CN107547480A - A kind of method, apparatus and virtual desktop management system of virtual desktop security control - Google Patents
Publication number: CN107547480A (application CN201610488502.2A)
Authority: CN (China)
Prior art keywords: access device, server, security strategy, data, management node
Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The present invention provides a method of virtual desktop security control. A security control policy is preset in a management node; the security control policy includes at least one typical scenario and a security policy corresponding to each typical scenario, where each typical scenario is a combination of a user type, an access device type and a remote desktop type, and each security policy includes at least one security control item. The method includes: receiving a connection request sent by an access device, the connection request being used by the access device to request a connection with a server; obtaining the user type, access device type and remote desktop type carried in the connection request and comparing them with the typical scenarios in the security control policy, so as to determine the typical scenario matching the connection request and the security policy corresponding to that typical scenario; and sending indication information to the access device according to the determined security policy, the indication information instructing the access device to establish a connection with the server. The information security of enterprise business is improved in this way.
Description
Technical field
The present invention relates to the security field, and in particular to a method, apparatus and virtual desktop management system for virtual desktop security control.
Background technology
With the development of remote desktop and virtualization technology, more and more enterprises choose virtual desktops for daily office work, which improves the efficiency with which enterprise office resources are managed.
In the prior art, a virtual desktop infrastructure (Virtual Desktop Infrastructure, VDI) mainly includes a virtual desktop management system, servers and access devices. The virtual desktop management system implements the management and control functions for remote access to virtual desktops. Virtualization software deployed on a server forms at least one virtual machine; an administrator can assign servers or virtual machines to users in advance in the virtual desktop management system and configure different permissions for each user. The management system can group several assigned servers or virtual machines into a desktop group and control, through the desktop group, the operating permissions for remote access to the servers or virtual machines in the group, for example whether a server or virtual machine is allowed to use external devices such as Universal Serial Bus (USB) flash drives during a remote connection. Thus, when a user remotely accesses a server or virtual machine, enforcement of the security control policy depends on the user's operating permissions and on the remote-access operating permissions allowed by the server or virtual machine. However, as the application scenarios of virtual desktops keep expanding, permission control based only on the relationship between a user and the servers or virtual machines assigned to that user cannot achieve differentiated control of access security across different access scenarios, so the information security of enterprise business cannot be effectively guaranteed.
The content of the invention
Embodiments of the invention provide a method, apparatus and virtual desktop management system for virtual desktop security control. A security control policy can be preset in a management node; the management node compares the user type, access device type and remote desktop type carried in each connection request with the security control policy, determines the typical scenario matching this connection request and the security policy corresponding to the matched typical scenario, and thereby applies differentiated control to different connection requests, improving the information security of enterprise business.
To achieve the above object, the present invention adopts the following technical scheme:
In a first aspect, a method of virtual desktop security control is provided, characterised in that a security control policy is preset in a management node, the security control policy includes at least one typical scenario and a security policy corresponding to each of the at least one typical scenario, each of the at least one typical scenario is a combination of a user type, an access device type and a remote desktop type, and each security policy includes at least one security control item; the method includes:
the management node receives a connection request sent by an access device, the connection request being used by the access device to request a connection with a server;
the management node obtains the user type, access device type and remote desktop type carried in the connection request;
the management node compares the user type, access device type and remote desktop type carried in the connection request with the at least one typical scenario in the security control policy, and determines the typical scenario matching the connection request and the security policy corresponding to the matched typical scenario;
the management node sends indication information to the access device according to the determined security policy, the indication information instructing the access device to establish a connection with the server.
Specifically, an administrator can also preset the security control policy in the virtual desktop management system through the management node. The security control policy can be preset according to user type, access device type and remote desktop type, and includes trust levels (credit levels), security policies and typical scenarios. In a specific implementation, the administrator determines the typical scenarios from the user types, access device types and remote desktop types according to the needs of the business scenario; each typical scenario corresponds to one security policy, and each security policy in turn corresponds to one trust level.
Alternatively, the security control policy can also be preset according to user type, access device type, remote desktop type and access network environment type.
It should be noted that the security control policy preset by the administrator can be stored in a predefined file or database table in the management node, or in another storage form; the present invention is not restricted in this respect.
Alternatively, after presetting the security control policy in the management node, the administrator can add or update trust levels, security policies and typical scenarios according to business needs, so as to adapt to changes in the enterprise's information security requirements. It should be noted that an updated security control policy takes effect only for new connection requests received after the update.
Alternatively, if the user type, access device type, access network environment type and remote desktop type carried in a connection request are compared with the preset security control policy and no matching typical scenario is found, a preset default security policy can be applied.
Those skilled in the art will understand that a virtual desktop is one kind of remote desktop. After the virtual desktop management system has established the assignment relationship between a user and a virtual machine, the user can send a request to connect to the virtual machine to the virtual desktop management system from any access device over any type of access network environment; the trust level takes effect only for this connection request.
From the foregoing description, the administrator presets a security control policy in the management node, that is, forms at least one typical scenario from combinations of user type, access device type and remote desktop type, with each typical scenario corresponding to one security policy. When a user requests a connection with a remote desktop through an access device, the user type, access device type and remote desktop type carried in this connection request are compared with the typical scenarios in the security control policy to determine the typical scenario matching this connection request and the security policy corresponding to the matched typical scenario, and the determined security policy requires different security control items to be implemented on the access device and on the server. Compared with prior-art security control that relies on the user's operating permissions and on the remote-access operating permissions allowed by the server or virtual machine, this allows differentiated security control of connection requests under different scenarios and raises the information security of the virtual desktop infrastructure.
With reference to the possible implementation of the first aspect, in a first possible implementation of the first aspect the method further includes:
the management node sends the determined security policy to the server, the determined security policy including at least one of collecting GPS data, camera data and microphone data of the access device;
the management node receives access device data sent by the server, the access device data having been obtained by the access device, as notified by the server, according to the determined security policy;
the management node stores the access device data.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the access device obtaining the access device data according to the determined security policy specifically includes:
the access device receives the determined security policy sent by the server;
the access device collects the access device data according to the requirements of the determined security policy;
the access device sends the access device data to the server.
With reference to the possible implementation of the first aspect, in a third possible implementation of the first aspect, the method further includes:
the management node sends the determined security policy to the server, the determined security policy including at least one of file system redirection, clipboard redirection and digital watermarking, so that the server, based on the determined security policy:
maps the file system of the server to the access device; or
passes the clipboard content of the server to the access device; or
adds a watermark to the images sent by the server to the access device.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the method further includes:
the server sends the determined security policy to the access device, so that the access device, based on the determined security policy:
maps the file system of the access device to the server; or
passes the clipboard content of the access device to the server; or
adds a watermark to the images of the access device.
From the above description, in accordance with the requirements of the security policy matching this connection request, Global Positioning System (GPS) data, camera data and microphone data of the access device are collected and stored in the management node. Compared with the prior art, collecting and storing access device data allows periodic security audits of connection requests in the virtual desktop management system, improving enterprise information security. On the other hand, for each connection request, different security control items are implemented on the access device and on the server respectively, which solves the prior-art problem that differentiated control cannot be achieved under different access scenarios and thus improves the information security of enterprise business.
Alternatively, in another possible embodiment of the present invention, when the security control policy is preset, a score range is preset for each trust level, and a score is assigned to each type among the user type, access device type, access network environment type and remote desktop type carried in a connection request. For example, an access device that is a mobile device scores 5 points, while a personal computer or thin client scores 10 points; an ordinary user scores 5 points and a special user scores 10 points; intranet access scores 10 points and extranet access scores 5 points; a general virtual machine scores 5 points and a special virtual machine scores 10 points. By obtaining the access information types, the user type, access device type, access network environment type and remote desktop type carried in this connection request are scored, the total score of this connection request is compared with the preset score ranges, the score range matching this connection request and the security policy corresponding to that score range are determined, and the security policy is implemented on the access device and the server. This method likewise solves the prior-art problem of being unable to apply differentiated security control to different connection requests, and improves the information security of the enterprise.
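The two policy-selection schemes described above (typical-scenario matching with a default policy, and the scoring variant) as an added Python example; this is not code from the patent. The point values are the ones the text gives; the scenarios, control items, trust levels and score ranges are constructed assumptions.

```python
"""Policy selection for a VDI connection request, modelled on the two schemes
the patent describes: matching the request's (user type, access device type,
remote desktop type) tuple against preset typical scenarios with a default
policy when nothing matches, and the scoring variant, which also counts the
access network type and maps the total onto preset score ranges."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ConnectionRequest:
    """Access information carried in a connection request (values constructed)."""
    user_type: str       # "ordinary" or "special"
    device_type: str     # "mobile", "pc" or "thin_client"
    desktop_type: str    # "general_vm" or "special_vm"
    network_type: str    # "intranet" or "extranet"


@dataclass(frozen=True)
class SecurityPolicy:
    """A trust level plus the security control items to enforce."""
    trust_level: str
    control_items: FrozenSet[str]


# Scheme 1: typical scenario -> security policy. A scenario is the combination
# user type / access device type / remote desktop type; entries are constructed.
TYPICAL_SCENES: Dict[Tuple[str, str, str], SecurityPolicy] = {
    ("special", "pc", "special_vm"): SecurityPolicy(
        "high", frozenset({"file_system_redirect", "clipboard_redirect"})),
    ("ordinary", "thin_client", "general_vm"): SecurityPolicy(
        "medium", frozenset({"clipboard_redirect", "watermark"})),
    ("ordinary", "mobile", "general_vm"): SecurityPolicy(
        "low", frozenset({"collect_gps", "collect_camera", "watermark"})),
}

# Preset default policy, applied when no typical scenario matches (constructed).
DEFAULT_POLICY = SecurityPolicy(
    "default", frozenset({"collect_gps", "collect_microphone", "watermark"}))


def match_typical_scene(req: ConnectionRequest,
                        scenes: Dict[Tuple[str, str, str], SecurityPolicy] = TYPICAL_SCENES,
                        default: SecurityPolicy = DEFAULT_POLICY) -> SecurityPolicy:
    """Compare the request's access information with the preset typical scenarios."""
    key = (req.user_type, req.device_type, req.desktop_type)
    return scenes.get(key, default)


# Scheme 2: the point values stated in the patent text.
POINTS: Dict[str, Dict[str, int]] = {
    "device_type": {"mobile": 5, "pc": 10, "thin_client": 10},
    "user_type": {"ordinary": 5, "special": 10},
    "network_type": {"intranet": 10, "extranet": 5},
    "desktop_type": {"general_vm": 5, "special_vm": 10},
}


def score_request(req: ConnectionRequest) -> int:
    """Total score of a connection request; unknown type values are rejected."""
    total = 0
    for field_name, table in POINTS.items():
        value = getattr(req, field_name)
        if value not in table:
            raise ValueError(f"unknown {field_name}: {value!r}")
        total += table[value]
    return total


# Score range per trust level (constructed; totals lie between 20 and 40).
SCORE_RANGES: List[Tuple[int, int, SecurityPolicy]] = [
    (20, 25, SecurityPolicy("low", frozenset({"collect_gps", "collect_camera", "watermark"}))),
    (26, 35, SecurityPolicy("medium", frozenset({"watermark"}))),
    (36, 40, SecurityPolicy("high", frozenset({"file_system_redirect", "clipboard_redirect"}))),
]


def match_score_range(req: ConnectionRequest,
                      ranges: List[Tuple[int, int, SecurityPolicy]] = SCORE_RANGES,
                      default: SecurityPolicy = DEFAULT_POLICY) -> SecurityPolicy:
    """Score the request and select the policy of the matching score range."""
    total = score_request(req)
    for low, high, policy in ranges:
        if low <= total <= high:
            return policy
    return default


if __name__ == "__main__":
    demo = ConnectionRequest("ordinary", "mobile", "general_vm", "extranet")
    print(score_request(demo), match_score_range(demo).trust_level)
```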
It should be understood that in the various embodiments of the present invention, the size of the sequence numbers of the above processes does not imply an order of execution; the execution order of each process should be determined by its function and internal logic and should not constitute any limitation on the implementation of the embodiments of the present invention.
In summary, in the security control method provided by the embodiments of the present invention, a security control policy is preset in the management node; the user type, access device type and remote desktop type carried in each connection request are compared with the preset security control policy to determine the typical scenario matching this connection request and the security policy corresponding to that typical scenario, and different security policies are implemented on the access device and the server of this connection request. Compared with the prior art, this solves the problem that the security of connection requests cannot be controlled differentially under different access scenarios, and improves the information security of the enterprise. In addition, according to the requirements of the security policy, access device data such as GPS data, camera data and microphone data are collected on the access device, so that connection requests with a lower trust level in the virtual desktop infrastructure can be security-audited, which strengthens the protection of enterprise business information security.
In a second aspect, embodiments of the present invention provide a method of virtual desktop security control, the method including:
an access device sends a connection request to a management node, the connection request being used by the access device to request a connection with a server, so that the management node determines the security policy of the connection request and sends the determined security policy to the server;
the access device receives the determined security policy sent by the server, the determined security policy including at least one of collecting GPS data, camera data and microphone data;
the access device collects access device data according to the requirements of the security policy of the connection request;
the access device sends the access device data to the server.
It should be noted that the camera data or microphone data collected by the access device can be real-time data or data already stored on the access device; likewise, the camera data or microphone data collected by the access device can be a complete piece of data or part of a complete piece of data; the present invention is not restricted in this respect.
Alternatively, when the security policy received by the access device requires access device data to be returned, the access device interface can display a corresponding prompt and decision information. If the user allows the access device data to be collected, the access device data are returned and the user is allowed to continue the operation of logging in to the virtual machine; if the user does not allow the access device data to be collected, this connection request is interrupted.
With reference to the possible implementation of the second aspect, in a first possible implementation of the second aspect, the determined security policy further includes at least one of file system redirection, clipboard redirection and digital watermarking, and the access device, based on the security policy of the connection request:
maps the file system of the access device to the server; or
passes the clipboard content of the access device to the server; or
adds a watermark to the images of the access device.
From the above description, the access device can, according to the requirements of the security policy determined by the management node, collect access device data such as GPS data, camera data and microphone data on the access device, so that connection requests with a lower trust level in the virtual desktop infrastructure can be security-audited, improving the information security of enterprise business.
In a third aspect, embodiments of the present invention provide a method of virtual desktop security control, the method including:
a server receives a security policy sent by a management node, the security policy including at least one of Global Positioning System data, camera data and microphone data;
the server sends the security policy to an access device, so that the access device collects access device data according to the requirements of the security policy;
the server receives the access device data sent by the access device;
the server sends the access device data to the management node, so that the management node stores the access device data.
With reference to the possible implementation of the third aspect, in a first possible implementation of the third aspect, the security policy further includes at least one of file system redirection, clipboard redirection and digital watermarking, and the server, based on the security policy:
maps the file system of the server to the access device; or
passes the clipboard content of the server to the access device; or
adds a watermark to the images sent by the server to the access device.
From the above description, the server can implement different security control items based on the security policy determined by the management node, send the security policy to the access device, and forward the access device data returned by the access device to the management node, where the access device data are stored. Compared with the prior art, the virtual desktop management system can implement different security policies according to the access information of the access device and store the access device data returned by the access device, which facilitates subsequent security audits of connection requests with a lower trust level and improves the information security of enterprise business.
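The data-collection exchange of the first, second and third aspects, simulated in-process as an added example (not the patent's own code): the management node, server and access device are simple classes, the user prompt on the access device is a callback, and all sensor data and message names are constructed.

```python
"""Simulation of the exchange the patent describes: the management node sends the
determined security policy to the server, the server forwards it to the access
device, the access device prompts the user and either collects the requested
data or interrupts the connection request, the server relays the data, and the
management node stores it for later audit. Sample data are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Control items that require the access device to return data, and the data
# source each one draws on.
COLLECT_ITEMS: Dict[str, str] = {
    "collect_gps": "gps",
    "collect_camera": "camera",
    "collect_microphone": "microphone",
}


@dataclass(frozen=True)
class SecurityPolicy:
    trust_level: str
    control_items: FrozenSet[str]


class ManagementNode:
    """Stores access device data returned for a connection request (for audit)."""

    def __init__(self) -> None:
        self.audit_store: List[Tuple[str, Dict[str, object]]] = []

    def store_access_device_data(self, request_id: str, data: Dict[str, object]) -> None:
        self.audit_store.append((request_id, data))


class AccessDevice:
    """Holds (constructed) sensor data and a consent callback standing in for the UI prompt."""

    def __init__(self, sensors: Dict[str, object], consent: Callable[[List[str]], bool]) -> None:
        self.sensors = sensors
        self.consent = consent
        self.log: List[str] = []

    def handle_policy(self, policy: SecurityPolicy) -> Optional[Dict[str, object]]:
        """Return the requested data, or None when the user declines (request interrupted)."""
        wanted = [COLLECT_ITEMS[item] for item in sorted(policy.control_items) if item in COLLECT_ITEMS]
        if not wanted:
            return {}                       # nothing to return, no prompt needed
        self.log.append(f"prompt user: collect {', '.join(wanted)}")
        if not self.consent(wanted):
            self.log.append("user declined; connection request interrupted")
            return None
        return {source: self.sensors[source] for source in wanted}


class Server:
    """Applies server-side items, forwards the policy and relays returned data."""

    def __init__(self, mgmt: ManagementNode) -> None:
        self.mgmt = mgmt
        self.log: List[str] = []

    def apply_policy(self, request_id: str, policy: SecurityPolicy, device: AccessDevice) -> str:
        for item in ("file_system_redirect", "clipboard_redirect", "watermark"):
            if item in policy.control_items:
                self.log.append(f"server-side item enabled: {item}")
        self.log.append("policy forwarded to access device")
        data = device.handle_policy(policy)
        if data is None:
            return "interrupted"            # user refused collection: no login
        if data:
            self.log.append(f"relayed {len(data)} data item(s) to management node")
            self.mgmt.store_access_device_data(request_id, data)
        return "connected"


def run_exchange(policy: SecurityPolicy, consent_granted: bool) -> Tuple[str, int]:
    """Drive one connection request; returns (outcome, number of stored audit records)."""
    mgmt = ManagementNode()
    server = Server(mgmt)
    device = AccessDevice(
        sensors={"gps": (31.23, 121.47), "camera": b"<jpeg bytes>", "microphone": b"<pcm bytes>"},
        consent=lambda wanted: consent_granted,
    )
    outcome = server.apply_policy("req-0001", policy, device)
    return outcome, len(mgmt.audit_store)


if __name__ == "__main__":
    low = SecurityPolicy("low", frozenset({"collect_gps", "collect_camera", "watermark"}))
    print(run_exchange(low, True), run_exchange(low, False))
```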
In a fourth aspect, the present invention provides a virtual desktop management system, the virtual desktop management system including a server, a management node and an access device:
the management node is used to preset a security control policy, the security control policy including at least one typical scenario and a security policy corresponding to each of the at least one typical scenario, each of the at least one typical scenario being a combination of a user type, an access device type and a remote desktop type, and each security policy including at least one security control item;
the management node is further used to: obtain the user type, access device type and remote desktop type carried in a connection request sent by the access device; compare the user type, access device type and remote desktop type carried in the connection request with the at least one typical scenario in the security control policy, and determine the typical scenario matching the connection request and the security policy corresponding to the matched typical scenario; and send indication information to the access device according to the determined security policy, the indication information instructing the access device to establish a connection with the server;
the access device is used to send a connection request to the management node, the connection request being used by the access device to request a connection with the server; and is further used to receive the indication information sent by the management node, the indication information instructing the access device to establish a connection with the server;
the server is used to establish a connection with the access device according to the indication information.
With reference to the possible implementation of the fourth aspect, in a first possible implementation of the fourth aspect, the virtual desktop management system further includes:
the management node is further used to send the determined security policy to the server, the security policy of the connection request including at least one of collecting GPS data, camera data and microphone data; receive the access device data sent by the server, the access device data having been obtained by the access device, as notified by the server, according to the requirements of the determined security policy; and store the access device data;
the server is further used to receive the determined security policy sent by the management node; send the determined security policy to the virtual machine; and send the access device data to the management node;
the access device is further used to receive the determined security policy sent by the server; collect the access device data according to the requirements of the determined security policy; and send the access device data to the server.
By presetting a security control policy in the management node, when a user requests a connection with the server through different access devices, the management node can compare the user type, access device type and remote desktop type with the typical scenarios in the security control policy to determine the typical scenario matching this connection request and the security policy corresponding to the matched typical scenario. Compared with the prior art, in which the security of a connection request is controlled only through the user's or the virtual machine's operating permissions, this achieves differentiated control of connection requests in different scenarios and strengthens the enterprise's information security protection. On the other hand, according to the requirements of the security policy, access device data such as GPS data, camera data and microphone data are collected on the access device, so that connection requests with a lower trust level in the virtual desktop infrastructure can be security-audited, improving the information security of enterprise business.
In a fifth aspect, the present invention provides a management node including a processor, a memory, a communication interface and a system bus. The processor, memory and communication interface are connected by the system bus and communicate with each other. The memory stores computer-executable instructions; when the virtual desktop management system runs, the processor executes the computer-executable instructions in the memory so as to perform, using the hardware resources in the virtual desktop management system, the method described in any one of the first aspect, the first possible implementation of the first aspect and the third possible implementation of the first aspect.
By presetting a security control policy in the management node, when a user requests a connection with the server through different access devices, the management node can match the user type, access device type, access network environment type and remote desktop type carried in the connection request against the preset security control policy and determine the security policy of this connection request. Compared with the prior art, this achieves differentiated control of connection requests in different scenarios and strengthens the enterprise's information security protection. On the other hand, according to the requirements of the security policy, access device data such as GPS data, camera data and microphone data are collected on the access device, so that connection requests with a lower trust level in the virtual desktop infrastructure can be security-audited, improving the information security of enterprise business.
In a sixth aspect, the present invention provides an access device including a processor, a memory, a communication interface and a system bus. The processor, memory and communication interface are connected by the system bus and communicate with each other. The memory stores computer-executable instructions; when the virtual desktop management system runs, the processor executes the computer-executable instructions in the memory so as to perform, using the hardware resources in the virtual desktop management system, the method described in the second aspect and the first possible implementation of the second aspect.
From the above description, the access device can collect access device data such as GPS data, camera data and microphone data on the access device according to the requirements of the security policy determined by the management node and return them to the management node for storage. Compared with the prior art, storing the access device data in the management node allows periodic security audits of connection requests in the virtual desktop infrastructure, improving the information security of enterprise business.
In a seventh aspect, the present invention provides a server including a processor, a memory, a communication interface and a system bus. The processor, memory and communication interface are connected by the system bus and communicate with each other. The memory stores computer-executable instructions; when the virtual desktop management system runs, the processor executes the computer-executable instructions in the memory so as to perform, using the hardware resources in the virtual desktop management system, the method described in the third aspect and the first possible implementation of the third aspect.
The server can implement different security control items based on the security policy determined by the management node, send the security policy to the access device, and forward the access device data returned by the access device to the management node, where the access device data are stored. Compared with the prior art, the virtual desktop management system can implement different security policies according to the access information of the access device and store the access device data returned by the access device, which facilitates subsequent security audits of connection requests with a lower trust level and improves the information security of enterprise business.
In an eighth aspect, a computer-readable medium is provided for storing a computer program, the computer program including instructions for performing the method of the first aspect or of any possible implementation of the first aspect.
In summary, by presetting a security control policy in the management node, when a user requests a connection with the server through different access devices, the management node can match the user type, access device type, access network environment type and remote desktop type carried in the connection request against the preset security control policy and determine the security policy of this connection request. Compared with the prior art, this achieves differentiated control of connection requests in different scenarios and strengthens the enterprise's information security protection. On the other hand, according to the requirements of the security policy, access device data such as GPS data, camera data and microphone data are collected on the access device, so that connection requests with a lower trust level in the virtual desktop infrastructure can be security-audited, improving the information security of enterprise business.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings required for the embodiments are briefly described below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative work.
Fig. 1 is a schematic diagram of a virtual desktop infrastructure in the prior art;
Fig. 2 is a schematic flow chart of a method of virtual desktop security control provided by an embodiment of the present invention;
Fig. 3 is a schematic flow chart of another method of virtual desktop security control provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of a virtual desktop management system provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of a management node provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of an access device provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of a virtual machine provided by an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic diagram of a virtual desktop infrastructure (Virtual Desktop Infrastructure, VDI). As shown, the virtual desktop architecture includes a virtual desktop management system, an access gateway, access devices and servers, where the access devices include personal computers (Personal Computer, PC), thin clients (Thin Client, TC) and mobile devices.
The virtual desktop management system realizes the management and control functions for remote desktop access. It can include a management node, a domain server, a log server, a network access server and a license authorization server, and may also include other kinds of management components. Each management component in the management system can be deployed on a server or as a virtual machine; the present invention does not restrict this.
A user can access a remote desktop through the virtual desktop management system. The remote desktop can be the operating system installed on a server, or the operating system of a virtual machine created by virtualization software deployed on a server. Remote desktops can be divided into several types according to their attributes. For example, by purpose they can be divided into office-type remote desktops and conference-type remote desktops used to join meetings; by the network planning of the data center where the remote desktop is located, into general remote desktops and special remote desktops; and by whether the operating system is encrypted, into secure remote desktops and general remote desktops.
An administrator can assign servers or virtual machines to users in advance in the virtual desktop management system and record the assignment relationship. When a user logs in with an account and password through the web interface provided by the network access server, the virtual desktop management system shows in the web interface all servers or virtual machines assigned to that user, and the user can select any of them to access. Users can be divided by authority into ordinary users and special users.
For example, the virtual desktop management system assigns ordinary user A one general virtual machine and one special virtual machine, and assigns special user B one special virtual machine. When user A logs in with an account and password through the web interface provided by the network access server, the web interface shows the two virtual machines assigned to user A, and the user can select either of them to access. The management system sends the security strategy to the access device and to the virtual machine the user needs to access; only after the access device and that virtual machine have implemented the security control items can the user log in to the virtual machine and perform office operations.
A virtual desktop agent is deployed in each remote desktop and in each access device; the agent in the remote desktop is the service end and the agent in the access device is the client. The management system can manage and monitor the access devices and remote desktops through the desktop agents, and the processing of the virtual desktop protocol between a remote desktop and an access device can also be completed by the desktop agents.
Thus, a user can use an access device to communicate over Ethernet, via the access gateway, with the virtual desktop management system and the remote desktop, realizing remote access to the virtual desktop. In a specific implementation, different access network environment types can be distinguished by the access gateway used; for example, the virtual desktop network type can be divided into intranet and external network according to the security of the local area network.
In addition, the administrator can preset a security control strategy in the management node. Specifically, the security control strategy can be preset according to user type, access device type and remote desktop type, and it includes credit ranks, security strategies and typical scenes. According to the requirements of the business scenarios in a specific implementation, the administrator determines typical scenes from user type, access device type and remote desktop type; each typical scene corresponds to one security strategy, and each security strategy in turn corresponds to one credit rank.
Alternatively, the security control strategy can also be preset according to user type, access device type, remote desktop type and access network environment type.
By way of example, Table 1 gives the specific content of one embodiment of a security control strategy.
Table 1 Security control strategy
As shown in Table 1, the administrator presets the security control strategy in the management node according to user type, access network environment type, access device type and remote desktop type. Assume that user types include ordinary users and special users; access network environments include intranet and external network; access devices include mobile devices, PCs and thin clients; the remote desktops are virtual machines, whose types include general virtual machines and special virtual machines. Examples of typical scenes are then as shown in Table 1:
Typical scene one: a special user accesses a special virtual machine using a mobile device on the external network. This scene is qualified by all four conditions (user type, access network environment, access device and remote desktop type). The security strategy corresponding to this typical scene is implemented for its connection requests, namely the user is not allowed to access the remote desktop; its credit rank is lowest.
Typical scene two: a special user accesses a general virtual machine using a mobile device on the external network, again qualified by all four conditions. The corresponding security strategy is implemented for connection requests of this scene; its credit rank is extremely low.
Typical scene three: a virtual machine is accessed using a mobile device on the external network, with neither user type nor remote desktop type restricted. This typical scene therefore covers four combinations: an ordinary user accessing a general virtual machine, an ordinary user accessing a special virtual machine, a special user accessing a general virtual machine, and a special user accessing a special virtual machine, each using a mobile device on the external network. Of these, a special user accessing a special virtual machine is the typical scene with the lowest credit rank, and a special user accessing a general virtual machine is the typical scene with an extremely low credit rank. Apart from those two scenes, connection requests of the remaining two combinations (an ordinary user accessing a general virtual machine, and an ordinary user accessing a special virtual machine, using a mobile device on the external network) are given the security strategy corresponding to this typical scene; its credit rank is low.
Typical scene four: a special virtual machine is accessed using a thin client on the external network, with user type not restricted. This typical scene covers an ordinary user and a special user accessing a special virtual machine using a thin client on the external network; it does not overlap with other typical scenes in the security control strategy, so the corresponding security strategy is implemented for connection requests of this scene; its credit rank is middle.
Typical scene five: a virtual machine is accessed using a PC on the intranet, with neither user type nor virtual machine type restricted. This covers an ordinary user accessing a general virtual machine, an ordinary user accessing a special virtual machine, a special user accessing a general virtual machine and a special user accessing a special virtual machine, each using a PC on the intranet. These do not overlap with other typical scenes in the security control strategy, so the corresponding security strategy is implemented for connection requests of this scene; its credit rank is high.
Typical scene six: a virtual machine is accessed using a thin client on the intranet, with neither user type nor virtual machine type restricted. This covers an ordinary user accessing a general virtual machine, an ordinary user accessing a special virtual machine, a special user accessing a general virtual machine and a special user accessing a special virtual machine, each using a thin client on the intranet. These do not overlap with other typical scenes in the security control strategy, so the corresponding security strategy is implemented for connection requests of this scene; its credit rank is high.
It should be explained that a typical scene in Table 1 can be a combination of user type, access device type, access network environment type and remote desktop type; each typical scene corresponds to one security strategy, and each security strategy includes at least one security control item.
In addition, the typical scenes listed in Table 1 are only an example; in a specific implementation the typical scenes can be established according to the information security requirements of the specific business scenario, and the present invention does not restrict this.
The following detailed description of the present invention takes the security control strategy shown in Table 1 as an example.
Further, six credit ranks are predefined, from lowest through extremely low, low, middle and high up to the highest rank. The lower the credit rank, the more security control items are implemented on the access device and the server for this connection request. A security control item marked "on" in a security strategy means the access device or the server of this connection request needs to perform the function of that item; an item marked "off" means the access device or the server need not perform it.
Specifically, a security strategy can include the following security control items:
Return Global Positioning System (Global Positioning System, GPS) data: the access device returns its GPS location data to the management node.
Return camera data: the access device collects camera data and returns it to the management node.
Return microphone data: the access device collects microphone data and returns it to the management node.
Digital watermark: a digital watermark is added to the image.
Clipboard redirection: transfers clipboard data from the access device to the server, or clipboard data from the server to the access device, so that data can be copied between access device and server.
File redirection: maps the file system of the access device into the server, or the file system of the server into the access device, so that the mapped file system can be read and written between access device and server.
It should be explained that the security control strategy shown in Table 1 is only an example and does not limit the present invention. In addition, clipboard redirection and file redirection can be controlled per direction, with different treatment in the two directions between access device and server: one direction is opened and the other closed. For example, the server delivers clipboard content to the access device, but the clipboard content of the access device is not delivered to the server. Beyond this, other possible security control items or other combinations of security strategies can be added. For example, when a mobile device running iOS or Android connects to the server, different credit ranks and security strategies can be applied according to whether the user has jailbroken iOS to obtain read/write permission on storage or has unlocked administrator rights. In a specific implementation, different strategies can be set according to the specific information security requirements; the present invention does not restrict this.
It should also be explained that the security control strategy preset by the administrator can be stored in the management node in a predefined file or database table, or in other storage forms; the present invention does not restrict this.
Alternatively, after presetting the security control strategy in the management node, the administrator can add or update credit ranks, security strategies and typical scenes according to business needs, adapting to changes in the enterprise's information security requirements. It should be noted that an updated security control strategy takes effect only for new connection requests made after the update.
Next, with reference to the foregoing description, Fig. 2 describes in detail the virtual desktop security control method provided by the present invention. The method includes:
S201. A security control strategy is preset in the management node. The security control strategy includes at least one typical scene and the security strategy corresponding to each typical scene; each typical scene is a combination of user type, access device type and remote desktop type, and each security strategy includes at least one security control item.
Alternatively, the security control strategy can also include credit ranks.
Specifically, the credit rank identifies the security control level of the connection request; each typical scene corresponds to one credit rank.
Alternatively, the management node can also preset the security control strategy according to the access network environment type.
By way of example, the administrator can preset in the management node the typical scenes, security strategies and credit ranks of the security control strategy shown in Table 1.
S202. The management node receives a connection request sent by an access device.
Specifically, the connection request is used by the access device to request establishing a connection with a server.
S203. The management node obtains the user type, access device type and remote desktop type carried in the connection request.
Alternatively, the management node can also obtain the access network environment type carried in the connection request.
By way of example, if a special user sends a request message to the virtual desktop management system to access a general virtual machine using a mobile device on the external network, the virtual desktop management system obtains from the access message of the connection request: special user, mobile device, external network and general virtual machine.
S204. The user type, access device type and remote desktop type carried in the connection request are compared with the at least one typical scene in the security control strategy, and the typical scene matching the connection request and the security strategy corresponding to that typical scene are determined.
Specifically, the management node compares the user type, access device type and remote desktop type carried in the connection request obtained in step S202 with the typical scenes in the security control strategy. If they match one of the typical scenes, the security strategy to be implemented for this connection request is determined to be the security strategy corresponding to the matching typical scene, and its credit rank is the credit rank corresponding to that scene.
By way of example, with the security control strategy shown in Table 1: if a special user sends a connection request to access a general virtual machine using a mobile device on the external network, comparing it with the typical scenes of each credit rank in Table 1 matches the typical scene with credit rank extremely low, namely "a special user accesses a general virtual machine using a mobile device on the external network"; the security strategy corresponding to that typical scene is determined to be the security strategy of this connection request, and its credit rank is extremely low. If an ordinary user sends a connection request to access a general virtual machine using a mobile device on the external network, comparing it with the typical scenes in the security control strategy of Table 1 matches "a virtual machine is accessed using a mobile device on the external network"; the security strategy corresponding to that typical scene is determined to be the security strategy of this connection request, and its credit rank is low.
Alternatively, if after comparing the user type, access device type, access network environment type and remote desktop type carried in the connection request with the preset security control strategy no typical scene matches, a preset default security strategy can be implemented.
By way of example, the management node can make the security strategy corresponding to the typical scene "a special virtual machine is accessed using a thin client on the external network" the preset default security strategy, so that the default credit rank is middle. If an ordinary user sends a connection request to access a general virtual machine using a mobile device on the intranet, the management node compares the user type, access device type, access network environment type and remote desktop type carried in this connection request and determines that none of the typical scenes listed in Table 1 matches; it then implements the predefined default security strategy for the access device and server of this connection request, namely the security strategy corresponding to the typical scene "a special virtual machine is accessed using a thin client on the external network", whose credit rank is middle.
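The scene matching of step S204, written out as an added example that is not part of the patent: a request's four attributes are compared with typical scenes in which unrestricted dimensions are wildcards, the most specific matching scene wins (which is how scenes one and two are carved out of scene three), and the preset default applies when nothing matches. The scene table, attribute values and scene names are a constructed approximation of the Table 1 description, not the patent's own data.

```python
"""Scene matching at the management node (step S204), as an added example.

The scene table below is a constructed approximation of the six typical
scenes described for Table 1; attribute values and scene names are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The four dimensions a connection request carries. The text makes the access
# network optional; this example always requires it.
DIMENSIONS = ("user_type", "device_type", "network", "desktop_type")


@dataclass(frozen=True)
class Scene:
    """A typical scene: each dimension is a value or None (not restricted)."""
    name: str
    rank: str
    user_type: Optional[str] = None
    device_type: Optional[str] = None
    network: Optional[str] = None
    desktop_type: Optional[str] = None

    def matches(self, request: Dict[str, str]) -> bool:
        # A scene matches when every restricted dimension equals the request's value.
        return all(getattr(self, d) is None or getattr(self, d) == request[d]
                   for d in DIMENSIONS)

    def specificity(self) -> int:
        # Number of restricted dimensions: a fully qualified scene (4) beats a
        # partially qualified one, so scenes one and two take precedence over
        # the broader scene three that also covers their attribute values.
        return sum(getattr(self, d) is not None for d in DIMENSIONS)


# Constructed scene table modelled on the text's description of Table 1.
SCENES: List[Scene] = [
    Scene("scene one", "lowest", "special", "mobile", "external", "special_vm"),
    Scene("scene two", "extremely low", "special", "mobile", "external", "general_vm"),
    Scene("scene three", "low", None, "mobile", "external", None),
    Scene("scene four", "middle", None, "thin_client", "external", "special_vm"),
    Scene("scene five", "high", None, "pc", "intranet", None),
    Scene("scene six", "high", None, "thin_client", "intranet", None),
]

# The text's example default: the strategy of scene four, credit rank middle.
DEFAULT_SCENE = SCENES[3]


def match_scene(request: Dict[str, str],
                scenes: List[Scene] = SCENES,
                default: Scene = DEFAULT_SCENE) -> Scene:
    """Return the typical scene whose security strategy applies to the request.

    A request missing a dimension is rejected rather than guessed, because a
    request that omitted its network could otherwise match a broad scene.
    """
    missing = [d for d in DIMENSIONS if d not in request]
    if missing:
        raise ValueError(f"connection request lacks {missing}")
    candidates = [s for s in scenes if s.matches(request)]
    if not candidates:
        return default          # no typical scene matched: preset default strategy
    best = max(candidates, key=Scene.specificity)
    ties = [s for s in candidates if s.specificity() == best.specificity()]
    if len(ties) > 1:
        # The text requires scenes not to overlap; an ambiguous table is a
        # configuration error, not something to resolve by picking one.
        raise ValueError(f"ambiguous scenes: {[s.name for s in ties]}")
    return best


def connection_allowed(scene: Scene) -> bool:
    """Scene one's strategy is 'do not allow access'; modelled here as the
    lowest credit rank refusing the connection (step S205)."""
    return scene.rank != "lowest"


def decide(request: Dict[str, str]) -> Dict[str, object]:
    """What the management node records for one connection request."""
    scene = match_scene(request)
    return {"scene": scene.name, "rank": scene.rank,
            "allowed": connection_allowed(scene)}


if __name__ == "__main__":
    # The three worked requests from the text.
    for req in (
        {"user_type": "special", "device_type": "mobile", "network": "external", "desktop_type": "general_vm"},
        {"user_type": "ordinary", "device_type": "mobile", "network": "external", "desktop_type": "general_vm"},
        {"user_type": "ordinary", "device_type": "mobile", "network": "intranet", "desktop_type": "general_vm"},
    ):
        print(decide(req))
```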
Those skilled in the art will understand that a virtual desktop is one kind of remote desktop. After the assignment relationship between a user and a virtual machine has been established in the virtual desktop management system, the user can send a request to connect to the virtual machine to the virtual desktop management system from any access device through any type of access network environment, and the credit rank takes effect only for that connection request.
By way of example, when ordinary user A connects to a special virtual machine from a mobile device on the external network, the management node determines that this connection request implements the security strategy corresponding to the typical scene "a virtual machine is accessed using a mobile device on the external network", with credit rank low; when ordinary user A later connects to the special virtual machine from a thin client on the intranet, the management node determines that this connection request implements the security strategy corresponding to the typical scene "a virtual machine is accessed using a thin client on the intranet", with credit rank high.
S205. The management node sends indication information to the access device according to the security strategy; the indication information instructs the access device to establish a connection with the server.
Specifically, when the security strategy allows the access device to establish a connection with the virtual machine, the management node sends the indication information to the access device, instructing it to establish the connection with the virtual machine. If the security strategy determined by the management node from the access information and the security control strategy does not allow the access device to establish a connection with the server, this connection request ends.
By way of example, with the security control strategy shown in Table 1: if a special user sends a connection request to the virtual desktop management system to access a special virtual machine using a mobile device on the external network, the management node determines that the security strategy for this connection request is restricted access and does not allow that special user to connect to the virtual machine, so this connection request is terminated.
Further, the access device establishes a connection with the server.
Specifically, a communication connection is established between the desktop agent of the access device and the desktop agent of the server.
Those skilled in the art will understand that in a virtual desktop architecture, the connection established between the access device and the server is only a communication connection between desktop agents, used to relay instructions and messages from the management node between the desktop agents. At this point the virtual machine and the access device still need to implement the corresponding security strategy before the user can log in to the operating system of the remote desktop.
Through the content described in steps S201 to S205, the administrator presets a security control strategy in the management node, that is, at least one typical scene formed from combinations of user type, access device type and remote desktop type, each typical scene corresponding to one security strategy. When a user requests through an access device to establish a connection with a remote desktop, the user type, access device type and remote desktop type carried in this connection request are compared with the typical scenes in the security control strategy, the typical scene matching this connection request and the security strategy corresponding to it are determined, and different security control items are implemented on the access device and the server according to the requirements of the determined security strategy. Compared with the prior art, where security control relies on the user's operating permissions and on the operating permissions the server or virtual machine grants for remote access, this allows differentiated security control of connection requests under different scenes and improves the information security of the virtual desktop architecture.
Further, the specific implementation process of the determined security strategy is shown in Fig. 3. The method includes:
S301. The management node sends the determined security strategy to the server.
Specifically, the determined security strategy is the security strategy determined by the method described for Fig. 2.
By way of example, with the security control strategy shown in Table 1, if a special user accesses a general virtual machine using a mobile device on the external network, the management node can send the following security strategy to the server:
return GPS data;
return camera data;
return microphone data;
add a digital watermark to the image;
close the clipboard redirection function;
close the file system redirection function.
S302. The server sends the determined security strategy to the access device.
Specifically, the server and the access device communicate through desktop agents; the desktop agent in the server forwards the determined security strategy from step S301 to the desktop agent in the access device.
S303. The access device collects access device data according to the requirements of the determined security strategy.
Specifically, the determined security strategy includes collecting at least one of GPS data, camera data and microphone data, and the access device collects access device data according to the requirements in the determined security strategy. In a specific implementation, different security strategies can be configured in the preset security control strategy such as that shown in Table 1 according to the needs of the specific business scenario, requiring or not requiring the return of access device data.
By way of example, if the security strategy corresponding to the typical scene matching the connection request requires returning GPS data, camera data and microphone data, then:
when the access device has a GPS device, the GPS module in the access device collects the GPS location information of the access device and sends it to the server through the desktop agent;
when the access device has a camera and/or microphone, the camera and/or microphone module in the access device collects camera images and/or microphone audio of the access device and sends them to the desktop agent in the virtual machine.
Alternatively, the access device data can also include the MAC address of the access device.
It should be explained that the camera data or microphone data collected by the access device can be real-time data or data already stored in the access device; likewise, it can be one complete segment of data or a part of the complete data. The present invention does not restrict this.
Alternatively, when the security strategy received by the access device requires returning access device data, the access device interface can show a prompt asking the user to decide. If the user allows the access device data to be collected, the access device data are returned and the user can continue the operation of logging in to the virtual machine; if the user does not allow it, this connection request is interrupted.
S304. The access device sends the access device data to the server.
S305. The server sends the access device data to the management node.
S306. The management node saves the access device data.
Specifically, the management node saves the access device data returned by the access device, recording the access device data of each connection request of each access device, so that periodic security audits of the system can be carried out.
S307. The access device implements the determined security strategy.
Specifically, based on the requirements of the determined security strategy, the access device turns the corresponding functions on or off on the access device: whether the access device's client file system is mapped to the server, whether the content of the access device's clipboard is passed to the server, and whether a watermark is added to the images on the access device.
By way of example, with the security control strategy shown in Table 1: if the user type, access device type and access network type carried in this connection request of the access device match the typical scene "a special user accesses a general virtual machine using a mobile device on the external network", with credit rank extremely low, then according to the requirements of the security strategy corresponding to the matching typical scene the access device needs to add a watermark to the images on the access device, does not need to map its client file system to the server, and does not need to pass its clipboard content to the server. If the user type, access device type and access network type carried in this connection request match the typical scene "a virtual machine is accessed using a PC on the intranet", then according to the requirements of the corresponding security strategy the access device needs to pass its clipboard content to the server, does not need to add a watermark to its images, and does not need to map its file system to the server.
S308. The server implements the determined security strategy.
Specifically, based on the requirements of the determined security strategy, the server turns the corresponding functions on or off on the server: whether its file system is mapped to the access device, whether the content of the server's clipboard is delivered to the access device, and whether a watermark is added to the server's images passed to the access device.
By way of example, with the security control strategy shown in Table 1: if this connection request of the access device is determined to match the typical scene "a special user accesses a general virtual machine using a mobile device on the external network", then according to the security strategy corresponding to that typical scene the server needs to add a watermark to the images passed to the access device, does not need to map its file system to the access device, and does not need to pass its clipboard content to the access device. If this connection request is determined to match the typical scene "a virtual machine is accessed using a PC on the intranet", then according to the corresponding security strategy the server needs to map its file system to the access device, does not need to pass its clipboard content to the access device, and does not need to add a watermark to the server's images passed to the access device.
From the above description, according to the requirements of the security strategy matching this connection request, the GPS data, camera data and microphone data of the access device are collected and stored in the management node. Compared with the prior art, collecting and saving access device data allows periodic security audits of the connection requests in the virtual desktop management system and improves the enterprise's information security. On the other hand, for each connection request, different security control items are implemented on the access device and on the server, which solves the problem in the prior art that differentiated control cannot be realized under different access scenes and thereby improves the information security of the enterprise's business.
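As an added example that is not the patent's own code, the following models how the access device and the server each apply their side of a determined security strategy (steps S303 and S306 to S308): the two worked policies reproduce the "extremely low" and "PC on the intranet" scenes above, clipboard and file redirection are kept as one switch per direction so that the one-way configurations the text describes can be expressed, a refused consent prompt interrupts the request, and the returned data is recorded for audit. The field names, request identifiers and sensor data are constructed.

```python
"""Enforcement of a determined security strategy (steps S301 to S308), as an
added example. Field names, the consent model and the sample device data are
assumptions; the two policies reproduce the worked scenes in the text."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    """Security control items of one security strategy.

    Clipboard and file redirection are two switches each because the text
    allows them to be opened in one direction and closed in the other.
    """
    return_gps: bool = False
    return_camera: bool = False
    return_microphone: bool = False
    watermark: bool = False
    clipboard_device_to_server: bool = False
    clipboard_server_to_device: bool = False
    files_device_to_server: bool = False
    files_server_to_device: bool = False


# Credit rank extremely low: special user, mobile device, external network, general VM.
EXTREMELY_LOW = Policy(return_gps=True, return_camera=True,
                       return_microphone=True, watermark=True)
# Credit rank high: any user, PC, intranet, any VM. Per the text, the device
# passes its clipboard to the server and the server maps its files to the
# device, but not the reverse in either case.
HIGH_PC_INTRANET = Policy(clipboard_device_to_server=True,
                          files_server_to_device=True)


def device_actions(policy: Policy) -> Dict[str, object]:
    """S307: what the access device switches on, and what data it must collect."""
    wanted = [name for name, on in (("gps", policy.return_gps),
                                    ("camera", policy.return_camera),
                                    ("microphone", policy.return_microphone)) if on]
    return {"map_files_to_server": policy.files_device_to_server,
            "send_clipboard_to_server": policy.clipboard_device_to_server,
            "watermark_images": policy.watermark,
            "collect": wanted}


def server_actions(policy: Policy) -> Dict[str, bool]:
    """S308: what the server switches on for this connection."""
    return {"map_files_to_device": policy.files_server_to_device,
            "send_clipboard_to_device": policy.clipboard_server_to_device,
            "watermark_images": policy.watermark}


def collect_device_data(policy: Policy, available: Dict[str, bytes],
                        user_consents: bool) -> Optional[Dict[str, bytes]]:
    """S303: gather only what the policy asks for and the device actually has.

    `available` maps a sensor name to its (constructed) data. When the policy
    requires device data and the user refuses the prompt, the connection is
    interrupted, signalled here by returning None. A device lacking a sensor
    simply returns nothing for it, as the text's "when the device has ..." implies.
    """
    wanted = device_actions(policy)["collect"]
    if not wanted:
        return {}                       # nothing to return, so no prompt is shown
    if not user_consents:
        return None
    return {name: available[name] for name in wanted if name in available}


@dataclass
class ManagementNode:
    """Keeps the returned device data per request for periodic audit (S306)."""
    audit_records: List[Dict[str, object]] = field(default_factory=list)

    def save_device_data(self, request_id: str, data: Dict[str, bytes]) -> int:
        self.audit_records.append({"request": request_id, "sensors": sorted(data)})
        return len(self.audit_records)


def run_connection(node: ManagementNode, request_id: str, policy: Policy,
                   available: Dict[str, bytes],
                   user_consents: bool) -> Optional[Dict[str, object]]:
    """Drive S303 to S308 for one connection; None means it was interrupted."""
    data = collect_device_data(policy, available, user_consents)        # S303
    if data is None:
        return None
    node.save_device_data(request_id, data)                               # S304 to S306
    return {"device": device_actions(policy), "server": server_actions(policy)}  # S307, S308


if __name__ == "__main__":
    node = ManagementNode()
    sample = {"gps": b"constructed-gps-fix", "camera": b"constructed-jpeg"}
    print(run_connection(node, "req-1", EXTREMELY_LOW, sample, user_consents=True))
    print(run_connection(node, "req-2", EXTREMELY_LOW, sample, user_consents=False))
    print(run_connection(node, "req-3", HIGH_PC_INTRANET, {}, user_consents=False))
    print(node.audit_records)
```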
Optionally, in another possible embodiment of the present invention, when presetting the security control policy, a preset score interval may also be set for each typical scenario, that is, for each combination of user type, access device type, access network environment type and remote desktop type, and a score is assigned to each of the user type, access device type, access network environment type and remote desktop type carried in a connection request. For example, when the access device is a mobile device it scores 5 points, and when the access device is a personal computer or a thin client it scores 10 points; an ordinary user scores 5 points and a special user scores 10 points; intranet access scores 10 points and extranet access scores 5 points; an ordinary virtual machine scores 5 points and a special virtual machine scores 10 points. When the management node receives a connection request, it obtains the user type, access device type, access network environment type and remote desktop type carried in the connection request and scores them, compares the total score of this connection request with the preset score interval corresponding to each typical scenario, determines the score interval matching this connection request and the security policy corresponding to that score interval, and implements that security policy on the access device and the server. Using the above method can likewise solve the problem in the prior art that different connection requests cannot be distinguished for differentiated security control, improving the information security of the enterprise.
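The two selection methods described above (exact typical-scene match, and the score-interval alternative with the point values given in the text), as an added example that is not code from the patent; the scene labels, control-item names and the three score intervals are assumptions:

```python
"""Policy selection in the management node: typical-scene match and score-interval match.

Added example; it is not code from the patent. The scene labels, control-item
names and the three score intervals are assumptions; the point values are the
ones given in the text (mobile 5, PC/thin client 10, ordinary user 5, special
user 10, intranet 10, extranet 5, ordinary VM 5, special VM 10).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Security control items a policy may carry (names are assumptions).
COLLECT_GPS, COLLECT_CAMERA, COLLECT_MIC = "collect_gps", "collect_camera", "collect_mic"
FS_REDIRECT, CLIPBOARD_REDIRECT, WATERMARK = "fs_redirect", "clipboard_redirect", "watermark"


@dataclass(frozen=True)
class Scene:
    """One combination of the four types carried in a connection request."""
    user_type: str      # "ordinary" | "special"
    device_type: str    # "mobile" | "pc" | "thin_client"
    network_env: str    # "intranet" | "extranet"
    desktop_type: str   # "ordinary_vm" | "special_vm"


@dataclass(frozen=True)
class Policy:
    name: str
    items: FrozenSet[str]


# Method 1: preset typical scenes, each with its own policy. The two scenes are
# the ones the text walks through; their policies follow its description.
SCENE_POLICIES: Dict[Scene, Policy] = {
    Scene("ordinary", "mobile", "extranet", "ordinary_vm"): Policy(
        "mobile-extranet", frozenset({COLLECT_GPS, COLLECT_CAMERA, COLLECT_MIC, WATERMARK})),
    Scene("ordinary", "pc", "intranet", "ordinary_vm"): Policy(
        "pc-intranet", frozenset({FS_REDIRECT})),
}


def match_scene(req: Scene) -> Optional[Policy]:
    """Exact comparison of the request's types with every preset typical scene."""
    return SCENE_POLICIES.get(req)


# Method 2: score each type, sum, and look the total up in a preset interval.
POINTS: Dict[str, Dict[str, int]] = {
    "user_type": {"ordinary": 5, "special": 10},
    "device_type": {"mobile": 5, "pc": 10, "thin_client": 10},
    "network_env": {"intranet": 10, "extranet": 5},
    "desktop_type": {"ordinary_vm": 5, "special_vm": 10},
}

# Assumed intervals (inclusive): a lower total means a less trusted request,
# so more data is collected and fewer redirections are granted.
INTERVAL_POLICIES: List[Tuple[Tuple[int, int], Policy]] = [
    ((20, 25), Policy("low-trust", frozenset({COLLECT_GPS, COLLECT_CAMERA, COLLECT_MIC, WATERMARK}))),
    ((26, 35), Policy("medium-trust", frozenset({COLLECT_GPS, WATERMARK, CLIPBOARD_REDIRECT}))),
    ((36, 40), Policy("high-trust", frozenset({FS_REDIRECT, CLIPBOARD_REDIRECT}))),
]


def score(req: Scene) -> int:
    """Total score of a request; an unknown type value raises KeyError rather than scoring 0."""
    return sum(table[getattr(req, name)] for name, table in POINTS.items())


def match_interval(req: Scene) -> Optional[Tuple[int, Policy]]:
    """Return (total, policy) for the interval containing the total, or None."""
    total = score(req)
    for (lo, hi), policy in INTERVAL_POLICIES:
        if lo <= total <= hi:
            return total, policy
    return None   # no interval matched: the caller should not instruct a connection


def server_actions(policy: Policy) -> Dict[str, bool]:
    """Server-side control items the text names: map FS, pass clipboard, watermark image."""
    return {
        "map_fs_to_device": FS_REDIRECT in policy.items,
        "pass_clipboard_to_device": CLIPBOARD_REDIRECT in policy.items,
        "watermark_image_to_device": WATERMARK in policy.items,
    }


def device_collection(policy: Policy) -> List[str]:
    """Data items the access device must collect and return for audit."""
    return sorted(i for i in policy.items if i.startswith("collect_"))
```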
It should be understood that, in the various embodiments of the present invention, the magnitude of the sequence numbers of the above processes does not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
In summary, in the security control method provided by the embodiments of the present invention, a security control policy is preset in the management node; the user type, access device type and remote desktop type carried in each connection request are compared with the preset security control policy to determine the typical scenario matching this connection request and the security policy corresponding to that typical scenario; and different security policies are implemented on the access device and the server of this connection request. Compared with the prior art, this solves the problem that the security of connection requests cannot be controlled in a differentiated way under different access scenarios, and improves the information security of the enterprise. In addition, by configuring in the security policy the function of returning access device data, the access device data of the connection request is recorded and stored, which facilitates security auditing and also strengthens the security protection of remote desktop access.
Fig. 4 is a schematic diagram of a virtual desktop management system 400 in an embodiment of the present invention. As shown, the virtual desktop management system includes a management node 401, a server 402 and an access device 403, where:
The management node 401 is configured to preset a security control policy, the security control policy including at least one typical scenario and a security policy corresponding to each of the at least one typical scenario, each of the at least one typical scenario being a combination of user type, access device type and remote desktop type, and each security policy including at least one security control item;
The management node 401 is further configured to: obtain the user type, access device type and remote desktop type carried in the connection request sent by the access device; compare the user type, access device type and remote desktop type carried in the connection request with the at least one typical scenario in the security control policy, and determine the typical scenario matching the connection request and the security policy corresponding to the matched typical scenario; and send indication information to the access device according to the determined security policy, the indication information being used to instruct the access device to establish a connection with the server;
The access device 403 is configured to send a connection request to the management node, the connection request being used by the access device to request establishment of a connection with the server;
The access device 403 is further configured to receive the indication information sent by the management node, the indication information being used to instruct the access device to establish a connection with the server.
The server 402 is configured to establish a connection with the access device according to the indication information.
Optionally, the management node 401 is further configured to: send the determined security policy to the server, the security policy of the connection request including collection of at least one of GPS data, camera data and microphone data; and receive the access device data sent by the server, the access device data being obtained by the access device after the server notifies it of the requirements of the determined security policy;
The server 402 is further configured to receive the determined security policy sent by the management node, send the determined security policy to the virtual machine, and send the access device data to the management node;
The access device 403 is further configured to receive the determined security policy sent by the server, collect the access device data according to the requirements of the determined security policy, and send the access device data to the server.
It should be noted that the above virtual desktop management system 400 is configured to perform the method described in any of Fig. 2 to Fig. 3, which will not be repeated here.
By presetting the security control policy in the management node, when a user requests to establish a connection with the server through different access devices, the virtual desktop management system 400 can compare the user type, access device type and remote desktop type with the security control policy, and determine the typical scenario matching this connection request and the security policy corresponding to the matched typical scenario. Compared with the prior art, which controls the security of a connection request only through the operating permissions of the user or the virtual machine, this achieves differentiated control of connection requests in different scenarios and strengthens the information security protection of the enterprise. On the other hand, according to the requirements of the security policy, access device data such as GPS data, camera data, microphone data and MAC address are collected on the access device, so that security audits can be carried out on connection requests with a relatively low trust level in the virtual desktop architecture, thereby improving the information security of enterprise operations.
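The optional data-return round trip of the Fig. 4 system (management node to server, server to access device, collected data back to the management node for storage and audit), as an added example that is not code from the patent; it assumes the connection request's security policy has already been determined, and its message field names and constructed sensor readings are assumptions:

```python
"""Optional data-return round trip of the Fig. 4 system and the audit record it yields.

Added example, not code from the patent. It assumes the connection request's
security policy has already been determined by the management node and models
management node -> server -> access device -> server -> management node.
Message field names and the constructed sensor readings are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Collection control items and the data key each one requires (names assumed).
COLLECTION_ITEMS: Dict[str, str] = {
    "collect_gps": "gps", "collect_camera": "camera", "collect_mic": "microphone"}


@dataclass
class AccessDevice:
    mac: str
    readings: Dict[str, str]     # constructed stand-ins for real sensor capture

    def collect(self, policy: Set[str]) -> Dict[str, str]:
        """Gather only what the policy asks for, plus the MAC address the text lists."""
        data = {"mac": self.mac}
        for item, key in COLLECTION_ITEMS.items():
            if item in policy and key in self.readings:
                data[key] = self.readings[key]
        return data


@dataclass
class Server:
    def forward_policy(self, policy: Set[str], device: AccessDevice) -> Dict[str, str]:
        """Server -> access device: policy; access device -> server: collected data."""
        return device.collect(policy)

    def control_items(self, policy: Set[str]) -> Dict[str, bool]:
        """Server-side items named in the text: map FS, pass clipboard, watermark image."""
        return {"map_fs_to_device": "fs_redirect" in policy,
                "pass_clipboard_to_device": "clipboard_redirect" in policy,
                "watermark_image_to_device": "watermark" in policy}


@dataclass
class ManagementNode:
    audit_log: List[dict] = field(default_factory=list)

    def handle(self, request_id: str, policy: Set[str],
               server: Server, device: AccessDevice) -> dict:
        """Send the policy to the server, receive the returned data, store an audit record."""
        data = server.forward_policy(policy, device)
        required = {COLLECTION_ITEMS[i] for i in policy if i in COLLECTION_ITEMS}
        missing = sorted(required - set(data))
        record = {
            "request_id": request_id,
            "policy": sorted(policy),
            "server_controls": server.control_items(policy),
            "access_device_data": data,
            "complete": not missing,      # every required item was returned
            "missing": missing,           # what a periodic audit should flag
        }
        self.audit_log.append(record)     # kept for later security audit
        return record
```

A record with `complete` false marks a connection whose access device did not return everything the policy required, which is the kind of entry a periodic audit over the stored records would single out.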
Above, with reference to Fig. 1 to Fig. 4, the virtual desktop security control method provided according to the embodiments of the present invention has been described in detail. Below, with reference to Fig. 5 to Fig. 6, the virtual desktop security control apparatus provided according to the embodiments of the present invention is described.
Fig. 5 is a schematic diagram of a management node 500 provided by the present invention. As shown, the management node 500 includes a processor 501, a memory 502, a communication interface 503 and a system bus 504; the processor 501, the memory 502 and the communication interface 503 are connected through the system bus 504 and communicate with one another. The memory 502 is used to store computer-executable instructions; when the virtual desktop management system runs, the processor 501 executes the computer-executable instructions in the memory 502 so as to perform the method of any one of Fig. 2 to Fig. 3 using the hardware resources in the virtual desktop management system.
It should be understood that, in the embodiments of the present invention, the processor 501 may be a CPU, or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 502 may include read-only memory and random access memory, and provides instructions and data to the processor 510. Part of the memory 502 may also include non-volatile random access memory. For example, the memory 502 may also store information on device types.
In addition to a data bus, the system bus 504 may also include a power bus, a control bus, a status signal bus and so on. For clarity of description, however, the various buses are all labelled as the system bus 504 in the figure.
By presetting the security control policy in the management node, when a user requests to establish a connection with the server through different access devices, the management node 500 can match the user type, access device type and remote desktop type carried in the connection request against the preset security control policy and determine the security policy of this connection request. Compared with the prior art, this achieves differentiated control of connection requests in different scenarios and strengthens the information security protection of the enterprise. On the other hand, according to the requirements of the security policy, access device data such as GPS data, camera data, microphone data and MAC address are collected on the access device, so that security audits can be carried out on connection requests with a relatively low trust level in the virtual desktop architecture, thereby improving the information security of enterprise operations.
Fig. 6 is a schematic diagram of an access device 600. As shown, the access device 600 includes a processor 601, a memory 602, a communication interface 603 and a system bus 604; the processor 601, the memory 602 and the communication interface 603 are connected through the system bus 604 and communicate with one another. The memory 602 is used to store computer-executable instructions; when the virtual desktop management system runs, the processor 601 executes the computer-executable instructions in the memory 602 so as to:
send a connection request to the management node, the connection request being used by the access device to request establishment of a connection with the server, so that the management node determines the security policy of the connection request and sends the security policy of the connection request to the server;
receive the security policy of the connection request sent by the server, the security policy of the connection request including collection of at least one of GPS data, camera data and microphone data;
collect access device data according to the requirements of the security policy of the connection request;
send the access device data to the server.
It should be understood that, in the embodiments of the present invention, the processor 601 may be a CPU, or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 602 may include read-only memory and random access memory, and provides instructions and data to the processor 510. Part of the memory 602 may also include non-volatile random access memory. For example, the memory 602 may also store information on device types.
In addition to a data bus, the system bus 604 may also include a power bus, a control bus, a status signal bus and so on. For clarity of description, however, the various buses are all labelled as the system bus 604 in the figure.
Optionally, the security policy of the connection request further includes at least one of file system redirection, clipboard redirection and digital watermarking, in which case, based on the security policy of the connection request, the access device:
maps the file system of the access device to the server; or
passes the clipboard content of the access device to the server; or
adds a watermark in the image of the access device.
From the above description, the access device 600 can, according to the requirements of the security policy determined by the management node, collect access device data such as GPS data, camera data, microphone data and MAC address on the access device 600 and return it to the management node for storage. Compared with the prior art, storing the access device data in the management node makes it possible to periodically carry out security audits of the connection requests in the virtual desktop architecture, thereby improving the information security of enterprise operations.
Fig. 7 is a schematic diagram of a server 700. As shown, the server 700 includes a processor 701, a memory 702, a communication interface 703 and a system bus 704; the processor 701, the memory 702 and the communication interface 703 are connected through the system bus 704 and communicate with one another. The memory 702 is used to store computer-executable instructions; when the virtual desktop management system runs, the processor 701 executes the computer-executable instructions in the memory 702 so as to:
receive the security policy sent by the management node, the security policy including collection of at least one of GPS data, camera data and microphone data;
send the security policy to the access device, so that the access device collects access device data according to the requirements of the security policy;
receive the access device data sent by the access device;
send the access device data to the management node, so that the management node stores the access device data.
It should be understood that, in the embodiments of the present invention, the processor 701 may be a CPU, or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 702 may include read-only memory and random access memory, and provides instructions and data to the processor 510. Part of the memory 702 may also include non-volatile random access memory. For example, the memory 702 may also store information on device types.
In addition to a data bus, the system bus 704 may also include a power bus, a control bus, a status signal bus and so on. For clarity of description, however, the various buses are all labelled as the system bus 704 in the figure.
Optionally, the security policy further includes at least one of file system redirection, clipboard redirection and digital watermarking, in which case, based on the security policy, the server:
maps the file system of the server to the access device; or
passes the clipboard content of the server to the access device; or
adds a watermark in the image that the server sends to the access device.
From the above description, the server 700 can implement different security control items based on the security policy determined by the management node, send the security policy to the access device, and forward the access device data returned by the access device to the management node, where the access device data is stored. Compared with the prior art, the management node can implement differentiated control of connection requests in different scenarios according to the security policy determined from the user type, access device type and remote desktop type carried in the connection request, improving the information security of enterprise operations.
A person of ordinary skill in the art may appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of the units is only a division by logical function, and other divisions may be used in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
The foregoing is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed by the present invention, and these should all be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be defined by the scope of the claims.
Claims (14)
- 1. A virtual desktop security control method, characterised in that a security control policy is preset in a management node, the security control policy including at least one typical scenario and a security policy corresponding to each of the at least one typical scenario, each of the at least one typical scenario being a combination of user type, access device type and remote desktop type, and each security policy including at least one security control item; the method comprising: the management node receiving a connection request sent by an access device, the connection request being used by the access device to request establishment of a connection with a server; the management node obtaining the user type, access device type and remote desktop type carried in the connection request; the management node comparing the user type, access device type and remote desktop type carried in the connection request with the at least one typical scenario in the security control policy, and determining the typical scenario matching the connection request and the security policy corresponding to the matched typical scenario; and the management node sending indication information to the access device according to the determined security policy, the indication information being used to instruct the access device to establish a connection with the server.
- 2. The method according to claim 1, characterised in that the method further comprises: the management node sending the determined security policy to the server, the determined security policy including collection of at least one of GPS data, camera data and microphone data of the access device; the management node receiving access device data sent by the server, the access device data being obtained by the access device according to the determined security policy after the server notifies it; and the management node storing the access device data.
- 3. The method according to claim 2, characterised in that the access device obtaining the access device data according to the determined security policy comprises: the access device receiving the determined security policy sent by the server; the access device collecting the access device data according to the requirements of the determined security policy; and the access device sending the access device data to the server.
- 4. The method according to claim 1, characterised in that the method further comprises: the management node sending the determined security policy to the server, the determined security policy including at least one of file system redirection, clipboard redirection and digital watermarking, so that the server, based on the determined security policy: maps the file system of the server to the access device; or passes the clipboard content of the server to the access device; or adds a watermark in the image that the server sends to the access device.
- 5. The method according to claim 4, characterised in that the method further comprises: the server sending the determined security policy to the access device, so that the access device, based on the determined security policy: maps the file system of the access device to the server; or passes the clipboard content of the access device to the server; or adds a watermark in the image of the access device.
- 6. A virtual desktop security control method, characterised in that the method comprises: an access device sending a connection request to a management node, the connection request being used by the access device to request establishment of a connection with a server, so that the management node determines the security policy of the connection request and sends the determined security policy to the server; the access device receiving the determined security policy sent by the server, the determined security policy including collection of at least one of GPS data, camera data and microphone data; the access device collecting access device data according to the requirements of the security policy of the connection request; and the access device sending the access device data to the server.
- 7. The method according to claim 6, characterised in that the determined security policy further includes at least one of file system redirection, clipboard redirection and digital watermarking, in which case the access device, based on the security policy of the connection request: maps the file system of the access device to the server; or passes the clipboard content of the access device to the server; or adds a watermark in the image of the access device.
- 8. A virtual desktop security control method, characterised in that the method comprises: a server receiving a security policy sent by a management node, the security policy including collection of at least one of GPS data, camera data and microphone data; the server sending the security policy to the access device, so that the access device collects access device data according to the requirements of the security policy; the server receiving the access device data sent by the access device; and the server sending the access device data to the management node, so that the management node stores the access device data.
- 9. The method according to claim 8, characterised in that the security policy further includes at least one of file system redirection, clipboard redirection and digital watermarking, in which case the server, based on the security policy: maps the file system of the server to the access device; or passes the clipboard content of the server to the access device; or adds a watermark in the image that the server sends to the access device.
- 10. A virtual desktop management system, characterised in that the virtual desktop management system includes a server, a management node and an access device, wherein: the management node is configured to preset a security control policy, the security control policy including at least one typical scenario and a security policy corresponding to each of the at least one typical scenario, each of the at least one typical scenario being a combination of user type, access device type and remote desktop type, and each security policy including at least one security control item; the management node is further configured to: obtain the user type, access device type and remote desktop type carried in the connection request sent by the access device; compare the user type, access device type and remote desktop type carried in the connection request with the at least one typical scenario in the security control policy, and determine the typical scenario matching the connection request and the security policy corresponding to the matched typical scenario; and send indication information to the access device according to the determined security policy, the indication information being used to instruct the access device to establish a connection with the server; the access device is configured to send a connection request to the management node, the connection request being used by the access device to request establishment of a connection with the server; the access device is further configured to receive the indication information sent by the management node, the indication information being used to instruct the access device to establish a connection with the server; and the server is configured to establish a connection with the access device according to the indication information.
- 11. The virtual desktop management system according to claim 10, characterised in that: the management node is further configured to send the determined security policy to the server, the determined security policy including collection of at least one of GPS data, camera data and microphone data; receive the access device data sent by the server, the access device data being obtained by the access device according to the requirements of the determined security policy after the server notifies it; and store the access device data; the server is further configured to receive the determined security policy sent by the management node, send the determined security policy to the virtual machine, and send the access device data to the management node; and the access device is further configured to receive the determined security policy sent by the server, collect the access device data according to the requirements of the determined security policy, and send the access device data to the server.
- 12. A management node, characterised in that the management node includes a processor, a memory, a communication interface and a system bus; the processor, the memory and the communication interface are connected through the system bus and communicate with one another; the memory is used to store computer-executable instructions; and when the virtual desktop management system runs, the processor executes the computer-executable instructions in the memory so as to perform the method according to any one of claims 1, 2 and 4 using the hardware resources in the virtual desktop management system.
- 13. An access device, characterised in that the access device includes a processor, a memory, a communication interface and a system bus; the processor, the memory and the communication interface are connected through the system bus and communicate with one another; the memory is used to store computer-executable instructions; and when the virtual desktop management system runs, the processor executes the computer-executable instructions in the memory so as to perform the method according to claims 6 and 7 using the hardware resources in the virtual desktop management system.
- 14. A server, characterised in that the server includes a processor, a memory, a communication interface and a system bus; the processor, the memory and the communication interface are connected through the system bus and communicate with one another; the memory is used to store computer-executable instructions; and when the virtual desktop management system runs, the processor executes the computer-executable instructions in the memory so as to perform the method according to claims 8 and 9 using the hardware resources in the virtual desktop management system.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610488502.2A CN107547480A (en) | 2016-06-28 | 2016-06-28 | A kind of method, apparatus and virtual desktop management system of virtual desktop security control |
PCT/CN2017/080095 WO2018000891A1 (en) | 2016-06-28 | 2017-04-11 | Security control method and device for virtual desktop, and virtual desktop management system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610488502.2A CN107547480A (en) | 2016-06-28 | 2016-06-28 | A kind of method, apparatus and virtual desktop management system of virtual desktop security control |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107547480A true CN107547480A (en) | 2018-01-05 |
Family
ID=60785841
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610488502.2A Withdrawn CN107547480A (en) | 2016-06-28 | 2016-06-28 | A kind of method, apparatus and virtual desktop management system of virtual desktop security control |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107547480A (en) |
WO (1) | WO2018000891A1 (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111277670A (en) * | 2020-03-09 | 2020-06-12 | 西安万像电子科技有限公司 | Remote control system and method |
CN111314286A (en) * | 2019-12-20 | 2020-06-19 | 杭州迪普科技股份有限公司 | Configuration method and device of security access control policy |
CN111310135A (en) * | 2018-12-12 | 2020-06-19 | 中兴通讯股份有限公司 | Watermark adding method and device based on virtual desktop |
CN112311851A (en) * | 2020-09-25 | 2021-02-02 | 新华三大数据技术有限公司 | Network policy configuration method and device |
CN112714185A (en) * | 2020-12-30 | 2021-04-27 | 威创集团股份有限公司 | Access seat system |
CN113630390A (en) * | 2021-07-23 | 2021-11-09 | 谭静 | Network security communication method and device of terminal equipment based on big data |
CN114389876A (en) * | 2022-01-13 | 2022-04-22 | 平安普惠企业管理有限公司 | Security policy enforcement method, device, equipment and storage medium |
CN114416251A (en) * | 2022-01-14 | 2022-04-29 | 阿里巴巴(中国)有限公司 | Cloud desktop management method and computer storage medium |
CN115643109A (en) * | 2022-12-21 | 2023-01-24 | 四川汉科计算机信息技术有限公司 | Remote control method, system, equipment and medium based on virtualization platform |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113572839A (en) * | 2021-07-23 | 2021-10-29 | 段采标 | Remote control method, device and system of industrial personal computer |
CN116015852A (en) * | 2022-12-26 | 2023-04-25 | 国网江苏省电力有限公司扬州供电分公司 | Virtual cloud desktop security management method based on national power grid information |
CN116896583A (en) * | 2023-07-17 | 2023-10-17 | 博智安全科技股份有限公司 | Remote control method, device, electronic equipment and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103812829A (en) * | 2012-11-08 | 2014-05-21 | 华为技术有限公司 | Method and system for improving security of remote desktop, and remote desktop server |
CN104753930A (en) * | 2015-03-17 | 2015-07-01 | 成都盛思睿信息技术有限公司 | Cloud desktop management system based on security gateway and security access control method thereof |
CN105049414A (en) * | 2015-06-03 | 2015-11-11 | 北京朋创天地科技有限公司 | Dataflow control method facing virtual desktop and information safety device |
CN105378659A (en) * | 2013-06-14 | 2016-03-02 | 托加里奥有限责任公司 | Method and system for enabling access of client device to remote desktop |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100571157C (en) * | 2006-08-15 | 2009-12-16 | 华为技术有限公司 | A kind of method and system thereof that realizes the travelling carriage security control |
US9571507B2 (en) * | 2012-10-21 | 2017-02-14 | Mcafee, Inc. | Providing a virtual security appliance architecture to a virtual cloud infrastructure |
US20140283071A1 (en) * | 2013-03-12 | 2014-09-18 | Spikes, Inc. | Application malware isolation via hardware separation |
CN104618435B (en) * | 2014-12-29 | 2016-11-09 | 北京奇虎科技有限公司 | Realize method and the long-distance desktop management system of remote desktop |
- 2016
  - 2016-06-28 CN CN201610488502.2A patent/CN107547480A/en not_active Withdrawn
- 2017
  - 2017-04-11 WO PCT/CN2017/080095 patent/WO2018000891A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103812829A (en) * | 2012-11-08 | 2014-05-21 | 华为技术有限公司 | Method and system for improving security of remote desktop, and remote desktop server |
CN105378659A (en) * | 2013-06-14 | 2016-03-02 | 托加里奥有限责任公司 | Method and system for enabling access of client device to remote desktop |
CN104753930A (en) * | 2015-03-17 | 2015-07-01 | 成都盛思睿信息技术有限公司 | Cloud desktop management system based on security gateway and security access control method thereof |
CN105049414A (en) * | 2015-06-03 | 2015-11-11 | 北京朋创天地科技有限公司 | Dataflow control method facing virtual desktop and information safety device |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111310135A (en) * | 2018-12-12 | 2020-06-19 | 中兴通讯股份有限公司 | Watermark adding method and device based on virtual desktop |
CN111314286A (en) * | 2019-12-20 | 2020-06-19 | 杭州迪普科技股份有限公司 | Configuration method and device of security access control policy |
CN111314286B (en) * | 2019-12-20 | 2022-11-01 | 杭州迪普科技股份有限公司 | Configuration method and device of security access control policy |
CN111277670A (en) * | 2020-03-09 | 2020-06-12 | 西安万像电子科技有限公司 | Remote control system and method |
CN112311851A (en) * | 2020-09-25 | 2021-02-02 | 新华三大数据技术有限公司 | Network policy configuration method and device |
CN112311851B (en) * | 2020-09-25 | 2022-04-01 | 新华三大数据技术有限公司 | Network policy configuration method and device |
CN112714185B (en) * | 2020-12-30 | 2022-03-18 | 威创集团股份有限公司 | Access seat system |
CN112714185A (en) * | 2020-12-30 | 2021-04-27 | 威创集团股份有限公司 | Access seat system |
CN113630390A (en) * | 2021-07-23 | 2021-11-09 | 谭静 | Network security communication method and device of terminal equipment based on big data |
CN113630390B (en) * | 2021-07-23 | 2023-09-01 | 国网湖北省电力有限公司荆州供电公司 | Network security communication method and device of terminal equipment based on big data |
CN114389876A (en) * | 2022-01-13 | 2022-04-22 | 平安普惠企业管理有限公司 | Security policy enforcement method, device, equipment and storage medium |
CN114416251A (en) * | 2022-01-14 | 2022-04-29 | 阿里巴巴(中国)有限公司 | Cloud desktop management method and computer storage medium |
CN115643109A (en) * | 2022-12-21 | 2023-01-24 | 四川汉科计算机信息技术有限公司 | Remote control method, system, equipment and medium based on virtualization platform |
Also Published As
Publication number | Publication date |
---|---|
WO2018000891A1 (en) | 2018-01-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107547480A (en) | | A kind of method, apparatus and virtual desktop management system of virtual desktop security control |
CN111355780B (en) | | Internet of things monitoring management method and system based on block chain |
CN101986651B (en) | | Remote storage method, remote storage system and client |
CN100450033C (en) | | Administration of access to computer resources on a network |
CN104753817B (en) | | A kind of cloud computing Message Queuing Services local analogy method and system |
CN105991734B (en) | | A kind of cloud platform management method and system |
CN101901315B (en) | | Security isolation and monitoring management method of USB mobile storage media |
JP2019536380A (en) | | Method, apparatus and system for realizing cross-chain communication of blockchain |
CN105765901B (en) | | Intelligent firewall access rule |
CN102523197B (en) | | Enterprise's social information exchange method, server and enterprise's social networking system |
Kelbert et al. | | Data usage control enforcement in distributed systems |
CN107153565A (en) | | Configure the method and its network equipment of resource |
CN107430666A (en) | | Tenant's lock box |
CN105871930A (en) | | Self-adaptive firewall security policy configuration method and system based on applications |
CN112532718B (en) | | Block chain based offshore equipment data sharing system, method and medium |
CN107426152B (en) | | Multitask security isolation system and method under cloud platform actual situation Interconnection Environment |
CN108965289A (en) | | A kind of network security collaboration means of defence and system |
CN206686205U (en) | | The multiple-protection network architecture |
CN103795530B (en) | | A kind of method, device and the main frame of cross-domain controller certification |
CN103685608A (en) | | Method and device for automatically configuring IP (Internet Protocol) address of security virtual machine |
CN110474897A (en) | | A kind of file permission management system |
CN106716968A (en) | | Account management method, device and account management system |
CN111786954A (en) | | Power grid data access method based on block chain and user role control and computer equipment |
CN108390886A (en) | | Educate big data secure access control system |
CN109451071A (en) | | A kind of trust data grid system based on block chain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20180105 |