CN107547480A - Method, apparatus and virtual desktop management system for virtual desktop security control - Google Patents

Info

Publication number: CN107547480A
Authority: CN (China)
Prior art keywords: access device, server, security strategy, data, management node
Legal status: Withdrawn
Application number: CN201610488502.2A
Other languages: Chinese (zh)
Inventors: 许天锡, 陈普
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Events

Application filed by Huawei Technologies Co Ltd
Priority to CN201610488502.2A
Priority to PCT/CN2017/080095 (WO2018000891A1)
Publication of CN107547480A
Withdrawn (current legal status)

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40  Network security protocols

Abstract

The present invention provides a method of virtual desktop security control. A security control policy is preset on a management node; the security control policy includes at least one typical scenario and a security policy corresponding to each typical scenario, where each typical scenario is a combination of a user type, an access device type and a remote desktop type, and each security policy includes at least one security control item. The method includes: receiving a connection request sent by an access device, the connection request being used by the access device to request establishment of a connection with a server; obtaining the user type, access device type and remote desktop type carried in the connection request and comparing them with the typical scenarios in the security control policy, to determine the typical scenario matching the connection request and the security policy corresponding to the matched typical scenario; and sending indication information to the access device according to the determined security policy, the indication information being used to instruct the access device to establish a connection with the server. The information security of enterprise business is thereby improved.

Description

Method, apparatus and virtual desktop management system for virtual desktop security control
Technical field
The present invention relates to the security field, and in particular to a method and apparatus for virtual desktop security control and a virtual desktop management system.
Background technology
With the development of remote desktop and virtualization technology, more and more enterprises choose to use virtual desktops for daily office work, improving the management efficiency of enterprise office resources.
In the prior art, a virtual desktop infrastructure (Virtual Desktop Infrastructure, VDI) mainly includes a virtual desktop management system, servers and access devices. The virtual desktop management system implements the management and control functions for remote access to virtual desktops. Virtualization software deployed on a server forms at least one virtual machine. An administrator can assign servers or virtual machines to users in advance in the virtual desktop management system, with different permissions configurable for each user, and the management system can group multiple assigned servers or virtual machines into a desktop group, through which the operating permissions for remote access to the servers or virtual machines in the group are controlled, for example whether a server or virtual machine is allowed to use peripherals such as Universal Serial Bus (USB) flash drives during the remote connection. Thus, when a user remotely accesses a server or virtual machine, enforcement of the security control policy depends on the user's operating permissions and on the remote access operating permissions allowed by the server or virtual machine. However, as the application scenarios of virtual desktops keep expanding, a permission control relationship only between the user and the servers or virtual machines assigned to that user cannot achieve differentiated control of access security under differentiated access scenarios, and the information security of enterprise business cannot be effectively guaranteed.
Summary of the invention
Embodiments of the invention provide a method and apparatus for virtual desktop security control and a virtual desktop management system. A security control policy can be preset on a management node; the management node compares the user type, access device type and remote desktop type carried in each connection request with the security control policy, determines the typical scenario matching this connection request and the security policy corresponding to the matched typical scenario, and thereby applies differentiated control to different connection requests, improving the information security of enterprise business.
To achieve the above object, the present invention adopts the following technical solutions:
In a first aspect, a method of virtual desktop security control is provided, characterized in that a security control policy is preset on a management node, the security control policy including at least one typical scenario and a security policy corresponding to each of the at least one typical scenario, each of the at least one typical scenario being a combination of a user type, an access device type and a remote desktop type, and each security policy including at least one security control item; the method includes:
the management node receives a connection request sent by an access device, the connection request being used by the access device to request establishment of a connection with a server;
the management node obtains the user type, access device type and remote desktop type carried in the connection request;
the management node compares the user type, access device type and remote desktop type carried in the connection request with the at least one typical scenario in the security control policy, and determines the typical scenario matching the connection request and the security policy corresponding to the matched typical scenario;
the management node sends indication information to the access device according to the determined security policy, the indication information being used to instruct the access device to establish a connection with the server.
Specifically, the administrator may preset the security control policy on the management node of the virtual desktop management system. The security control policy may be preset according to user type, access device type and remote desktop type, and includes trust levels, security policies and typical scenarios. In a specific implementation, the administrator may determine the typical scenarios from user type, access device type and remote desktop type according to the needs of the business scenario; each typical scenario corresponds to one security policy, and each security policy in turn corresponds to one trust level.
Optionally, the security control policy may also be preset according to user type, access device type, remote desktop type and access network environment type.
It should be noted that the security control policy preset by the administrator may be stored in a predefined file or database table on the management node, or in another storage form; the present invention is not restricted in this respect.
Optionally, after presetting the security control policy on the management node, the administrator may add or update trust levels, security policies and typical scenarios according to business needs, so as to adapt to changes in the enterprise's information security requirements. It should be noted that an updated security control policy only takes effect for new connection requests made after the update.
Optionally, if no typical scenario matches after the user type, access device type, access network environment type and remote desktop type carried in the connection request are compared with the preset security control policy, a preset default security policy may be applied.
Those skilled in the art will understand that a virtual desktop is one kind of remote desktop. After the assignment relationship between a user and a virtual machine has been established in the virtual desktop management system, the user may send a request to connect to the virtual machine to the virtual desktop management system from any access device through any type of access network environment, and the trust level takes effect only for this connection request.
From the foregoing, the administrator presets the security control policy on the management node, that is, forms at least one typical scenario from combinations of user type, access device type and remote desktop type, each typical scenario corresponding to one security policy. When a user requests through an access device to establish a connection with a remote desktop, the user type, access device type and remote desktop type carried in this connection request are compared with the typical scenarios in the security control policy to determine the typical scenario matching this connection request and the security policy corresponding to the matched typical scenario, and according to the determined security policy different security control items are applied to the access device and the server. Compared with prior-art security control that relies on the user's operating permissions and the remote access operating permissions allowed by the server or virtual machine, differentiated security control can be applied to connection requests in different scenarios, raising the information security of the virtual desktop infrastructure.
With reference to the possible implementation of the first aspect, in a first possible implementation of the first aspect, the method further includes:
the management node sends the determined security policy to the server, the determined security policy including at least one of collecting GPS data, camera data and microphone data of the access device;
the management node receives access device data sent by the server, the access device data having been obtained by the access device according to the determined security policy after being notified by the server;
the management node saves the access device data.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the access device obtaining the access device data according to the determined security policy specifically includes:
the access device receives the determined security policy sent by the server;
the access device collects the access device data according to the requirements of the determined security policy;
the access device sends the access device data to the server.
With reference to the possible implementation of the first aspect, in a third possible implementation of the first aspect, the method further includes:
the management node sends the determined security policy to the server, the determined security policy including at least one of file system redirection, clipboard redirection and digital watermarking, so that the server, based on the determined security policy:
maps the file system of the server to the access device; or
passes the clipboard content of the server to the access device; or
adds a watermark to the images the server sends to the access device.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the method further includes:
the server sends the determined security policy to the access device, so that the access device, based on the determined security policy:
maps the file system of the access device to the server; or
passes the clipboard content of the access device to the server; or
adds a watermark to the images of the access device.
From the above description, according to the requirements of the security policy matching this connection request, the Global Positioning System (GPS) data, camera data and microphone data of the access device are collected and stored on the management node. Compared with the prior art, collecting and saving the access device data allows periodic security audits of connection requests in the virtual desktop management system, improving enterprise information security. On the other hand, for each connection request different security control items are applied to the access device and the server respectively, which solves the prior-art problem that differentiated control cannot be achieved under different access scenarios and thereby improves the information security of enterprise business.
Optionally, in another possible embodiment of the invention, a score interval is preset for each trust level in the security control policy, and a score is assigned to each type of user type, access device type, access network environment type and remote desktop type carried in the connection request. For example, an access device scores 5 points when it is a mobile device and 10 points when it is a personal computer or thin client; an ordinary user scores 5 points and a special user 10 points; intranet access scores 10 points and extranet access 5 points; an ordinary virtual machine scores 5 points and a special virtual machine 10 points. By obtaining the access information types, the user type, access device type, access network environment type and remote desktop type carried in this connection request are scored, the total score of this connection request is compared with the preset score intervals, the score interval matching this connection request and the security policy corresponding to that score interval are determined, and the security policy is applied to the access device and the server. This method likewise solves the prior-art problem that different connection requests cannot be distinguished for differentiated security control, improving enterprise information security.
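As an added example (not code from the patent), the two policy-selection variants described above in Python: the scenario-table match with the default fallback, and the point-based variant using the per-type scores quoted in the description. The sample policy table, the score intervals and the names `Scene`, `Policy`, `match_policy` and `score_policy` are constructed for illustration; the patent does not specify them.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Security control items named in the description. Collection items are carried
# out on the access device; redirection and watermark items are applied by the
# server (and mirrored by the access device).
DEVICE_SIDE_ITEMS = frozenset({"collect_gps", "collect_camera", "collect_microphone"})
SERVER_SIDE_ITEMS = frozenset({"filesystem_redirect", "clipboard_redirect", "watermark"})


@dataclass(frozen=True)
class Scene:
    """A typical scenario: the triple the management node matches on."""
    user_type: str      # "ordinary" | "special"
    device_type: str    # "pc" | "thin_client" | "mobile"
    desktop_type: str   # "general_vm" | "special_vm"


@dataclass(frozen=True)
class Policy:
    """A security policy: a trust level plus the control items it requires."""
    trust_level: str
    items: FrozenSet[str]

    def split(self) -> Tuple[FrozenSet[str], FrozenSet[str]]:
        """Items the server enforces vs. items the access device must carry out."""
        return self.items & SERVER_SIDE_ITEMS, self.items & DEVICE_SIDE_ITEMS


# Constructed sample policy table (hypothetical values an administrator might preset).
SCENE_POLICIES: Dict[Scene, Policy] = {
    Scene("ordinary", "pc", "general_vm"):
        Policy("high", frozenset({"clipboard_redirect", "filesystem_redirect"})),
    Scene("special", "mobile", "special_vm"):
        Policy("low", frozenset({"collect_gps", "collect_camera", "watermark"})),
}
# Default policy applied when no typical scenario matches (the description allows this).
DEFAULT_POLICY = Policy("default", frozenset({"watermark"}))


def match_policy(request: Dict[str, str],
                 table: Dict[Scene, Policy] = SCENE_POLICIES,
                 default: Policy = DEFAULT_POLICY) -> Policy:
    """Scenario-based variant: exact match on the triple carried in the request."""
    try:
        scene = Scene(request["user_type"], request["device_type"], request["desktop_type"])
    except KeyError as missing:
        # A request that does not carry all three attributes cannot match any scenario.
        raise ValueError(f"connection request lacks attribute {missing}") from None
    return table.get(scene, default)


# Point-based variant. The per-type scores are the ones given in the description.
ATTRIBUTE_SCORES: Dict[str, Dict[str, int]] = {
    "device_type": {"mobile": 5, "pc": 10, "thin_client": 10},
    "user_type": {"ordinary": 5, "special": 10},
    "network_type": {"intranet": 10, "extranet": 5},
    "desktop_type": {"general_vm": 5, "special_vm": 10},
}
# Totals range from 20 to 40. The description leaves the interval per trust level
# to the administrator; these three bands are constructed.
SCORE_BANDS: List[Tuple[range, Policy]] = [
    (range(20, 25), Policy("low", frozenset({"collect_gps", "collect_camera",
                                              "collect_microphone", "watermark"}))),
    (range(25, 35), Policy("medium", frozenset({"watermark", "collect_gps"}))),
    (range(35, 41), Policy("high", frozenset({"clipboard_redirect", "filesystem_redirect"}))),
]


def score_request(request: Dict[str, str]) -> int:
    """Sum the per-attribute scores of a request; reject unknown or missing values."""
    total = 0
    for attribute, table in ATTRIBUTE_SCORES.items():
        value = request.get(attribute)
        if value not in table:
            raise ValueError(f"unknown {attribute!r} value {value!r}")
        total += table[value]
    return total


def score_policy(request: Dict[str, str],
                 bands: List[Tuple[range, Policy]] = SCORE_BANDS,
                 default: Policy = DEFAULT_POLICY) -> Policy:
    """Pick the policy whose preset score interval contains the request's total."""
    total = score_request(request)
    for band, policy in bands:
        if total in band:
            return policy
    return default


if __name__ == "__main__":
    # Constructed connection request: special user, mobile device, extranet, special VM.
    req = {"user_type": "special", "device_type": "mobile",
           "network_type": "extranet", "desktop_type": "special_vm"}
    print(match_policy(req).trust_level, match_policy(req).split())
    print(score_request(req), score_policy(req).trust_level)
```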
It should be understood that in the various embodiments of the invention, the magnitude of the sequence numbers of the above processes does not imply an order of execution; the execution order of each process should be determined by its function and internal logic and should not constitute any limitation on the implementation of the embodiments of the invention.
In summary, in the security control method provided by the embodiments of the invention, a security control policy is preset on the management node, the user type, access device type and remote desktop type carried in each connection request are compared with the preset security control policy, the typical scenario matching this connection request and the security policy corresponding to that typical scenario are determined, and different security policies are applied to the access device and the server of this connection request. Compared with the prior art, this solves the problem that the security of connection requests cannot be controlled differentially under different access scenarios and improves enterprise information security. In addition, according to the requirements of the security policy, access device data such as GPS data, camera data and microphone data are collected on the access device, so that connection requests with a lower trust level in the virtual desktop infrastructure can be security-audited, strengthening the protection of enterprise business information security.
In a second aspect, embodiments of the invention provide a method of virtual desktop security control, the method including:
an access device sends a connection request to a management node, the connection request being used by the access device to request establishment of a connection with a server, so that the management node determines the security policy of the connection request and sends the determined security policy to the server;
the access device receives the determined security policy sent by the server, the determined security policy including at least one of collecting GPS data, camera data and microphone data;
the access device collects access device data according to the requirements of the security policy of the connection request;
the access device sends the access device data to the server.
It should be noted that the camera data or microphone data collected by the access device may be real-time data or data already stored on the access device; furthermore, the collected camera data or microphone data may be a complete piece of data or a part of it; the present invention is not restricted in this respect.
Optionally, when the security policy received by the access device requires access device data to be returned, the access device interface may present a corresponding prompt and decision dialog: if the user chooses to allow collection of access device data, the access device data are returned and the user may continue to complete the operation of logging in to the virtual machine; if the user chooses not to allow collection of access device data, this connection request is interrupted.
With reference to the possible implementation of the second aspect, in a first possible implementation of the second aspect, the determined security policy further includes at least one of file system redirection, clipboard redirection and digital watermarking, and
the access device, based on the security policy of the connection request:
maps the file system of the access device to the server; or
passes the clipboard content of the access device to the server; or
adds a watermark to the images of the access device.
From the above description, the access device can, based on the requirements of the security policy determined by the management node, collect access device data such as GPS data, camera data and microphone data on the access device, so that connection requests with a lower trust level in the virtual desktop infrastructure can be security-audited, improving the information security of enterprise business.
In a third aspect, embodiments of the invention provide a method of virtual desktop security control, the method including:
a server receives a security policy sent by a management node, the security policy including at least one of Global Positioning System data, camera data and microphone data;
the server sends the security policy to the access device, so that the access device collects access device data according to the requirements of the security policy;
the server receives the access device data sent by the access device;
the server sends the access device data to the management node, so that the management node saves the access device data.
With reference to the possible implementation of the third aspect, in a first possible implementation of the third aspect, the security policy further includes at least one of file system redirection, clipboard redirection and digital watermarking, and
the server, based on the security policy:
maps the file system of the server to the access device; or
passes the clipboard content of the server to the access device; or
adds a watermark to the images the server sends to the access device.
From the above description, the server can apply different security control items based on the security policy determined by the management node, send the security policy to the access device, and forward the access device data returned by the access device to the management node, where they are saved. Compared with the prior art, the virtual desktop management system can apply different security policies according to the access information of the access device and store the access device data returned by the access device, making it convenient to later security-audit connection requests with a lower trust level and improving the information security of enterprise business.
In a fourth aspect, the present invention provides a virtual desktop management system, the virtual desktop management system including a server, a management node and an access device:
the management node is configured to preset a security control policy, the security control policy including at least one typical scenario and a security policy corresponding to each of the at least one typical scenario, each of the at least one typical scenario being a combination of a user type, an access device type and a remote desktop type, and each security policy including at least one security control item;
the management node is further configured to: obtain the user type, access device type and remote desktop type carried in the connection request sent by the access device; compare the user type, access device type and remote desktop type carried in the connection request with the at least one typical scenario in the security control policy, and determine the typical scenario matching the connection request and the security policy corresponding to the matched typical scenario; and send indication information to the access device according to the determined security policy, the indication information being used to instruct the access device to establish a connection with the server;
the access device is configured to send a connection request to the management node, the connection request being used by the access device to request establishment of a connection with the server; and is further configured to receive the indication information sent by the management node, the indication information being used to instruct the access device to establish a connection with the server;
the server is configured to establish a connection with the access device according to the indication information.
With reference to the possible implementation of the fourth aspect, in a first possible implementation of the fourth aspect:
the management node is further configured to send the determined security policy to the server, the security policy of the connection request including at least one of collecting GPS data, camera data and microphone data; receive the access device data sent by the server, the access device data having been obtained by the access device according to the requirements of the determined security policy after being notified by the server; and save the access device data;
the server is further configured to receive the determined security policy sent by the management node; send the determined security policy to the virtual machine; and send the access device data to the management node;
the access device is further configured to receive the determined security policy sent by the server; collect the access device data according to the requirements of the determined security policy; and send the access device data to the server.
By presetting the security control policy on the management node, when users request through different access devices to establish connections with the server, the management node can compare the user type, access device type and remote desktop type with the typical scenarios in the security control policy and determine the typical scenario matching this connection request and the security policy corresponding to the matched typical scenario. Compared with the prior art, which controls the security of a connection request only through user or virtual machine operating permissions, this achieves differentiated control of connection requests in different scenarios and strengthens the enterprise's information security protection; on the other hand, according to the requirements of the security policy, access device data such as GPS data, camera data and microphone data are collected on the access device, so that connection requests with a lower trust level in the virtual desktop infrastructure can be security-audited, improving the information security of enterprise business.
In a fifth aspect, the present invention provides a management node including a processor, a memory, a communication interface and a system bus, where the processor, memory and communication interface are connected through the system bus and communicate with one another, the memory stores computer-executable instructions, and when the virtual desktop management system runs, the processor executes the computer-executable instructions in the memory so as to perform, using the hardware resources of the virtual desktop management system, the method described in any one of the first aspect and the first to third possible implementations of the first aspect.
By presetting the security control policy on the management node, when users request through different access devices to establish connections with the server, the management node can match the user type, access device type, access network environment type and remote desktop type carried in the connection request against the preset security control policy and determine the security policy of this connection request. Compared with the prior art, this achieves differentiated control of connection requests in different scenarios and strengthens the enterprise's information security protection; on the other hand, according to the requirements of the security policy, access device data such as GPS data, camera data and microphone data are collected on the access device, so that connection requests with a lower trust level in the virtual desktop infrastructure can be security-audited, improving the information security of enterprise business.
In a sixth aspect, the present invention provides an access device including a processor, a memory, a communication interface and a system bus, where the processor, memory and communication interface are connected through the system bus and communicate with one another, the memory stores computer-executable instructions, and when the virtual desktop management system runs, the processor executes the computer-executable instructions in the memory so as to perform, using the hardware resources of the virtual desktop management system, the method described in the second aspect or the first possible implementation of the second aspect.
From the above, the access device can, based on the requirements of the security policy determined by the management node, collect access device data such as GPS data, camera data and microphone data on the access device and return them to the management node for storage. Compared with the prior art, saving the access device data on the management node allows periodic security audits of connection requests in the virtual desktop infrastructure, improving the information security of enterprise business.
In a seventh aspect, the present invention provides a server including a processor, a memory, a communication interface and a system bus, where the processor, memory and communication interface are connected through the system bus and communicate with one another, the memory stores computer-executable instructions, and when the virtual desktop management system runs, the processor executes the computer-executable instructions in the memory so as to perform, using the hardware resources of the virtual desktop management system, the method described in the third aspect or the first possible implementation of the third aspect.
The server can apply different security control items based on the security policy determined by the management node, send the security policy to the access device, and forward the access device data returned by the access device to the management node, where they are saved. Compared with the prior art, the virtual desktop management system can apply different security policies according to the access information of the access device and store the access device data returned by the access device, making it convenient to later security-audit connection requests with a lower trust level and improving the information security of enterprise business.
In an eighth aspect, a computer-readable medium is provided for storing a computer program, the computer program including instructions for performing the method in the first aspect or any possible implementation of the first aspect.
In summary, by presetting the security control policy on the management node, when users request through different access devices to establish connections with the server, the management node can match the user type, access device type, access network environment type and remote desktop type carried in the connection request against the preset security control policy and determine the security policy of this connection request. Compared with the prior art, this achieves differentiated control of connection requests in different scenarios and strengthens the enterprise's information security protection; on the other hand, according to the requirements of the security policy, access device data such as GPS data, camera data and microphone data are collected on the access device, so that connection requests with a lower trust level in the virtual desktop infrastructure can be security-audited, improving the information security of enterprise business.
Brief description of the drawings
In order to illustrate the technical solution of the embodiments of the present invention more clearly, below will be in the embodiment of the present invention The required accompanying drawing used is briefly described, it should be apparent that, drawings described below is only this Some embodiments of invention, for those of ordinary skill in the art, are not paying creative work Under the premise of, other accompanying drawings can also be obtained according to these accompanying drawings.
Fig. 1 is a schematic diagram of a virtual desktop architecture in the prior art;
Fig. 2 is a schematic flowchart of a method of virtual desktop security control provided by an embodiment of the present invention;
Fig. 3 is a schematic flowchart of another method of virtual desktop security control provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of a virtual desktop management system provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of a management node provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of an access device provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of a virtual machine provided by an embodiment of the present invention.
Embodiment
The technical solutions of the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a schematic diagram of a virtual desktop infrastructure (Virtual Desktop Infrastructure, VDI). As shown, the virtual desktop architecture includes a virtual desktop management system, an access gateway, access devices and servers, where the access devices include personal computers (Personal Computer, PC), thin clients (Thin Client, TC) and mobile devices.
The virtual desktop management system implements the management and control functions of remote desktop access. It can include a management node, a domain server, a log server, a network access server and a licensing authorization server, and can also include other kinds of management components; each management component may be deployed on a server or on a virtual machine, which the present invention does not restrict.
A user can access a remote desktop through the virtual desktop management system; the remote desktop can be the operating system installed on a server or the operating system of a virtual machine formed by virtualization software deployed on a server. Specifically, remote desktops can be divided into several types according to their attributes. For example, according to their purpose they can be divided into office remote desktops and conference remote desktops used to join meetings; according to the network plan of the data center where the remote desktop is located, they can be divided into general remote desktops and special remote desktops; and according to whether the operating system is encrypted, they can be divided into secure remote desktops and general remote desktops.
An administrator can assign servers or virtual machines to users in the virtual desktop management system in advance and record the assignment relationship. When a user logs in with an account and password through the web interface provided by the network access server, the virtual desktop management system displays in the web interface all servers or virtual machines assigned to that user, and the user can select any of them to access. Users can be divided by permission into ordinary users and special users.
For example, the virtual desktop management system assigns ordinary user A one general virtual machine and one special virtual machine, and assigns special user B one special virtual machine. When user A logs in with an account and password through the web interface provided by the network access server, the web interface shows the two virtual machines assigned to user A, and the user can select either of them to access. The management system sends the security strategy to the access device and to the virtual machine the user needs to access; after the access device and that virtual machine have implemented the security control items of the strategy, the user can log in to the virtual machine and carry out office work.
A virtual desktop agent is deployed in each remote desktop and in each access device; the agent in the remote desktop is the server side and the agent in the access device is the client side. The management system can manage and monitor access devices and remote desktops through the desktop agents, and the desktop agents also handle the virtual desktop protocol between the remote desktop and the access device.
Thus a user can use an access device to communicate with the virtual desktop management system and the remote desktop over Ethernet via the access gateway, realizing remote access to the virtual desktop. In a specific implementation, different access network environment types can be distinguished by the access gateway used, for example by dividing the virtual desktop network type into an intranet and an external network according to the security of the local area network.
In addition, the administrator can preset a safety control strategy in the management node. Specifically, the safety control strategy can be preset according to user type, access device type and remote desktop type, and it includes credit ranks, security strategies and typical scenes. According to the business scenario requirements of the specific implementation, the administrator determines typical scenes from combinations of user type, access device type and remote desktop type; each typical scene corresponds to one security strategy, and each security strategy in turn corresponds to one credit rank.
Alternatively, the safety control strategy can also be preset according to user type, access device type, remote desktop type and access network environment type.
For example, Table 1 shows the specific content of one embodiment of a safety control strategy.
Table 1: Safety control strategy
As shown in Table 1, the administrator presets the safety control strategy in the management node according to user type, access network environment type, access device type and remote desktop type. Assume that the user types are ordinary user and special user; the access network environments are intranet and external network; the access devices are mobile device, PC and thin client; and the remote desktops are virtual machines, of type general virtual machine or special virtual machine. The typical scenes are then as shown in Table 1:
Typical scene one: a special user accesses a special virtual machine using a mobile device on the external network. The qualifying conditions of this typical scene cover all four of user type, access network environment, access device and remote desktop type. The security strategy corresponding to this typical scene is implemented for connection requests matching it, namely the user is not allowed to access the remote desktop; its credit rank is the lowest.
Typical scene two: a special user accesses a general virtual machine using a mobile device on the external network. Its qualifying conditions likewise cover all four of user type, access network environment, access device and remote desktop type. The corresponding security strategy is implemented for connection requests of this typical scene; its credit rank is extremely low.
Typical scene three: a virtual machine is accessed using a mobile device on the external network, without limiting user type or remote desktop type. This typical scene therefore covers: an ordinary user accessing a general virtual machine, an ordinary user accessing a special virtual machine, a special user accessing a general virtual machine and a special user accessing a special virtual machine, in each case using a mobile device on the external network. Of these, the special user accessing a special virtual machine is the typical scene with the lowest credit rank and the special user accessing a general virtual machine is the typical scene with the extremely low credit rank, so apart from those two scenes, the connection requests of the remaining two typical scenes, an ordinary user accessing a general virtual machine and an ordinary user accessing a special virtual machine using a mobile device on the external network, receive the security strategy corresponding to this typical scene, whose credit rank is low.
Typical scene four: a special virtual machine is accessed using a thin client on the external network, without limiting user type. This typical scene therefore covers an ordinary user and a special user accessing a special virtual machine using a thin client on the external network. It does not overlap with any other typical scene in the safety control strategy, so the corresponding security strategy is implemented for connection requests of this typical scene; its credit rank is medium.
Typical scene five: a virtual machine is accessed using a PC on the intranet, without limiting user type or virtual machine type. This typical scene therefore covers: an ordinary user accessing a general virtual machine, an ordinary user accessing a special virtual machine, a special user accessing a general virtual machine and a special user accessing a special virtual machine, in each case using a PC on the intranet. These do not overlap with the typical scenes elsewhere in the safety control strategy, so the corresponding security strategy is implemented for connection requests of this typical scene; its credit rank is high.
Typical scene six: a virtual machine is accessed using a thin client on the intranet, without limiting user type or virtual machine type. This typical scene therefore covers: an ordinary user accessing a general virtual machine, an ordinary user accessing a special virtual machine, a special user accessing a general virtual machine and a special user accessing a special virtual machine, in each case using a thin client on the intranet. These do not overlap with the other typical scenes in the safety control strategy, so the corresponding security strategy is implemented for connection requests of this typical scene; its credit rank is high.
It should be noted that a typical scene in Table 1 can be a combination of user type, access device type, access network environment type and remote desktop type; each typical scene corresponds to one security strategy, and each security strategy includes at least one security control item.
In addition, the typical scenes listed in Table 1 are only an example. In a specific implementation, typical scenes can be established according to the information security requirements of the specific business scenario, which the present invention does not restrict. The following detailed description of the present invention takes the safety control strategy shown in Table 1 as its example.
Further, six credit ranks are predefined: lowest, extremely low, low, medium, high and very high. The lower the credit rank, the more security control items are implemented on the access device and the server for the connection request. A security control item marked as "on" in a security strategy means that the access device or server of the connection request needs to perform the function of that security control item; an item marked as "off" means that the access device or server of the connection request need not perform that function.
Specifically, a security strategy can include the following security control items:
Return Global Positioning System (GPS) data: the access device returns its GPS location data to the management node.
Return camera data: the access device collects camera data and returns it to the management node.
Return microphone data: the access device collects microphone data and returns it to the management node.
Digital watermark: a digital watermark is added to images.
Clipboard redirection: transfers clipboard data on the access device to the server, or clipboard data on the server to the access device, so that data can be copied in either direction between the access device and the server.
File redirection: maps the file system of the access device into the server, or the file system of the server into the access device, so that the mapped file system can be read and written between the access device and the server.
It should be noted that the safety control strategy shown in Table 1 is only an example and does not limit the present invention. In addition, clipboard redirection and file redirection can be controlled as one-directional policies, that is, a different control can be applied to each direction between the access device and the server, with one direction open and the other closed. For example, clipboard content is delivered from the server to the access device, but the clipboard content of the access device is not delivered to the server. Beyond this, other possible security control items, or other combinations of security strategies, can be added. For example, when a mobile device whose operating system is iOS or Android connects to a server, different credit ranks and security strategies can be applied depending on whether the user has cracked the iOS system to obtain read and write permission to storage, or has unlocked administrator rights. In a specific implementation, different strategies can be set according to the specific information security requirements, which the present invention does not restrict.
It should also be noted that the safety control strategy preset by the administrator can be stored in the management node in a predefined file or database table, or in another storage form, which the present invention does not restrict.
Alternatively, after presetting the safety control strategy in the management node, the administrator can add or update credit ranks, security strategies and typical scenes according to business needs, so as to adapt to changes in the enterprise's information security requirements. It should be noted that the updated safety control strategy only takes effect for new connection requests made after the update.
Next, with reference to the foregoing description, Fig. 2 describes in detail the virtual desktop security control method provided by the present invention. The method includes:
S201: a safety control strategy is preset in the management node. The safety control strategy includes at least one typical scene and a security strategy corresponding to each of the at least one typical scene; each typical scene is a combination of user type, access device type and remote desktop type, and each security strategy includes at least one security control item.
Alternatively, the safety control strategy can also include credit ranks.
Specifically, the credit rank identifies the security control level of the connection request; each of the at least one typical scene corresponds to one credit rank.
Alternatively, the management node can also preset the safety control strategy according to access network environment type.
For example, the administrator can preset in the management node the typical scenes, security strategies and credit ranks shown in Table 1.
S202: the management node receives a connection request sent by an access device.
Specifically, the connection request is used by the access device to request the establishment of a connection with a server.
S203: the management node obtains the user type, access device type and remote desktop type carried in the connection request.
Alternatively, the management node can also obtain the access network environment type carried in the connection request.
For example, if a special user sends a request message to the virtual desktop management system to access a general virtual machine using a mobile device on the external network, the virtual desktop management system obtains from the access message of the connection request: special user, mobile device, external network and general virtual machine.
S204: the user type, access device type and remote desktop type carried in the connection request are compared with the at least one typical scene in the safety control strategy to determine the typical scene that matches the connection request and the security strategy corresponding to that matching typical scene.
Specifically, the management node compares the user type, access device type and remote desktop type carried in the connection request, obtained in step S202, with the typical scenes in the safety control strategy. If they match one of the typical scenes, it determines that the security strategy to be implemented for this connection request is the security strategy corresponding to the matching typical scene, and that its credit rank is the credit rank corresponding to that matching typical scene.
For example, with the safety control strategy shown in Table 1, if a special user sends a connection request to access a general virtual machine using a mobile device on the external network, comparison with the typical scenes of each credit rank in Table 1 matches the typical scene whose credit rank is extremely low, namely "a special user accessing a general virtual machine using a mobile device on the external network", so the security strategy corresponding to that typical scene is determined to be the security strategy of this connection request, and its credit rank is extremely low. If an ordinary user sends a connection request to access a general virtual machine using a mobile device on the external network, comparison with the typical scenes of the safety control strategy in Table 1 matches "accessing a virtual machine using a mobile device on the external network", so the security strategy corresponding to that typical scene is determined to be the security strategy of this connection request, and its credit rank is low.
Alternatively, if after comparing the user type, access device type, access network environment type and remote desktop type carried in the connection request with the preset safety control strategy no typical scene matches, a preset default security strategy can be implemented.
For example, the management node can preset the default security strategy to be the security strategy corresponding to the typical scene "accessing a special virtual machine using a thin client on the external network", so that the default credit rank is medium. If an ordinary user sends a connection request to access a general virtual machine using a mobile device on the intranet, the management node compares the user type, access device type, access network environment type and remote desktop type carried in this connection request and determines that none of the typical scenes listed in Table 1 matches, so it implements the predefined default security strategy on the access device and the server of this connection request, that is, the security strategy corresponding to the typical scene "accessing a special virtual machine using a thin client on the external network", whose credit rank is medium.
Those skilled in the art will understand that a virtual desktop is one kind of remote desktop. After the virtual desktop management system has established the assignment relationship between a user and a virtual machine, the user can send a request to connect to the virtual machine to the virtual desktop management system from any access device through any type of access network environment, and the credit rank takes effect only for that connection request.
For example, when ordinary user A connects to a special virtual machine through a mobile device on the external network, the management node determines that this connection request implements the security strategy corresponding to the typical scene "accessing a virtual machine using a mobile device on the external network", whose credit rank is low; when ordinary user A later connects to the special virtual machine through a thin client on the intranet, the management node determines that this connection request implements the security strategy corresponding to the typical scene "accessing a virtual machine using a thin client on the intranet", whose credit rank is high.
S205: the management node sends indication information to the access device according to the security strategy; the indication information instructs the access device to establish a connection with the server.
Specifically, when the security strategy allows the access device to establish a connection with the virtual machine, the management node sends indication information to the access device instructing it to establish the connection with the virtual machine. If the security strategy that the management node determined from the access information and the safety control strategy does not allow the access device to establish a connection with the server, this connection request is terminated.
For example, with the safety control strategy shown in Table 1, if a special user sends a connection request to the virtual desktop management system to access a special virtual machine using a mobile device on the external network, the management node determines that the security strategy of this connection request is to restrict access: the special user is not allowed to connect to the requested virtual machine, and this connection request can be terminated.
Further, the access device establishes a connection with the server.
Specifically, a communication connection is established between the desktop agent of the access device and the desktop agent of the server.
Those skilled in the art will understand that, in a virtual desktop architecture, the connection established at this point between the access device and the server is only a communication connection between desktop agents, used to relay instructions and messages between the management node and the desktop agents; only after the virtual machine and the access device have implemented the corresponding security strategy can the user log in to the operating system of the remote desktop.
In the content described in steps S201 to S205, the administrator presets a safety control strategy in the management node, namely at least one typical scene formed from combinations of user type, access device type and remote desktop type, each typical scene corresponding to one security strategy. When a user requests to establish a connection with a remote desktop through an access device, the user type, access device type and remote desktop type carried in this connection request are compared with the typical scenes in the safety control strategy to determine the typical scene matching this connection request and the security strategy corresponding to that typical scene, and different security control items are implemented on the access device and the server according to the requirements of the determined security strategy. Compared with the security control of the prior art, which relies on the user's operating permissions and on the remote access permissions allowed by the server or virtual machine, this enables differentiated security control of connection requests in different scenarios and improves the information security of the virtual desktop architecture.
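The matching of steps S201 to S205, including the default strategy and the precedence that keeps typical scenes one and two apart from the broader scene three, as an added example in Python that is not code from the patent. The attribute names, the control-item fields and every item setting not spelled out in the text are assumptions; the scene table mirrors Table 1.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Credit ranks, least trusted first (the six ranks named in the text).
CREDIT_RANKS = ("lowest", "extremely_low", "low", "medium", "high", "very_high")

# A connection request carries (user type, access device type,
# access network environment type, remote desktop type).
Request = Tuple[str, str, str, str]


@dataclass(frozen=True)
class SecurityStrategy:
    """One field per security control item; True means the item is 'on'.
    Clipboard and file redirection are split by direction, because the text
    allows one direction to be open while the other is closed."""
    allow_connection: bool = True
    return_gps: bool = False
    return_camera: bool = False
    return_microphone: bool = False
    watermark: bool = False
    clipboard_client_to_server: bool = False
    clipboard_server_to_client: bool = False
    files_client_to_server: bool = False
    files_server_to_client: bool = False


@dataclass(frozen=True)
class TypicalScene:
    name: str
    credit_rank: str
    strategy: SecurityStrategy
    # Qualifying conditions; None means that dimension is not limited.
    user_type: Optional[str] = None
    device_type: Optional[str] = None
    network: Optional[str] = None
    desktop_type: Optional[str] = None

    def conditions(self):
        return (self.user_type, self.device_type, self.network, self.desktop_type)

    def matches(self, request: Request) -> bool:
        return all(cond is None or cond == value
                   for cond, value in zip(self.conditions(), request))

    def specificity(self) -> int:
        """Number of limited dimensions.  A scene limiting all four wins over
        one limiting two, which carves scenes one and two out of scene three."""
        return sum(cond is not None for cond in self.conditions())


# Constructed rendering of Table 1.  Scene two's items and the PC/intranet
# items follow the text; the remaining item settings are assumptions.
TABLE_1 = (
    TypicalScene("special user, mobile, external net, special VM", "lowest",
                 SecurityStrategy(allow_connection=False),
                 "special", "mobile", "external", "special_vm"),
    TypicalScene("special user, mobile, external net, general VM", "extremely_low",
                 SecurityStrategy(return_gps=True, return_camera=True,
                                  return_microphone=True, watermark=True),
                 "special", "mobile", "external", "general_vm"),
    TypicalScene("mobile, external net", "low",
                 SecurityStrategy(return_gps=True, watermark=True),      # assumed
                 device_type="mobile", network="external"),
    TypicalScene("thin client, external net, special VM", "medium",
                 SecurityStrategy(watermark=True),                       # assumed
                 device_type="thin_client", network="external",
                 desktop_type="special_vm"),
    TypicalScene("PC, intranet", "high",
                 SecurityStrategy(clipboard_client_to_server=True,
                                  files_server_to_client=True),
                 device_type="pc", network="intranet"),
    TypicalScene("thin client, intranet", "high",
                 SecurityStrategy(clipboard_client_to_server=True,
                                  clipboard_server_to_client=True,
                                  files_server_to_client=True),          # assumed
                 device_type="thin_client", network="intranet"),
)

# Default used when nothing matches: the text picks scene four's strategy.
DEFAULT_SCENE = TypicalScene("default (scene four's strategy)", "medium",
                             TABLE_1[3].strategy)


def decide(request: Request, table=TABLE_1, default=DEFAULT_SCENE) -> TypicalScene:
    """Step S204: pick the scene whose strategy this connection request gets."""
    candidates = [scene for scene in table if scene.matches(request)]
    if not candidates:
        return default
    best = max(candidates, key=TypicalScene.specificity)
    ties = [s for s in candidates if s.specificity() == best.specificity()]
    if len(ties) > 1:
        # Two equally specific scenes claiming one request is an authoring
        # error in the table; refuse rather than pick one silently.
        raise ValueError(f"ambiguous scenes for {request}: {[s.name for s in ties]}")
    return best


def connection_allowed(request: Request) -> bool:
    """Step S205: the 'connect' indication is only sent when the matched
    strategy allows the connection; otherwise the request is terminated."""
    return decide(request).strategy.allow_connection
```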
Further, the specific implementation of the determined security strategy is shown in Fig. 3. The method includes:
S301: the management node sends the determined security strategy to the server.
Specifically, the determined security strategy is the security strategy determined by the method described in Fig. 2.
For example, with the safety control strategy shown in Table 1, if a special user accesses a general virtual machine using a mobile device on the external network, the management node can send the following security strategy to the server:
Return GPS data;
Return camera data;
Return microphone data;
Add a digital watermark to images;
Close the clipboard redirection function;
Close the file system redirection function.
S302: the server sends the determined security strategy to the access device.
Specifically, the server and the access device communicate through desktop agents; the desktop agent in the server forwards the security strategy determined in step S301 to the desktop agent in the access device.
S303: the access device collects access device data according to the requirements of the determined security strategy.
Specifically, the determined security strategy includes collecting at least one of GPS data, camera data and microphone data, and the access device collects the access device data according to the requirements in the determined security strategy. In a specific implementation, different security strategies can be configured in a preset safety control strategy such as that of Table 1 according to the needs of the specific business scenario, specifying whether access device data needs to be returned.
For example, if the security strategy corresponding to the typical scene matching the connection request requires returning GPS data, camera data and microphone data, then:
when the access device has a GPS device, the GPS module in the access device collects the GPS location information of the access device and sends it to the server through the desktop agent;
when the access device has a camera and/or a microphone, the camera and/or microphone module in the access device collects the camera image and/or microphone audio of the access device and sends it to the desktop agent in the virtual machine.
Alternatively, the access device data can also include the MAC address of the access device.
It should be noted that the camera data or microphone data collected by the access device can be real-time data or data already stored in the access device; moreover, the camera data or microphone data collected by the access device can be a complete piece of data or part of a complete piece of data, which the present invention does not restrict.
Alternatively, when the security strategy received by the access device requires returning access device data, the interface of the access device can display a corresponding prompt for the user to decide. If the user allows access device data to be collected, the access device data is returned and the user may continue to log in to the virtual machine; if the user does not allow access device data to be collected, this connection request is interrupted.
S304: the access device sends the access device data to the server.
S305: the server sends the access device data to the management node.
S306: the management node stores the access device data.
Specifically, the management node stores the access device data returned by the access device, recording the access device data of each access device's connection request so that periodic security audits of the system can be carried out.
S307: the access device implements the determined security strategy.
Specifically, based on the requirements of the determined security strategy, the access device turns the corresponding functions on or off on the access device, namely whether the client file system of the access device is mapped to the server, whether the clipboard content of the access device is passed to the server, and whether a watermark is added to images on the access device.
For example, with the safety control strategy shown in Table 1, if the user type, access device type and access network type carried in this connection request of the access device match the typical scene "a special user accessing a general virtual machine using a mobile device on the external network", the credit rank is extremely low, and according to the security strategy corresponding to the matching typical scene: the access device needs to add a watermark to its images, need not map its client file system to the server and need not pass its clipboard content to the server. If the user type, access device type and access network type carried in this connection request match the typical scene "accessing a virtual machine using a PC on the intranet", then according to the security strategy corresponding to the matching typical scene: the access device needs to pass its clipboard content to the server, need not add a watermark to its images and need not map its file system to the server.
S308: the server implements the determined security strategy.
Specifically, based on the requirements of the determined security strategy, the server turns the corresponding functions on or off on the server, namely whether the server's file system is mapped to the access device, whether the server's clipboard content is delivered to the access device, and whether a watermark is added to the server images delivered to the access device.
For example, with the safety control strategy shown in Table 1, if this connection request of the access device is determined to match the typical scene "a special user accessing a general virtual machine using a mobile device on the external network", then according to the security strategy corresponding to the matching typical scene the server needs to add a watermark to the images delivered to the access device, need not map its file system to the access device and need not pass its clipboard content to the access device. If this connection request of the access device is determined to match the typical scene "accessing a virtual machine using a PC on the intranet", then according to the security strategy corresponding to the matching typical scene the server needs to map its file system to the access device, need not pass its clipboard content to the access device and need not add a watermark to the images delivered to the access device.
As described above, according to the requirements of the security strategy matching this connection request, the GPS data, camera data and microphone data of the access device are collected and stored in the management node. Compared with the prior art, collecting and storing access device data allows periodic security audits of the connection requests in the virtual desktop management system, which improves enterprise information security. On the other hand, for each connection request, different security control items are implemented on the access device and on the server, which solves the problem that the prior art cannot achieve differentiated control under different access scenarios and thereby improves the information security of the enterprise's business.
Alternatively, in another possible embodiment of the present invention, when the safety control strategy is preset, a preset score range can be set for each typical scene, that is, for each combination of user type, access device type, access network environment type and remote desktop type, and a score is assigned to each of the user type, access device type, access network environment type and remote desktop type carried in the connection request. For example, a mobile device scores 5 points, while a personal computer or thin client scores 10 points; an ordinary user scores 5 points and a special user 10 points; intranet access scores 10 points and external network access 5 points; a general virtual machine scores 5 points and a special virtual machine 10 points. When the management node receives a connection request, it obtains the user type, access device type, access network environment type and remote desktop type carried in the connection request, scores them, compares the total score of this connection request with the preset score range of each typical scene, determines the score range matching this connection request and the security strategy corresponding to that score range, and implements that security strategy on the access device and the server. This method equally solves the problem that the prior art cannot apply differentiated security control to different connection requests, and improves the information security of the enterprise.
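The scoring variant just described, as an added example in Python that is not the patent's code. The per-attribute scores are the ones quoted above; the score ranges, the rank each range maps to and the attribute names are assumptions. Because the scores are additive, distinct combinations can total the same value and land in one range, which `collisions()` enumerates so a policy author can see which requests the scheme no longer tells apart.

```python
from itertools import product

# Per-attribute scores as quoted in the text.
SCORES = {
    "user_type": {"ordinary": 5, "special": 10},
    "device_type": {"mobile": 5, "pc": 10, "thin_client": 10},
    "network": {"external": 5, "intranet": 10},
    "desktop_type": {"general_vm": 5, "special_vm": 10},
}

# Assumed preset score ranges (inclusive) and the credit rank of each; the
# text says each typical scene has a range but does not give the numbers.
# With 5/10-point attributes every total is one of 20, 25, 30, 35 or 40.
SCORE_RANGES = (
    (20, 20, "lowest"),
    (21, 25, "extremely_low"),
    (26, 30, "low"),
    (31, 35, "medium"),
    (36, 40, "high"),
)

# Order of the attributes carried in a connection request.
DIMENSIONS = ("user_type", "device_type", "network", "desktop_type")


def score_request(request):
    """Mark each attribute carried in the connection request and total them."""
    return sum(SCORES[dim][value] for dim, value in zip(DIMENSIONS, request))


def credit_rank_for(request):
    """Map the request's total score onto the preset score range."""
    total = score_request(request)
    for low, high, rank in SCORE_RANGES:
        if low <= total <= high:
            return rank
    raise ValueError(f"score {total} falls outside every preset range")


def collisions():
    """Group every possible request by the credit rank the scores give it.
    Requests that an explicit scene table such as Table 1 keeps apart (a
    special user on a mobile device versus an ordinary user on a PC, both
    on the external network) end up in the same group here."""
    groups = {}
    for request in product(*(SCORES[dim].keys() for dim in DIMENSIONS)):
        groups.setdefault(credit_rank_for(request), []).append(request)
    return groups
```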
It should be understood that, in the various embodiments of the present invention, the sequence numbers of the above processes do not imply an order of execution; the order in which each process is executed should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
In summary, in the security control method provided by the embodiments of the present invention, a safety control strategy is preset in the management node; the user type, access device type and remote desktop type carried in each connection request are compared with the preset safety control strategy to determine the typical scene matching the connection request and the security strategy corresponding to that typical scene; and different security strategies are applied to the access device and the server of that connection request. Compared with the prior art, this solves the problem that the security of connection requests cannot be controlled differently under different access scenarios, and improves enterprise information security. In addition, by configuring in the security strategy the function of returning access device data, the access device data of the connection request is recorded and preserved, which facilitates security audit and also strengthens the protection of remote desktop access.
Fig. 4 is a schematic diagram of a virtual desktop management system 400 in an embodiment of the present invention. As shown, the virtual desktop management system includes a management node 401, a server 402 and an access device 403, where:
The management node 401 is used to preset a safety control strategy, the safety control strategy including at least one typical scene and a security strategy corresponding to each of the at least one typical scene, each of the at least one typical scene being a combination of a user type, an access device type and a remote desktop type, and each security strategy including at least one security control item;
The management node 401 is further used to: obtain the user type, access device type and remote desktop type carried in the connection request sent by the access device; compare the user type, access device type and remote desktop type carried in the connection request with the at least one typical scene in the safety control strategy, and determine the typical scene matching the connection request and the security strategy corresponding to the matched typical scene; and send indication information to the access device according to the determined security strategy, the indication information being used to indicate that the access device establishes a connection with the server;
The access device 403 is used to send a connection request to the management node, the connection request being used by the access device to request establishing a connection with the server;
The access device 403 is further used to receive the indication information sent by the management node, the indication information being used to indicate that the access device establishes a connection with the server.
The server 402 is used to establish a connection with the access device according to the indication information.
Optionally, the management node 401 is further used to: send the determined security strategy to the server, the security strategy of the connection request including collecting at least one of GPS data, camera data and microphone data; and receive the access device data sent by the server, the access device data being obtained by the access device after the server notifies it of the requirements of the determined security strategy;
The server 402 is further used to receive the determined security strategy sent by the management node, send the determined security strategy to the virtual machine, and send the access device data to the management node;
The access device 403 is further used to receive the determined security strategy sent by the server, collect the access device data according to the requirements of the determined security strategy, and send the access device data to the server.
It should be noted that the virtual desktop management system 400 described above is used to perform any of the methods described with reference to Fig. 2 to Fig. 3, which will not be repeated here.
With the safety control strategy preset in the management node, when a user requests to establish a connection with the server through different access devices, the virtual desktop management system 400 can compare the user type, access device type and remote desktop type with the safety control strategy and determine the typical scene matching the connection request and the security strategy corresponding to the matched typical scene. Compared with the prior art, in which the security of a connection request is controlled only through the operating rights of the user or the virtual machine, this achieves differentiated control of connection requests in different scenarios and strengthens the information security protection of the enterprise. On the other hand, according to the requirements of the security strategy, access device data such as GPS data, camera data, microphone data and the MAC address are collected on the access device, so that connection requests with a relatively low trust level in the virtual desktop architecture can be subjected to security audit, which improves the information security of the enterprise's business.
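The scene-table matching and the message exchange between the three roles of system 400 (Fig. 4), as an added example that is not code from the patent or from Huawei. It illustrates both the description of the management node 401, server 402 and access device 403 above and the optional data-collection path. The scene table, the control item names and the constructed sensor readings are assumptions; the flow follows the text: the management node matches the request against the preset typical scenes, the server applies its own items and relays the strategy, the access device collects only what the strategy requires, and the server returns that data to the management node, which keeps it for audit. Refusing a request that matches no typical scene is a choice made here; the text does not specify that case.

```python
"""Scene-table policy matching and the access-device / management-node / server
exchange of system 400. Added example for this page; not code from the patent
or from Huawei. POLICY, the control item names and SENSORS are assumptions."""

from dataclasses import dataclass

# Control items named in the text. Collection items are executed on the access
# device; redirection and watermark items have a server-side action.
COLLECT_ITEMS = frozenset({"collect_gps", "collect_camera", "collect_mic"})
REDIRECT_ITEMS = frozenset({"file_system_redirect", "clipboard_redirect", "watermark"})


@dataclass(frozen=True)
class Scene:
    """A typical scene: the combination the management node matches on."""
    user_type: str
    access_device_type: str
    remote_desktop_type: str


# Preset safety control strategy: typical scene -> security strategy (assumed table).
POLICY = {
    Scene("ordinary", "mobile", "general_vm"):
        frozenset({"collect_gps", "collect_camera", "watermark"}),
    Scene("ordinary", "pc", "general_vm"):
        frozenset({"clipboard_redirect", "watermark"}),
    Scene("special", "thin_client", "special_vm"):
        frozenset({"file_system_redirect", "clipboard_redirect"}),
}

# Constructed sensor readings standing in for what a real client would capture.
SENSORS = {
    "collect_gps": (39.9042, 116.4074),
    "collect_camera": b"\xff\xd8constructed-jpeg\xff\xd9",
    "collect_mic": b"constructed-pcm-frames",
}


class ManagementNode:
    def __init__(self, policy):
        self.policy = policy
        self.audit_store = []  # access device data kept for later security audit

    def match(self, request):
        """Compare the request's attributes with the typical scenes and return the
        matching security strategy. A request matching no scene is refused
        (fail closed; the text leaves this case unspecified)."""
        scene = Scene(request["user_type"],
                      request["access_device_type"],
                      request["remote_desktop_type"])
        strategy = self.policy.get(scene)
        if strategy is None:
            raise PermissionError(f"no typical scene matches {scene}")
        return strategy

    def store_device_data(self, data):
        self.audit_store.append(dict(data))


class Server:
    def __init__(self, node):
        self.node = node
        self.applied = frozenset()

    def apply_strategy(self, strategy):
        """Keep the server-side items (mapping its file system or clipboard to the
        device, watermarking the image it sends) and pass the strategy on."""
        self.applied = strategy & REDIRECT_ITEMS
        return strategy

    def relay_device_data(self, data):
        self.node.store_device_data(data)


class AccessDevice:
    def __init__(self, sensors):
        self.sensors = sensors

    def collect(self, strategy):
        """Gather only the data the strategy requires; nothing else leaves the device."""
        return {item: self.sensors[item] for item in strategy & COLLECT_ITEMS}


def establish_session(node, server, device, request):
    """Run the exchange end to end and report what each side ended up with."""
    strategy = node.match(request)             # management node: match scene
    relayed = server.apply_strategy(strategy)  # server: apply its items, relay
    device_data = device.collect(relayed)      # device: collect per the strategy
    server.relay_device_data(device_data)      # server -> management node (audit)
    return {"strategy": strategy,
            "server_items": server.applied,
            "device_data": device_data}


if __name__ == "__main__":
    node = ManagementNode(POLICY)
    server = Server(node)
    device = AccessDevice(SENSORS)
    print(establish_session(node, server, device, {
        "user_type": "ordinary", "access_device_type": "mobile",
        "remote_desktop_type": "general_vm"}))
```

The split between COLLECT_ITEMS and REDIRECT_ITEMS is what makes the per-request differentiation concrete: the same strategy object reaches both sides, but each side executes only the items that belong to it, and the management node never receives more than the device was told to collect.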
The method of virtual desktop security control provided by the embodiments of the present invention has been described in detail above with reference to Fig. 1 to Fig. 4. The apparatus for virtual desktop security control provided by the embodiments of the present invention is described below with reference to Fig. 5 to Fig. 6.
Fig. 5 is a schematic diagram of a management node 500 provided by the present invention. As shown, the management node 500 includes a processor 501, a memory 502, a communication interface 503 and a system bus 504. The processor 501, the memory 502 and the communication interface 503 are connected through the system bus 504 and communicate with one another. The memory 502 is used to store computer execution instructions; when the virtual desktop management system runs, the processor 501 executes the computer execution instructions in the memory 502 to perform any one of the methods described with reference to Fig. 2 to Fig. 3 using the hardware resources in the virtual desktop management system.
It should be understood that, in the embodiments of the present invention, the processor 501 may be a CPU, or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 502 may include read-only memory and random access memory, and provides instructions and data to the processor 501. A part of the memory 502 may also include non-volatile random access memory. For example, the memory 502 may also store device type information.
In addition to a data bus, the system bus 504 may also include a power bus, a control bus, a status signal bus and the like. For clarity of description, however, the various buses are all designated as the system bus 504 in the figure.
With the safety control strategy preset in the management node, when a user requests to establish a connection with the server through different access devices, the management node 500 can match the user type, access device type and remote desktop type carried in the connection request against the preset safety control strategy and determine the security strategy of that connection request. Compared with the prior art, this achieves differentiated control of connection requests in different scenarios and strengthens the information security protection of the enterprise. On the other hand, according to the requirements of the security strategy, access device data such as GPS data, camera data, microphone data and the MAC address are collected on the access device, so that connection requests with a relatively low trust level in the virtual desktop architecture can be subjected to security audit, which improves the information security of the enterprise's business.
Fig. 6 is a schematic diagram of an access device 600. As shown, the access device 600 includes a processor 601, a memory 602, a communication interface 603 and a system bus 604. The processor 601, the memory 602 and the communication interface 603 are connected through the system bus 604 and communicate with one another. The memory 602 is used to store computer execution instructions; when the virtual desktop management system runs, the processor 601 executes the computer execution instructions in the memory 602 so as to:
send a connection request to the management node, the connection request being used by the access device to request establishing a connection with the server, so that the management node determines the security strategy of the connection request and sends the security strategy of the connection request to the server;
receive the security strategy of the connection request sent by the server, the security strategy of the connection request including collecting at least one of GPS data, camera data and microphone data;
collect access device data according to the requirements of the security strategy of the connection request;
send the access device data to the server.
It should be understood that, in the embodiments of the present invention, the processor 601 may be a CPU, or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 602 may include read-only memory and random access memory, and provides instructions and data to the processor 601. A part of the memory 602 may also include non-volatile random access memory. For example, the memory 602 may also store device type information.
In addition to a data bus, the system bus 604 may also include a power bus, a control bus, a status signal bus and the like. For clarity of description, however, the various buses are all designated as the system bus 604 in the figure.
Optionally, the security strategy of the connection request further includes at least one of file system redirection, clipboard redirection and digital watermarking, in which case
the access device, based on the security strategy of the connection request:
maps the file system of the access device to the server; or
passes the clipboard content of the access device to the server; or
adds a watermark to the image of the access device.
From the above, the access device 600 can collect access device data such as GPS data, camera data, microphone data and the MAC address on the access device 600 according to the requirements of the security strategy determined by the management node, and return it to the management node for preservation. Compared with the prior art, preserving the access device data in the management node makes it possible to periodically perform a security audit of connection requests in the virtual desktop architecture, which improves the information security of the enterprise's business.
Fig. 7 is a schematic diagram of a server 700. As shown, the server 700 includes a processor 701, a memory 702, a communication interface 703 and a system bus 704. The processor 701, the memory 702 and the communication interface 703 are connected through the system bus 704 and communicate with one another. The memory 702 is used to store computer execution instructions; when the virtual desktop management system runs, the processor 701 executes the computer execution instructions in the memory 702 so as to:
receive the security strategy sent by the management node, the security strategy including collecting at least one of GPS data, camera data and microphone data;
send the security strategy to the access device, so that the access device collects access device data according to the requirements of the security strategy;
receive the access device data sent by the access device;
send the access device data to the management node, so that the management node preserves the access device data.
It should be understood that, in the embodiments of the present invention, the processor 701 may be a CPU, or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 702 may include read-only memory and random access memory, and provides instructions and data to the processor 701. A part of the memory 702 may also include non-volatile random access memory. For example, the memory 702 may also store device type information.
In addition to a data bus, the system bus 704 may also include a power bus, a control bus, a status signal bus and the like. For clarity of description, however, the various buses are all designated as the system bus 704 in the figure.
Optionally, the security strategy further includes at least one of file system redirection, clipboard redirection and digital watermarking, in which case
the server, based on the security strategy:
maps the file system of the server to the access device; or
passes the clipboard content of the server to the access device; or
adds a watermark to the image that the server sends to the access device.
From the above, the server 700 can apply different security control items based on the security strategy determined by the management node, send the security strategy to the access device, and send the access device data returned by the access device to the management node, which preserves it. Compared with the prior art, the management node can apply differentiated control to connection requests in different scenarios according to the security strategy determined from the user type, access device type and remote desktop type carried in the connection request, which improves the information security of the enterprise's business.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of the present invention.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division of the units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive of within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the scope of the claims.

Claims (14)

  1. A method of virtual desktop security control, characterized in that a safety control strategy is preset in a management node, the safety control strategy including at least one typical scene and a security strategy corresponding to each of the at least one typical scene, each of the at least one typical scene being a combination of a user type, an access device type and a remote desktop type, and each security strategy including at least one security control item; the method comprising:
    the management node receiving a connection request sent by an access device, the connection request being used by the access device to request establishing a connection with a server;
    the management node obtaining the user type, access device type and remote desktop type carried in the connection request;
    the management node comparing the user type, access device type and remote desktop type carried in the connection request with the at least one typical scene in the safety control strategy, and determining the typical scene matching the connection request and the security strategy corresponding to the matched typical scene;
    the management node sending indication information to the access device according to the determined security strategy, the indication information being used to indicate that the access device establishes a connection with the server.
  2. The method according to claim 1, characterized in that the method further comprises:
    the management node sending the determined security strategy to the server, the determined security strategy including collecting at least one of GPS data, camera data and microphone data of the access device;
    the management node receiving access device data sent by the server, the access device data being obtained by the access device according to the determined security strategy after being notified by the server;
    the management node preserving the access device data.
  3. The method according to claim 2, characterized in that the access device obtaining the access device data according to the determined security strategy comprises:
    the access device receiving the determined security strategy sent by the server;
    the access device collecting the access device data according to the requirements of the determined security strategy;
    the access device sending the access device data to the server.
  4. The method according to claim 1, characterized in that the method further comprises:
    the management node sending the determined security strategy to the server, the determined security strategy including at least one of file system redirection, clipboard redirection and digital watermarking, so that the server, based on the determined security strategy:
    maps the file system of the server to the access device; or
    passes the clipboard content of the server to the access device; or
    adds a watermark to the image that the server sends to the access device.
  5. The method according to claim 4, characterized in that the method further comprises:
    the server sending the determined security strategy to the access device, so that the access device, based on the determined security strategy:
    maps the file system of the access device to the server; or
    passes the clipboard content of the access device to the server; or
    adds a watermark to the image of the access device.
  6. A method of virtual desktop security control, characterized in that the method comprises:
    an access device sending a connection request to a management node, the connection request being used by the access device to request establishing a connection with a server, so that the management node determines the security strategy of the connection request and sends the determined security strategy to the server;
    the access device receiving the determined security strategy sent by the server, the determined security strategy including collecting at least one of GPS data, camera data and microphone data;
    the access device collecting access device data according to the requirements of the determined security strategy;
    the access device sending the access device data to the server.
  7. The method according to claim 6, characterized in that the determined security strategy further includes at least one of file system redirection, clipboard redirection and digital watermarking, and
    the access device, based on the security strategy of the connection request:
    maps the file system of the access device to the server; or
    passes the clipboard content of the access device to the server; or
    adds a watermark to the image of the access device.
  8. A method of virtual desktop security control, characterized in that the method comprises:
    a server receiving a security strategy sent by a management node, the security strategy including collecting at least one of global positioning system data, camera data and microphone data;
    the server sending the security strategy to the access device, so that the access device collects access device data according to the requirements of the security strategy;
    the server receiving the access device data sent by the access device;
    the server sending the access device data to the management node, so that the management node preserves the access device data.
  9. The method according to claim 8, characterized in that the security strategy further includes at least one of file system redirection, clipboard redirection and digital watermarking, and
    the server, based on the security strategy:
    maps the file system of the server to the access device; or
    passes the clipboard content of the server to the access device; or
    adds a watermark to the image that the server sends to the access device.
  10. A virtual desktop management system, characterized in that the virtual desktop management system includes a server, a management node and an access device:
    the management node is used to preset a safety control strategy, the safety control strategy including at least one typical scene and a security strategy corresponding to each of the at least one typical scene, each of the at least one typical scene being a combination of a user type, an access device type and a remote desktop type, and each security strategy including at least one security control item;
    the management node is further used to: obtain the user type, access device type and remote desktop type carried in the connection request sent by the access device; compare the user type, access device type and remote desktop type carried in the connection request with the at least one typical scene in the safety control strategy, and determine the typical scene matching the connection request and the security strategy corresponding to the matched typical scene; and send indication information to the access device according to the determined security strategy, the indication information being used to indicate that the access device establishes a connection with the server;
    the access device is used to send a connection request to the management node, the connection request being used by the access device to request establishing a connection with the server;
    the access device is further used to receive the indication information sent by the management node, the indication information being used to indicate that the access device establishes a connection with the server;
    the server is used to establish a connection with the access device according to the indication information.
  11. The virtual desktop management system according to claim 10, characterized in that:
    the management node is further used to send the determined security strategy to the server, the determined security strategy including collecting at least one of GPS data, camera data and microphone data; receive the access device data sent by the server, the access device data being obtained by the access device according to the requirements of the determined security strategy after being notified by the server; and preserve the access device data;
    the server is further used to receive the determined security strategy sent by the management node, send the determined security strategy to the virtual machine, and send the access device data to the management node;
    the access device is further used to receive the determined security strategy sent by the server, collect the access device data according to the requirements of the determined security strategy, and send the access device data to the server.
  12. A management node, characterized in that the management node includes a processor, a memory, a communication interface and a system bus, the processor, the memory and the communication interface being connected through the system bus and communicating with one another; the memory is used to store computer execution instructions, and when the virtual desktop management system runs, the processor executes the computer execution instructions in the memory to perform the method according to any one of claims 1, 2 and 4 using the hardware resources in the virtual desktop management system.
  13. An access device, characterized in that the access device includes a processor, a memory, a communication interface and a system bus, the processor, the memory and the communication interface being connected through the system bus and communicating with one another; the memory is used to store computer execution instructions, and when the virtual desktop management system runs, the processor executes the computer execution instructions in the memory to perform the method according to claim 6 or 7 using the hardware resources in the virtual desktop management system.
  14. A server, characterized in that the server includes a processor, a memory, a communication interface and a system bus, the processor, the memory and the communication interface being connected through the system bus and communicating with one another; the memory is used to store computer execution instructions, and when the virtual desktop management system runs, the processor executes the computer execution instructions in the memory to perform the method according to claim 8 or 9 using the hardware resources in the virtual desktop management system.
CN201610488502.2A 2016-06-28 2016-06-28 A kind of method, apparatus and virtual desktop management system of virtual desktop security control Withdrawn CN107547480A (en)

Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
CN201610488502.2A | 2016-06-28 | 2016-06-28 | A kind of method, apparatus and virtual desktop management system of virtual desktop security control
PCT/CN2017/080095 | 2016-06-28 | 2017-04-11 | Security control method and device for virtual desktop, and virtual desktop management system

Publications (1)

Publication Number | Publication Date
CN107547480A | 2018-01-05

Family ID: 60785841

Country Status (2)

CN (1) CN107547480A (en)
WO (1) WO2018000891A1 (en)


Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103812829A (en) * 2012-11-08 2014-05-21 华为技术有限公司 Method and system for improving security of remote desktop, and remote desktop server
CN105378659A (en) * 2013-06-14 2016-03-02 托加里奥有限责任公司 Method and system for enabling access of client device to remote desktop
CN104753930A (en) * 2015-03-17 2015-07-01 成都盛思睿信息技术有限公司 Cloud desktop management system based on security gateway and security access control method thereof
CN105049414A (en) * 2015-06-03 2015-11-11 北京朋创天地科技有限公司 Dataflow control method facing virtual desktop and information safety device

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111310135A (en) * 2018-12-12 2020-06-19 中兴通讯股份有限公司 Watermark adding method and device based on virtual desktop
CN111314286A (en) * 2019-12-20 2020-06-19 杭州迪普科技股份有限公司 Configuration method and device of security access control policy
CN111314286B (en) * 2019-12-20 2022-11-01 杭州迪普科技股份有限公司 Configuration method and device of security access control policy
CN111277670A (en) * 2020-03-09 2020-06-12 西安万像电子科技有限公司 Remote control system and method
CN112311851A (en) * 2020-09-25 2021-02-02 新华三大数据技术有限公司 Network policy configuration method and device
CN112311851B (en) * 2020-09-25 2022-04-01 新华三大数据技术有限公司 Network policy configuration method and device
CN112714185B (en) * 2020-12-30 2022-03-18 威创集团股份有限公司 Access seat system
CN112714185A (en) * 2020-12-30 2021-04-27 威创集团股份有限公司 Access seat system
CN113630390A (en) * 2021-07-23 2021-11-09 谭静 Network security communication method and device of terminal equipment based on big data
CN113630390B (en) * 2021-07-23 2023-09-01 国网湖北省电力有限公司荆州供电公司 Network security communication method and device of terminal equipment based on big data
CN114389876A (en) * 2022-01-13 2022-04-22 平安普惠企业管理有限公司 Security policy enforcement method, device, equipment and storage medium
CN114416251A (en) * 2022-01-14 2022-04-29 阿里巴巴(中国)有限公司 Cloud desktop management method and computer storage medium
CN115643109A (en) * 2022-12-21 2023-01-24 四川汉科计算机信息技术有限公司 Remote control method, system, equipment and medium based on virtualization platform

Also Published As

Publication number Publication date
WO2018000891A1 (en) 2018-01-04

Similar Documents

Publication Publication Date Title
CN107547480A (en) A kind of method, apparatus and virtual desktop management system of virtual desktop security control
CN111355780B (en) Internet of things monitoring management method and system based on block chain
CN101986651B (en) Remote storage method, remote storage system and client
CN100450033C (en) Administration of access to computer resources on a network
CN104753817B (en) A kind of cloud computing Message Queuing Services local analogy method and system
CN105991734B (en) A kind of cloud platform management method and system
CN101901315B (en) Security isolation and monitoring management method of USB mobile storage media
JP2019536380A (en) Method, apparatus and system for realizing cross-chain communication of blockchain
CN105765901B (en) Intelligent firewall access rule
CN102523197B (en) Enterprise's social information exchange method, server and enterprise's social networking system
Kelbert et al. Data usage control enforcement in distributed systems
CN107153565A (en) Configure the method and its network equipment of resource
CN107430666A (en) Tenant's lock box
CN105871930A (en) Self-adaptive firewall security policy configuration method and system based on applications
CN112532718B (en) Block chain based offshore equipment data sharing system, method and medium
CN107426152B (en) Multitask security isolation system and method under cloud platform actual situation Interconnection Environment
CN108965289A (en) A kind of network security collaboration means of defence and system
CN206686205U (en) The multiple-protection network architecture
CN103795530B (en) A kind of method, device and the main frame of cross-domain controller certification
CN103685608A (en) Method and device for automatically configuring IP (Internet Protocol) address of security virtual machine
CN110474897A (en) A kind of file permission management system
CN106716968A (en) Account management method, device and account management system
CN111786954A (en) Power grid data access method based on block chain and user role control and computer equipment
CN108390886A (en) Educate big data secure access control system
CN109451071A (en) A kind of trust data grid system based on block chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 2018-01-05