CN115766070A - Terminal control method and device based on master control equipment and computing equipment - Google Patents


Info

Publication number: CN115766070A
Authority: CN (China)
Prior art keywords: control, management, terminal, control terminal, domain
Legal status: Pending
Application number: CN202211193237.7A
Other languages: Chinese (zh)
Inventor: 杨宏伟
Current Assignee: Uniontech Software Technology Co Ltd
Original Assignee: Uniontech Software Technology Co Ltd
Application filed by Uniontech Software Technology Co Ltd; priority to CN202211193237.7A; publication of CN115766070A

Abstract

The invention discloses a terminal control method and device based on a master control device, and a computing device, and relates to the technical field of terminal control. The method comprises the following steps: receiving request information sent by a control terminal applying to join a control area; authenticating the control terminal according to the terminal information carried in the request information, and binding the control terminal to a control area after authentication succeeds; sending the control policy of the control area to the control terminal, where the control policy corresponds to the processor architecture or operating system of the control terminal; and configuring the control terminal according to the control policy so as to manage and control it within the control area. The invention also discloses a corresponding device and a computing device, which can realize cross-platform management and control of a plurality of terminals.

Description

Terminal control method and device based on master control equipment and computing equipment
Technical Field
The invention relates to the technical field of terminal management and control, in particular to a terminal management and control method and device based on a master control device and a computing device.
Background
With the development of computers, every industry uses computers for its work. In schools, enterprises, public institutions and other organisations, the use authority of computers and the software that may be installed on them are subject to certain limits. The existing method for managing and controlling multiple terminals targets the Windows system, and the processor architecture it is adapted to is x86. The information of the managed terminal is transmitted to the managing terminal using TCP (Transmission Control Protocol). The management and control terminal helps an IT (information technology) administrator to perform software deployment, mobile device management and device control, so that the IT administrator can protect the network terminals well. Therefore, how to quickly manage computers in different areas, and how to implement cross-platform management and authentication for processors of different architectures, has become an urgent problem.
Disclosure of Invention
Therefore, the invention provides a terminal management and control method, a terminal management and control device and a computing device based on a master control device, in an attempt to solve, or at least alleviate, at least one of the problems described above.
According to one aspect of the invention, a terminal management and control method based on a master control device is provided, which comprises the following steps: receiving request information sent by a control terminal applying to join a control area; authenticating the control terminal according to the terminal information carried in the request information, and binding the control terminal to a control area after authentication succeeds; sending the control policy of the control area to the control terminal, where the control policy corresponds to the processor architecture or operating system of the control terminal; and configuring the control terminal according to the control policy so as to manage and control it within the control area.
Optionally, binding the control terminal to a control area includes: judging whether the control terminal has already been added to a domain or whether the control area has reached its point-control upper limit; and, when the control terminal has not been added to a domain and the control area has not reached its point-control upper limit, binding the control terminal to the control area through the LDAP domain account of the control terminal.
Optionally, configuring the control terminal according to the control policy includes: executing the customized configuration and policy cache of the control area, and storing the terminal information of the control terminal.
Optionally, managing and controlling the control terminal includes: when the domain exit service of a control terminal is executed, deleting the terminal information of the exiting control terminal, removing the interface corresponding to it, removing the binding relationship between it and the control area, and restoring its configuration.
Optionally, managing and controlling the control terminal includes: when the network access authentication service of a control terminal is executed, querying the network access permission of that control terminal according to its LDAP domain account and its terminal device account; when the network access permission is verified successfully, connecting the control terminal to the network; and when the verification of the network access permission fails, preventing the control terminal from accessing the network.
Optionally, managing and controlling the control terminal includes: when the USB device hot-plug control service is executed, receiving the USB device information reported by the control terminal when it captures a USB device hot-plug event, comparing the received USB device information with the records of a whitelist or blacklist according to the control policy, determining whether the USB device is an authorized USB device, and processing the USB device hot-plug event according to the result.
According to a second aspect of the present invention, there is provided a terminal control apparatus based on a master control device, including: a communication module, adapted to receive request information sent by a control terminal applying to join a control area; a binding module, adapted to authenticate the control terminal according to the terminal information carried in the request information and to bind the control terminal to a control area after authentication succeeds; a policy issuing module, adapted to send the control policy of the control area to the control terminal, where the control policy corresponds to the processor architecture or operating system of the control terminal; and a management and control module, adapted to configure the control terminal according to the control policy so as to manage and control it within the control area.
Optionally, the management and control module is adapted to: when the domain exit service of a control terminal is executed, delete the terminal information of the exiting control terminal, remove the interface corresponding to it, remove the binding relationship between it and the control area, and restore its configuration; and when the network access authentication service of a control terminal is executed, query the network access permission of that control terminal according to its LDAP domain account and its terminal device account, connect the control terminal to the network when the permission is verified successfully, and prevent it from accessing the network when the verification fails.
According to another aspect of the present invention, there is also provided a computing device comprising at least one processor and a memory storing program instructions; when the program instructions are read and executed by the processor, the computing device is caused to execute the above terminal management and control method based on a master control device.
According to still another aspect of the present invention, there is also provided a readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to execute the above terminal management and control method based on a master control device.
The terminal control method and device based on a master control device, and the computing device, can achieve the following beneficial effects. They realize cross-platform management and control of multiple terminals with processors of different architectures and, through unified management and authentication of the terminals, realize management and control of the network access, USB storage devices and software installation of the control terminals. They help an IT administrator to perform software deployment, mobile device management and device control, so that the IT administrator can control the network terminals well through the master control device. The master control device can better control the network access of the control terminals: authentication of the terminal information prevents unauthorized users from entering the control area, the access authority of each terminal can be limited, terminals with potential safety hazards are kept out of the control area, and the threat and influence of worms and viruses on the control area and the services it carries are greatly reduced, which helps clients to discover, prevent and eliminate potential safety hazards.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 shows a schematic diagram of a computing device 100 according to one embodiment of the invention;
FIG. 2 shows a flowchart of a terminal management and control method 200 based on a master control device according to an embodiment of the invention;
FIG. 3 shows a flowchart of a terminal management and control method 300 based on a master control device according to another embodiment of the invention;
FIG. 4 shows a flowchart of a control terminal applying to the master control device to add a domain according to an embodiment of the invention;
FIG. 5 shows a flowchart of performing a domain exit operation on the WEB management and control platform of the master control device according to an embodiment of the invention;
FIG. 6 shows a flowchart of performing a domain exit operation at the domain-adding client of a control terminal according to an embodiment of the invention;
FIG. 7 shows a flowchart for managing and controlling the internet access of a control terminal according to an embodiment of the invention;
FIG. 8 shows a flowchart for managing and controlling the internet access of a control terminal according to another embodiment of the invention;
FIG. 9 shows a flowchart of a control terminal performing hot-plug control of a USB device according to an embodiment of the invention;
FIG. 10 shows a flowchart of a control terminal logging in and authenticating with a domain account according to an embodiment of the invention;
FIG. 11 shows a flowchart of a control terminal performing hot-plug control of a USB device according to another embodiment of the invention;
FIG. 12 shows a schematic structural diagram of a terminal management and control apparatus 1200 based on a master control device according to an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terminal control method based on a master control device addresses the problem that the existing terminal control mode is only suitable for terminals running the Windows system on the x86 processor architecture. It can realize cross-platform control of a plurality of terminals, is applied on the master control device or server side, also allows an IT (information technology) administrator to control the terminals by logging in remotely to the management platform with a control account from any computer, and is executed in a computing device. The computing device may be any device with storage and computing capabilities, and may be implemented, for example, as a server or workstation, as a personal computer such as a desktop or notebook computer, or as a terminal device such as a mobile phone, tablet computer, smart wearable device or internet of things device, but is not limited thereto.
FIG. 1 shows a schematic block diagram of a computing device 100 according to an embodiment of the invention. It should be noted that the computing device 100 shown in FIG. 1 is only an example; in practice, the computing device 100 that implements the terminal management and control method 200 based on a master control device of the present invention may be any type of device, and its hardware configuration may be the same as or different from that of the computing device 100 shown in FIG. 1. Hardware components may be added to or removed from the computing device 100 shown in FIG. 1; the present invention does not limit the specific hardware configuration of the computing device 100, and the terminal management and control method 200 may dynamically invoke each hardware component of the computing device 100 during execution.
As shown in FIG. 1, computing device 100 includes system memory 110, processor 120, and display device 130.
The system memory 110 stores a plurality of program instructions for executing the terminal management and control method 200 based on a master control device of the present invention. The system memory 110 may be any type of memory, including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM or flash memory), or any combination thereof. The processor 120 may be any type of processor, including but not limited to a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof. When a user operates through a display device 130 (e.g., browser 301) or a control terminal, the processor 120 reads and executes the program instructions stored in the system memory 110 through the data and platform service 201, and the result of setting or managing the terminal is displayed through the display device 130.
According to the terminal control method 200 based on the master control device, the master control device can better control the network access of the terminal, illegal users are prevented from accessing the control area through the authentication of terminal information, the access authority of each terminal can be limited, the terminal with potential safety hazard is prevented from accessing the control area, the threat and influence of worms and viruses on the control area and the borne service are greatly eliminated, and therefore, the client is helped to discover, prevent and eliminate the potential safety hazard.
FIG. 2 shows a flowchart of a terminal management and control method 200 based on a master control device according to an embodiment of the invention. Method 200 is performed in a computing device (e.g., computing device 100 described above) to manage multiple terminals across platforms. As shown in FIG. 2, the method 200 begins at step 210.
At 210, request information sent by a control terminal applying to join a control area is received.
In the embodiment of the invention, when the management and control terminal sends the request information, the management and control terminal can communicate with the master control device through the 802.1x standard.
At 220, the control terminal is authenticated according to the terminal information carried in the request information, and after authentication succeeds, the control terminal is bound to a control area.
In the embodiment of the present invention, binding a control terminal to a control area may be referred to as "domain addition", that is, the process by which the master control device or server incorporates a given control terminal into a domain. When the domain is added, the binding to the control area may be performed through an LDAP domain account: the control area is represented by a domain account, which is an account stored on a remote master control device or server. The domain account can be shared for login and use by all control terminals in the same control area; if the information related to the domain account needs to be changed, the account information on the remote master control device or server is modified. LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral, industry-standard application protocol that provides access to, and maintains, distributed directory information over IP networks.
According to an implementation manner of the present invention, binding the control terminal to a control area in step 220 includes: judging whether the control terminal has already been added to a domain or whether the control area has reached its point-control upper limit; and, when the control terminal has not been added to a domain and the control area has not reached its point-control upper limit, binding the control terminal to the control area through its LDAP domain account.
In the embodiment of the invention, the master control device judges whether the control terminal has already been added to a domain and whether the control area has reached its point-control upper limit, and thereby limits domain addition to the control area.
At 230, a management and control policy of the management and control area is sent to the management and control terminal, where the management and control policy corresponds to a processor architecture or an operating system of the management and control terminal.
In the embodiment of the invention, the master control device or domain management server stores the list of control terminal information, pushes an NSQ message to each control terminal based on its machine ID, and issues the corresponding control policy.
When the control terminal starts up or connects to the network, it subscribes, on the basis of its machine ID, to the NSQ events it is interested in. After the master control device or domain management server pushes a message to the NSQ service, the control terminal is triggered to receive the control policy and execute it; once the control policy has been executed, the master control device or domain management server obtains a receipt result and updates the execution result of the control policy.
The control policy may be a system-level policy or a user-level policy. System-level policies include firewall, USB and application installation policies; user-level policies include desktop, taskbar, launcher and other desktop-system policies. The system-level policy is executed on the control terminal itself, and the user-level policy is executed through D-Bus.
At 240, the management and control terminal is configured according to the management and control policy, so as to manage and control the management and control terminal in the management and control area.
In this embodiment of the present invention, configuring the control terminal according to the control policy in step 240 includes: executing the customized configuration and policy cache of the control area, and storing the terminal information of the control terminal.
In the embodiment of the invention, after the master control device allows the control terminal to add the domain, the customized configuration and policy cache of the corresponding control area are carried out, and the terminal information of the control terminal as it was before domain addition is stored locally.
In another embodiment of the present invention, the order of step 230 and step 240 may be exchanged. As shown in FIG. 3, the terminal management and control method 300 based on a master control device includes: 310, receiving request information sent by a control terminal applying to join a control area; 320, authenticating the control terminal according to the terminal information carried in the request information, and binding the control terminal to a control area after authentication succeeds; 330, configuring the control terminal according to its processor architecture or operating system; and 340, sending the corresponding control policy of the control area to the control terminal, so as to manage and control the control terminal within the control area.
In this embodiment of the present invention, step 310 is the same as step 210 and step 320 is the same as step 220. Configuring the control terminal according to its processor architecture or operating system in step 330 includes: executing the system customized configuration and policy cache corresponding to the processor architecture or operating system of the control terminal, and storing the terminal information of the control terminal. Sending the control policy of the corresponding control area to the control terminal in step 340 includes: sending the configuration and control policy of the current control area to the control terminal.
As shown in FIG. 4, in the embodiment of the present invention, the process by which a control terminal applies to the master control device to add a domain may include 401 to 409.
401. The control terminal acquires its terminal information (machine ID) and selects the control area to be added.
402. Judge whether the control terminal is networked; if so, go to 403, otherwise go to 408.
403. The control terminal sends request information applying to add the domain to the master control device through the domain-adding check port, and the master control device authenticates the control terminal. Through the domain-adding check interface the master control device better controls the network access of the control terminal, and authentication of the terminal information prevents unauthorized users from entering the control area.
404. The master control device judges whether the control terminal has already been added to a domain; if not, go to 405, otherwise go to 408.
405. The master control device judges whether the control area has reached its point-control upper limit; if not, go to 406, otherwise go to 408.
406. The control terminal pulls the domain-adding customized configuration and the control policy from the master control device.
407. The master control device stores the terminal information of the control terminal in its database, binds the control terminal to the control area, and goes to 409.
408. Display an error prompt and end the domain addition.
409. Display a success prompt and end the domain addition.
According to an implementation manner of the present invention, managing and controlling the control terminal in step 240 includes: when the domain exit service of a control terminal is executed, deleting the terminal information of the exiting control terminal, removing the interface corresponding to it, removing the binding relationship between it and the control area, and restoring its configuration.
In the embodiment of the invention, when a control terminal exits the domain, the master control device restores the customized configuration of the control terminal and removes the domain binding and the point-control count; the domain exit operation can be carried out through the domain-adding client of the control terminal or through the WEB management and control platform of the master control device.
As shown in FIG. 5, in the embodiment of the present invention, the process of performing a domain exit operation on the WEB management and control platform of the master control device may include 501 to 505.
501. Delete the terminal information of the control terminal.
502. Remove the binding relationship between the control terminal and the control area through the terminal removal interface.
503. Create a task to cancel management and control of the terminal.
504. Execute the domain exit script and restore the configuration of the control terminal.
505. Prompt the control terminal that management and control has been cancelled.
As shown in FIG. 6, in the embodiment of the present invention, the process of performing a domain exit operation at the domain-adding client of a control terminal may include 601 to 605.
601. Send domain exit request information to the master control device.
602. The control terminal judges whether it is in a networked state; if so, go to 603, otherwise go to 604.
603. Call the domain exit interface, execute the domain exit script, remove the binding relationship between the control terminal and the control area, restore the configuration of the control terminal, and go to 605.
604. Display an error prompt and end the domain exit.
605. Display a success prompt and end the domain exit.
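The domain-addition checks of 401 to 409 and the configuration restore of the domain exit in 501 to 505 and 601 to 605, as an added Python illustration of the master control device side (this is not the patent's or Uniontech's code; the in-memory directory, the known-terminal list, the sample policies keyed on architecture/OS, the point-control upper limit of 2 and all function names are assumptions):

```python
"""Master control device side of domain addition (401-409) and domain exit
(501-505 / 601-605).  Added illustration, not the patent's code; the names,
the in-memory directory and the sample policies are assumptions."""
from dataclasses import dataclass, field

# Constructed data standing in for the LDAP directory and the policy store.
LDAP_DOMAIN_ACCOUNTS = {"dom-a": "area-a"}          # domain account -> control area
KNOWN_TERMINALS = {"m-001", "m-002", "m-003"}       # terminal information on file
POINT_CONTROL_LIMIT = {"area-a": 2}                 # point-control upper limit (405)
# Control policy of an area, keyed on the terminal's processor architecture / OS (230).
POLICIES = {
    ("area-a", "x86_64", "UOS"):  {"firewall": "strict", "usb_storage": "deny"},
    ("area-a", "aarch64", "UOS"): {"firewall": "strict", "usb_storage": "deny"},
}


@dataclass
class Terminal:
    machine_id: str
    arch: str
    os: str
    config: dict                     # live configuration on the terminal


@dataclass
class Registry:
    """State kept by the master control device."""
    bound: dict = field(default_factory=dict)         # machine_id -> control area
    saved_config: dict = field(default_factory=dict)  # pre-join configuration (102)

    def members(self, area: str) -> int:
        return sum(1 for a in self.bound.values() if a == area)


def join_domain(reg: Registry, term: Terminal, domain_account: str,
                area: str, networked: bool = True):
    """Return (ok, message, policy); every False result corresponds to 408."""
    if not networked:                                          # 402
        return False, "terminal is not networked", None
    # 403: authenticate the terminal information and resolve the LDAP domain
    # account to the control area the terminal asked to join.
    if term.machine_id not in KNOWN_TERMINALS:
        return False, "terminal information not recognised", None
    if LDAP_DOMAIN_ACCOUNTS.get(domain_account) != area:
        return False, "domain account does not belong to this control area", None
    if term.machine_id in reg.bound:                           # 404
        return False, "terminal has already been added to a domain", None
    if reg.members(area) >= POINT_CONTROL_LIMIT.get(area, 0):  # 405
        return False, "control area has reached its point-control upper limit", None
    policy = POLICIES.get((area, term.arch, term.os))          # 406
    if policy is None:
        return False, "no control policy for this architecture/OS", None
    # 407: keep the pre-join configuration so that domain exit can restore it,
    # apply the customised configuration, then bind the terminal to the area.
    reg.saved_config[term.machine_id] = dict(term.config)
    term.config.update(policy)
    reg.bound[term.machine_id] = area
    return True, "domain added", policy                        # 409


def exit_domain(reg: Registry, term: Terminal):
    """502-504 / 603: unbind, restore the configuration, free the point."""
    if term.machine_id not in reg.bound:
        return False, "terminal is not bound to any control area"
    del reg.bound[term.machine_id]                             # 502
    term.config = reg.saved_config.pop(term.machine_id)        # 504
    return True, "management and control cancelled"            # 505


def demo():
    """Walk three terminals through join/exit; returns the messages observed."""
    reg = Registry()
    t1 = Terminal("m-001", "x86_64", "UOS", {"firewall": "off", "wallpaper": "blue"})
    t2 = Terminal("m-002", "aarch64", "UOS", {"firewall": "off"})
    t3 = Terminal("m-003", "x86_64", "UOS", {"firewall": "off"})
    log = [join_domain(reg, t1, "dom-a", "area-a")[1],
           join_domain(reg, t1, "dom-a", "area-a")[1],   # already in a domain (404)
           join_domain(reg, t2, "dom-a", "area-a")[1],
           join_domain(reg, t3, "dom-a", "area-a")[1],   # area full (405)
           exit_domain(reg, t1)[1],                      # frees one point
           join_domain(reg, t3, "dom-a", "area-a")[1]]   # now succeeds
    return log, t1.config, t3.config
```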
According to an implementation manner of the present invention, managing and controlling the control terminal in step 240 includes: when the network access authentication service of a control terminal is executed, querying the network access permission of that control terminal according to its LDAP domain account and its terminal device account; when the network access permission is verified successfully, connecting the control terminal to the network; and when the verification fails, preventing the control terminal from accessing the network.
In the embodiment of the invention, the master control device can manage and control the internet access of the control terminal using dual authentication of the domain account and the terminal information over the 802.1x protocol. As shown in FIG. 7, this may include 701 to 706.
701. The control terminal sends a network access message request carrying its LDAP domain account.
702. The master control device authenticates the control terminal according to the LDAP domain account in the network access request; if authentication succeeds, go to 703, otherwise go to 706.
703. The control terminal sends a verification message request carrying its account and/or password information.
704. The master control device authenticates the control terminal according to the account and/or password information in the verification request; if authentication succeeds, go to 705, otherwise go to 706.
705. Authentication succeeded: the control terminal is connected to the network.
706. Authentication failed: the control terminal is prevented from accessing the network.
Specifically, as shown in fig. 8, the process of performing management and control on the internet access of the management and control terminal by using dual authentication of the domain account identity and the terminal device account through the 802.1x protocol may include steps 1 to 20.
1. The background service of the control terminal sends an EAPoL-Start message to the switch/router to start 802.1x authentication.
2. The switch/router replies with an EAP-Request/Identity message to the background service of the control terminal, asking the client to report its user name.
3. The background service of the control terminal sends an EAP-Request/Identity message to the switch/router carrying the user information.
4. The switch/router encapsulates the EAP-Request/Identity message in a RADIUS Access-Request message and sends it to the authentication server (FreeRADIUS).
5. FreeRADIUS sends an LDAP query for the user account to the domain management server.
6. The domain management server returns the LDAP result for the user account to FreeRADIUS.
7. The authentication server sends a RADIUS Access-Challenge message, inside which an EAP-Request/MD5-Challenge is encapsulated.
8. The background service of the control terminal unpacks the EAP-Request/MD5-Challenge message and passes it to the client.
9. The background service of the control terminal generates the Challenge-Password from the user password and the challenge using the MD5 algorithm, sends an EAP-Request/MD5-Challenge message, and fills EAPencrypt(machine-id) (the encrypted machine-id, recovered with RSA in step 15) into the EAP-MD5 Extra Data reserved field.
10. The switch/router encapsulates the EAP-Request/MD5-Challenge message in a RADIUS Access-Request and sends it to FreeRADIUS.
11. FreeRADIUS queries openldap/MySQL for the user password.
12. openldap/MySQL returns the user password result to FreeRADIUS.
13. When the password comparison succeeds, FreeRADIUS forwards the EAP-Request/MD5-Challenge to the domain management server through its rest module.
14. The domain management server passes the message data to the Authentication service.
15. The Authentication service parses the EAP-MD5 Extra Data reserved field, recovers the machine-id with RSADecrypt, and queries openldap/MySQL to check whether the device with that machine-id is in the asset list.
16. openldap/MySQL returns the query result to the Authentication service.
17. The Authentication service returns the device authentication result to the domain management server.
18. Following the FreeRADIUS rest module rule, the domain management server returns status code 204 to FreeRADIUS when authentication succeeds and status code 401 when it fails.
19. FreeRADIUS sends a RADIUS Access-Accept or Access-Reject message to the background service of the control terminal.
20. The background service of the control terminal obtains the authentication result: EAP-Success means the authentication succeeded, EAP-Failure means it failed.
According to an implementation manner of the present invention, the managing and controlling the management and control terminal in step 240 includes: when executing the hot plug control service of the USB equipment, receiving USB equipment information reported by the control terminal when capturing a USB equipment hot plug event, comparing the received USB equipment information with records in a white list or a black list according to the control strategy, determining whether the USB equipment is authorized USB equipment, and processing the USB equipment hot plug event according to a judgment result.
As shown in fig. 9, when the control terminal is connected to the network, the process by which the control terminal performs hot plug control of USB devices may include 901 to 903.
901. When it captures a USB device hot plug event, the control terminal acquires the USB device information.
902. The control terminal assembles the USB device information and reports it to the master control device.
903. The master control device compares the received USB device information with the preset USB restriction record according to the control policy and processes the USB device hot plug event.
The master control device presets a USB restriction record, which may be called a blacklist, storing the information of USB devices that are not allowed to be used. A white list storing the information of USB devices that are allowed to be used can also be configured on the master control device. The control terminal judges whether the current USB device may be used according to the white list or black list information.
The embodiment of the invention can use the udev development library to monitor USB device hot plug events, and manage USB devices through the rule files of the udev service. udev is the device manager of the Linux kernel 2.6 series; its main function is to manage the device nodes under the /dev directory, and it also replaces devfs and hotplug. The master control device configures the USB device white list or black list in advance and adds the corresponding rules to the udev rule file to implement USB control; after the control terminal detects a USB device hot plug event it reports to the master control device, which judges whether the current USB device may be used according to the corresponding white list or black list information.
In the embodiment of the invention, when the network of the control terminal is disconnected, the control terminal logs in with the domain account; the NSS-PAM-LDAP module completes the user login authentication, making the authentication decision from the cache information generated locally by the control terminal when it joined the domain. After the login succeeds, the corresponding control policy is executed through the client corresponding to the control terminal.
As shown in fig. 10, in the embodiment of the present invention, the process of managing the terminal to log in and authenticate with the domain account may include 1001 to 1003.
1001. Log in to the client corresponding to the control terminal with the account and password.
1002. Verify whether the account and password are correct.
1003. If they are correct, the login succeeds; if not, the login fails.
In the embodiment of the present invention, when the management and control terminal is disconnected from the network, according to the configuration of the management and control terminal and the management and control policy, performing corresponding functions includes: performing hot plug monitoring on the USB equipment, determining whether the USB equipment is authorized USB equipment or not according to a white list or a black list in the control strategy when capturing a hot plug event of the USB equipment, and controlling the USB equipment according to a judgment result; and when the control terminal is accessed to the network, reporting the USB device hot plug event to the master control device.
As shown in fig. 11, when the control terminal is disconnected from the network, the process by which the control terminal performs hot plug control of USB devices may include 1101 to 1102.
1101. When it captures a USB device hot plug event, the control terminal acquires the USB device information.
1102. The control terminal compares the USB device information with the preset USB restriction record or verifies it against the white list, and processes the USB device hot plug event.
In this case, after capturing the USB device hot plug event, the control terminal needs to verify or look up whether the issued control policy covers USB control; if the issued configuration and policy contain settings related to USB control, the control terminal performs hot plug control of the USB device accordingly.
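The following added example (not code from the patent or from Uniontech) covers both the online flow of fig. 9 and the offline flow of fig. 11: a hot plug event is described by the properties udev exposes for a USB device (`ID_VENDOR_ID`, `ID_MODEL_ID`, `ID_SERIAL_SHORT`), the decision is taken from a cached copy of the area's white list or black list, and the report to the master control device is sent immediately when online or queued until the terminal reconnects. The policy format, the `ControlTerminal` class, the queue and the emitted udev rule are this example's own choices; the rule blocks a device through the USB `authorized` sysfs attribute, which is a common udev technique but is not something the page specifies.

```python
"""Added example (not the patent's code): USB hot plug policy check with
online reporting and offline queuing. Policy format, names and the udev
rule text are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str
    product_id: str
    serial: str

    @staticmethod
    def from_udev(props: dict) -> "UsbDevice":
        """Build from the udev properties of a USB device event."""
        return UsbDevice(props["ID_VENDOR_ID"].lower(),
                         props["ID_MODEL_ID"].lower(),
                         props.get("ID_SERIAL_SHORT", ""))

    def key(self) -> tuple:
        return (self.vendor_id, self.product_id, self.serial)


@dataclass
class UsbPolicy:
    """Cached area policy: either a white list or a black list of devices."""
    mode: str                                 # "whitelist" or "blacklist"
    entries: set = field(default_factory=set) # (vendor, product, serial); serial "*" matches any

    def _listed(self, dev: UsbDevice) -> bool:
        return any(v == dev.vendor_id and p == dev.product_id and s in ("*", dev.serial)
                   for v, p, s in self.entries)

    def allows(self, dev: UsbDevice) -> bool:
        listed = self._listed(dev)
        return listed if self.mode == "whitelist" else not listed


@dataclass
class ControlTerminal:
    policy: UsbPolicy
    online: bool
    reported: list = field(default_factory=list)   # records delivered to the master control device
    pending: list = field(default_factory=list)    # records held while offline

    def on_hotplug(self, action: str, props: dict) -> str:
        """Steps 901/1101: evaluate an 'add' event and report or queue the result."""
        if action != "add":
            return "ignored"
        dev = UsbDevice.from_udev(props)
        decision = "allow" if self.policy.allows(dev) else "block"
        record = {"device": dev.key(), "decision": decision}
        (self.reported if self.online else self.pending).append(record)   # 902 or deferred
        return decision

    def reconnect(self) -> int:
        """Flush queued events when the network returns; returns how many were sent."""
        self.online = True
        sent = len(self.pending)
        self.reported.extend(self.pending)
        self.pending.clear()
        return sent


def block_rule(dev: UsbDevice) -> str:
    """udev rule that de-authorizes a blocked vendor/product pair on insertion."""
    return ('ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", '
            'ATTR{idProduct}=="%s", ATTR{authorized}="0"' % (dev.vendor_id, dev.product_id))


if __name__ == "__main__":
    policy = UsbPolicy("whitelist", {("0781", "5583", "*")})          # constructed white list
    terminal = ControlTerminal(policy, online=False)
    event = {"ID_VENDOR_ID": "1234", "ID_MODEL_ID": "0001", "ID_SERIAL_SHORT": "BBBB"}
    print(terminal.on_hotplug("add", event))       # block (not on the white list)
    print(terminal.reconnect())                    # 1 queued report delivered
    print(block_rule(UsbDevice.from_udev(event)))
```

A white list fails closed for unknown devices, a black list fails open; which mode an area uses is a policy decision, and the example keeps the decision local to the terminal so that it still applies while the master control device is unreachable.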
The USB management and control of the embodiment of the invention can effectively prevent the data of the management and control terminal from being transmitted outside.
In the embodiment of the invention, the configuration, control and information processing of the control terminals can be performed by logging in to the master control device remotely; for example, from any computer, the master control device is logged in to through a page, an app or a WEB control platform, and area-based policy configuration is carried out and stored on the master control device. The master control device side caches data with a Redis service. During policy synchronization, the control terminal fetches the policy file from the master control device or the domain management server, executes it, and caches it in a local file.
The embodiment of the invention can also realize reverse proxy, namely, the general control equipment or the management and control server uses Nginx as a proxy server, supports HTTP, TCP and UDP reverse proxy, and achieves the purposes of high concurrency and high availability through a load balancing strategy.
The embodiment of the invention can implement read-write separation: the MySQL, Redis and OpenLDAP data storage services are deployed separately with Docker and distributed as one master and multiple slaves, achieving high availability (the master library going down does not affect reads from the slave libraries; as long as not all slave libraries are down, reading and writing of data are not affected) and read-write separation. The read-write separation of the embodiment of the invention makes the data access of the server more stable.
The master control device or control server in the embodiment of the invention can implement hot switching between the primary and the standby, based on Nginx + keepalived + a virtual IP. When the primary service goes down, the standby server is started and an e-mail notification of the primary service's down event is sent.
As shown in fig. 12, an embodiment of the present invention further provides a terminal management and control apparatus 1200 based on a general control device, including: the system comprises a communication module 1201, a binding module 1202, a policy issuing module 1203 and a management and control module 1204.
The communication module 1201 is suitable for receiving request information for applying for joining in a control area, which is sent by a control terminal; a binding module 1202, adapted to authenticate the management and control terminal according to the terminal information carried in the request information, and after the authentication is successful, perform management and control area binding on the management and control terminal; a policy issuing module 1203, adapted to send a management and control policy of the management and control area to the management and control terminal, where the management and control policy corresponds to a processor architecture or an operating system of the management and control terminal; a management and control module 1204, adapted to configure the management and control terminal according to the management and control policy, so as to manage and control the management and control terminal in the management and control area.
In the embodiment of the present invention, the binding module binds the control region of the control terminal, which is suitable for: judging whether the management and control terminal is added with a domain or whether the management and control area reaches the upper limit of point control; and when the management and control terminal is not added with a domain and the management and control area does not reach the upper limit of point control, performing management and control area binding on the management and control terminal through an LDAP domain account of the management and control terminal.
In the embodiment of the present invention, the management and control module configures the management and control terminal according to the management and control policy, and is adapted to: and executing the customized configuration and the strategy cache of the control area, and storing the terminal information of the control terminal.
In this embodiment of the present invention, the processing, by the management and control module, of managing and controlling the management and control terminal may include: when the domain quitting service of the control terminal is executed, deleting the terminal information of the domain quitting control terminal, removing an interface corresponding to the domain quitting control terminal, removing the binding relationship between the domain quitting control terminal and the control area, and restoring the configuration of the domain quitting control terminal.
In this embodiment of the present invention, the processing of the management and control module to manage and control the management and control terminal may include: when executing a network access authentication service of a control terminal, a master control device inquires the network access permission of the access control terminal according to an LDAP domain account and a terminal device account of the access control terminal; when the network access control terminal network access authority is successfully verified, accessing the network access control terminal to a network; and when the network access authority verification of the network access control terminal fails, preventing the network access control terminal from accessing the network.
In this embodiment of the present invention, the processing of the management and control module to manage and control the management and control terminal may include: when executing the hot plug control service of the USB equipment, receiving USB equipment information reported by the control terminal when capturing a USB equipment hot plug event, comparing the received USB equipment information with records in a white list or a black list according to the control strategy, determining whether the USB equipment is authorized USB equipment, and processing the USB equipment hot plug event according to a judgment result.
An embodiment of the present invention further provides a computing device, including: at least one processor and a memory storing program instructions; when the program instructions are read and executed by the processor, the computing device is caused to execute the terminal management and control method based on the general control device.
The embodiment of the present invention further provides a readable storage medium storing program instructions, and when the program instructions are read and executed by a computing device, the computing device is enabled to execute the above terminal management and control method based on the general control device.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, USB flash drives, floppy disks, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to execute the terminal management and control method based on the general control device according to the instructions in the program codes stored in the memory.
By way of example, and not limitation, readable media may comprise readable storage media and communication media. Readable storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with examples of this invention. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose preferred embodiments of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the devices in an embodiment may be adaptively changed and arranged in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the means for performing the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter.

Claims (10)

1. A terminal control method based on a master control device comprises the following steps:
receiving request information which is sent by a control terminal and applies for joining a control area;
authenticating the control terminal according to the terminal information carried in the request information, and binding a control area of the control terminal after the authentication is successful;
sending a management and control strategy of the management and control area to the management and control terminal, wherein the management and control strategy corresponds to a processor architecture or an operating system of the management and control terminal;
and configuring the management and control terminal according to the management and control strategy so as to manage and control the management and control terminal in the management and control area.
2. The method of claim 1, wherein the binding of the governing area to the governing terminal comprises:
judging whether the management and control terminal is added with a domain or whether the management and control area reaches the upper limit of point control;
and when the management and control terminal is not added with a domain and the management and control area does not reach the upper limit of point control, performing management and control area binding on the management and control terminal through an LDAP domain account of the management and control terminal.
3. The method of claim 1 or 2, wherein configuring the governing terminal according to the governing policy comprises:
and executing the customized configuration and the strategy cache of the control area, and storing the terminal information of the control terminal.
4. The method of claim 1, wherein managing and controlling the control terminal comprises:
when the domain quitting service of the control terminal is executed, deleting the terminal information of the domain quitting control terminal, removing an interface corresponding to the domain quitting control terminal, removing the binding relationship between the domain quitting control terminal and the control area, and restoring the configuration of the domain quitting control terminal.
5. The method of claim 1, wherein managing and controlling the control terminal comprises:
when a management and control terminal network access authentication service is executed, inquiring the network access permission of the network access management and control terminal according to an LDAP domain account and a terminal equipment account of the network access management and control terminal;
when the network access control terminal network access authority is successfully verified, accessing the network access control terminal to a network; and when the network access authority verification of the network access control terminal fails, preventing the network access control terminal from accessing the network.
6. The method of claim 1, wherein managing and controlling the control terminal comprises:
when executing the hot plug control service of the USB equipment, receiving USB equipment information reported by the control terminal when capturing a USB equipment hot plug event, comparing the received USB equipment information with records in a white list or a black list according to the control strategy, determining whether the USB equipment is authorized USB equipment, and processing the USB equipment hot plug event according to a judgment result.
7. A terminal management and control device based on total control equipment comprises:
the communication module is suitable for receiving request information which is sent by the control terminal and applies for joining the control area;
the binding module is suitable for authenticating the control terminal according to the terminal information carried in the request information, and after the authentication is successful, the binding module binds a control area of the control terminal;
the policy issuing module is suitable for sending a management and control policy of the management and control area to the management and control terminal, and the management and control policy corresponds to a processor architecture or an operating system of the management and control terminal;
and the management and control module is suitable for configuring the management and control terminal according to the management and control strategy so as to manage and control the management and control terminal in the management and control area.
8. The apparatus of claim 7, wherein the management and control module is adapted to:
when the domain quitting service of the control terminal is executed, deleting the terminal information of the domain quitting control terminal, removing an interface corresponding to the domain quitting control terminal, removing the binding relationship between the domain quitting control terminal and the control area, and restoring the configuration of the domain quitting control terminal;
when a management and control terminal network access authentication service is executed, inquiring the network access permission of the network access management and control terminal according to an LDAP domain account and a terminal equipment account of the network access management and control terminal;
when the network access authority of the network access control terminal is successfully verified, accessing the network access control terminal into a network; when the network access authority verification of the network access control terminal fails, the network access control terminal is prevented from accessing the network;
when executing the hot plug control service of the USB equipment, receiving USB equipment information reported by the control terminal when capturing a USB equipment hot plug event, comparing the received USB equipment information with records in a white list or a black list according to the control strategy, determining whether the USB equipment is authorized USB equipment, and processing the USB equipment hot plug event according to a judgment result.
9. A computing device, comprising:
at least one processor and a memory storing program instructions;
when the program instructions are read and executed by the processor, the computing device is caused to execute the terminal management and control method based on the general control device according to any one of claims 1-6.
10. A readable storage medium storing program instructions which, when read and executed by a computing apparatus, cause the computing apparatus to execute the terminal management and control method based on an overall control apparatus according to any one of claims 1 to 6.
CN202211193237.7A 2022-09-28 2022-09-28 Terminal control method and device based on master control equipment and computing equipment Pending CN115766070A (en)

Publications (1)

Publication Number Publication Date
CN115766070A true CN115766070A (en) 2023-03-07

Family

ID=85350546

Country Status (1)

Country Link
CN (1) CN115766070A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination