CN106022146B - A dynamic connection control method for virtual desktop resource protection
- Publication number: CN106022146B
- Application number: CN201610349588.0A
- Authority: CN (China)
- Prior art keywords: virtual desktop, user, terminal, connection, control system
- Legal status: Active
Classifications
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/60—Protecting data
    - G06F21/604—Tools and structures for managing or administering access control systems
    - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
  - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
    - G06F21/31—User authentication
      - G06F21/33—User authentication using certificates
        - G06F21/335—User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
    - G06F21/44—Program or device authentication
Abstract
The invention discloses a dynamic connection control method for virtual desktop resource protection. The method comprises two processes: the process by which a user's operating terminal establishes a connection with the virtual desktop server, and the process by which the terminal tears that connection down. The method effectively isolates the user's operating terminal from the virtual desktop server, so that every connection to and login on the virtual desktop system by the terminal must pass authentication by the virtual desktop management platform, ensuring the effectiveness of the virtual desktop management mechanism.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to an access control apparatus for a virtual desktop environment.
Background technology
Virtual desktop technology is one feasible means of centralising application terminals: it makes it possible to consolidate data processing and storage that were previously scattered. While centralising processing and storage, it lets users reach the data in a virtual desktop through many types of terminal and many access points. The user's operating terminal and the virtual desktop server communicate over a virtual desktop protocol.
Virtual desktop technology offers security and confidentiality advantages, but a user's operating terminal that is affected by worms, DDoS attacks and the like can degrade network performance on the virtual desktop side. Moreover, a user who does not follow the rules can connect remotely to the virtual desktop directly, using the desktop's IP address and a known user name and password, entirely bypassing the virtual desktop management platform, so that the management platform has no way of knowing whether the resources it manages are occupied or idle. A method is therefore needed that separates the user's operating terminal from the virtual desktop, intercepts the user's operations, and controls the user's entire process of accessing virtual desktop data.
The content of the invention
The technical problem solved by the present invention is to propose a dynamic connection control method for virtual desktop resource protection that improves information security in a virtual desktop environment. In a virtual desktop environment, a virtual desktop management platform and a virtual desktop isolation and access control system are deployed between the user's operating terminal and the virtual desktop server.
To solve the above problem, a dynamic connection control method for virtual desktop resource protection comprises the following steps:
the virtual desktop isolation and access control system intercepts the connection authentication request of the user's operating terminal and hands it to the virtual desktop management platform;
after analysing and authenticating the request, the virtual desktop management platform schedules a virtual desktop resource and returns the identifier of this connection for the user to the virtual desktop isolation and access control system;
the virtual desktop isolation and access control system completes the connection, carrying the user identity connection identifier, from the user's operating terminal to the virtual desktop;
when the user's operating terminal disconnects this connection, the virtual desktop isolation and access control system intercepts the terminal's connection teardown and hands it to the virtual desktop management platform;
after analysis, the virtual desktop management platform reclaims the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect the user's connection to the virtual desktop;
the virtual desktop isolation and access control system refuses any unauthenticated connection from the user's operating terminal to the virtual desktop.
Further, in a preferred embodiment, to reduce the complexity of the application, the process by which the user's operating terminal obtains virtual desktop service from the virtual desktop server has two stages: a connection establishment stage and a teardown stage.
Further, in a preferred embodiment, the step in which the virtual desktop isolation and access control system intercepts the connection authentication request of the user's operating terminal and hands it to the virtual desktop management platform further comprises: the virtual desktop isolation and access control system ensures that the user's operating terminal cannot interfere with the virtual desktop, thereby blocking the terminal's own security problems from propagating to or infecting the virtual desktop system.
Further, in a preferred embodiment, the same intercept-and-hand-over step further comprises: the virtual desktop isolation and access control system prevents a user from connecting to and accessing the virtual desktop through an operating terminal without authentication, which would cause virtual desktop resources to be abused and management to lose control.
Further, in a preferred embodiment, the same intercept-and-hand-over step further comprises: in the connection establishment stage, the user's operating terminal initiates connection authentication with the virtual desktop isolation and access control system; the authentication method includes not only user name and password but may also support digital certificates and dynamic passwords.
Further, in a preferred embodiment, the step in which the virtual desktop management platform, after analysis and authentication, schedules the virtual desktop resource and returns the user's connection identifier to the virtual desktop isolation and access control system further comprises: the terminal characteristic information carried in the connection identifier may be the hard disk identifier, the network card address, or a synthesis of such hardware information.
Further, in a preferred embodiment, the step in which the virtual desktop isolation and access control system completes the connection with user identity connection identifier from the user's operating terminal to the virtual desktop further comprises: the virtual desktop isolation and access control system must be able to filter every item of information transmitted during the terminal's connection to the virtual desktop, to ensure that this method cannot be bypassed or circumvented.
Further, in a preferred embodiment, the step in which the virtual desktop management platform, after analysis, reclaims the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect the user's connection to the virtual desktop further comprises: the virtual desktop management platform cancels the connection information of the user's operating terminal to the virtual desktop; once the virtual desktop isolation and access control system can no longer find connection information for the terminal, it refuses the user direct access to the virtual desktop.
Further, in a preferred embodiment, the step in which the virtual desktop isolation and access control system refuses any unauthenticated connection from the user's operating terminal to the virtual desktop comprises: if the user does not send a connection request through the operating terminal to the virtual desktop isolation and access control system, then even if the user knows the IP address, user name and password of the virtual desktop to be accessed, the user cannot connect around the virtual desktop isolation and access control system and privately access the virtual desktop system.
The beneficial effects of the present invention are: first, a user is prevented from connecting to and accessing the virtual desktop through an operating terminal without authentication, which would cause virtual desktop resources to be abused and mismanaged; second, the authentication method includes not only user name and password but may also support digital certificates, dynamic passwords and similar modes; third, the structure supports network admission control of the user's operating terminal, for example allowing only operating terminals with particular features to connect to the virtual desktop, where these features may be the hard disk identifier, the network card address or other hardware information, or a synthesis of such information; fourth, interference with and damage to the virtual desktop system by the user's operating terminal, such as virus or trojan infection and DDoS attacks, can be blocked. In sum, the method effectively isolates the network between the user's operating terminal and the virtual desktop and ensures the effectiveness of the virtual desktop management mechanism.
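The two-stage flow above, as an added worked example that is not part of the patent or of any product it describes: a management platform that authenticates, schedules a desktop resource and issues a connection identifier bound to user, terminal and desktop; and an isolation and access control system (the broker) that bridges traffic only for sessions holding a live identifier, drops frames from any other terminal or after teardown, and refuses unauthenticated connections. Class names, the `hmac`-based identifier format, the user table, the desktop pool and the terminal fingerprints are this example's own assumptions and constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    terminal_fp: str   # hardware fingerprint reported for the operating terminal
    desktop: str       # virtual desktop resource scheduled for this user
    conn_id: str       # connection identifier issued by the management platform


class ManagementPlatform:
    """Authenticates users, schedules desktop resources and issues/revokes
    connection identifiers. User table and desktop pool are constructed data."""

    def __init__(self, users, desktops):
        self._users = dict(users)            # user -> password (sample only)
        self._free = list(desktops)          # idle desktop resources
        self._key = secrets.token_bytes(32)  # MAC key binding identifiers
        self._live = {}                      # conn_id -> Session

    def authenticate(self, user, password, terminal_fp):
        expected = self._users.get(user, "")
        if not expected or not hmac.compare_digest(expected, password):
            return None
        if not self._free:
            return None                      # no desktop resource to schedule
        desktop = self._free.pop(0)
        nonce = secrets.token_hex(8)
        # The identifier is bound to user, terminal and desktop, so it is of
        # no use from another terminal or for another desktop.
        msg = f"{user}|{terminal_fp}|{desktop}|{nonce}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        session = Session(user, terminal_fp, desktop, f"{nonce}:{tag}")
        self._live[session.conn_id] = session
        return session

    def release(self, conn_id):
        """Reclaim the desktop resource and forget the connection identifier."""
        session = self._live.pop(conn_id, None)
        if session is not None:
            self._free.append(session.desktop)
        return session is not None

    def free_desktops(self):
        return list(self._free)


class IsolationAccessControl:
    """Broker between terminal and desktop server: every request is
    intercepted and nothing is bridged without a live connection identifier."""

    def __init__(self, platform):
        self._platform = platform
        self._bridge = {}                    # conn_id -> Session

    def connect(self, user, password, terminal_fp):
        # Stage 1: suspend the request, hand it to the platform, and bridge
        # only if the platform returns a connection identifier.
        session = self._platform.authenticate(user, password, terminal_fp)
        if session is None:
            return None
        self._bridge[session.conn_id] = session
        return session.conn_id

    def forward(self, conn_id, terminal_fp, frame):
        """Filter every frame: pass only frames of a live session that come
        from the terminal the identifier was issued to; drop everything else."""
        session = self._bridge.get(conn_id)
        if session is None or session.terminal_fp != terminal_fp:
            return ("DROP", None)
        return ("PASS", session.desktop)

    def disconnect(self, conn_id):
        # Stage 2: intercept the teardown, hand it to the platform, then remove
        # the bridge so later frames carrying this identifier are dropped.
        if conn_id not in self._bridge:
            return False
        self._platform.release(conn_id)
        del self._bridge[conn_id]
        return True


def run_scenario():
    """Walk both stages with constructed credentials and return the decisions."""
    platform = ManagementPlatform({"alice": "sample-pass"}, ["vd-01"])
    broker = IsolationAccessControl(platform)
    out = {}
    # Direct attempt with no authentication at all: no identifier, so dropped.
    out["direct_unauthenticated"] = broker.forward("", "fp-alice", b"hello")[0]
    out["wrong_password"] = broker.connect("alice", "guess", "fp-alice")
    cid = broker.connect("alice", "sample-pass", "fp-alice")
    out["established"] = cid is not None
    out["frame_from_same_terminal"] = broker.forward(cid, "fp-alice", b"input")
    out["frame_from_other_terminal"] = broker.forward(cid, "fp-other", b"input")[0]
    out["torn_down"] = broker.disconnect(cid)
    out["frame_after_teardown"] = broker.forward(cid, "fp-alice", b"input")[0]
    out["desktop_reclaimed"] = platform.free_desktops()
    # Reconnecting requires fresh authentication and yields a new identifier.
    out["reconnect_new_id"] = broker.connect("alice", "sample-pass", "fp-alice") != cid
    return out
```

The broker never consults the password itself; it only suspends the request and acts on the platform's answer, which is what keeps the authentication decision and the resource accounting in one place. Because the bridge table is the sole path to the desktop, a terminal that knows the desktop address and credentials but skips the broker has no entry and is dropped, which is the "refuse any unauthenticated connection" step.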
Brief description of the drawings
The present invention can be understood more completely and fully, and many of its attendant advantages readily learned, by referring to the following detailed description considered in conjunction with the accompanying drawings. The drawings described herein are provided to further the understanding of the present invention and form part of it; the schematic embodiments and their description serve to explain the invention and do not constitute an improper restriction of it.
Fig. 1 is a flow chart of the connection establishment stage of the present invention.
Fig. 2 is a flow chart of the teardown stage of the present invention.
Embodiment
Embodiments of the invention are described with reference to Fig. 1 and Fig. 2.
To make the above objects, features and advantages more readily understandable, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
A dynamic connection control method for virtual desktop resource protection comprises the following steps:
the virtual desktop isolation and access control system intercepts the connection authentication request of the user's operating terminal and hands it to the virtual desktop management platform;
after analysing and authenticating the request, the virtual desktop management platform schedules a virtual desktop resource and returns the identifier of this connection for the user to the virtual desktop isolation and access control system;
the virtual desktop isolation and access control system completes the connection, carrying the user identity connection identifier, from the user's operating terminal to the virtual desktop;
when the user's operating terminal disconnects this connection, the virtual desktop isolation and access control system intercepts the terminal's connection teardown and hands it to the virtual desktop management platform;
after analysis, the virtual desktop management platform reclaims the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect the user's connection to the virtual desktop;
the virtual desktop isolation and access control system refuses any unauthenticated connection from the user's operating terminal to the virtual desktop.
Embodiment one:
An application of the dynamic connection control method for virtual desktop resource protection in an enterprise cloud service comprises the following steps:
S1, the user initiates an authentication request to the enterprise's virtual desktop isolation and access control system;
S2, the virtual desktop isolation and access control system hands the request to the enterprise's virtual desktop management platform;
S3, after authentication, the virtual desktop management platform allocates a virtual desktop resource inside the enterprise and notifies the virtual desktop isolation and access control system that the user terminal may establish a connection to operate the virtual desktop;
S4, the virtual desktop isolation and access control system, acting as a bridge, connects the user's operating terminal with the virtual desktop;
S5, the user disconnects, and the virtual desktop isolation and access control system hands this operation by the user to the virtual desktop management platform;
S6, on receiving it, the virtual desktop management platform notifies the virtual desktop isolation and access control system to no longer allow the user's operating terminal to connect to the virtual desktop;
S7, the virtual desktop isolation and access control system refuses unauthenticated connections from the user.
Embodiment two:
An application of the dynamic connection control method for virtual desktop resource protection in a military cloud service comprises the following steps:
S1, the user initiates an authentication request to the military virtual desktop isolation and access control system;
S2, the virtual desktop isolation and access control system hands the request to the military virtual desktop management platform;
S3, after authentication, the virtual desktop management platform allocates a virtual desktop resource inside the military network and notifies the virtual desktop isolation and access control system that the user terminal may establish a connection to operate the virtual desktop;
S4, the virtual desktop isolation and access control system, acting as a bridge, connects the user's operating terminal with the virtual desktop;
S5, the user disconnects, and the virtual desktop isolation and access control system hands this operation by the user to the virtual desktop management platform;
S6, on receiving it, the virtual desktop management platform notifies the virtual desktop isolation and access control system to no longer allow the user's operating terminal to connect to the virtual desktop;
S7, the virtual desktop isolation and access control system refuses unauthenticated connections from the user.
Embodiment three:
An application of the dynamic connection control method for virtual desktop resource protection in a college and university cloud service comprises the following steps:
S1, the user initiates an authentication request to the institution's virtual desktop isolation and access control system;
S2, the virtual desktop isolation and access control system hands the request to the institution's virtual desktop management platform;
S3, after authentication, the virtual desktop management platform allocates a virtual desktop resource inside the institution and notifies the virtual desktop isolation and access control system that the user terminal may establish a connection to operate the virtual desktop;
S4, the virtual desktop isolation and access control system, acting as a bridge, connects the user's operating terminal with the virtual desktop;
S5, the user disconnects, and the virtual desktop isolation and access control system hands this operation by the user to the virtual desktop management platform;
S6, on receiving it, the virtual desktop management platform notifies the virtual desktop isolation and access control system to no longer allow the user's operating terminal to connect to the virtual desktop;
S7, the virtual desktop isolation and access control system refuses unauthenticated connections from the user.
As described above, embodiments of the invention have been explained; however, many variations are possible without essentially departing from the inventive point and effect of the invention, as will be readily apparent to those skilled in the art. Such variations are therefore also wholly within the scope of protection of the present invention.
Claims (11)
1. A dynamic connection control method for virtual desktop resource protection, characterised in that it comprises the following steps:
a first stage, namely the connection establishment stage of the virtual desktop, comprising the following steps:
the user's operating terminal sends an authentication request to connect to the virtual desktop;
the virtual desktop isolation and access control system intercepts the connection authentication request of the user's operating terminal and hands it to the virtual desktop management platform;
after analysis and authentication, the virtual desktop management platform schedules a virtual desktop resource and returns the identifier of this connection for the user to the virtual desktop isolation and access control system;
the virtual desktop isolation and access control system completes the connection, carrying the user identity connection identifier, from the user's operating terminal to the virtual desktop;
a second stage, namely the teardown stage of the virtual desktop, comprising the following steps:
the user's operating terminal sends a request to disconnect this connection;
the virtual desktop isolation and access control system intercepts the connection teardown of the user's operating terminal and hands it to the virtual desktop management platform;
after analysis, the virtual desktop management platform reclaims the virtual desktop resource and notifies the virtual desktop isolation and access control system to disconnect the user's connection to the virtual desktop;
the virtual desktop isolation and access control system refuses any unauthenticated connection from the user's operating terminal to the virtual desktop.
2. A method of applying the dynamic connection control method for virtual desktop resource protection of claim 1 to virtual desktop service, wherein the virtual desktop service comprises two stages, a virtual desktop connection establishment stage and a virtual desktop teardown stage; the connection establishment stage mainly completes the process of establishing a dynamic connection between the user's operating terminal and the virtual desktop server through the virtual desktop isolation and access control system and the virtual desktop management platform; after the user's operating terminal disconnects this connection, the virtual desktop teardown stage is entered, and the user's operating terminal can connect to the virtual desktop system again only by sending a new authentication request.
3. The dynamic connection control method for virtual desktop resource protection according to claim 1, characterised in that, between the user's operating terminal and the virtual desktop server, the virtual desktop isolation and access control system isolates and controls the connection and teardown process, and the virtual desktop management platform performs authentication and schedules virtual desktop resources.
4. The method according to claim 1, wherein the step in which the virtual desktop isolation and access control system intercepts the connection authentication request of the user's operating terminal and hands it to the virtual desktop management platform further comprises: the user's operating terminal initiates an authentication request to the virtual desktop isolation and access control system; after intercepting it, the virtual desktop isolation and access control system does not immediately establish the terminal's connection to the virtual desktop but suspends it temporarily and hands the request to the virtual desktop management platform for processing.
5. The method according to claim 4, wherein the step in which the virtual desktop isolation and access control system intercepts the connection authentication request of the user's operating terminal and hands it to the virtual desktop management platform further comprises: the authentication method includes not only user name/password but may also support digital certificates and dynamic passwords.
6. The method according to claim 1, wherein the step in which the virtual desktop management platform, after analysis and authentication, schedules the virtual desktop resource and returns the user's connection identifier to the virtual desktop isolation and access control system further comprises: the virtual desktop management platform generates a corresponding connection identifier from the user identity information and the identity information of the current terminal parsed from the connection request, finds on the virtual desktop server the virtual desktop information suitable for allocation to the user's operating terminal, and returns it together with the connection identifier to the virtual desktop isolation and access control system.
7. The method according to claim 6, wherein the step in which the virtual desktop management platform, after analysis and authentication, schedules the virtual desktop resource and returns the user's connection identifier to the virtual desktop isolation and access control system further comprises: the identity information of the current terminal may be its hard disk identifier, its network card address, or a synthesis of such hardware information.
8. The method according to claim 1, wherein the step in which the virtual desktop isolation and access control system completes the connection with user identity connection identifier from the user's operating terminal to the virtual desktop further comprises: the virtual desktop isolation and access control system, according to the information received, establishes a connection that supports the user's operating terminal reaching the virtual desktop, after which the user can connect to, log in to and use the virtual desktop.
9. The connection supporting the user's operating terminal reaching the virtual desktop according to claim 8, wherein the virtual desktop isolation and access control system can filter every item of information transmitted over the connection, to ensure that the method cannot be bypassed or circumvented, isolating the user's operating terminal from the virtual desktop at the physical layer of the network.
10. The step according to claim 1 in which the virtual desktop isolation and access control system refuses any unauthenticated connection from the user's operating terminal to the virtual desktop, further comprising: after receiving the disconnect notification from the virtual desktop management platform, the virtual desktop isolation and access control system removes the connection, and even if the user knows the IP address, user name and password of the virtual desktop, the user can no longer privately connect to the virtual desktop.
11. A dynamic connection management device capable of effectively isolating the user's operating terminal from the virtual desktop and ensuring the effectiveness of the virtual desktop management mechanism, the device comprising:
one or more servers, on which hardware virtualisation technology is implemented to virtualise multiple virtual machines, the virtual desktop system being deployed on the virtual machines;
one or more user operating terminals, on which the user operates a platform, accesses the virtual desktop system and sends data exchange requests;
a virtual desktop management platform, deployed between the virtual desktop and the user's operating terminal;
a virtual desktop isolation and access control system, deployed between the virtual desktop and the user's operating terminal;
wherein the virtual desktop isolation and access control system, acting as proxy for the virtual desktop service, intercepts the connection request sent by the user terminal to the virtual desktop server and hands it to the virtual desktop management platform; the virtual desktop management platform determines from the identity information in the connection request which virtual desktop is suitable for allocation to the user's operating terminal and notifies the virtual desktop isolation and access control system to establish a connection supporting the user's operating terminal reaching the virtual desktop;
the virtual desktop isolation and access control system, acting as proxy for the virtual desktop service, can, after the virtual desktop server has responded to the terminal's connection request, intercept and filter every item of information in the terminal's connection to the virtual desktop, acting as a cut-off between them;
the virtual desktop isolation and access control system, acting as proxy for the virtual desktop service, upon intercepting the terminal's disconnect operation, hands it to the virtual desktop management platform, which cancels the user's connection to the virtual desktop on the virtual desktop isolation and access control system; after the connection is removed, the user can no longer privately connect to the virtual desktop.
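Claims 6 and 7 have the management platform parse user identity and terminal identity out of the connection request, with the terminal identity being a hard disk identifier, a network card address, or a synthesis of such hardware information; the summary describes using such features for network admission control. The following is an added example, not code from the patent or from any product: a parser for a constructed `key=value` request format (the page does not specify the real framing), a synthesised terminal feature derived from disk identifier and NIC address, and an allowlist policy that decides admission from the parsed request. The request format, field names, sample identifiers and class names are this example's assumptions.

```python
import hashlib

# Constructed request format for this example: one key=value pair per line,
# carrying the user identity and the terminal's hardware identity.
SAMPLE_REQUEST = """user=alice
disk=WD-WCC4E1234567
nic=00-1A-2B-3C-4D-5E
"""


def parse_request(text):
    """Parse the constructed request into a dict; missing fields stay absent."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def terminal_feature(disk_id, nic_addr):
    """Synthesise one terminal feature from the hard disk identifier and the
    network card address. Normalisation stops cosmetic differences (case,
    separator style) from changing the feature, while any change to either
    component does change it."""
    disk = disk_id.strip().upper()
    nic = nic_addr.strip().lower().replace("-", ":")
    return hashlib.sha256(f"{disk}|{nic}".encode()).hexdigest()


class AdmissionPolicy:
    """Allowlist of enrolled terminal features: only an enrolled terminal
    may be connected to a virtual desktop."""

    def __init__(self):
        self._enrolled = set()

    def enrol(self, disk_id, nic_addr):
        self._enrolled.add(terminal_feature(disk_id, nic_addr))

    def decide(self, request_text):
        """Return (admitted, reason) for one connection request."""
        req = parse_request(request_text)
        for field in ("user", "disk", "nic"):
            if field not in req:
                return (False, f"missing {field}")
        if terminal_feature(req["disk"], req["nic"]) not in self._enrolled:
            return (False, "terminal not enrolled")
        return (True, f"admit {req['user']}")


def demo():
    """Evaluate three constructed requests against one enrolled terminal."""
    policy = AdmissionPolicy()
    policy.enrol("WD-WCC4E1234567", "00:1A:2B:3C:4D:5E")   # constructed values
    return {
        # same terminal, NIC written with dashes instead of colons
        "enrolled": policy.decide(SAMPLE_REQUEST),
        # same NIC address but a different disk: the synthesis no longer matches
        "nic_only": policy.decide(SAMPLE_REQUEST.replace("WD-WCC4E1234567", "ST-OTHER")),
        # request that omits the NIC field entirely
        "missing_nic": policy.decide("user=alice\ndisk=WD-WCC4E1234567\n"),
    }
```

Hashing the two components together, rather than checking each on its own, means a terminal that matches on only one of them is not admitted. The hardware identity is still something the terminal reports about itself, so this admission check complements the user authentication the platform performs and does not replace it, which is consistent with the patent combining both.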
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610349588.0A CN106022146B (en) | 2016-05-24 | 2016-05-24 | A dynamic connection control method for virtual desktop resource protection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106022146A CN106022146A (en) | 2016-10-12 |
CN106022146B true CN106022146B (en) | 2018-01-12 |
Family
ID=57093242
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610349588.0A Active CN106022146B (en) | 2016-05-24 | 2016-05-24 | A dynamic connection control method for virtual desktop resource protection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106022146B (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104753887A (en) * | 2013-12-31 | 2015-07-01 | 中国移动通信集团黑龙江有限公司 | Safety control implementation method and system and cloud desktop system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9419814B2 (en) * | 2009-03-03 | 2016-08-16 | Cisco Technology, Inc. | Event / calendar based auto-start of virtual disks for desktop virtualization |
CN105049414A (en) * | 2015-06-03 | 2015-11-11 | 北京朋创天地科技有限公司 | Dataflow control method facing virtual desktop and information safety device |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |