that are designed to control a home security system.
A frequent characteristic of computer appliances is that they do not rely on local user interaction mechanisms such as a display, a keyboard, and/or a mouse input. Computer appliance interaction is functionally different from a general purpose computer that typically does have a display, a keyboard, and a mouse input.
Computer appliances are generally designed to operate in conjunction with computing devices and with other computer appliances in a networked environment. Computer appliance software applications and operating systems are designed to be remotely accessible from a networked computing device so that the operational and administrative functions of a computer appliance can be accessed remotely.
The operational and administrative functions of a computer appliance may vary with the functionality and purpose of the appliance. Such functions include updating and deleting information stored on the computer appliance, formatting the storage media, and accessing a computer appliance's operating system facilities to administratively manage the appliance.
Because the functionalities of computer appliances can vary widely, so too can the adaptation requirements of the software applications and operating systems implemented for use on the appliances. Typically, the software applications for computer appliances are designed, adapted, and/or implemented by parties other than the computer hardware or operating system manufacturers. These parties are referred to herein as original equipment manufacturers (OEMs).
It is desirable that the software applications and operating systems be designed and/or configured to limit a user's access to only those operational and administrative functions of a computer appliance that the OEM intended a user to have access to. Accordingly, operating systems are designed with security in mind to limit a user's access to the operational and administrative functions of a computer appliance. However, the operating system is typically purchased from a software manufacturer and is not designed for the specific purpose being performed by the computer appliance. Accordingly, it is desirable for the operating system to be configurable by the OEM to control various aspects of computer operation.
FIG. 1 illustrates a conventional networked system 100. The system 100 has a network 110 that connects a network domain administrator 112, a client computer 114, multiple computer appliances 116, and a network attached storage device 118 which is a specific implementation of a computer appliance. The client computer 114 is a conventional general purpose computer, configured to serve as a data repository. The multiple computer appliances 116 are implemented to accommodate various functions within the networked system 100 and typically have many of the same components that the client computer 114 has such as one or more microprocessors, storage devices, memory, and an operating system.
Generally, the multiple computer appliances 116 and the network attached storage device 118 do not need to be implemented with user interaction mechanisms such as a display, a keyboard, and/or a mouse input because the devices are accessible via the network 110. The computer appliances 116 and 118 can be accessed by the client computer 114 via the network 110 utilizing well-known technologies such as Telnet and Hypertext Transport Protocol (HTTP).
The network attached storage device 118 is a networked computer appliance having a network interface card 120, volatile memory 122 such as read only memory (ROM) and random access memory (RAM), a mass storage medium 124 such as a hard disk drive, and a processor 126. The processor 126 executes an operating system 128.
In this example, the operating system 128 has a typical operating system security hierarchy 130. The security hierarchy 130 is depicted having a root node security level 132 that is intended to be accessed only by the computer appliance OEM or operating system manufacturer. The security hierarchy 130 has three other levels of security access to the operating system 128: a high security level 134, an intermediate security level 136, and a low security level 138. A user having access privileges to the operating system 128 at the high security level 134 would typically be able to administer and manage the computer appliance's network configuration parameters, delete files, allocate user accounts and access privilege levels to other users, and the like. A user having access privileges to the operating system 128 at the low security level 138 would typically only be able to read information stored on the computer appliance 118. A user having access privileges to the operating system 128 at the intermediate security level 136 would have access to the same aspects of the computer appliance 118 that the user having access to the low security level 138 would have, but the user having access to the intermediate security level 136 would not be able to access the high-level operational and administrative functions that a user having access to the high security level 134 would have.
Conventionally, access privileges to an operating system 128 are top-down, meaning that a user with a high access privilege level will have access to the operating system 128 at the high security level 134 and also at any level below the high security level (e.g., the user will also have access at the intermediate security level 136 and at the low security level 138). Similarly, a network domain administrator 112 typically has high access privilege rights to every computer and device joined to a network, thus having complete access to the network attached storage device 118. In addition, an “administrator” can log on to a client computer such as client computer 114, and thereby gain access to the administrative functionality of a computer appliance under a high security level 134.
FIG. 2 shows a prior art computer appliance 200 that employs a popular method of administrative control. Specifically, administrative control of the computer appliance 200 is performed through a client computer 202, which can comprise any network workstation having an HTML browser 204.
In this example, an administrative user interface 206 is implemented as a plurality of hyperlinked HTML documents 208. Many of these individual documents or pages comprise active content such as Active Server Pages (ASPs), Common Gateway Interface (CGI) or other Web server extensions. ASPs are a commonly used technology in the Internet and HTML environments.
The HTML-based user interface 206 is accessible to the administrative user through a normal HTML browser 204, i.e., different pages of the interfac
Phillips Thomas G.
Sutton Paul C.
Wang Gang
Lee & Hayes PLLC
Microsoft Corporation
Peeso Thomas R.