Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-04-12
2003-06-24
Hua, Ly V. (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S152000, C713S156000, C713S167000, C713S183000, C705S032000, C705S044000, C705S059000, C705S077000, C380S028000, C380S030000
Reexamination Certificate
active
06584568
ABSTRACT:
MICROFICHE APPENDIX
This application includes by reference the microfiche appendix of U.S. patent application Ser. No. 08/509,688, having 722 frames, and the microfiche appendix of U.S. patent application Ser. No. 08/854,490, having 1070 frames. This application also includes a microfiche appendix of 568 frames. A portion of the disclosure of this patent document contains material which is the subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The invention relates to network administration software. More specifically, the field of the invention is that of network administration software for managing user workstations access to resources on a network.
2. Description of the Related Art
Computer networks are arranged so that a multitude of users can access common network resources. Each user has a workstation, typically a stand alone personal computer which is connected through a suitable communications link to the other computers of the network. The network administrator is a program which runs on the network server or an administrator workstation which coordinates and manages the access and security of the users on the network. The management of users involves allocating and facilitating access to resources such as programs and data files which are needed or desired by particular users. In the process of a user connecting to the network, a network interface program is used to identify, verify, and authorize a network user access to various network resources. The security provisions involve allowing only the appropriate users access to certain programs and data files to maintain the integrity and privacy of the network system.
Networks can be administered by a single operating system running on the components of a network can coordinate desktop and servers, for example a version of the Windows NT operating system by Microsoft Corporation. Alternatively, a combination of single computer operating systems, including both desktop client and server based operating systems, interacting through a communications layer supported by a network operating system, for example a version of the Windows operating system by Microsoft Corporation and a version of the Netware operating system by Novell Corporation. In either situation, first a network user must gain access, or logon, to the computer network and second the network user must gain access to program(s) on the server. A logon interface package termed a GINA (Graphical Identification aNd Authentication) is used to obtain the user name and password from the workstation and assign operating system SIDs (Security Identifiers) to the user's workstation session. For the single operating system, the GINA provides a high level of security, but for the combination of single machine operating systems, a possible security breach may exist between the workstation logon and the network logon.
Desktop administration programs provide each user with an individual view of the user's workstation configuration, the network, and the resources available over the network. Such programs conventionally provide a graphic user interface and operate under several constraints. One constraint involves the transparency of the desktop administration program. Transparency in this context means the ability of a user to ascertain the presence of the program merely from observing the operation of the user's workstation. Ideally, a user should not be able to detect the presence of the desktop administration program. Another constraint involves the underlying operating system of the workstation computer and the network. Ideally, the desktop administration program should not interfere with the operation of any portion of the underlying operating system. The management of individual user preferences also constrains desktop administration programs. Ideally, the user's modifications of a desktop configuration should not corrupt the desktop administration program's management of user desktops. Known desktop replacement or administration programs have difficulties in one or more of these constraints.
In order for the desktop administration program to provide access to a network resource, the desktop user must create an authenticated connection over the network. A Registry program on the workstation sets up and helps to administer the authenticated connection, allowing the desktop user to operate with the network resources. The Registry maintains a list of network resources and identifiers so that the workstation can determine when a network message is intended for the local desktop. Also, the Registry may include access information relating to the user. Conventionally, the operating system is entered as the “primary process” and has precedence over all the other processes in the multi-tasking environment. All other processes are secondary processes, and can be interrupted, terminated, or otherwise controlled by the primary process. For secure communications with network resources, the Registry may include security identifiers (SIDs) such as session encryption keys, passwords, or the like. One potential problem with the aforementioned possible security breach involves corruption and manipulation of the Registry list and the information and codes contained within the Registry list.
What is needed is a desktop administration program which alleviates the above identified constraints, works in concert with the operating system and its standard graphic user interface, and mitigates the risks involved with the possible security breach between the workstation logon and the network logon.
SUMMARY OF THE INVENTION
The present invention is a desktop administration system and method which allows a network administrator to remotely create, protect, and manage desktops across a network. The invention operates to fill the gap between the workstation and network logon procedures so that the local user stays within the predefined security profiles. The methodology used involves the program of the present invention installing itself as the controlling process invoked by the workstation and preventing any other process from gaining control of the user terminal. The invention then provides a graphic user interface to construct user desktops, apply restriction options, maintain transaction logs, and password protect any object accessible from the user workstation. The invention allows these functions without altering how a user works on the desktop, or the capacities of the underlying operating system or network.
Each workstation includes a personal desktop facility (PDF) and a Daemon which protects the user's desktop. The personal desktop facility receives desktop information from the network server and builds a desktop which the user manipulates to invoke local and/or network programs and access local and/or network utilities. The PDF further creates the expected links and interfaces with network resources for the user's profile, while the other programs running on the workstation have no cognition of the change of control. The Daemon serves as an interface for the personal desktop facility by channeling any communication to or from the user or the network, preventing unauthorized transactions at either the workstation or network level.
The personal desktop facility (PDF) provides a graphic user interface using objects that represent collections of programs and data, such as user preferences, default directories, and access privileges. The PDF can create objects, remove objects, and alter object settings. Providing a user with the proper collection of objects with the proper settings creates a workstation tailored to the users needs, thus increasing the efficiency of the user.
The daemon has many tasks, including starting the PDF, enumerating the windows of the graphic user
Dircks Charles E.
Osmann Eric E.
Baker & Daniels
Hua Ly V.
Pinnacle Technology Inc.
LandOfFree
Network provider loop security system and method does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Network provider loop security system and method, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Network provider loop security system and method will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3110947