CN106022146A - Dynamic linking control method facing virtual desktop resource protection - Google Patents
- Publication number
- CN106022146A (application CN201610349588.0A)
- Authority
- CN
- China
- Prior art keywords
- virtual desktop
- operation terminal
- user operation
- control system
- access control
- Prior art date
- Legal status
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
- G06F21/335—User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
- G06F21/44—Program or device authentication
Abstract
The invention discloses a dynamic linking control method for virtual desktop resource protection. The method comprises the following steps: establishing a connection between a user operation terminal and a virtual desktop server, and disconnecting the user operation terminal from the virtual desktop server. The method effectively separates the user operation terminal from the virtual desktop server: the connection and registration of the user operation terminal with the virtual desktop system must be authorized by a virtual desktop management platform, which ensures the validity of the virtual desktop management mechanism.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a device for access control in a virtual desktop environment.
Background technology
Virtual desktop technology is one possible technical means of centralizing application terminals; it makes it possible to converge the processing and storage of data that was originally scattered. While data processing and storage are centralized, users can access the data in a virtual desktop through many kinds of access means and from many points. Communication between the user operation terminal and the virtual desktop server relies on a virtual desktop protocol.
Applying virtual desktop technology has the advantages of security and confidentiality, but the user operation terminal may be affected by worms, DDoS attacks and the like, which can degrade the performance of the virtual desktop network. Moreover, if a user is unruly, knowing the IP address of the virtual desktop and a user name/password is enough to connect remotely and directly to the virtual desktop, entirely bypassing the virtual desktop management platform, so that the management platform does not know whether the resources it manages are occupied or idle. A method is therefore needed that can cut off the user operation terminal from the virtual desktop and intercept and control the whole process of the user's data access to the virtual desktop.
Summary of the invention
The technical problem solved by the present invention is to propose a dynamic linking control method for virtual desktop resource protection that improves information security in the virtual desktop environment. In the virtual desktop environment, a corresponding virtual desktop management platform and a virtual desktop isolation and access control system are deployed between the user operation terminal and the virtual desktop server.
To solve the above problem, a dynamic linking control method for virtual desktop resource protection comprises the following steps:
the virtual desktop isolation and access control system intercepts the connection authentication request of the user operation terminal and hands it to the virtual desktop management platform;
after the virtual desktop management platform analyzes and authenticates the request, it schedules a virtual desktop resource and returns this connection identifier of the user to the virtual desktop isolation and access control system;
the virtual desktop isolation and access control system completes the connection of the user operation terminal to the virtual desktop using the connection identifier of the user identity;
the user operation terminal disconnects this connection, and the virtual desktop isolation and access control system intercepts the connection teardown behavior of the user operation terminal and hands it to the virtual desktop management platform;
after analysis, the virtual desktop management platform reclaims the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect this connection of the user to the virtual desktop;
the virtual desktop isolation and access control system refuses any unauthenticated connection of the user operation terminal to the virtual desktop.
Further, as a preferred option, to reduce the complexity of the application, the process by which the user operation terminal obtains the virtual desktop service from the virtual desktop server is divided into two stages: a connection establishment stage and a teardown stage.
Further, as a preferred option, the step in which the virtual desktop isolation and access control system intercepts the connection authentication request of the user operation terminal and hands it to the virtual desktop management platform further includes: the virtual desktop isolation and access control system ensures that the virtual desktop cannot be interfered with by the user operation terminal, thereby preventing security problems of the user operation terminal itself from propagating to or infecting the virtual desktop system.
Further, as a preferred option, the same step further includes: the virtual desktop isolation and access control system prevents a user from connecting to and accessing the virtual desktop through an operation terminal without authentication, which would cause virtual desktop resources to be abused or mismanaged.
Further, as a preferred option, the same step further includes: in the connection establishment stage, the user operation terminal initiates connection authentication to the virtual desktop isolation and access control system; the authentication method includes not only user name/password but can also support modes such as digital certificates and dynamic passwords.
Further, as a preferred option, the step in which, after analysis and authentication by the virtual desktop management platform, a virtual desktop resource is scheduled and this connection identifier of the user is returned to the virtual desktop isolation and access control system further includes: within the connection identifier, the characteristic information of the user operation terminal can be hardware information such as a hard disk identifier or a NIC address, or a combination of such information.
Further, as a preferred option, the step in which the virtual desktop isolation and access control system completes the connection of the user operation terminal to the virtual desktop with the connection identifier of the user identity further includes: the virtual desktop isolation and access control system should ensure that it can filter every piece of information transmitted, so as to guarantee that the method cannot be bypassed or circumvented in the process of connecting the user operation terminal to the virtual desktop.
Further, as a preferred option, the step in which the virtual desktop management platform, after analysis, reclaims the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect this connection of the user to the virtual desktop further includes: the virtual desktop management platform cancels the connection information of the user operation terminal to the virtual desktop, and the virtual desktop isolation and access control system, finding no connection information for the user operation terminal, refuses the user direct access to the virtual desktop.
Further, as a preferred option, the step in which the virtual desktop isolation and access control system refuses any unauthenticated connection of the user operation terminal to the virtual desktop includes: if the user does not send a connection request to the virtual desktop isolation and access control system through the operation terminal, then even if the user knows the IP address, user name and password of the virtual desktop to be accessed, the user cannot bypass the virtual desktop isolation and access control system to privately connect to and access the virtual desktop system.
The beneficial effects of the present invention are as follows. First, a user is prevented from connecting to and accessing the virtual desktop through an operation terminal without authentication, which would cause virtual desktop resources to be abused or mismanaged. Second, the authentication method includes not only user name/password but can also support digital certificates, dynamic passwords and other modes. Third, this structure supports network admission control of user operation terminals: only user operation terminals with certain features are allowed to connect to the virtual desktop, and these features can be hardware information such as a hard disk identifier or a NIC address, or a combination of such information. Fourth, interference with and damage to the virtual desktop system by the user operation terminal, such as virus and trojan infection or the impact of DDoS attacks, can be blocked. In summary, this method effectively isolates the network between the user operation terminal and the virtual desktop and ensures the effectiveness of the virtual desktop management mechanism.
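The connection establishment and teardown stages described above, modelled as an added Python example (not the applicant's code): a broker standing in for the virtual desktop isolation and access control system, a management platform that authenticates the user, checks the terminal's hardware features, schedules a desktop and issues a connection identifier, and a teardown that reclaims the resource so that a stale identifier or a direct attempt without one is refused. The HMAC-based identifier format, the in-memory inventory, the `VDP/` message framing and all names are assumptions.

```python
"""Toy model of the brokered connect/teardown procedure described in the summary.
Added illustration, not the applicant's implementation. The HMAC identifier format,
the in-memory inventory and the VDP/ message framing are assumptions of this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Terminal:
    user: str
    password: str
    disk_id: str   # hard disk identifier, one of the terminal features named in the text
    nic_addr: str  # NIC address, the other named terminal feature


class ManagementPlatform:
    def __init__(self, key: bytes, users: dict, terminals: set, desktops: list):
        self._key = key
        self._users = users          # user -> password (constructed sample; store hashes in practice)
        self._terminals = terminals  # admitted (disk_id, nic_addr) pairs: network admission control
        self._free = list(desktops)  # pool of desktop addresses available for scheduling
        self._leases = {}            # conn_id -> desktop currently allocated

    def authenticate(self, req: Terminal):
        """Analyse the intercepted request; return (conn_id, desktop) or None."""
        if self._users.get(req.user) != req.password:
            return None  # unknown user or wrong password
        if (req.disk_id, req.nic_addr) not in self._terminals:
            return None  # terminal features not admitted, even with valid credentials
        if not self._free:
            return None  # no desktop resource left to schedule
        desktop = self._free.pop(0)
        # The identifier binds user identity, terminal features and a fresh nonce under an HMAC.
        nonce = secrets.token_hex(8)
        msg = f"{req.user}|{req.disk_id}|{req.nic_addr}|{nonce}".encode()
        conn_id = nonce + "." + hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        self._leases[conn_id] = desktop
        return conn_id, desktop

    def release(self, conn_id: str) -> bool:
        # Reclaim the desktop resource once the isolation system reports the teardown.
        desktop = self._leases.pop(conn_id, None)
        if desktop is not None:
            self._free.append(desktop)
        return desktop is not None


class IsolationSystem:
    def __init__(self, platform: ManagementPlatform):
        self._platform = platform
        self._sessions = {}  # conn_id -> (terminal, desktop) currently bridged

    def connect(self, terminal: Terminal):
        """Stage 1: intercept the request, hand it to the platform, bridge only on approval."""
        granted = self._platform.authenticate(terminal)
        if granted is None:
            return None
        conn_id, desktop = granted
        self._sessions[conn_id] = (terminal, desktop)
        return conn_id

    def forward(self, conn_id: str, terminal: Terminal, payload: bytes):
        """Relay one message across the bridge; every item is checked, nothing else passes."""
        session = self._sessions.get(conn_id)
        if session is None or session[0] != terminal:
            return None  # no live session, or identifier presented by a different terminal
        if not payload.startswith(b"VDP/"):
            return None  # filter anything that is not desktop-protocol traffic
        return session[1], payload

    def disconnect(self, conn_id: str) -> bool:
        """Stage 2: intercept the teardown, report it to the platform, revoke the bridge."""
        if self._sessions.pop(conn_id, None) is None:
            return False
        return self._platform.release(conn_id)


def demo() -> dict:
    """Walk one terminal through both stages and record each decision the broker makes."""
    platform = ManagementPlatform(b"constructed-demo-key", {"alice": "correct horse"},
                                  {("DISK-0001", "00:11:22:33:44:55")}, ["vd-10.0.0.21"])
    broker = IsolationSystem(platform)
    alice = Terminal("alice", "correct horse", "DISK-0001", "00:11:22:33:44:55")
    # Same valid credentials, but from a terminal whose hardware features were never admitted.
    unadmitted = Terminal("alice", "correct horse", "DISK-9999", "de:ad:be:ef:00:01")
    out = {}
    conn = broker.connect(alice)
    out["connected"] = conn is not None
    out["unadmitted_terminal_refused"] = broker.connect(unadmitted) is None
    out["protocol_traffic_forwarded"] = broker.forward(conn, alice, b"VDP/1 keypress") is not None
    out["other_traffic_filtered"] = broker.forward(conn, alice, b"GET /admin HTTP/1.1") is None
    out["identifier_reuse_refused"] = broker.forward(conn, unadmitted, b"VDP/1 keypress") is None
    out["torn_down"] = broker.disconnect(conn)
    out["stale_identifier_refused"] = broker.forward(conn, alice, b"VDP/1 keypress") is None
    out["resource_reclaimed"] = broker.connect(alice) is not None  # desktop is back in the pool
    return out
```

Every entry of `demo()` is expected to be `True`; the model has no path to a desktop except through `IsolationSystem.forward`, which is the point the description makes about isolation at the network layer.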
Accompanying drawing explanation
The present invention can be more completely understood, and many of its attendant advantages readily appreciated, by referring to the detailed description below in conjunction with the accompanying drawings. The accompanying drawings described herein provide a further understanding of the present invention and constitute a part of it; the schematic embodiments and their description serve to explain the present invention and do not constitute an improper limitation of it.
Fig. 1 is a flow chart of the connection establishment stage in the present invention.
Fig. 2 is a flow chart of the teardown stage in the present invention.
Detailed description of the invention
Embodiments of the invention are illustrated with reference to Fig. 1 and Fig. 2.
To make the above objects, features and advantages more clearly understandable, the present invention is explained in further detail below with reference to the accompanying drawings and specific embodiments.
A dynamic linking control method for virtual desktop resource protection comprises the following steps:
the virtual desktop isolation and access control system intercepts the connection authentication request of the user operation terminal and hands it to the virtual desktop management platform;
after the virtual desktop management platform analyzes and authenticates the request, it schedules a virtual desktop resource and returns this connection identifier of the user to the virtual desktop isolation and access control system;
the virtual desktop isolation and access control system completes the connection of the user operation terminal to the virtual desktop using the connection identifier of the user identity;
the user operation terminal disconnects this connection, and the virtual desktop isolation and access control system intercepts the connection teardown behavior of the user operation terminal and hands it to the virtual desktop management platform;
after analysis, the virtual desktop management platform reclaims the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect this connection of the user to the virtual desktop;
the virtual desktop isolation and access control system refuses any unauthenticated connection of the user operation terminal to the virtual desktop.
Embodiment one:
Application of the dynamic linking control method for virtual desktop resource protection in an enterprise cloud service, comprising the following steps:
S1, the user initiates an authentication request to the enterprise's virtual desktop isolation and access control system;
S2, the virtual desktop isolation and access control system hands the request to the enterprise's virtual desktop management platform;
S3, after the virtual desktop management platform authenticates the request, it allocates a virtual desktop resource within the enterprise and notifies the virtual desktop isolation and access control system to allow the user operation terminal to establish a connection to the virtual desktop;
S4, the virtual desktop isolation and access control system, acting as a bridge, connects the user operation terminal and the virtual desktop;
S5, the user disconnects, and the virtual desktop isolation and access control system hands this user operation to the virtual desktop management platform;
S6, after receiving it, the virtual desktop management platform notifies the virtual desktop isolation and access control system to no longer allow the connection of the user operation terminal to the virtual desktop;
S7, the virtual desktop isolation and access control system refuses unauthenticated connections of the user.
Embodiment two:
Application of the dynamic linking control method for virtual desktop resource protection in a military cloud service, comprising the following steps:
S1, the user initiates an authentication request to the military virtual desktop isolation and access control system;
S2, the virtual desktop isolation and access control system hands the request to the military virtual desktop management platform;
S3, after the virtual desktop management platform authenticates the request, it allocates a virtual desktop resource within the military network and notifies the virtual desktop isolation and access control system to allow the user operation terminal to establish a connection to the virtual desktop;
S4, the virtual desktop isolation and access control system, acting as a bridge, connects the user operation terminal and the virtual desktop;
S5, the user disconnects, and the virtual desktop isolation and access control system hands this user operation to the virtual desktop management platform;
S6, after receiving it, the virtual desktop management platform notifies the virtual desktop isolation and access control system to no longer allow the connection of the user operation terminal to the virtual desktop;
S7, the virtual desktop isolation and access control system refuses unauthenticated connections of the user.
Embodiment three:
Application of the dynamic connection method for virtual desktop resource protection in a university cloud service, comprising the following steps:
S1, the user initiates an authentication request to the university's virtual desktop isolation and access control system;
S2, the virtual desktop isolation and access control system hands the request to the university's virtual desktop management platform;
S3, after the virtual desktop management platform authenticates the request, it allocates a virtual desktop resource within the university and notifies the virtual desktop isolation and access control system to allow the user operation terminal to establish a connection to the virtual desktop;
S4, the virtual desktop isolation and access control system, acting as a bridge, connects the user operation terminal and the virtual desktop;
S5, the user disconnects, and the virtual desktop isolation and access control system hands this user operation to the virtual desktop management platform;
S6, after receiving it, the virtual desktop management platform notifies the virtual desktop isolation and access control system to no longer allow the connection of the user operation terminal to the virtual desktop;
S7, the virtual desktop isolation and access control system refuses unauthenticated connections of the user.
Embodiments of the invention have been explained above, but many variations are possible without essentially departing from the inventive point and effects of the present invention, as will be readily apparent to those skilled in the art. Such variations are therefore also included within the protection scope of the present invention.
Claims (11)
1. A dynamic linking control method for virtual desktop resource protection, characterized in that it comprises the following steps:
a first stage, namely the connection establishment stage of the virtual desktop, comprising the following steps:
the user operation terminal sends an authentication request to connect to the virtual desktop;
the virtual desktop isolation and access control system intercepts the connection authentication request of said user operation terminal and hands it to the virtual desktop management platform;
after said virtual desktop management platform analyzes and authenticates the request, it schedules a virtual desktop resource and returns this connection identifier of the user to said virtual desktop isolation and access control system;
said virtual desktop isolation and access control system completes the connection of the user operation terminal to the virtual desktop using the connection identifier of the user identity;
a second stage, namely the teardown stage of the virtual desktop, comprising the following steps:
the user operation terminal sends a request to disconnect this connection;
the virtual desktop isolation and access control system intercepts the connection teardown behavior of the user operation terminal and hands it to the virtual desktop management platform;
after analysis, said virtual desktop management platform reclaims the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect this connection of the user to the virtual desktop;
said virtual desktop isolation and access control system refuses any unauthenticated connection of the user operation terminal to the virtual desktop.
2. A method in which the dynamic linking control method for virtual desktop resource protection as claimed in claim 1 is applied to a virtual desktop service, said virtual desktop service comprising two stages: a virtual desktop connection establishment stage and a virtual desktop teardown stage, wherein the virtual desktop connection establishment stage mainly completes the process of establishing a dynamic link between the user operation terminal and the virtual desktop server through the virtual desktop isolation and access control system and the virtual desktop management platform, and after the user operation terminal disconnects this connection the virtual desktop teardown stage is entered, so that the user operation terminal must send an authentication request again before it can connect to the virtual desktop system.
3. The dynamic linking control method for virtual desktop resource protection according to claim 1, characterized in that, between the user operation terminal and the virtual desktop server, the connection and teardown process is isolated and controlled by the virtual desktop isolation and access control system, and authentication and scheduling of virtual desktop resources is performed by the virtual desktop management platform.
4. The step according to claim 1 in which the virtual desktop isolation and access control system intercepts the connection authentication request of the user operation terminal and hands it to the virtual desktop management platform further comprises: the user operation terminal initiates an authentication request to the virtual desktop isolation and access control system; after intercepting the request, the virtual desktop isolation and access control system does not immediately establish the connection of the user operation terminal to the virtual desktop, but temporarily suspends the request and hands it to the virtual desktop management platform for processing.
5. The step according to claim 4 in which the virtual desktop isolation and access control system intercepts the connection authentication request of the user operation terminal and hands it to the virtual desktop management platform further comprises: the authentication method includes not only user name/password but can also support modes such as digital certificates and dynamic passwords.
6. The step according to claim 1 in which, after analysis and authentication by the virtual desktop management platform, a virtual desktop resource is scheduled and this connection identifier of the user is returned to the virtual desktop isolation and access control system further comprises: the virtual desktop management platform generates a corresponding connection identifier according to the user identity information and the identity information of the current terminal parsed from the connection request, finds on the virtual desktop server the virtual desktop information suitable for allocation to this user operation terminal, and returns it together with the connection identifier to the virtual desktop isolation and access control system.
7. The step according to claim 6 in which, after analysis and authentication by the virtual desktop management platform, a virtual desktop resource is scheduled and this connection identifier of the user is returned to the virtual desktop isolation and access control system further comprises: the identity information of the current terminal can be hardware information such as its hard disk identifier or NIC address, or a combination of such information.
8. The step according to claim 1 in which the virtual desktop isolation and access control system completes the connection of the user operation terminal to the virtual desktop with the connection identifier of the user identity further comprises: the virtual desktop isolation and access control system, according to the information received, establishes a supported connection from the user operation terminal to the virtual desktop, after which the user can connect to, log in to and use this virtual desktop.
9. For the supported connection from the user operation terminal to the virtual desktop according to claim 8, the virtual desktop isolation and access control system can filter every piece of information transmitted over the connection, so as to guarantee that the method cannot be bypassed or circumvented; the user operation terminal and the virtual desktop are isolated at the physical layer of the network.
10. The step according to claim 1 in which the virtual desktop isolation and access control system refuses any unauthenticated connection of the user operation terminal to the virtual desktop further comprises: after the virtual desktop isolation and access control system receives the disconnection notice from the virtual desktop management platform, it removes this connection, and even if the user knows the IP address and user name/password of this virtual desktop, it is no longer possible to connect privately to the virtual desktop.
11. A dynamic connection management device that can effectively isolate the user operation terminal from the virtual desktop and ensure the effectiveness of the virtual desktop management mechanism, the device comprising:
one or more servers, on which hardware virtualization technology is implemented to virtualize multiple virtual machines, a virtual desktop system being deployed on said virtual machines;
one or more user operation terminals, on whose operating platform the user operates, accesses said virtual desktop system, and sends data exchange requests;
a virtual desktop management platform deployed between said virtual desktop and the user operation terminal;
a virtual desktop isolation and access control system deployed between said virtual desktop and the user operation terminal;
wherein said virtual desktop isolation and access control system acts as the agent of the virtual desktop service, intercepts the connection request sent by the user terminal to the virtual desktop server and hands it to the virtual desktop management platform; the virtual desktop management platform analyzes, according to the identity information in the connection request, which virtual desktop is suitable for allocation to this user operation terminal, and notifies the virtual desktop isolation and access control system to establish a supported connection from the user operation terminal to the virtual desktop;
said virtual desktop isolation and access control system, acting as the agent of the virtual desktop service, can, after the virtual desktop server responds to the connection request of the user operation terminal, intercept and filter the information flow between the user operation terminal and the virtual desktop, thereby isolating the two from each other;
the virtual desktop isolation and access control system, acting as the agent of the virtual desktop service, can, after intercepting the disconnection operation of the user operation terminal, hand it to the virtual desktop management platform and cancel this user's connection to the virtual desktop on the virtual desktop isolation and access control system; after this connection is removed, the user can no longer connect privately to the virtual desktop.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610349588.0A CN106022146B (en) | 2016-05-24 | 2016-05-24 | A kind of Dynamic link library control method of Virtual desktop protection of resources |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106022146A (en) | 2016-10-12 |
CN106022146B (en) | 2018-01-12 |
Family
ID=57093242
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610349588.0A (granted as CN106022146B, active) | A kind of Dynamic link library control method of Virtual desktop protection of resources | 2016-05-24 | 2016-05-24 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106022146B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100229185A1 (en) * | 2009-03-03 | 2010-09-09 | Cisco Technology, Inc. | Event / calendar based auto-start of virtual disks for desktop virtualization |
CN104753887A (en) * | 2013-12-31 | 2015-07-01 | 中国移动通信集团黑龙江有限公司 | Safety control implementation method and system and cloud desktop system |
CN105049414A (en) * | 2015-06-03 | 2015-11-11 | 北京朋创天地科技有限公司 | Dataflow control method facing virtual desktop and information safety device |
Also Published As
Publication number | Publication date |
---|---|
CN106022146B (en) | 2018-01-12 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |