CN105391591A - Security setting and management method and apparatus for terminal - Google Patents
- Publication number
- CN105391591A (CN201510993350.7A)
- Authority
- CN
- China
- Prior art keywords
- terminal
- information object
- management strategy
- security setting
- setting item
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M1/00—Substation equipment, e.g. for use by subscribers
- H04M1/72—Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
- H04M1/724—User interfaces specially adapted for cordless or mobile telephones
- H04M1/72448—User interfaces specially adapted for cordless or mobile telephones with means for adapting the functionality of the device according to specific conditions
- H04M1/72463—User interfaces specially adapted for cordless or mobile telephones with means for adapting the functionality of the device according to specific conditions to restrict the functionality of the device
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Human Computer Interaction (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the invention provides a security setting management method and apparatus for a terminal. The method comprises: receiving a terminal management strategy sent by a server, wherein the terminal management strategy indicates the setting state, in the terminal, of at least one security setting item associated with a characteristic information object, and is configured based on the characteristic information object identified from the terminal; checking whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy; and, if it is inconsistent, repairing it according to the terminal management strategy. Compared with a conventional, manually set terminal management strategy, a terminal management strategy configured by this scheme protects the terminal more comprehensively and effectively. Moreover, because the operation permissions currently set on the terminal are repaired according to the terminal management strategy, the terminal can be restored to a secure state in time, ensuring the security of the terminal.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to a terminal security setting management method and a terminal security setting management apparatus.
Background
With the widespread adoption of the Internet, many organizations have established network information systems. Most network information systems comprise at least one server and multiple terminals.
When a terminal stores confidential or important files, the terminal needs to be managed securely to prevent those files from being leaked and to keep them safe.
For example, a department may hold files involving company secrets, or a terminal may store private account information, bank card numbers and passwords, and the like. To protect such confidential files, private account information and bank card numbers and passwords, different security management strategies need to be configured for different terminals or for the terminals of different departments. In practice, however, security management strategies are usually set manually by staff, which is tedious and time-consuming. Furthermore, because terminal permission settings are so varied, most people do not know how to configure them, so the intended security protection is not achieved.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a terminal security setting management method and a corresponding terminal security setting management apparatus that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a terminal security setting management method is provided, comprising:
receiving a terminal management strategy issued by a server, wherein the terminal management strategy indicates the setting state of at least one security setting item in the terminal that is associated with a characteristic information object, and the terminal management strategy is configured according to the characteristic information object identified from the terminal;
checking whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy;
if inconsistent, performing a repair according to the terminal management strategy.
Optionally, the at least one security setting item in the terminal associated with the characteristic information object comprises at least one of the following: a security setting item implementing identity authentication, a security setting item implementing security audit, a security setting item implementing access control, a security setting item implementing resource control, and a security setting item implementing intrusion defense.
Optionally, checking whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy comprises:
reading, from a first target registry of the terminal, the setting parameters of the security setting item associated with the characteristic information object;
determining whether the setting parameters conform to the setting state indicated by the terminal management strategy.
Optionally, performing the repair according to the terminal management strategy comprises:
modifying the setting parameters associated with the characteristic information object in the first target registry of the terminal, so that the setting state indicated by the setting parameters conforms to the setting state indicated by the terminal management strategy.
Optionally, before receiving the terminal management strategy issued by the server, the method further comprises:
identifying, according to a preset recognition rule, characteristic information objects from among multiple information objects of the terminal, and uploading the recognition result to the server.
Optionally, before identifying characteristic information objects from among multiple information objects of the terminal according to the preset recognition rule, the method further comprises:
downloading the recognition rule from the server, or receiving the recognition rule issued by the server.
Optionally, before identifying characteristic information objects from among multiple information objects of the terminal according to the preset recognition rule, the method further comprises:
obtaining the historical operation records of the terminal on the information objects, and extracting from the historical operation records each information object that has been operated on.
Optionally, obtaining the historical operation records of the terminal on the information objects comprises:
accessing a second target registry of the operating system, and reading from the second target registry the historical access records and historical search records for information objects;
and/or reading, from the relevant location of a shared file management program, the shared access records for information objects shared among multiple operating systems.
Optionally, the recognition rule indicates keywords contained in the attribute information of characteristic information objects, and identifying characteristic information objects from among multiple information objects of the terminal according to the preset recognition rule and uploading the recognition result to the server comprises:
if the attribute information of an information object hits at least one keyword indicated by the recognition rule, determining that the information object is a characteristic information object, wherein the attribute information comprises at least one of the information name, information type and information content of the information object;
uploading the identified characteristic information objects and/or the number of characteristic information objects to the server.
Optionally, the recognition rule indicates information paths to be identified in order;
identifying characteristic information objects from among multiple information objects of the terminal according to the preset recognition rule is:
identifying each information object in turn according to the information paths to be identified preferentially and/or the information paths to be ignored.
Optionally, the recognition rule indicates at least one of: the execution duration of the identification operation over the multiple information objects, the size of the information objects to be identified, and the number of information objects to be identified.
Optionally, receiving the terminal management strategy issued by the server comprises:
receiving the terminal management strategy that the server configures for the terminal according to the number of identified characteristic information objects.
Optionally, the recognition rule further indicates the feature classification to which information objects containing each keyword belong, and the method further comprises:
determining, according to the keyword hit by the characteristic information object, the feature classification to which the characteristic information object belongs;
receiving the terminal management strategy that the server configures for the terminal according to the recognition result is: receiving the terminal management strategy that the server configures for the terminal according to the feature classification of the identified characteristic information objects.
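The keyword-based recognition step described above, as an added example that is not code from the patent. The rule fields, paths, keywords and class names are constructed for illustration; the three limits stand for the duration, size and number bounds the recognition rule may indicate.

```python
import time
from dataclasses import dataclass


@dataclass
class RecognitionRule:
    keywords: dict          # keyword -> feature classification
    priority_paths: list    # scanned first, in the order given
    ignored_paths: list     # never scanned
    max_objects: int        # bound on the number of objects examined
    max_size_bytes: int     # larger objects are skipped
    max_seconds: float      # bound on the duration of the whole scan


@dataclass
class InfoObject:
    path: str
    name: str
    kind: str
    content: str
    size: int


def _under(path, prefixes):
    """True if path equals one of the prefixes or lies below it."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)


def scan_order(objects, rule):
    """Drop ignored paths, then put priority paths first (stable sort)."""
    kept = [o for o in objects if not _under(o.path, rule.ignored_paths)]

    def rank(obj):
        for i, prefix in enumerate(rule.priority_paths):
            if _under(obj.path, [prefix]):
                return i
        return len(rule.priority_paths)

    return sorted(kept, key=rank)


def identify(objects, rule, clock=time.monotonic):
    """Return the recognition result to upload: hit objects and their count."""
    start, examined, hits = clock(), 0, []
    for obj in scan_order(objects, rule):
        if examined >= rule.max_objects or clock() - start > rule.max_seconds:
            break
        if obj.size > rule.max_size_bytes:
            continue
        examined += 1
        # Attribute information: name, type and content of the object.
        haystack = " ".join((obj.name, obj.kind, obj.content)).lower()
        matched = sorted(k for k in rule.keywords if k.lower() in haystack)
        if matched:
            hits.append({
                "path": obj.path,
                "keywords": matched,
                "classes": sorted({rule.keywords[k] for k in matched}),
            })
    return {"count": len(hits), "objects": hits}


# Constructed rule and sample objects (not from the patent).
RULE = RecognitionRule(
    keywords={"confidential": "company-secret",
              "bank card": "financial-account",
              "password": "credential"},
    priority_paths=["/home/u/finance"],
    ignored_paths=["/home/u/tmp"],
    max_objects=10,
    max_size_bytes=1_000_000,
    max_seconds=5.0,
)

SAMPLE_OBJECTS = [
    InfoObject("/home/u/docs/notes.txt", "notes.txt", "text", "lunch menu", 100),
    InfoObject("/home/u/finance/payroll.xlsx", "payroll.xlsx", "spreadsheet",
               "salary table, confidential", 2000),
    InfoObject("/home/u/docs/accounts.txt", "accounts.txt", "text",
               "bank card and password list", 300),
    InfoObject("/home/u/tmp/cache.bin", "cache.bin", "binary", "confidential", 50),
    InfoObject("/home/u/docs/image.iso", "image.iso", "binary",
               "confidential", 10**9),
]

if __name__ == "__main__":
    result = identify(SAMPLE_OBJECTS, RULE)
    print(result["count"], [o["path"] for o in result["objects"]])
```

The returned count and the per-object classes are the two inputs the description says the server may use when configuring the terminal management strategy.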
According to another aspect of the present invention, a terminal security setting management apparatus is provided, comprising:
a terminal management strategy receiving module, configured to receive a terminal management strategy issued by a server, wherein the terminal management strategy indicates the setting state of at least one security setting item in the terminal that is associated with a characteristic information object, and the terminal management strategy is configured according to the characteristic information object identified from the terminal;
a setting state checking module, configured to check whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy;
a setting state repair module, configured to perform a repair according to the terminal management strategy if they are inconsistent.
Optionally, the at least one security setting item in the terminal associated with the characteristic information object comprises at least one of the following: a security setting item implementing identity authentication, a security setting item implementing security audit, a security setting item implementing access control, a security setting item implementing resource control, and a security setting item implementing intrusion defense.
Optionally, the setting state checking module comprises:
a setting parameter reading submodule, configured to read, from the first target registry of the terminal, the setting parameters of the security setting item associated with the characteristic information object;
a setting state judging submodule, configured to determine whether the setting parameters conform to the setting state indicated by the terminal management strategy.
Optionally, the setting state repair module is specifically configured to modify the setting parameters associated with the characteristic information object in the first target registry of the terminal, so that the setting state indicated by the setting parameters conforms to the setting state indicated by the terminal management strategy.
Optionally, the apparatus further comprises:
a characteristic information object identification module, configured to, before the terminal management strategy issued by the server is received, identify characteristic information objects from among multiple information objects of the terminal according to a preset recognition rule, and upload the recognition result to the server.
Optionally, the apparatus further comprises:
a recognition rule receiving module, configured to, before characteristic information objects are identified from among multiple information objects of the terminal according to the preset recognition rule, download the recognition rule from the server or receive the recognition rule issued by the server.
Optionally, the apparatus further comprises:
a historical operation record acquisition module, configured to, before characteristic information objects are identified from among multiple information objects of the terminal according to the preset recognition rule, obtain the historical operation records of the terminal on the information objects and extract from the historical operation records each information object that has been operated on.
Optionally, the historical operation record acquisition module comprises:
a second target registry access submodule, configured to access the second target registry of the operating system and read from the second target registry the historical access records and historical search records for information objects;
and/or a shared access record reading submodule, configured to read, from the relevant location of a shared file management program, the shared access records for information objects shared among multiple operating systems.
Optionally, the recognition rule indicates keywords contained in the attribute information of characteristic information objects;
the characteristic information object identification module comprises:
a characteristic information object determination submodule, configured to determine that an information object is a characteristic information object if the attribute information of the information object hits at least one keyword indicated by the recognition rule, wherein the attribute information comprises at least one of the information name, information type and information content of the information object;
an information upload submodule, configured to upload the identified characteristic information objects and/or the number of characteristic information objects to the server.
Optionally, the recognition rule indicates information paths to be identified in order;
the characteristic information object identification module is specifically configured to identify each information object in turn according to the information paths to be identified preferentially and/or the information paths to be ignored.
Optionally, the recognition rule indicates at least one of: the execution duration of the identification operation over the multiple information objects, the size of the information objects to be identified, and the number of information objects to be identified.
Optionally, the terminal management strategy receiving module is specifically configured to receive the terminal management strategy that the server configures for the terminal according to the number of identified characteristic information objects.
Optionally, the recognition rule further indicates the feature classification to which information objects containing each keyword belong, and the apparatus further comprises:
a feature classification determination module, configured to determine, according to the keyword hit by the characteristic information object, the feature classification to which the characteristic information object belongs;
the terminal management strategy receiving module is specifically configured to receive the terminal management strategy that the server configures for the terminal according to the feature classification of the identified characteristic information objects.
Through the embodiments of the present invention, multiple information objects of the terminal are detected automatically according to a preset recognition rule, characteristic information objects are identified from among them, and the recognition result is uploaded to the server; the server configures the terminal management strategy according to the uploaded recognition result. Compared with a conventional, manually set terminal management strategy, a terminal management strategy configured according to the solution of the present invention protects the terminal more comprehensively and effectively. Furthermore, by repairing the operation permissions currently set on the terminal according to the terminal management strategy, the terminal can be restored to a secure state in time, ensuring terminal security.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered limiting of the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flow chart of the steps of a terminal security setting management method according to Embodiment 1 of the present invention;
Fig. 2 shows a flow chart of the steps of a terminal security setting management method according to Embodiment 2 of the present invention;
Fig. 3 shows a structural block diagram of a terminal security setting management apparatus according to Embodiment 1 of the present invention;
Fig. 4 shows a structural block diagram of a terminal security setting management apparatus according to Embodiment 2 of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
Referring to Fig. 1, a flow chart of the steps of a terminal security setting management method according to Embodiment 1 of the present invention is shown. The method may specifically comprise the following steps:
Step 101: receive a terminal management strategy issued by a server. The terminal management strategy indicates the setting state of at least one security setting item in the terminal that is associated with a characteristic information object, and is configured according to the characteristic information object identified from the terminal.
In the embodiments of the present invention, the information object may be at least one of: a file stored on the terminal, a website browsed by the terminal, an external device of the terminal, or another detectable object. The file may be a document of any type, a file shared among multiple operating systems, and so on.
A characteristic information object may be an information object with particular attributes, for example one that is high-risk, that involves confidential content, or that otherwise calls for security protection of the terminal. Based on the characteristic information objects present on the terminal, a corresponding security protection strategy needs to be configured to maintain the security of the terminal or of the information objects.
The terminal management strategy may be a security management strategy for securely managing the characteristic information objects of the terminal, and may be configured by the server according to the characteristic information objects identified from the terminal. The terminal management strategy may indicate the setting state of at least one security setting item in the terminal associated with the characteristic information object; for example, it may indicate the specific count for the account lockout count, the specific duration for the account lockout time, and the number of characters for the minimum password length. For each security setting item, one or more of cloud disk type, capacity level, processing mode and other setting states may also be set.
In a specific implementation, relevant parameters may be selected or filled in on the terminal management strategy editing page of the server client, according to the characteristic information objects identified from the terminal, to generate the corresponding terminal management strategy.
Step 102: check whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy.
In the embodiments of the present invention, because the terminal management strategy indicates the setting state of at least one security setting item associated with the characteristic information object, when the received terminal management strategy is executed, the current setting state of the security setting item in the terminal is checked for consistency with the setting state indicated by the terminal management strategy.
In a specific implementation, when the setting state of at least one security setting item in the terminal associated with the characteristic information object is checked according to the received terminal management strategy, the setting state of the security setting item indicated by the terminal management strategy is identified first, and it is then determined whether the current setting state of that security setting item in the terminal conforms to it. For example, if the setting state of the account lockout time indicated by the terminal management strategy is 15 min, the setting state of the account lockout time in the terminal is identified and it is determined whether it is 15 min. If so, the setting state of the account lockout time of the terminal is judged to meet the requirement of the terminal management strategy; if not, it is judged not to meet the requirement of the terminal management strategy.
Step 103: if inconsistent, perform a repair according to the terminal management strategy.
In the embodiments of the present invention, for a characteristic information object detected in the terminal, if the currently set setting state of at least one security setting item is inconsistent with the setting state indicated by the terminal management strategy, the current setting state may be repaired according to the setting state indicated by the terminal management strategy, so that it meets the requirement of the terminal management strategy.
In a specific implementation, after terminal management finishes, the management results may be tallied. For example, the mismatched security setting items found by the check, the number of mismatched security setting items, and the ratio of that number to the total number of security setting items of the terminal may be counted. Based on a predefined correspondence between this ratio and terminal protection levels, the current protection level of the terminal may be determined and displayed on a terminal page for viewing.
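Steps 102 and 103 and the result statistics, as an added example that is not code from the patent. A dictionary stands in for the first target registry, the setting names are hypothetical keys, the policy values are the ones the description gives as examples, and the ratio-to-level thresholds and the use of the policy's item count as the total are assumptions.

```python
from dataclasses import dataclass

# Constructed terminal management strategy using the example values from the
# description. The keys are hypothetical names, not real registry value names.
POLICY = {
    "AccountLockoutDurationMinutes": 15,
    "MinimumPasswordLength": 8,
    "MinimumPasswordAgeDays": 1,
    "MaximumPasswordAgeDays": 90,
    "PasswordHistorySize": 10,
}

# Constructed current state of the terminal. One value has drifted and one
# item is not set at all.
SAMPLE_STORE = {
    "AccountLockoutDurationMinutes": 30,
    "MinimumPasswordLength": 8,
    "MinimumPasswordAgeDays": 1,
    "MaximumPasswordAgeDays": 90,
}

# Assumed correspondence (upper bound of mismatch ratio, protection level).
# The description only says that such a correspondence is defined in advance.
GRADES = [(0.0, "high"), (0.5, "medium"), (1.0, "low")]

_MISSING = object()


@dataclass
class Report:
    changes: list   # (name, value found, value written) for each repaired item
    total: int      # number of items the policy covers
    ratio: float    # mismatched / total, measured before the repair
    grade: str      # protection level the terminal had when checked


def check(store, policy):
    """Step 102: names of items whose state differs from the policy.

    A missing item counts as a mismatch, because an unset value is not
    evidence that the required state is in force.
    """
    return sorted(n for n, want in policy.items()
                  if store.get(n, _MISSING) != want)


def grade_for(ratio):
    """Map a mismatch ratio to a protection level using GRADES."""
    for upper, grade in GRADES:
        if ratio <= upper:
            return grade
    return GRADES[-1][1]


def enforce(store, policy):
    """Steps 102 and 103 plus statistics: check, repair, re-check, report."""
    mismatched = check(store, policy)
    changes = []
    for name in mismatched:
        changes.append((name, store.get(name), policy[name]))
        store[name] = policy[name]
    # Read back after writing so that a repair which did not take effect
    # is reported as a failure instead of being counted as fixed.
    remaining = check(store, policy)
    if remaining:
        raise RuntimeError(f"repair did not take effect for: {remaining}")
    ratio = len(mismatched) / len(policy) if policy else 0.0
    return Report(changes, len(policy), ratio, grade_for(ratio))


if __name__ == "__main__":
    store = dict(SAMPLE_STORE)
    report = enforce(store, POLICY)
    for name, old, new in report.changes:
        print(f"repaired {name}: {old!r} -> {new!r}")
    print(f"{len(report.changes)}/{report.total} mismatched, "
          f"level when checked: {report.grade}")
```

Keeping the value found next to the value written gives an audit trail of what drifted, which is what the tallied management result is useful for.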
In the embodiments of the present invention, preferably, the at least one security setting item in the terminal associated with the characteristic information object may comprise at least one of the following: a security setting item implementing identity authentication, a security setting item implementing security audit, a security setting item implementing access control, a security setting item implementing resource control, and a security setting item implementing intrusion defense.
Specifically, the security setting items implementing identity authentication may include one or more of: security setting items implementing login failure limits, security setting items implementing protection against local identity theft, security setting items implementing password maintenance requirements, and other security setting items. The security setting items implementing login failure limits may include the account lockout threshold, the account lockout time, and the time after which the account lockout counter is reset. The security setting items implementing protection against local identity theft may include requiring a password when the computer wakes (on battery), requiring a password when the computer wakes (plugged in), enabling the screen saver, and password-protecting the screen saver. The security setting items implementing password maintenance requirements may include password length, minimum password age, maximum password age, and enforced password history. For at least one setting item among the security setting items implementing identity authentication, one or more of account lockout count, account lockout time, minimum number of password characters, number of days, number of enforced password history entries, cloud disk type, capacity level (for example GB, TB), processing mode and other setting parameters may be set to generate the setting state of the security setting item. For example, the password length may be set to 8 characters, the minimum password age to 1 day, the maximum password age to 90 days, the enforced password history to 10, and the processing mode to automatic processing.
The security setting items implementing security audit may include one or more of: items implementing account management auditing, items implementing logon/logoff auditing, items implementing other operation permissions, and other setting items. Further, the items implementing account management auditing may include audit computer account management, audit user account management, audit account lockout, and audit other account management events. The items implementing logon/logoff auditing may include audit logon events, audit credential validation, audit other account logon events, audit logoff, audit other logon/logoff events, and audit special logon. The items implementing other operation permissions may include audit authentication service and audit security group management.
Correspondingly, for at least one setting item among the security setting items implementing security audit, one or more of audit result (for example success, failure, success and failure), audit form (for example audited, not audited), cloud disk type, capacity level (for example GB, TB), processing mode and other setting parameters may be set to generate the setting state of the security setting item.
The security setting items implementing access control may include items implementing network security access control, items implementing account access control, and items implementing account permission control. The items implementing network security access control may include: do not allow anonymous enumeration of SAM (Security Accounts Manager) accounts; do not allow anonymous enumeration of SAM accounts and shares; named pipes that can be accessed anonymously; shares that can be accessed anonymously; restrictions for unauthenticated RPC (Remote Procedure Call Protocol) clients; RPC endpoint mapper client authentication; and disabling Remote Desktop. The items implementing account access control may include guest account status and limiting local accounts with blank passwords to console logon only. The items implementing account permission control may include deny access to this computer from the network and allow logon through Remote Desktop Services.
Correspondingly, for at least one setting item among the security setting items implementing access control, one or more of the usage state of the operation permission indicated by the security setting item (for example enabled, disabled), account permission setting parameters (for example allow clients only, allow administrators only), cloud disk type, capacity level (for example GB, TB), processing mode and other setting parameters may be set to generate the setting state of the security setting item.
The security setting items implementing resource control may include items implementing service resource control, items implementing functional component control, and items implementing device resource control. Further, the items implementing service resource control may include Bluetooth Support Service, Terminal Services (remote desktop service) and FTP Publishing Service (File Transfer Protocol publishing service). The items implementing functional component control may include Internet Information Service and the Telnet server. The items implementing device resource control may include allowing remote access to the Plug and Play interface.
Correspondingly, for at least one setting item among the security setting items implementing resource control, one or more of the usage state of the operation permission indicated by the security setting item (for example enabled, disabled), the installation state of functional components (for example installation allowed, installation not allowed), cloud disk type, capacity level (for example GB, TB), processing mode and other setting parameters may be set to generate the setting state of the security setting item.
The security setting item realizing intrusion defense can comprise the security setting item realizing network configuration intrusion defense and the security setting item etc. realizing application safety configuration intrusion defense.Further, the security setting item realizing network configuration intrusion defense can comprise closes item such as security setting such as hand-written individuation data shared grade; The security setting item realizing application safety configuration intrusion defense can comprise closedown shell protocol protected mode, closes the DEP of explorer and close the security setting items such as broadcasting automatically.
Correspondingly, for at least one setting option realizing comprising in the security setting item of intrusion defense, can arrange in the using state (such as start, forbid) of operating right of security setting item instruction, cloud disc-type, capacity levels (such as GB, TB etc.), processing mode and other parameters one or more, what generate described security setting item arranges state.
In the embodiment of the present invention, preferably, checking whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy may comprise:
Reading, from the first target registry of the terminal, the setting parameters of the security setting item associated with the characteristic information object;
Judging whether the setting parameters conform to the setting state indicated by the terminal management strategy.
The first target registry records the setting parameters associated with different information objects. When checking whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy, the setting parameters associated with the characteristic information object can be read from the first target registry. For example, if the correspondingly configured terminal management strategy includes setting account administrator permissions, the registry path [HKEY_LOCAL_MACHINE]--> [SOFTWARE]--> [Microsoft]--> [Windows NT]--> [CurrentVersion]--> [Winlogon]--> [SpecialAccounts] can be accessed. The setting parameter related to account permissions under this path is the [value name], which represents the user's logon name; value data of 0 means the permission is disabled and value data of 1 means the permission is enabled. The value can be modified according to the setting state indicated by the management strategy.
In a specific implementation, the setting parameters associated with the characteristic information object may also be read from other relevant locations; the present invention does not limit this.
In the embodiment of the present invention, preferably, repairing according to the terminal management strategy may comprise:
Modifying the setting parameters associated with the characteristic information object in the first target registry of the terminal, so that the setting state indicated by the setting parameters conforms to the setting state indicated by the terminal management strategy.
Because the first target registry records the setting parameters associated with different information objects, once it has been checked whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy, the setting parameters associated with the characteristic information object in the first target registry of the terminal can be modified so that the setting state they indicate is consistent with the setting state indicated by the terminal management strategy, thereby repairing the terminal according to the terminal management strategy.
According to the embodiment of the present invention, the multiple information objects of the terminal are detected automatically according to a preset recognition rule, characteristic information objects are identified from the multiple information objects of the terminal, and the recognition result is uploaded to the server; the server configures the terminal management strategy according to the uploaded recognition result. Compared with a traditional, manually set terminal management strategy, a terminal management strategy configured according to the solution of the present invention can protect the terminal more comprehensively and effectively. Furthermore, by repairing the operation permissions currently set on the terminal according to the terminal management strategy, the terminal can be restored to a secure state in time, ensuring terminal security.
With reference to Fig. 2, a flow chart of the steps of a terminal security setting management method according to embodiment 2 of the present invention is shown, which may specifically comprise the following steps:
Step 201: download the recognition rule from the server, or receive the recognition rule issued by the server.
In the embodiment of the present invention, the recognition rule may be used to identify characteristic information objects from the multiple information objects of the terminal. For example, the recognition rule may indicate the file name of a characteristic information object or a keyword it contains, and may be a regular expression containing the file name or keyword. The recognition result may be the identified characteristic information objects and/or the number of identified characteristic information objects.
In a specific implementation, a client may be installed on the server, with an editing page for formulating recognition rules provided in the client, offering an entry for setting or adding recognition rules so that recognition rules are configured on the server; pre-configured recognition rules may also be stored on the server.
When the terminal security management strategy is about to be executed, an instruction to download the recognition rule can be sent to the server, and the server feeds the recognition rule back to the terminal after receiving the instruction; alternatively, a time for issuing the recognition rule can be preset on the server, so that the server issues the recognition rule at the set time.
Specifically, when the information object is a document, the characteristic information object may be a blacklisted file or a file containing specific information, and the recognition rule can be formulated according to actual requirements. For example, it can be based on the file name: the characteristic information object is determined by searching the terminal for files with that file name. It can be based on the file content: the characteristic information object is determined by searching the terminal for files with that content, where the file content may include keywords, author, statements and other content. It can be based on the file path: the characteristic information object is determined by searching the files under a specified file path.
When the information object is a website, the characteristic information object is a website that may pose a security threat to the terminal or to the web browsing application on the terminal; various keywords or blacklists can be preset for identification. For example, a website name, website address or other information can be preset, and websites with that name or address are searched for in the history access records.
When the information object is an external device of the terminal, such as a USB flash drive or a keyboard, the characteristic information object may be an external device that poses a security threat to the terminal or an external device that needs special protection. It can be identified according to the various access information of the external device, for example according to the device name or according to attributes of the external device (such as name, capacity, etc.).
Step 202: according to the preset recognition rule, identify characteristic information objects from the multiple information objects of the terminal, and upload the recognition result to the server.
In the embodiment of the present invention, during terminal management, the terminal receives the recognition rule sent by the server, identifies characteristic information objects from the multiple information objects of the terminal according to the received recognition rule, and uploads the recognition result to the server.
In a specific implementation, the recognition rule may indicate the keywords contained in the attribute information of the characteristic information object; may indicate the information paths to be identified in order; may indicate at least one of the execution duration of the identification operation over the multiple information objects, the size of the information objects to be identified, and their number; and may indicate the feature classification to which information objects containing each keyword belong, as well as other information.
When the recognition rule indicates the keywords contained in the attribute information of the characteristic information object, if the attribute information of an information object hits at least one keyword indicated by the recognition rule, the information object is determined to be a characteristic information object.
Specifically, a keyword indicated by the recognition rule may be a single word, number or symbol, or a combination of multiple words, numbers or symbols. When a keyword search is performed on terminal files according to the recognition rule, the file is first opened and its content is read into memory; regular-expression matching is then used to check whether the keyword occurs in the file. The characteristic files that were hit, or the counted number of characteristic files, can be reported to the server. The server may be a private cloud server, a public cloud server or another terminal.
The attribute information of an information object comprises at least one of the information name, information type and information content of the information object, and may also be of any other suitable type, such as information size; the present invention does not limit this.
When the attribute information comprises the information name of the information object, the keyword indicated by the recognition rule may be the information name of the information object. According to the information name indicated by the recognition rule, the files in the terminal that match the information name are determined to be characteristic files, and the determined characteristic files are uploaded to the server. For example, the recognition rule indicates a file name blacklist containing the two file names "file name 1: readme.txt" and "file name 2: md5.exe", and indicates that a file matching either file name, or both file names at once, can be confirmed as a characteristic file.
When the attribute information comprises the information type of the information object, the keyword indicated by the recognition rule may be the information type of the information object. According to the file type indicated by the recognition rule, the files in the terminal that match the file type are determined to be characteristic files, and the determined characteristic files are uploaded to the server. The file type may be Office Word, Office Excel, WPS text, WPS spreadsheet, txt document, rtf document, CSV document, PDF document or another format.
When the attribute information comprises the information content of the information object, the keyword indicated by the recognition rule may be the MD5 (Message-Digest Algorithm 5) value of the information content, and a file whose content has an MD5 value matching the MD5 rule can be determined to be a characteristic file. An information object that hits the MD5 value is a characteristic information object, which may be a dangerous file or a file with some specific property.
Preferably, when the recognition rule also indicates the information paths to be identified in order, each information object may be identified in turn according to the information paths to be identified preferentially and/or the information paths to be ignored.
Specifically, the characteristic files under an information path indicated for preferential identification can be searched first; an information path indicated to be ignored can be skipped, and the characteristic files under other paths searched. For example, if the recognition rule indicates that the path to be identified preferentially is "C:\testdate", then according to the recognition rule the files under the path "C:\testdate" are searched and identified. After a characteristic file is detected, the detected characteristic file and the path where it is located can be displayed together on the desktop, and the file can be uploaded to the server by clicking the "Confirm" button.
Preferably, when the recognition rule also indicates at least one of the execution duration of the identification operation over the multiple information objects, the size of the information objects to be identified, and their number, each information object may be identified in turn according to the recognition rule, and the characteristic information objects meeting the recognition rule, or their number, are sent to the server. For example, if the recognition rule indicates that the size of information objects to be identified is less than 200M, only files smaller than 200M in the terminal are identified.
Preferably, when the recognition rule also indicates the feature classification to which information objects containing each keyword belong, the feature classification of a characteristic information object can be determined according to the keyword that the characteristic information object hits.
Specifically, after a characteristic information object is identified according to the keyword, its feature classification is determined according to the relationship, indicated by the recognition rule, between keywords and the feature classifications of information objects; the characteristic files that were hit, or the counted number of characteristic files, can be reported to the server. For example, the keyword indicated by the recognition rule is an ID card number, and it is preset that characteristic files containing an ID card number are classified files. After a file containing an ID card number is identified in the terminal, the identified characteristic file is determined to be a classified file, and this feature classification (classified file) is uploaded to the server.
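The following added example (not code from the patent) shows one way the recognition rule of step 202 could be evaluated on a terminal: a file name blacklist, an MD5 match on content, a keyword regular expression with its feature classification, priority and ignored paths, and the size limit. The rule layout, the function names and the sample directory tree are all assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed recognition rule; the layout and every value are assumptions.
RULE = {
    "name_blacklist": {"readme.txt", "md5.exe"},   # the two file names from the text
    # MD5 is the digest the text names. It matches known content but is not
    # collision resistant, so it should not be the only signal for hostile files.
    "content_md5": {hashlib.md5(b"constructed sample payload").hexdigest()},
    "keywords": {r"\b\d{17}[\dXx]\b": "classified"},  # ID-number-like string -> classification
    "priority_paths": ["testdate"],                # identified first
    "ignored_paths": ["cache"],                    # never identified
    "max_size": 200 * 1024 * 1024,                 # only files smaller than 200M
}


def ordered_files(root, rule):
    """Yield files under root: priority paths first, ignored paths skipped."""
    ignored = [root / p for p in rule["ignored_paths"]]
    seen = set()
    for start in [root / p for p in rule["priority_paths"]] + [root]:
        if not start.is_dir():
            continue
        for path in sorted(start.rglob("*")):
            if not path.is_file() or path in seen:
                continue
            if any(ig in path.parents for ig in ignored):
                continue
            seen.add(path)
            yield path


def identify(root, rule):
    """Return the recognition result: the characteristic files and their number."""
    root = Path(root)
    hits = []
    for path in ordered_files(root, rule):
        if path.stat().st_size >= rule["max_size"]:
            continue
        data = path.read_bytes()
        reasons, classes = [], set()
        if path.name.lower() in rule["name_blacklist"]:
            reasons.append("name")
        if hashlib.md5(data).hexdigest() in rule["content_md5"]:
            reasons.append("md5")
        text = data.decode("utf-8", errors="ignore")
        for pattern, category in rule["keywords"].items():
            if re.search(pattern, text):
                reasons.append("keyword")
                classes.add(category)
        if reasons:
            hits.append({"path": path.relative_to(root).as_posix(),
                         "reasons": reasons, "classes": sorted(classes)})
    return {"hits": hits, "count": len(hits)}


def build_sample_tree(root):
    """Create a constructed directory tree to scan (sample data only)."""
    files = {
        "testdate/readme.txt": b"hello",
        "testdate/notes.txt": b"ID number: 123456199001011234",
        "docs/blob.bin": b"constructed sample payload",
        "docs/plain.txt": b"nothing of interest",
        "cache/md5.exe": b"skipped because its path is ignored",
    }
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo():
    """Scan the constructed tree and return the result that would be uploaded."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return identify(tmp, RULE)


if __name__ == "__main__":
    print(demo())
```

The blacklisted md5.exe under the ignored path is not reported, which shows how an ignore list narrows what the server learns about the terminal.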
Further, after terminal management ends, the management results may be counted: for example, the setting options detected as unmatched, the number of unmatched setting options, and the ratio of the number of unmatched setting options to the total number of setting options of the terminal. Based on a pre-divided correspondence between that ratio and the terminal protection grade, the current protection grade of the terminal can be determined and displayed on a terminal page for viewing.
Step 203: receive the terminal management strategy issued by the server. The terminal management strategy indicates the setting state of at least one security setting item in the terminal that is associated with the characteristic information object, and is configured according to the characteristic information objects identified from the terminal.
In a specific implementation, the correspondence between recognition results and terminal management strategies can be recorded in the server in advance, for example the correspondence between characteristic information objects and terminal management strategies, between the number of characteristic information objects and terminal management strategies, or between the feature classification of characteristic information objects and terminal management strategies. After receiving the recognition result sent by the terminal, the server can determine the terminal management strategy corresponding to the recognition result according to the recorded correspondence, and feed the determined terminal management strategy back to the terminal.
Specifically, the terminal can receive the terminal management strategy that the server configures for the terminal according to the identified characteristic information objects. For example, it can receive the terminal management strategy configured according to the classification of the identified characteristic information objects, according to the number of identified characteristic information objects, or according to the feature type of the identified characteristic information objects.
Step 204: check whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy.
Step 205: if inconsistent, repair according to the terminal management strategy.
In the embodiment of the present invention, when the setting state of at least one security setting item currently set in the terminal is detected to be inconsistent with the terminal management strategy, it can be repaired to meet the requirements of the terminal management strategy. For example, the minimum password age indicated by the terminal management strategy is 1 day; if the minimum password age currently set on the terminal is detected to be 5 days, this setting of the terminal is repaired and the minimum password age of the terminal is changed to 1 day. Specifically, a prompt for modifying the minimum password age can be displayed on a terminal page, and the modified minimum password age of 1 day entered through the page is received.
Further, the management results may be counted. For example, a "checked" mark may be added to security setting items whose setting state conforms to the terminal management strategy, and a "repaired" mark may be added to items whose setting state did not conform once their repair is complete. The number of unmatched security setting items and its ratio to the total number of security setting items of the terminal may be counted; based on a pre-divided correspondence between that ratio and the terminal protection grade, the protection grade of the terminal can be determined and displayed on a terminal page for viewing.
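The following added example (not code from the patent) walks through the strategy selection of step 203, the registry check of step 204, the repair of step 205 and the protection grade statistic. The registry value names are the usual Windows locations for the named settings and are not given in the patent text; the mapping from recognition result to strategy, the grade thresholds and the registry snapshot are assumptions constructed for illustration.

```python
from dataclasses import dataclass

LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
TS = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"


@dataclass(frozen=True)
class SettingItem:
    name: str       # security setting item, as named in the text
    key: str        # registry key (location assumed, not given in the text)
    value: str      # registry value name
    required: int   # setting state indicated by the terminal management strategy


BASELINE = [
    SettingItem("Do not allow anonymous enumeration of SAM accounts",
                LSA, "RestrictAnonymousSAM", 1),
    SettingItem("Blank-password local accounts: console logon only",
                LSA, "LimitBlankPasswordUse", 1),
]
STRICT = BASELINE + [
    SettingItem("Do not allow anonymous enumeration of SAM accounts and shares",
                LSA, "RestrictAnonymous", 1),
    SettingItem("Disable remote desktop", TS, "fDenyTSConnections", 1),
]

# Constructed snapshot of the terminal's registry: (key, value name) -> value data.
# On a Windows terminal these reads and writes would go through the winreg module.
SAMPLE_REGISTRY = {
    (LSA, "RestrictAnonymousSAM"): 1,
    (LSA, "LimitBlankPasswordUse"): 0,
    (LSA, "RestrictAnonymous"): 0,
    # fDenyTSConnections is absent on purpose: a missing value counts as unmatched.
}


def select_strategy(result):
    """Server side: pick a strategy from the uploaded recognition result (hypothetical mapping)."""
    if "classified" in result["classes"] or result["count"] >= 10:
        return STRICT
    return BASELINE


def check(registry, strategy):
    """Step 204: return the items whose current state differs from the strategy."""
    return [item for item in strategy
            if registry.get((item.key, item.value)) != item.required]


def repair(registry, unmatched):
    """Step 205: write the required state for every unmatched item."""
    for item in unmatched:
        registry[(item.key, item.value)] = item.required


def protection_grade(unmatched_count, total):
    """Map the unmatched ratio to a grade; the thresholds are assumptions."""
    ratio = unmatched_count / total if total else 0.0
    if ratio == 0:
        return "high"
    return "medium" if ratio <= 0.5 else "low"


def manage(registry, result):
    """Run check, repair and re-check; return a report of what changed."""
    strategy = select_strategy(result)
    unmatched = check(registry, strategy)
    grade_before = protection_grade(len(unmatched), len(strategy))
    repair(registry, unmatched)
    remaining = check(registry, strategy)   # confirm the repair took effect
    return {
        "unmatched": [item.value for item in unmatched],
        "grade_before": grade_before,
        "grade_after": protection_grade(len(remaining), len(strategy)),
    }


if __name__ == "__main__":
    print(manage(dict(SAMPLE_REGISTRY), {"count": 3, "classes": ["classified"]}))
```

Re-running the check after the repair, rather than assuming the write succeeded, is what lets the reported grade reflect the terminal's actual state.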
In the embodiment of the present invention, preferably, before identifying characteristic information objects from the multiple information objects of the terminal according to the preset recognition rule, the method may further comprise:
Obtaining the terminal's historical operation records for the information objects, and extracting from the historical operation records each information object that has been operated on.
In a specific implementation, when browsing web pages or websites, sharing data, using a USB flash drive, viewing accounts, opening files or performing other operations, the terminal may record the operations on the information objects, generating historical operation records such as browsing history, data sharing records, USB flash drive usage records and file access and open records, and store them for viewing.
Further, obtaining the terminal's historical operation records for the information objects may comprise:
Accessing a second target registry of the operating system, and reading history access records and historical search records for information objects from the second target registry;
And/or, reading, from the relevant location of a shared file management program, share access records for information objects shared by multiple operating systems.
The second target registry of the operating system may store the terminal's history access records and historical search records for information objects. Specifically, when the history access records or historical search records for information objects are to be obtained, the required data can be read from the second target registry of the operating system.
When data is shared, the shared file management program may store the share access records for information objects shared by multiple operating systems in a relevant location, such as an associated database or file. Specifically, when the share access records for information objects shared by multiple operating systems are to be read, the required data can be read from the associated database or file of the shared file management program.
According to the embodiment of the present invention, the multiple information objects of the terminal are detected automatically according to a preset recognition rule, characteristic information objects are identified from the multiple information objects of the terminal, and the recognition result is uploaded to the server; the server configures the terminal management strategy according to the uploaded recognition result. Compared with a traditional, manually set terminal management strategy, a terminal management strategy configured according to the solution of the present invention can protect the terminal more comprehensively and effectively. Furthermore, by repairing the operation permissions currently set on the terminal according to the terminal management strategy, the terminal can be restored to a secure state in time, ensuring terminal security.
With reference to Fig. 3, a structural block diagram of a terminal security setting management device according to embodiment 1 of the present invention is shown, which may specifically comprise the following modules:
Terminal management strategy receiving module 301, configured to receive the terminal management strategy issued by the server. The terminal management strategy indicates the setting state of at least one security setting item in the terminal that is associated with the characteristic information object, and is configured according to the characteristic information objects identified from the terminal.
Setting state checking module 302, configured to check whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy.
Setting state repair module 303, configured to repair according to the terminal management strategy if they are inconsistent.
In the embodiment of the present invention, preferably, the at least one security setting item in the terminal that is associated with the characteristic information object comprises at least one of the following: a security setting item implementing identity authentication, a security setting item implementing security audit, a security setting item implementing access control, a security setting item implementing resource control, and a security setting item implementing intrusion defense.
In the embodiment of the present invention, preferably, the setting state checking module 302 may comprise:
A setting parameter reading submodule, configured to read, from the first target registry of the terminal, the setting parameters of the security setting item associated with the characteristic information object;
A setting state judging submodule, configured to judge whether the setting parameters conform to the setting state indicated by the terminal management strategy.
In the embodiment of the present invention, preferably, the setting state repair module 303 may specifically be configured to modify the setting parameters associated with the characteristic information object in the first target registry of the terminal, so that the setting state indicated by the setting parameters conforms to the setting state indicated by the terminal management strategy.
According to the embodiment of the present invention, the multiple information objects of the terminal are detected automatically according to a preset recognition rule, characteristic information objects are identified from the multiple information objects of the terminal, and the recognition result is uploaded to the server; the server configures the terminal management strategy according to the uploaded recognition result. Compared with a traditional, manually set terminal management strategy, a terminal management strategy configured according to the solution of the present invention can protect the terminal more comprehensively and effectively. Furthermore, by repairing the operation permissions currently set on the terminal according to the terminal management strategy, the terminal can be restored to a secure state in time, ensuring terminal security.
With reference to Fig. 4, a structural block diagram of a terminal security setting management device according to embodiment 2 of the present invention is shown, which may specifically comprise the following modules:
Recognition rule receiving module 401, configured to download the recognition rule from the server, or to receive the recognition rule issued by the server.
Characteristic information object identification module 402, configured to identify characteristic information objects from the multiple information objects of the terminal according to the preset recognition rule, and to upload the recognition result to the server.
Terminal management strategy receiving module 403, configured to receive the terminal management strategy issued by the server. The terminal management strategy indicates the setting state of at least one security setting item in the terminal that is associated with the characteristic information object, and is configured according to the characteristic information objects identified from the terminal.
Setting state checking module 404, configured to check whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy.
Setting state repair module 405, configured to repair according to the terminal management strategy if they are inconsistent.
In the embodiment of the present invention, preferably, the device may further comprise:
A historical operation record obtaining module, configured to obtain, before characteristic information objects are identified from the multiple information objects of the terminal according to the preset recognition rule, the terminal's historical operation records for the information objects, and to extract from the historical operation records each information object that has been operated on.
Further, the historical operation record obtaining module may comprise:
A second target registry access submodule, configured to access the second target registry of the operating system and read history access records and historical search records for information objects from the second target registry;
And/or a share access record reading submodule, configured to read, from the relevant location of a shared file management program, share access records for information objects shared by multiple operating systems.
In the embodiment of the present invention, preferably, the recognition rule may indicate the keywords contained in the attribute information of the characteristic information object;
The characteristic information object identification module 402 may comprise:
A characteristic information object determining submodule, configured to determine that an information object is a characteristic information object if the attribute information of the information object hits at least one keyword indicated by the recognition rule, the attribute information comprising at least one of the information name, information type and information content of the information object;
An information uploading submodule, configured to upload the identified characteristic information objects and/or the number of characteristic information objects to the server.
In the embodiment of the present invention, preferably, the recognition rule may indicate the information paths to be identified in order;
The characteristic information object identification module 402 may specifically be configured to identify each information object in turn according to the information paths to be identified preferentially and/or the information paths to be ignored.
In the embodiment of the present invention, preferably, the recognition rule may indicate at least one of the execution duration of the identification operation over the multiple information objects, the size of the information objects to be identified, and their number.
In the embodiment of the present invention, preferably, the terminal management strategy receiving module 403 may specifically be configured to receive the terminal management strategy that the server configures for the terminal according to the number of identified characteristic information objects.
In the embodiment of the present invention, preferably, the recognition rule may also indicate the feature classification to which information objects containing each keyword belong, and the device further comprises:
A feature classification determining module, configured to determine the feature classification of a characteristic information object according to the keyword that the characteristic information object hits;
The terminal management strategy receiving module is specifically configured to receive the terminal management strategy that the server configures for the terminal according to the feature type of the identified characteristic information objects.
According to the embodiment of the present invention, the multiple information objects of the terminal are detected automatically according to a preset recognition rule, characteristic information objects are identified from the multiple information objects of the terminal, and the recognition result is uploaded to the server; the server configures the terminal management strategy according to the uploaded recognition result. Compared with a traditional, manually set terminal management strategy, a terminal management strategy configured according to the solution of the present invention can protect the terminal more comprehensively and effectively. Furthermore, by repairing the operation permissions currently set on the terminal according to the terminal management strategy, the terminal can be restored to a secure state in time, ensuring terminal security.
For device embodiment, due to itself and embodiment of the method basic simlarity, so description is fairly simple, relevant part illustrates see the part of embodiment of the method.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and that the description of a specific language above is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided herein. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single previously disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will understand that, although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the terminal security setting management device according to the embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words may be interpreted as names.
The invention discloses A1, a terminal security setting management method, comprising:
receiving a terminal management strategy issued by a server, wherein the terminal management strategy indicates the setting state of at least one security setting item in the terminal that is associated with a characteristic information object, and the terminal management strategy is configured according to the characteristic information objects identified on the terminal;
checking whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy;
if inconsistent, repairing according to the terminal management strategy.
A2. The method according to A1, wherein the at least one security setting item in the terminal associated with the characteristic information object comprises at least one of the following: a security setting item implementing identity verification, a security setting item implementing security audit, a security setting item implementing access control, a security setting item implementing resource control, and a security setting item implementing intrusion defense.
A3. The method according to A1, wherein checking whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy comprises:
reading, from a first target registry of the terminal, the setting parameters of the security setting item associated with the characteristic information object;
judging whether the setting parameters conform to the setting state indicated by the terminal management strategy.
A4. The method according to A1, wherein repairing according to the terminal management strategy comprises:
modifying the setting parameters associated with the characteristic information object in the first target registry of the terminal, so that the setting state indicated by the setting parameters conforms to the setting state indicated by the terminal management strategy.
A5. The method according to A1, wherein, before receiving the terminal management strategy issued by the server, the method further comprises:
identifying characteristic information objects among the multiple information objects of the terminal according to a preset recognition rule, and uploading the recognition result to the server.
A6. The method according to A5, wherein, before identifying characteristic information objects among the multiple information objects of the terminal according to the preset recognition rule, the method further comprises:
downloading the recognition rule from the server, or receiving the recognition rule issued by the server.
A7. The method according to A5, wherein, before identifying characteristic information objects among the multiple information objects of the terminal according to the preset recognition rule, the method further comprises:
obtaining the terminal's historical operation records for the information objects, and extracting each historically operated information object from the historical operation records.
A8. The method according to A7, wherein obtaining the terminal's historical operation records for information objects comprises:
accessing a second target registry of the operating system, and reading history access records and history search records for information objects from the second target registry;
and/or reading, from the relevant location of a shared file management program, shared access records for information objects shared by multiple operating systems.
A9. The method according to A5, wherein the recognition rule indicates keywords contained in the attribute information of characteristic information objects, and identifying characteristic information objects among the multiple information objects of the terminal according to the preset recognition rule and uploading the recognition result to the server comprises:
if the attribute information of an information object hits at least one keyword indicated by the recognition rule, determining that the information object is a characteristic information object, the attribute information comprising at least one of the information name, information type and information content of the information object;
uploading the identified characteristic information objects and/or the number of characteristic information objects to the server.
A10. The method according to A5, wherein the recognition rule indicates information paths to be identified in order;
identifying characteristic information objects among the multiple information objects of the terminal according to the preset recognition rule is:
identifying each information object in turn according to the information paths to be identified preferentially and/or the information paths to be ignored.
A11. The method according to A5, wherein the recognition rule indicates at least one of: the execution duration of the identification operation on multiple information objects, the size of the information objects to be identified, and their number.
A12. The method according to A5, wherein receiving the terminal management strategy issued by the server comprises:
receiving the terminal management strategy that the server configures for the terminal according to the number of identified characteristic information objects.
A13. The method according to A5, wherein the recognition rule further indicates the feature classification to which information objects containing each keyword belong, and the method further comprises:
determining, according to the keyword hit by the characteristic information object, the feature classification to which the characteristic information object belongs;
receiving the terminal management strategy that the server configures for the terminal according to the recognition result is: receiving the terminal management strategy that the server configures for the terminal according to the feature type of the identified characteristic information objects.
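The flow of clauses A1 to A13, as an added Python sketch that is not code from the patent: keyword identification with prioritized and ignored paths and size/number limits, strategy configuration by feature classification, then check and repair. The rule fields, the setting names and the plain dict standing in for the "first target registry" are all hypothetical, and the sample objects are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class InfoObject:
    path: str
    name: str
    type: str
    content: str = ""
    size: int = 0


@dataclass
class RecognitionRule:
    keywords: dict                                      # keyword -> feature classification (A9, A13)
    priority_paths: list = field(default_factory=list)  # scanned first, in order (A10)
    ignored_paths: list = field(default_factory=list)   # never scanned (A10)
    max_objects: int = 1000                             # cap on objects examined (A11)
    max_size: int = 1 << 20                             # larger objects are skipped (A11)


def identify(objects, rule):
    """Terminal side: return {classification: [paths]} for keyword hits."""
    def rank(obj):
        for i, prefix in enumerate(rule.priority_paths):
            if obj.path.startswith(prefix):
                return i
        return len(rule.priority_paths)

    candidates = [o for o in objects
                  if not any(o.path.startswith(p) for p in rule.ignored_paths)]
    candidates.sort(key=rank)  # stable sort keeps the original order within a rank
    hits, examined = {}, 0
    for obj in candidates:
        if examined >= rule.max_objects:
            break
        if obj.size > rule.max_size:
            continue
        examined += 1
        haystack = " ".join((obj.name, obj.type, obj.content)).lower()
        for keyword, classification in rule.keywords.items():
            if keyword.lower() in haystack:
                hits.setdefault(classification, []).append(obj.path)
                break  # one classification per object: the first keyword hit wins
    return hits


# Hypothetical server-side table: classification -> required setting values.
STRATEGY_BY_CLASSIFICATION = {
    "financial": {"ScreenLockTimeoutSecs": 300, "AuditLogonEvents": 1},
    "restricted": {"RemovableStorageEnabled": 0},
}


def configure_strategy(recognition_result):
    """Server side: merge the required settings of every classification found."""
    strategy = {}
    for classification, paths in recognition_result.items():
        if paths:
            strategy.update(STRATEGY_BY_CLASSIFICATION.get(classification, {}))
    return strategy


def check_and_repair(registry, strategy):
    """Terminal side: fix settings that differ; return {name: (old, new)}."""
    repaired = {}
    for name, required in strategy.items():
        current = registry.get(name)  # None when the value is missing
        if current != required:
            registry[name] = required
            repaired[name] = (current, required)
    return repaired


# Constructed sample data (not from the patent).
SAMPLE_OBJECTS = [
    InfoObject("C:/Users/a/Documents/q3_salary.xlsx", "q3_salary.xlsx", "xlsx", "", 2048),
    InfoObject("C:/Windows/Temp/salary_cache.tmp", "salary_cache.tmp", "tmp", "", 10),
    InfoObject("D:/projects/app/main.c", "main.c", "c", "/* confidential source */", 512),
    InfoObject("D:/video/invoice_scan.mov", "invoice_scan.mov", "mov", "", 5 << 20),
    InfoObject("C:/Users/a/notes.txt", "notes.txt", "txt", "meeting notes", 100),
]
SAMPLE_KEYWORDS = {"salary": "financial", "invoice": "financial", "confidential": "restricted"}
SAMPLE_RULE = RecognitionRule(SAMPLE_KEYWORDS, ["D:/projects/"], ["C:/Windows/"])


def demo():
    registry = {"ScreenLockTimeoutSecs": 0, "AuditLogonEvents": 1, "RemovableStorageEnabled": 1}
    hits = identify(SAMPLE_OBJECTS, SAMPLE_RULE)
    repaired = check_and_repair(registry, configure_strategy(hits))
    return hits, repaired, registry


if __name__ == "__main__":
    print(demo())
```

The returned `repaired` mapping records the old and new value of every setting that drifted, so the terminal can report the repair; a second run against the same strategy returns an empty mapping.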
The invention also discloses B14, a terminal security setting management device, comprising:
a terminal management strategy receiving module, configured to receive a terminal management strategy issued by a server, wherein the terminal management strategy indicates the setting state of at least one security setting item in the terminal that is associated with a characteristic information object, and the terminal management strategy is configured according to the characteristic information objects identified on the terminal;
a setting state checking module, configured to check whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy;
a setting state repair module, configured to repair according to the terminal management strategy if they are inconsistent.
B15. The device according to B14, wherein the at least one security setting item in the terminal associated with the characteristic information object comprises at least one of the following: a security setting item implementing identity verification, a security setting item implementing security audit, a security setting item implementing access control, a security setting item implementing resource control, and a security setting item implementing intrusion defense.
B16. The device according to B14, wherein the setting state checking module comprises:
a setting parameter reading submodule, configured to read, from a first target registry of the terminal, the setting parameters of the security setting item associated with the characteristic information object;
a setting state judging submodule, configured to judge whether the setting parameters conform to the setting state indicated by the terminal management strategy.
B17. The device according to B14, wherein:
the setting state repair module is specifically configured to modify the setting parameters associated with the characteristic information object in the first target registry of the terminal, so that the setting state indicated by the setting parameters conforms to the setting state indicated by the terminal management strategy.
B18. The device according to B14, wherein the device further comprises:
a characteristic information object identification module, configured to identify, before the terminal management strategy issued by the server is received, characteristic information objects among the multiple information objects of the terminal according to a preset recognition rule, and to upload the recognition result to the server.
B19. The device according to B18, wherein the device further comprises:
a recognition rule receiving module, configured to download the recognition rule from the server, or to receive the recognition rule issued by the server, before characteristic information objects are identified among the multiple information objects of the terminal according to the preset recognition rule.
B20. The device according to B19, wherein the device further comprises:
a historical operation record acquisition module, configured to obtain, before characteristic information objects are identified among the multiple information objects of the terminal according to the preset recognition rule, the terminal's historical operation records for the information objects, and to extract each historically operated information object from the historical operation records.
B21. The device according to B20, wherein the historical operation record acquisition module comprises:
a second target registry access submodule, configured to access a second target registry of the operating system and to read history access records and history search records for information objects from the second target registry;
and/or a shared access record reading submodule, configured to read, from the relevant location of a shared file management program, shared access records for information objects shared by multiple operating systems.
B22. The device according to B18, wherein the recognition rule indicates keywords contained in the attribute information of characteristic information objects;
the characteristic information object identification module comprises:
a characteristic information object determination submodule, configured to determine that an information object is a characteristic information object if the attribute information of the information object hits at least one keyword indicated by the recognition rule, the attribute information comprising at least one of the information name, information type and information content of the information object;
an information upload submodule, configured to upload the identified characteristic information objects and/or the number of characteristic information objects to the server.
B23. The device according to B18, wherein the recognition rule indicates information paths to be identified in order;
the characteristic information object identification module is specifically configured to identify each information object in turn according to the information paths to be identified preferentially and/or the information paths to be ignored.
B24. The device according to B18, wherein the recognition rule indicates at least one of: the execution duration of the identification operation on multiple information objects, the size of the information objects to be identified, and their number.
B25. The device according to B18, wherein:
the terminal management strategy receiving module is specifically configured to receive the terminal management strategy that the server configures for the terminal according to the number of identified characteristic information objects.
B26. The device according to B18, wherein the recognition rule further indicates the feature classification to which information objects containing each keyword belong, and the device further comprises:
a feature classification determination module, configured to determine, according to the keyword hit by the characteristic information object, the feature classification to which the characteristic information object belongs;
the terminal management strategy receiving module is specifically configured to receive the terminal management strategy that the server configures for the terminal according to the feature type of the identified characteristic information objects.
Claims (10)
1. A terminal security setting management method, comprising:
receiving a terminal management strategy issued by a server, wherein the terminal management strategy indicates the setting state of at least one security setting item in the terminal that is associated with a characteristic information object, and the terminal management strategy is configured according to the characteristic information objects identified on the terminal;
checking whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy;
if inconsistent, repairing according to the terminal management strategy.
2. The method according to claim 1, wherein the at least one security setting item in the terminal associated with the characteristic information object comprises at least one of the following: a security setting item implementing identity verification, a security setting item implementing security audit, a security setting item implementing access control, a security setting item implementing resource control, and a security setting item implementing intrusion defense.
3. The method according to claim 1, wherein checking whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy comprises:
reading, from a first target registry of the terminal, the setting parameters of the security setting item associated with the characteristic information object;
judging whether the setting parameters conform to the setting state indicated by the terminal management strategy.
4. The method according to claim 1, wherein repairing according to the terminal management strategy comprises:
modifying the setting parameters associated with the characteristic information object in the first target registry of the terminal, so that the setting state indicated by the setting parameters conforms to the setting state indicated by the terminal management strategy.
5. The method according to claim 1, wherein, before receiving the terminal management strategy issued by the server, the method further comprises:
identifying characteristic information objects among the multiple information objects of the terminal according to a preset recognition rule, and uploading the recognition result to the server.
6. The method according to claim 5, wherein, before identifying characteristic information objects among the multiple information objects of the terminal according to the preset recognition rule, the method further comprises:
downloading the recognition rule from the server, or receiving the recognition rule issued by the server.
7. The method according to claim 5, wherein, before identifying characteristic information objects among the multiple information objects of the terminal according to the preset recognition rule, the method further comprises:
obtaining the terminal's historical operation records for the information objects, and extracting each historically operated information object from the historical operation records.
8. The method according to claim 7, wherein obtaining the terminal's historical operation records for information objects comprises:
accessing a second target registry of the operating system, and reading history access records and history search records for information objects from the second target registry;
and/or reading, from the relevant location of a shared file management program, shared access records for information objects shared by multiple operating systems.
9. The method according to claim 5, wherein the recognition rule indicates keywords contained in the attribute information of characteristic information objects, and identifying characteristic information objects among the multiple information objects of the terminal according to the preset recognition rule and uploading the recognition result to the server comprises:
if the attribute information of an information object hits at least one keyword indicated by the recognition rule, determining that the information object is a characteristic information object, the attribute information comprising at least one of the information name, information type and information content of the information object;
uploading the identified characteristic information objects and/or the number of characteristic information objects to the server.
10. A terminal security setting management device, comprising:
a terminal management strategy receiving module, configured to receive a terminal management strategy issued by a server, wherein the terminal management strategy indicates the setting state of at least one security setting item in the terminal that is associated with a characteristic information object, and the terminal management strategy is configured according to the characteristic information objects identified on the terminal;
a setting state checking module, configured to check whether the setting state of the security setting item in the terminal is consistent with the setting state indicated by the terminal management strategy;
a setting state repair module, configured to repair according to the terminal management strategy if they are inconsistent.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510993350.7A CN105391591A (en) | 2015-12-24 | 2015-12-24 | Security setting and management method and apparatus for terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510993350.7A CN105391591A (en) | 2015-12-24 | 2015-12-24 | Security setting and management method and apparatus for terminal |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105391591A true CN105391591A (en) | 2016-03-09 |
Family
ID=55423443
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510993350.7A Pending CN105391591A (en) | 2015-12-24 | 2015-12-24 | Security setting and management method and apparatus for terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105391591A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106445596A (en) * | 2016-09-27 | 2017-02-22 | 依偎科技(南昌)有限公司 | Method and device for managing setting items |
CN113518055A (en) * | 2020-04-09 | 2021-10-19 | 奇安信安全技术(珠海)有限公司 | Data security protection processing method and device, storage medium and terminal |
WO2022016434A1 (en) * | 2020-07-22 | 2022-01-27 | Oppo广东移动通信有限公司 | Device deregistration method, device registration method, communication device and cloud platform |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101588360A (en) * | 2009-07-03 | 2009-11-25 | 深圳市安络大成科技有限公司 | Associated equipment and method for internal network security management |
US20100076777A1 (en) * | 2008-09-23 | 2010-03-25 | Yahoo! Inc. | Automatic recommendation of location tracking privacy policies |
CN103701778A (en) * | 2013-12-11 | 2014-04-02 | 清华大学 | System and method for protecting privacy information in mobile terminal |
-
2015
- 2015-12-24 CN CN201510993350.7A patent/CN105391591A/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100076777A1 (en) * | 2008-09-23 | 2010-03-25 | Yahoo! Inc. | Automatic recommendation of location tracking privacy policies |
CN101588360A (en) * | 2009-07-03 | 2009-11-25 | 深圳市安络大成科技有限公司 | Associated equipment and method for internal network security management |
CN103701778A (en) * | 2013-12-11 | 2014-04-02 | 清华大学 | System and method for protecting privacy information in mobile terminal |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106445596A (en) * | 2016-09-27 | 2017-02-22 | 依偎科技(南昌)有限公司 | Method and device for managing setting items |
CN106445596B (en) * | 2016-09-27 | 2020-01-14 | 依偎科技(南昌)有限公司 | Method and device for managing setting items |
CN113518055A (en) * | 2020-04-09 | 2021-10-19 | 奇安信安全技术(珠海)有限公司 | Data security protection processing method and device, storage medium and terminal |
WO2022016434A1 (en) * | 2020-07-22 | 2022-01-27 | Oppo广东移动通信有限公司 | Device deregistration method, device registration method, communication device and cloud platform |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Uddin et al. | A dynamic access control model using authorising workflow and task-role-based access control | |
CN107239702A (en) | The method and device of a kind of security breaches detection | |
CN104067283B (en) | Identify the wooden horse application program of mobile environment | |
CN111695156A (en) | Service platform access method, device, equipment and storage medium | |
US20110219424A1 (en) | Information protection using zones | |
CN103473501B (en) | A kind of Malware method for tracing based on cloud security | |
Wilson | Cyber threats to critical information infrastructure | |
CN104021339A (en) | Safety payment method and device for mobile terminal | |
CN103677935A (en) | Installation and control method, system and device for application programs | |
CN104537310B (en) | The management method of movable storage device and client | |
CN103617381B (en) | The authority configuring method and authority configuration system of equipment | |
Fisk | Cyber security, building automation, and the intelligent building | |
US8387877B2 (en) | Systems and methods for the secure control of data within heterogeneous systems and networks | |
CN111191246A (en) | Spring annotation based security development verification method | |
US20150067784A1 (en) | Computer network security management system and method | |
CN114218194A (en) | Data bank safety system | |
CN105391591A (en) | Security setting and management method and apparatus for terminal | |
CN112150113A (en) | Method, device and system for borrowing file data and method for borrowing data | |
CN109977644B (en) | Hierarchical authority management method under Android platform | |
CN104850797A (en) | Device security management method and apparatus | |
CN1610296B (en) | Method for identifying executable code securely to authentication entity | |
CN105550597A (en) | Information scanning based terminal management method and apparatus | |
CN117076245A (en) | Trusted traceability system based on block chain implementation | |
US10725898B2 (en) | Testing network framework and information management method applied thereto | |
CN105653904A (en) | Application screen-locking processing method and apparatus as well as mobile terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20160309 |