CN106022146B - A kind of Dynamic link library control method of Virtual desktop protection of resources - Google Patents

A kind of Dynamic link library control method of Virtual desktop protection of resources

Info

Publication number: CN106022146B
Authority: CN (China)
Prior art keywords: virtual desktop, user, terminal, connection, control system
Legal status: Active
Application number: CN201610349588.0A
Other languages: Chinese (zh)
Other versions: CN106022146A (en)
Inventor: 李晓勇
Current assignee: BEIJING PENGCHUANG TIANDI TECHNOLOGY CO LTD
Original assignee: BEIJING PENGCHUANG TIANDI TECHNOLOGY CO LTD
Application filed by BEIJING PENGCHUANG TIANDI TECHNOLOGY CO LTD
Priority to CN201610349588.0A
Publication of CN106022146A
Application granted
Publication of CN106022146B
Legal status: Active; anticipated expiration

Classifications

All under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity:

    • G06F21/60 Protecting data > G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication
    • G06F21/30 Authentication > G06F21/31 User authentication > G06F21/33 User authentication using certificates > G06F21/335 User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
    • G06F21/30 Authentication > G06F21/44 Program or device authentication
    • G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Abstract

The invention discloses a dynamic connection control method for virtual desktop resource protection. The method comprises the process by which a user's operating terminal establishes a connection with a virtual desktop server and the process by which the terminal tears that connection down. The method effectively isolates the user's operating terminal from the virtual desktop server, forces every connection to and login at the virtual desktop system to pass authentication by the virtual desktop management platform, and thereby ensures the effectiveness of the virtual desktop administrative mechanism.

Description

A dynamic connection control method for virtual desktop resource protection
Technical field
The present invention relates to the field of information security technology, and in particular to an access control device for virtual desktop environments.
Background
Virtual desktop technology is one possible technical means of centralising application terminals; it makes it possible to consolidate data processing and storage that were previously scattered. While processing and storage are centralised, users can still reach the data in the virtual desktop through many kinds of terminal and from many locations. The user's operating terminal and the virtual desktop server communicate over a virtual desktop protocol.
Virtual desktop technology has advantages in security and confidentiality, but a user's operating terminal may be infected by a worm or take part in a DDoS attack, degrading network performance on the virtual desktop side. Moreover, an undisciplined user can connect remotely to a virtual desktop directly, using the desktop's IP address and a known username and password, without going through the virtual desktop management platform at all; the management platform then cannot tell whether the resources it manages are in use or idle. A method is therefore needed that separates the user's operating terminal from the virtual desktop and intercepts the user's operations, so that the entire process of accessing virtual desktop data is under control.
Summary of the invention
The technical problem solved by the present invention is to propose a dynamic connection control method for virtual desktop resource protection that improves data security in virtual desktop environments. In a virtual desktop environment, a virtual desktop management platform and a virtual desktop isolation and access control system are deployed between the user's operating terminal and the virtual desktop server.
To solve the above problem, a dynamic connection control method for virtual desktop resource protection comprises the following steps:
the virtual desktop isolation and access control system intercepts the connection authentication request from the user's operating terminal and hands it to the virtual desktop management platform;
after analysing and authenticating the request, the virtual desktop management platform schedules a virtual desktop resource and returns the user's identifier for this connection to the virtual desktop isolation and access control system;
the virtual desktop isolation and access control system completes the connection, carrying the user-identity connection identifier, from the user's operating terminal to the virtual desktop;
when the user's operating terminal disconnects this connection, the virtual desktop isolation and access control system intercepts the teardown and hands it to the virtual desktop management platform;
after analysis, the virtual desktop management platform withdraws the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect the user's current connection to the virtual desktop;
the virtual desktop isolation and access control system refuses any unauthenticated connection from the user's operating terminal to the virtual desktop.
Further, in a preferred embodiment, to reduce application complexity, the process by which the user's operating terminal obtains virtual desktop service from the virtual desktop server has two stages: a connection establishment stage and a connection teardown stage.
Further, in a preferred embodiment, the step in which the virtual desktop isolation and access control system intercepts the connection authentication request from the user's operating terminal and hands it to the virtual desktop management platform further comprises: the virtual desktop isolation and access control system ensures that the user's operating terminal cannot interfere with the virtual desktop, thereby preventing security problems of the terminal itself from propagating to or infecting the virtual desktop system.
Further, in a preferred embodiment, the same step further comprises: the virtual desktop isolation and access control system prevents the user from connecting to and accessing the virtual desktop through the operating terminal without authentication, which would allow virtual desktop resources to be abused and management to lose control.
Further, in a preferred embodiment, the same step further comprises: in the connection establishment stage, the user's operating terminal initiates connection authentication to the virtual desktop isolation and access control system; the authentication method includes not only username and password but may also support digital certificates and dynamic passwords.
Further, in a preferred embodiment, the step in which the virtual desktop management platform, after analysis and authentication, schedules the virtual desktop resource and returns the user's connection identifier to the virtual desktop isolation and access control system further comprises: the characteristic information of the user's operating terminal carried in the connection identifier may be the hard disk identifier, the network interface card (NIC) address or other hardware information, or a combination of these.
Further, in a preferred embodiment, the step in which the virtual desktop isolation and access control system completes the connection with the user-identity connection identifier from the user's operating terminal to the virtual desktop further comprises: the virtual desktop isolation and access control system must guarantee that it can filter every message transmitted during the connection from the user's operating terminal to the virtual desktop, so that the method cannot be bypassed or circumvented.
Further, in a preferred embodiment, the step in which the virtual desktop management platform, after analysis, withdraws the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect the user's current connection to the virtual desktop further comprises: the virtual desktop management platform cancels the connection information for the user's operating terminal to the virtual desktop; once the virtual desktop isolation and access control system can no longer find connection information for that terminal, it refuses the user's direct access to the virtual desktop.
Further, in a preferred embodiment, the step in which the virtual desktop isolation and access control system refuses any unauthenticated connection from the user's operating terminal to the virtual desktop includes: if the user does not send the connection request to the virtual desktop isolation and access control system through the operating terminal, then even if the user knows the IP address of the target virtual desktop and its username and password, the user cannot bypass the virtual desktop isolation and access control system and connect to the virtual desktop system privately.
The beneficial effects of the present invention are: first, the user is prevented from connecting to and accessing the virtual desktop through the operating terminal without authentication, which would allow virtual desktop resources to be abused and management to lose control; second, the authentication method includes not only username and password but may also support digital certificates, dynamic passwords and similar methods; third, the structure supports network admission control of the user's operating terminal, for example allowing only terminals with certain features to connect to the virtual desktop, where the features may be the hard disk identifier, the NIC address or other hardware information, or a combination of these; fourth, interference with and damage to the virtual desktop system by the user's operating terminal, such as virus or trojan infection and the effects of DDoS attacks, can be blocked. In sum, the method effectively isolates the network between the user's operating terminal and the virtual desktop and ensures the effectiveness of the virtual desktop administrative mechanism.
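As an added illustration (not code from the patent or from BEIJING PENGCHUANG TIANDI TECHNOLOGY CO LTD), the following Python simulation walks through the two stages and the preferred embodiments described above: the isolation and access control system intercepts the connection request and hands it to the management platform; the platform authenticates by password or by a dynamic one-time code, admits the terminal by its hard disk identifier and NIC address, schedules a free desktop and mints a connection identifier; the isolation system bridges the session and filters every frame against its table of live sessions; and teardown returns the resource and makes the old identifier useless, so a direct attempt with only the desktop address and credentials is dropped. All class names, fields, the HOTP-style code and the sample user and desktop records are assumptions constructed for the example.

```python
"""Broker simulation for the connection-control method described above.
Added example, not the patent's or assignee's code; every name below is an
assumption chosen for illustration, and all sample data is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed directory held by the management platform: password hash, a
# secret for "dynamic password" (one-time code) logins, and the terminal
# features (hard disk id, NIC address) the user is admitted from.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "otp_secret": b"alice-otp-secret",
        "terminals": {("DISK-0001", "00:11:22:33:44:55")},
    },
}
DESKTOP_POOL = ["vd-10.0.0.11", "vd-10.0.0.12"]  # constructed desktop addresses


@dataclass
class ConnectRequest:
    user: str
    credential: str      # password or one-time code
    method: str          # "password" or "otp"
    disk_id: str
    nic_addr: str
    otp_counter: int = 0


def hotp(secret: bytes, counter: int) -> str:
    """Simplified HOTP-style 6-digit code for the "dynamic password" path."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), "sha256").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class ManagementPlatform:
    """Authenticates the user, admits the terminal by its hardware features,
    schedules a free desktop and issues the per-session connection identifier."""

    def __init__(self):
        self.free = list(DESKTOP_POOL)
        self.sessions = {}                   # conn_id -> (user, desktop)
        self.key = secrets.token_bytes(32)   # key for minting connection ids

    def authenticate(self, req: ConnectRequest):
        rec = USERS.get(req.user)
        if rec is None:
            return None
        if req.method == "password":
            digest = hashlib.sha256(req.credential.encode()).hexdigest()
            ok = hmac.compare_digest(rec["pw_hash"].encode(), digest.encode())
        elif req.method == "otp":
            expected = hotp(rec["otp_secret"], req.otp_counter)
            ok = hmac.compare_digest(expected.encode(), req.credential.encode())
        else:
            ok = False
        # Network admission: only a terminal with the registered features is allowed.
        if not ok or (req.disk_id, req.nic_addr) not in rec["terminals"] or not self.free:
            return None
        desktop = self.free.pop(0)
        msg = f"{req.user}|{req.disk_id}|{req.nic_addr}|{secrets.token_hex(8)}".encode()
        conn_id = hmac.new(self.key, msg, "sha256").hexdigest()[:32]
        self.sessions[conn_id] = (req.user, desktop)
        return conn_id, desktop

    def release(self, conn_id: str) -> bool:
        """Teardown stage: withdraw the desktop resource and forget the session."""
        sess = self.sessions.pop(conn_id, None)
        if sess is not None:
            self.free.append(sess[1])
        return sess is not None


class IsolationSystem:
    """The isolation and access control system: the only network path between
    terminals and desktops, so every request and every frame passes through it."""

    def __init__(self, platform: ManagementPlatform):
        self.platform = platform
        self.bridges = {}                    # conn_id -> desktop address

    def connect(self, req: ConnectRequest):
        """Intercept the request and hand it to the platform; a bridge exists
        only if the platform returned a connection identifier."""
        result = self.platform.authenticate(req)
        if result is None:
            return None
        conn_id, desktop = result
        self.bridges[conn_id] = desktop
        return conn_id

    def forward(self, conn_id: str, payload: bytes):
        """Filter each frame: relay only frames of a live, brokered session. A
        guessed, stale or missing identifier is dropped, so the desktop address
        plus the user's password alone never reaches the desktop."""
        desktop = self.bridges.get(conn_id)
        return None if desktop is None else (desktop, payload)

    def disconnect(self, conn_id: str) -> bool:
        """Intercept the teardown, report it to the platform and drop the bridge."""
        self.bridges.pop(conn_id, None)
        return self.platform.release(conn_id)


def run_scenario() -> dict:
    """Walk both stages once and return the observable outcomes."""
    platform = ManagementPlatform()
    broker = IsolationSystem(platform)
    term = ("DISK-0001", "00:11:22:33:44:55")
    conn_id = broker.connect(ConnectRequest("alice", "correct horse", "password", *term))
    out = {
        "login_ok": conn_id is not None,
        "relayed": broker.forward(conn_id, b"keystrokes") is not None,
        "bad_password": broker.connect(ConnectRequest("alice", "wrong", "password", *term)) is None,
        "foreign_terminal": broker.connect(
            ConnectRequest("alice", "correct horse", "password", "DISK-9999", "de:ad:be:ef:00:01")) is None,
        "guessed_id_dropped": broker.forward("0" * 32, b"direct attempt") is None,
    }
    broker.disconnect(conn_id)
    out["stale_id_dropped"] = broker.forward(conn_id, b"reconnect") is None
    out["desktop_returned"] = len(platform.free) == len(DESKTOP_POOL)
    code = hotp(USERS["alice"]["otp_secret"], 7)
    out["otp_ok"] = broker.connect(ConnectRequest("alice", code, "otp", *term, otp_counter=7)) is not None
    return out
```

The point the simulation makes is the one the description insists on: the desktop is reachable only through `forward`, and `forward` consults nothing but the table the management platform populates, so credentials alone (wrong terminal, stale identifier, guessed identifier) never produce a relayed frame, and a released desktop goes back to the pool the moment the teardown is reported.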
Brief description of the drawings
The present invention can be understood more completely, and many of its attendant advantages more easily appreciated, by reference to the following detailed description taken in conjunction with the accompanying drawings. The drawings are provided to further the understanding of the invention and form part of it; together with the description they serve to explain the invention and do not limit it improperly.
Fig. 1 is a flow chart of the connection establishment stage of the present invention.
Fig. 2 is a flow chart of the connection teardown stage of the present invention.
Embodiments
Embodiments of the invention are described with reference to Fig. 1 and Fig. 2.
To make the above objects, features and advantages clearer and easier to understand, the present invention is described in further detail below with reference to the drawings and specific embodiments.
A dynamic connection control method for virtual desktop resource protection comprises the following steps:
the virtual desktop isolation and access control system intercepts the connection authentication request from the user's operating terminal and hands it to the virtual desktop management platform;
after analysing and authenticating the request, the virtual desktop management platform schedules a virtual desktop resource and returns the user's identifier for this connection to the virtual desktop isolation and access control system;
the virtual desktop isolation and access control system completes the connection, carrying the user-identity connection identifier, from the user's operating terminal to the virtual desktop;
when the user's operating terminal disconnects this connection, the virtual desktop isolation and access control system intercepts the teardown and hands it to the virtual desktop management platform;
after analysis, the virtual desktop management platform withdraws the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect the user's current connection to the virtual desktop;
the virtual desktop isolation and access control system refuses any unauthenticated connection from the user's operating terminal to the virtual desktop.
Embodiment one:
Application of the dynamic connection control method for virtual desktop resource protection in an enterprise cloud service, comprising the following steps:
S1: the user initiates an authentication request to the enterprise's virtual desktop isolation and access control system;
S2: the virtual desktop isolation and access control system hands the request to the enterprise's virtual desktop management platform;
S3: after authentication, the virtual desktop management platform allocates a virtual desktop resource from within the enterprise and notifies the virtual desktop isolation and access control system to allow the user terminal to establish a connection for operating the virtual desktop;
S4: the virtual desktop isolation and access control system, acting as a bridge, connects the user's operating terminal to the virtual desktop;
S5: the user disconnects, and the virtual desktop isolation and access control system hands this operation of the user to the virtual desktop management platform;
S6: on receiving it, the virtual desktop management platform notifies the virtual desktop isolation and access control system that the user's operating terminal is no longer allowed to connect to the virtual desktop;
S7: the virtual desktop isolation and access control system refuses the user's unauthenticated connections.
Embodiment two:
Application of the dynamic connection control method for virtual desktop resource protection in a military cloud service, comprising the following steps:
S1: the user initiates an authentication request to the military unit's virtual desktop isolation and access control system;
S2: the virtual desktop isolation and access control system hands the request to the military unit's virtual desktop management platform;
S3: after authentication, the virtual desktop management platform allocates a virtual desktop resource from within the military unit and notifies the virtual desktop isolation and access control system to allow the user terminal to establish a connection for operating the virtual desktop;
S4: the virtual desktop isolation and access control system, acting as a bridge, connects the user's operating terminal to the virtual desktop;
S5: the user disconnects, and the virtual desktop isolation and access control system hands this operation of the user to the virtual desktop management platform;
S6: on receiving it, the virtual desktop management platform notifies the virtual desktop isolation and access control system that the user's operating terminal is no longer allowed to connect to the virtual desktop;
S7: the virtual desktop isolation and access control system refuses the user's unauthenticated connections.
Embodiment three:
Application of the dynamic connection method for virtual desktop resource protection in a university cloud service, comprising the following steps:
S1: the user initiates an authentication request to the university's virtual desktop isolation and access control system;
S2: the virtual desktop isolation and access control system hands the request to the university's virtual desktop management platform;
S3: after authentication, the virtual desktop management platform allocates a virtual desktop resource from within the university and notifies the virtual desktop isolation and access control system to allow the user terminal to establish a connection for operating the virtual desktop;
S4: the virtual desktop isolation and access control system, acting as a bridge, connects the user's operating terminal to the virtual desktop;
S5: the user disconnects, and the virtual desktop isolation and access control system hands this operation of the user to the virtual desktop management platform;
S6: on receiving it, the virtual desktop management platform notifies the virtual desktop isolation and access control system that the user's operating terminal is no longer allowed to connect to the virtual desktop;
S7: the virtual desktop isolation and access control system refuses the user's unauthenticated connections.
Embodiments of the invention have been described above, but many variations are possible without essentially departing from the inventive point and effect of the invention, as will be readily apparent to those skilled in the art. Such variations therefore also fall within the scope of protection of the present invention.

Claims (11)

1. A dynamic connection control method for virtual desktop resource protection, characterised in that it comprises the following steps:
a first stage, namely the connection establishment stage of the virtual desktop, comprising the following steps:
the user's operating terminal sends an authentication request to connect to the virtual desktop;
the virtual desktop isolation and access control system intercepts the connection authentication request from the user's operating terminal and hands it to the virtual desktop management platform;
after analysing and authenticating the request, the virtual desktop management platform schedules a virtual desktop resource and returns the user's identifier for this connection to the virtual desktop isolation and access control system;
the virtual desktop isolation and access control system completes the connection, carrying the user-identity connection identifier, from the user's operating terminal to the virtual desktop;
a second stage, namely the connection teardown stage of the virtual desktop, comprising the following steps:
the user's operating terminal sends a request to disconnect the current connection;
the virtual desktop isolation and access control system intercepts the teardown by the user's operating terminal and hands it to the virtual desktop management platform;
after analysis, the virtual desktop management platform withdraws the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect the user's current connection to the virtual desktop;
the virtual desktop isolation and access control system refuses any unauthenticated connection from the user's operating terminal to the virtual desktop.
2. A method of applying the dynamic connection control method for virtual desktop resource protection according to claim 1 to a virtual desktop service, wherein the virtual desktop service comprises two stages: a virtual desktop connection establishment stage and a virtual desktop connection teardown stage; the connection establishment stage mainly completes the process of establishing a dynamic connection between the user's operating terminal and the virtual desktop server through the virtual desktop isolation and access control system and the virtual desktop management platform; after the user's operating terminal disconnects the current connection, the connection teardown stage is entered, and the user's operating terminal can connect to the virtual desktop system again only by sending a new authentication request.
3. The dynamic connection control method for virtual desktop resource protection according to claim 1, characterised in that, between the user's operating terminal and the virtual desktop server, the virtual desktop isolation and access control system isolates and controls the connection and teardown processes, and the virtual desktop management platform authenticates and schedules the virtual desktop resources.
4. The step according to claim 1 in which the virtual desktop isolation and access control system intercepts the connection authentication request from the user's operating terminal and hands it to the virtual desktop management platform, further including: the user's operating terminal initiates an authentication request to the virtual desktop isolation and access control system; after intercepting it, the virtual desktop isolation and access control system does not immediately establish the connection from the user's operating terminal to the virtual desktop, but temporarily holds the request and hands it to the virtual desktop management platform for processing.
5. The step according to claim 4 in which the virtual desktop isolation and access control system intercepts the connection authentication request from the user's operating terminal and hands it to the virtual desktop management platform, further including: the authentication method includes not only username/password but may also support digital certificates and dynamic passwords.
6. The step according to claim 1 in which the virtual desktop management platform, after analysis and authentication, schedules the virtual desktop resource and returns the user's identifier for this connection to the virtual desktop isolation and access control system, further comprising: the virtual desktop management platform generates the corresponding connection identifier from the user identity information and the identity information of the current terminal parsed from the connection request, finds on the virtual desktop server a virtual desktop suitable for allocation to the user's operating terminal, and returns the virtual desktop information together with the connection identifier to the virtual desktop isolation and access control system.
7. The step according to claim 6 in which the virtual desktop management platform, after analysis and authentication, schedules the virtual desktop resource and returns the user's identifier for this connection to the virtual desktop isolation and access control system, further comprising: the identity information of the current terminal may be its hard disk identifier, its NIC address or other hardware information, or a combination of these.
8. The step according to claim 1 in which the virtual desktop isolation and access control system completes the connection with the user-identity connection identifier from the user's operating terminal to the virtual desktop, further comprising: according to the information received, the virtual desktop isolation and access control system establishes a connection that supports the user's operating terminal reaching the virtual desktop, after which the user can connect to, log in to and use the virtual desktop.
9. The connection according to claim 8 that supports the user's operating terminal reaching the virtual desktop, wherein the virtual desktop isolation and access control system can filter every message transmitted over the connection, so that the method cannot be bypassed or circumvented, and the user's operating terminal and the virtual desktop are isolated at the physical layer of the network.
10. The step according to claim 1 in which the virtual desktop isolation and access control system refuses any unauthenticated connection from the user's operating terminal to the virtual desktop, further comprising: after receiving the disconnect notification from the virtual desktop management platform, the virtual desktop isolation and access control system removes the connection, so that even if the user knows the IP address, username and password of the virtual desktop, the user can no longer connect to it privately.
11. A dynamic connection management device that effectively isolates the user's operating terminal from the virtual desktop and ensures the effectiveness of the virtual desktop administrative mechanism, the device comprising:
one or more servers, on which hardware virtualisation technology is implemented to create multiple virtual machines, the virtual desktop system being deployed on the virtual machines;
one or more user operating terminals, on whose operating platform the user runs, accesses the virtual desktop system and sends data exchange requests;
a virtual desktop management platform, deployed between the virtual desktop and the user's operating terminal;
a virtual desktop isolation and access control system, deployed between the virtual desktop and the user's operating terminal;
the virtual desktop isolation and access control system, acting as the proxy for the virtual desktop service, intercepts the connection request sent by the user terminal to the virtual desktop server and hands it to the virtual desktop management platform; the virtual desktop management platform analyses the identity information in the connection request to determine the virtual desktop suitable for allocation to the user's operating terminal and notifies the virtual desktop isolation and access control system to establish a connection that supports the user's operating terminal reaching the virtual desktop;
the virtual desktop isolation and access control system, acting as the proxy for the virtual desktop service, after the virtual desktop server has responded to the user terminal's connection request, can intercept and filter every message in the connection from the user's operating terminal to the virtual desktop, acting as a cut-off point between them;
the virtual desktop isolation and access control system, acting as the proxy for the virtual desktop service, upon intercepting the user terminal's disconnect operation, hands it to the virtual desktop management platform, which cancels the user's connection to the virtual desktop on the virtual desktop isolation and access control system; after the connection is removed, the user can no longer connect to the virtual desktop privately.
CN201610349588.0A 2016-05-24 2016-05-24 A kind of Dynamic link library control method of Virtual desktop protection of resources Active CN106022146B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610349588.0A CN106022146B (en) 2016-05-24 2016-05-24 A kind of Dynamic link library control method of Virtual desktop protection of resources

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610349588.0A CN106022146B (en) 2016-05-24 2016-05-24 A kind of Dynamic link library control method of Virtual desktop protection of resources

Publications (2)

Publication Number Publication Date
CN106022146A CN106022146A (en) 2016-10-12
CN106022146B true CN106022146B (en) 2018-01-12

Family

ID=57093242

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610349588.0A Active CN106022146B (en) 2016-05-24 2016-05-24 A kind of Dynamic link library control method of Virtual desktop protection of resources

Country Status (1)

Country Link
CN (1) CN106022146B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753887A (en) * 2013-12-31 2015-07-01 中国移动通信集团黑龙江有限公司 Safety control implementation method and system and cloud desktop system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9419814B2 (en) * 2009-03-03 2016-08-16 Cisco Technology, Inc. Event / calendar based auto-start of virtual disks for desktop virtualization
CN105049414A (en) * 2015-06-03 2015-11-11 北京朋创天地科技有限公司 Dataflow control method facing virtual desktop and information safety device

Also Published As

Publication number Publication date
CN106022146A (en) 2016-10-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant