CN109583182A - Method, apparatus, electronic device and computer storage medium for starting a remote desktop

Info

Publication number: CN109583182A
Authority: CN (China)
Legal status: Granted
Application number: CN201811447982.3A
Other languages: Chinese (zh)
Other versions: CN109583182B (en)
Inventors: 孙国峰, 赵春雷, 邹仕洪
Current assignee: Yuanxin Information Technology Group Co ltd
Original assignee: Beijing Yuanxin Science and Technology Co Ltd
Application filed by Beijing Yuanxin Science and Technology Co Ltd
Priority to CN201811447982.3A

Classifications

    • G06F21/44 Program or device authentication
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/74 Protecting specific internal or peripheral components to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode
    • G06F9/452 Remote windowing, e.g. X-Window System, desktop virtualisation
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

This application relates to the technical field of terminal devices and discloses a method, apparatus, electronic device and computer-readable storage medium for starting a remote desktop. The method is applied in an application environment that includes at least two mutually isolated execution domains, in which an operating system and a remote desktop system run separately. The method comprises: when access by a preset dock device is detected, performing initial authentication on the accessing preset dock device; if the initial authentication passes, authenticating, through the first domain, the permission to start the remote desktop according to a received remote desktop start request; and if the start-permission authentication passes, controlling the remote desktop to start in the first domain, so that the remote desktop system runs in the first domain. The method of the embodiments of this application effectively prevents unauthorized access to the remote desktop by illegitimate users and behaviours such as impersonated access, and ensures the security of starting the remote desktop.

Description

Method, apparatus, electronic device and computer storage medium for starting a remote desktop
Technical field
This application relates to the technical field of terminal devices, and specifically to a method, apparatus, electronic device and computer storage medium for starting a remote desktop.
Background technique
As graphical operating systems have matured, remote connections have begun to support the direct graphical presentation of, and access to, remote computing environments, and a variety of remote desktop protocols have appeared. The most common are Microsoft's remote desktop protocol RDP (Remote Display Protocol), the VNC (Virtual Network Computing) protocol based on VFB (Virtual Frame Buffer), protocols based on X, PCoIP (an image transmission protocol), HDX/ICA (High Definition Experience/Independent Computing Architecture), SPICE (a desktop virtualization data transport protocol) and specialised protocols such as RGS (Remote Graphics Software). Through these communication protocols a remote desktop running on a server can be presented naturally on a terminal device, and when using such a remote desktop the user operates it exactly as they would a desktop system running on the local terminal.
With the arrival of the cloud computing era and the rapid development of virtualization technology, the remote desktop has moved from running directly on bare server hardware to running in a virtual machine on an IaaS (Infrastructure as a Service) or PaaS (Platform as a Service) platform. In the 5G era, where bandwidth is no longer a bottleneck, terminal software or terminal hardware implemented on the basis of the various remote desktop protocols can conveniently bring a cloud-hosted virtual desktop environment to the local terminal, and shows every sign of completely replacing the traditional office desktop computer or notebook.
At present the remote virtual desktop client usually lives as a parasite inside the operating system of the terminal device. This approach not only makes development complex and the development cycle long, but is also hard to adapt to new devices; it carries certain security risks and lacks stability.
Summary of the invention
The purpose of this application is to solve at least one of the technical deficiencies described above, and in particular the following technical solutions are proposed:
In a first aspect, a method for starting a remote desktop is provided, applied in an application environment including at least two mutually isolated execution domains, in which an operating system and a remote desktop system run separately, the method comprising:
when access by a preset dock device is detected, performing initial authentication on the accessing preset dock device;
if the initial authentication passes, authenticating, through the first domain, the permission to start the remote desktop according to the received remote desktop start request;
if the start-permission authentication passes, controlling the remote desktop to start in the first domain, so that the remote desktop system runs in the first domain.
In a second aspect, an apparatus for starting a remote desktop is provided, applied in an application environment including at least two mutually isolated execution domains, in which an operating system and a remote desktop system run separately, the apparatus comprising:
a first authentication module, for performing initial authentication on the accessing preset dock device when access by a preset dock device is detected;
a second authentication module, for authenticating, through the first domain, the permission to start the remote desktop according to the received remote desktop start request when the initial authentication passes;
a start module, for controlling the remote desktop to start in the first domain when the start-permission authentication passes, so that the remote desktop system runs in the first domain.
In a third aspect, an electronic device is provided, including a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the above method for starting a remote desktop when executing the program.
In a fourth aspect, a computer-readable storage medium is provided on which a computer program is stored, the program implementing the above method for starting a remote desktop when executed by a processor.
With the method for starting a remote desktop provided by the embodiments of this application, when access by a preset dock device is detected, initial authentication is performed on the accessing preset dock device, which ensures the security of the accessing preset dock device and provides a precondition for the subsequent authentication of the permission to start the remote desktop. Then, after the initial authentication passes, the permission to start the remote desktop is authenticated through the first domain according to the received remote desktop start request, and after that authentication passes the remote desktop is controlled to start in the first domain. Authenticating the access permission for the remote desktop through the first domain not only effectively prevents unauthorized access to the remote desktop by illegitimate users and behaviours such as impersonated access, ensuring the security of starting the remote desktop, but also, because the first domain running the remote desktop system and the domain running the operating system are mutually isolated, effectively overcomes problems such as poor stability and security risks introduced by the operating system. In addition, the first domain, which runs the remote desktop system independently of the operating system, can run a comparatively trimmed-down kernel, which reduces development complexity, shortens the development cycle and makes adaptation to other devices easy.
Additional aspects and advantages of this application will be set out in part in the description below, and will become obvious from that description or be learned through practice of the application.
Detailed description of the invention
The above and/or additional aspects and advantages of this application will become apparent and easily understood from the following description of embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a schematic structural diagram of a remote desktop system and an operating system in the prior art;
Fig. 2 is a schematic flow diagram of the method for starting a remote desktop of the embodiment of this application;
Fig. 3 is a schematic structural diagram of the first domain running the operating system and the second domain running the remote desktop system in the embodiment of this application;
Fig. 4 is a schematic diagram of the basic structure of the apparatus for starting a remote desktop of the embodiment of this application;
Fig. 5 is a schematic diagram of the detailed structure of the apparatus for starting a remote desktop of the embodiment of this application;
Fig. 6 is a schematic structural diagram of the electronic device of the embodiment of this application.
Specific embodiment
Embodiments of this application are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements, or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the application, and are not to be construed as limiting it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural forms. It should further be understood that the word "comprising" used in the description of this application refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may also be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The wording "and/or" as used herein includes all or any unit and all combinations of one or more of the associated listed items.
To make the purposes, technical solutions and advantages of this application clearer, the embodiments of this application are described in further detail below with reference to the drawings.
In the prior art, remote virtual desktop client software runs on the terminal device and connects to the virtual desktop in the cloud over a remote desktop protocol. The intelligent terminal connects to a device similar to a hub, and through this hub device connects a local network, mouse, keyboard, display device and so on, as shown in Fig. 1; the user can then use the remote virtual desktop as they would an ordinary computer. However, in this implementation the virtual desktop client is parasitic on the operating system of the intelligent terminal: after a system failure it may become impossible to use the remote virtual desktop, and security risks may arise. In other words, the above implementation lacks stability, and it is complex to develop, has a long development cycle and is hard to adapt to new devices.
The method, apparatus, electronic device and computer-readable storage medium for starting a remote desktop provided by this application are intended to solve the above technical problems of the prior art.
The technical solutions of this application, and how they solve the above technical problems, are described in detail below with specific embodiments. The specific embodiments below may be combined with each other, and the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of this application are described below with reference to the drawings.
Embodiment one
The embodiments of this application provide a method for starting a remote desktop, applied in an application environment including at least two mutually isolated execution domains, in which an operating system and a remote desktop system run separately; as shown in Fig. 1, the method comprises:
Step S110: when access by a preset dock device is detected, perform initial authentication on the accessing preset dock device.
Specifically, the preset dock device can connect external devices through a preset communication interface, for example connecting external devices such as a mobile phone, a computer or an iPad through a USB (Universal Serial Bus) interface, or connecting a smartphone through the smartphone's audio interface, similar to the USB security key (U-shield) in common use today.
Further, a security chip is fitted in the preset dock device in advance, for authenticating the user's identity and establishing a chain of trust.
Further, the terminal device can determine whether a preset dock device has been connected by detecting level changes on the USB interface or the audio interface, and performs initial authentication on the accessing preset dock device when such access is detected.
Step S120: if the initial authentication passes, authenticate, through the first domain, the permission to start the remote desktop according to the received remote desktop start request.
Specifically, the user can send a remote desktop start request to the terminal device through the preset dock device in order to connect to the remote virtual desktop. After the preset dock device is connected to the terminal device, the terminal device first performs initial authentication on the preset dock device through step S110 above, and only after the initial authentication passes does it authenticate the received remote desktop start request.
Further, when authenticating the received remote desktop start request, the terminal device can authenticate the permission to start the remote desktop through the first domain.
Step S130: if the start-permission authentication passes, control the remote desktop to start in the first domain, so that the remote desktop system runs in the first domain.
Specifically, after the start-permission authentication through the first domain passes, the terminal device starts the remote desktop through the first domain; for example, a start request can be sent to the remote desktop over the remote desktop protocol in the first domain, and after receiving the start request the remote desktop starts on the basis of it, so that the remote desktop system runs in the first domain of the terminal device.
Compared with the prior art, the method for starting a remote desktop provided by the embodiments of this application performs initial authentication on the accessing preset dock device when access by a preset dock device is detected, which ensures the security of the accessing preset dock device and provides a precondition for the subsequent authentication of the permission to start the remote desktop. Then, after the initial authentication passes, the permission to start the remote desktop is authenticated through the first domain according to the received remote desktop start request, and after that authentication passes the remote desktop is controlled to start in the first domain. Authenticating the access permission for the remote desktop through the first domain not only effectively prevents unauthorized access to the remote desktop by illegitimate users and behaviours such as impersonated access, ensuring the security of starting the remote desktop, but also, because the first domain running the remote desktop system and the domain running the operating system are mutually isolated, effectively overcomes problems such as poor stability and security risks introduced by the operating system. In addition, the first domain, which runs the remote desktop system independently of the operating system, can run a comparatively trimmed-down kernel, which reduces development complexity, shortens the development cycle and makes adaptation to other devices easy.
The embodiments of this application provide another possible implementation, which further includes, before step S110, step S100 (not shown in the figures): establishing the at least two mutually isolated execution domains on the basis of a type of virtual machine, so that the operating system and the remote desktop system can run separately in the at least two mutually isolated execution domains.
Specifically, the development staff design, develop and produce the terminal device in advance according to requirements; only after the terminal device has been mass-produced and sold can users purchase and use it, for example by connecting a preset dock device to the terminal device or starting a remote desktop through the terminal device.
Further, while the terminal device is being designed and developed, that is, before any preset dock device is connected to it, the system architecture of the terminal device can be planned and designed. A type of virtual machine is used as the system architecture of the terminal device, at least two mutually isolated execution domains are established on the basis of that virtual machine, and the operating system and the remote desktop system are run separately in those at least two mutually isolated execution domains, i.e. in two execution domains that are independent of and isolated from each other. For example, the remote desktop system runs in the first domain and the operating system runs in the second domain: the terminal user's everyday operating system runs in the second domain and meets everyday needs, while a customized remote desktop system runs in the first domain. The system kernel and run-time library in the second domain are trimmed down, retaining only the components necessary to run the remote desktop protocol and guarantee security, as shown in Fig. 3.
Further, the remote desktop system can run in a dedicated virtual machine instance, for example the remote desktop system runs in the first domain, and only the trimmed-down system kernel and run-time library run in the first domain. For example, in the first domain running the remote desktop system only the remote desktop protocol application is retained and security hardening is applied at the system kernel and system layer; by retaining only the remote virtual desktop client application in the first domain, stability is ensured to the greatest extent. Meanwhile, the operating system can run in another dedicated virtual machine instance, for example the operating system runs in the second domain, which is consistent with the original usage habits of the terminal device, and stability and security problems in that system do not affect the remote desktop system.
Further, the type of virtual machine referred to is a Type-I hypervisor. With a Type-I hypervisor no operating system is installed on the hardware; instead a virtualization software is installed directly, which takes over the CPU (central processing unit) and memory directly, and every host running on the hardware is a virtual machine.
In the embodiments of this application, running the operating system and the remote desktop system separately in two mutually isolated execution domains means that the remote desktop system does not need to be parasitic on the operating system of the terminal device. This avoids situations in which a failure of the operating system makes the remote desktop unavailable, and also avoids security risks and stability problems of the remote desktop caused by the security risks and stability problems of ordinary applications in the operating system. In addition, the first domain, which runs the remote desktop system independently of the operating system, can run a comparatively trimmed-down kernel, reducing development complexity, shortening the development cycle and making adaptation to other devices easy.
The embodiments of this application provide another possible implementation, which further includes, after step S110, step S111 (not shown in the figures): receiving a data communication request sent by the preset dock device, the data communication request carrying either the device identification code of the preset dock device or the device private key of the preset dock device.
In addition, step S110 specifically includes step S1101 (not shown) or step S1102 (not shown), in which:
Step S1101: determine whether the device identification code is an identification code in a preset device identification code list, and determine that the initial authentication passes when it is.
Step S1102: authenticate the device private key on the basis of a pre-stored device public key, and determine that the initial authentication passes when that authentication succeeds.
In addition, step S112 (not shown) is further included after step S110: if the operating system in the second domain is currently running, control the virtual machine manager to switch to the first domain running the remote desktop system.
Specifically, after detecting access by a preset dock device, the terminal device establishes a communication connection with it: for example, it receives the data communication request sent by the preset dock device and verifies it. If verification passes, it sends a confirmation message for the data communication request to the preset dock device, so as to establish the communication connection; if verification fails, it sends no response message to the preset dock device, or sends a refusal message for the data communication request, so that no communication connection is established.
Further, when the preset dock device sends the data communication request to the terminal device, the request can carry the device identification code or the device private key of the preset dock device, so that the terminal device can authenticate the legitimacy of the preset dock device on the basis of the identification code or private key carried in the request before establishing the communication connection, i.e. perform initial authentication on the preset dock device.
Further, the terminal device can perform initial authentication on the preset dock device according to the device identification code above, or according to the device private key above. When authenticating according to the device identification code, the terminal device can determine whether that identification code is one of the identification codes in the preset device identification code list. If it is, the initial authentication of the preset dock device is determined to have passed, and the terminal device can subsequently establish the communication connection by sending the preset dock device a confirmation message for the data communication request. When authenticating according to the device private key, the terminal device can authenticate the device private key on the basis of the pre-stored device public key; if that authentication passes, the initial authentication is determined to have passed, and the terminal device can likewise establish the communication connection by sending the preset dock device a confirmation message for the data communication request.
Further, after the initial authentication passes, if the terminal device determines that what is currently running is the operating system in the second domain, i.e. the currently started domain is the second domain running the operating system, it controls the virtual machine manager to switch to the first domain running the remote desktop system, so that the remote desktop can subsequently be started on the basis of the first domain. Note that if what is currently running is the remote desktop system in the first domain, the virtual machine manager does not need to be switched.
In the embodiments of this application, performing initial authentication on the accessing preset dock device ensures the security of the accessing preset dock device and provides a precondition for the subsequent authentication of the permission to start the remote desktop; after the initial authentication passes, the virtual machine manager is controlled to switch to the first domain running the remote desktop system, so that the remote desktop can subsequently be started on the basis of the first domain.
The embodiment of the present application provides another possible implementation, in which step S120 specifically includes step S1201 (not marked in the figures) and step S1202 (not marked in the figures), wherein:
Step S1201: receive, through the first domain, a start request for starting the remote desktop, the start request carrying the identification code of the security chip in the preset dock device and the network information of the terminal device at the time the start request is sent;
Step S1202: determine, through the first domain, whether the identification code of the security chip and the network information both satisfy preset conditions, so as to authenticate the start permission.
Step S1202 specifically includes step S12021 (not marked in the figures) and step S12022 (not marked in the figures), wherein:
Step S12021: determine that the identification code of the security chip belongs to the identification codes in a preset chip identification code list;
Step S12022: determine that the LAN information and the public network information in the network information belong to the network information in a preset network information list.
Specifically, a user can start the remote desktop by sending a start request for the remote desktop to the terminal device, that is, the terminal device receives the start request for the remote desktop. After receiving the start request, the terminal device does not start the remote desktop immediately, but first authenticates, through the first domain, the permission to start the remote desktop according to the received start request.
Further, the terminal device may receive the start request for the remote desktop through the first domain. The start request may carry the identification code of the security chip in the preset dock device and the network information of the terminal device at the time it sends the start request. After receiving the start request, the terminal device determines, through the first domain, whether the identification code of the security chip and the network information carried in the request both satisfy the preset conditions, so as to authenticate the start permission; in other words, the first domain automatically performs the authorization check according to the preset dock device and the current network information before the remote desktop connection is established.
Further, the network information at the time the terminal device sends the start request includes LAN information and public network information. When determining whether the identification code of the security chip and the network information both satisfy the preset conditions, the terminal device may determine whether the identification code of the security chip belongs to the identification codes in the preset chip identification code list; if it does, the identification code of the security chip is determined to satisfy its preset condition. At the same time, it may determine whether the LAN information and the public network information in the network information both belong to the network information in the preset network information list; if they do, the network information is determined to satisfy its preset condition.
Further, when the identification code of the security chip and the network information both satisfy the preset conditions, the start permission of the remote desktop is determined to have passed authentication, and the first domain may then start the Remote Desktop Protocol connection to start the remote desktop. If either the identification code of the security chip or the network information does not satisfy its preset condition, the start permission of the remote desktop is determined to have failed authentication; the Remote Desktop Protocol connection is not made, that is, the remote desktop is not started.
Further, if the terminal device detects that the preset dock device has been disconnected, for example because the user disconnects the preset dock device from the terminal device, the terminal device closes the remote desktop through the first domain; that is, the first domain runs the remote desktop only until the user disconnects the preset dock device from the terminal device.
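The start-permission check of steps S1201 and S1202, together with the rule that the remote desktop is closed when the dock is detached, can be modelled in a few dozen lines. The Go program below is an added example written for this page, not code from the patent. It assumes that the preset network information list is expressed as CIDR prefixes (the patent only says the LAN and public network information must belong to a preset list) and that an unparsable address fails the check; the `Policy`, `StartRequest` and `Session` names and the sample chip identifier and addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// StartRequest carries what the description says the start request carries:
// the identification code of the security chip in the dock and the terminal's
// network information (LAN and public network) at the moment of the request.
type StartRequest struct {
	ChipID   string
	LANAddr  string // terminal's LAN address, e.g. "10.20.30.40"
	PublicIP string // terminal's public address, e.g. "203.0.113.7"
}

// Policy is the preset data the first domain checks against. Network entries
// are modelled as CIDR prefixes (assumption; the page only names a preset list).
type Policy struct {
	allowedChips map[string]struct{}
	lanPrefixes  []netip.Prefix
	pubPrefixes  []netip.Prefix
}

func parsePrefixes(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad prefix %q: %w", c, err)
		}
		out = append(out, p)
	}
	return out, nil
}

func NewPolicy(chips, lanCIDRs, pubCIDRs []string) (*Policy, error) {
	lan, err := parsePrefixes(lanCIDRs)
	if err != nil {
		return nil, err
	}
	pub, err := parsePrefixes(pubCIDRs)
	if err != nil {
		return nil, err
	}
	p := &Policy{allowedChips: make(map[string]struct{}), lanPrefixes: lan, pubPrefixes: pub}
	for _, c := range chips {
		p.allowedChips[c] = struct{}{}
	}
	return p, nil
}

// inAny reports whether raw parses to an address inside one of the prefixes.
// An unparsable address never matches, so a malformed request fails closed.
func inAny(raw string, prefixes []netip.Prefix) bool {
	addr, err := netip.ParseAddr(raw)
	if err != nil {
		return false
	}
	for _, p := range prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// Authorize is the step S1202 check: the chip identification code and both
// parts of the network information must each satisfy their preset condition.
// The reason string is for the first domain's own log, not for the requester.
func (p *Policy) Authorize(r StartRequest) (bool, string) {
	if _, ok := p.allowedChips[r.ChipID]; !ok {
		return false, "security chip identification code not in preset list"
	}
	if !inAny(r.LANAddr, p.lanPrefixes) {
		return false, "LAN information not in preset network information list"
	}
	if !inAny(r.PublicIP, p.pubPrefixes) {
		return false, "public network information not in preset network information list"
	}
	return true, "start permission authenticated"
}

// Session models the remote desktop in the first domain: it becomes active only
// after Authorize succeeds and is closed as soon as the dock is detached.
type Session struct{ Active bool }

func (s *Session) Start(p *Policy, r StartRequest) (bool, string) {
	ok, why := p.Authorize(r)
	if ok {
		s.Active = true // this is where the RDP connection would be opened
	}
	return ok, why
}

func (s *Session) DockDetached() { s.Active = false }

func main() {
	// Constructed sample policy and requests.
	p, err := NewPolicy([]string{"SC-1001"}, []string{"10.20.0.0/16"}, []string{"203.0.113.0/24"})
	if err != nil {
		panic(err)
	}
	var s Session
	fmt.Println(s.Start(p, StartRequest{ChipID: "SC-1001", LANAddr: "10.20.30.40", PublicIP: "203.0.113.7"}))
	fmt.Println(p.Authorize(StartRequest{ChipID: "SC-1001", LANAddr: "192.168.1.5", PublicIP: "203.0.113.7"}))
	s.DockDetached()
	fmt.Println("active after dock detach:", s.Active)
}
```

The check is deliberately conjunctive: a valid chip identifier from an unexpected network, or an expected network without the dock's chip, both stop before the Remote Desktop Protocol connection is attempted, which is the behaviour the passage describes.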
For the embodiment of the present application, authenticating the access permission of the remote desktop through the first domain effectively prevents unauthorized access to the remote desktop by illegitimate users, impersonation and similar behaviour, and ensures the security of starting the remote desktop.
Embodiment two
Fig. 4 is a schematic structural diagram of a device for starting a remote desktop provided by an embodiment of the present application. As shown in Fig. 4, the device is applied in an application environment including at least two mutually isolated execution domains, in which an operating system and a remote desktop system run separately. The device may include a first authentication module 41, a second authentication module 42 and a starting module 43, wherein:
the first authentication module 41 is configured to perform initial authentication on the attached preset dock device when attachment of the preset dock device is detected;
the second authentication module 42 is configured to, when initial authentication passes, authenticate the start permission of the remote desktop through the first domain according to the received remote desktop start request;
the starting module 43 is configured to, when the start permission passes authentication, control the remote desktop to start in the first domain, so that the remote desktop system runs in the first domain.
Specifically, the device further includes an establishing module 44. As shown in Fig. 5, the establishing module 44 is configured to establish the at least two mutually isolated execution domains based on a virtual machine, so that an operating system and a remote desktop system can run separately in the at least two mutually isolated execution domains.
Further, the device further includes a receiving module 45. As shown in Fig. 5, the receiving module 45 is configured to receive the data communication request sent by the preset dock device; the data communication request carries either the device identification code of the preset dock device or the device private key of the preset dock device;
the first authentication module 41 includes a first determining submodule 411 and an authentication submodule 412, as shown in Fig. 5, wherein:
the first determining submodule 411 is configured to determine whether the device identification code is an identification code in the preset device identification code list, and, when it is, to determine that initial authentication passes; alternatively,
the authentication submodule 412 is configured to authenticate the device private key based on the pre-stored device public key, and, when that authentication passes, to determine that initial authentication passes.
Further, the device further includes a switching module 46. As shown in Fig. 5, the switching module 46 is configured to control the virtual machine manager to switch to the first domain running the remote desktop system when the operating system in the second domain is currently running.
Further, the second authentication module 42 includes a start request receiving submodule 421 and a second determining submodule 422, as shown in Fig. 5, wherein:
the start request receiving submodule 421 is configured to receive, through the first domain, the start request for starting the remote desktop, the start request carrying the identification code of the security chip in the preset dock device and the network information of the terminal device at the time it sends the start request;
the second determining submodule 422 is configured to determine, through the first domain, whether the identification code of the security chip and the network information both satisfy the preset conditions, so as to authenticate the start permission.
Further, the second determining submodule 422 is specifically configured to determine that the identification code of the security chip belongs to the identification codes in the preset chip identification code list, and to determine that the LAN information and the public network information in the network information belong to the network information in the preset network information list.
Compared with the prior art, the device provided by the embodiment of the present application performs initial authentication on the attached preset dock device when its attachment is detected, which ensures the security of the attached preset dock device and provides a precondition for the subsequent authentication of the permission to start the remote desktop. Then, after initial authentication passes, the start permission of the remote desktop is authenticated through the first domain according to the received remote desktop start request, and after the start permission passes authentication the remote desktop is controlled to start in the first domain. Authenticating the access permission of the remote desktop through the first domain not only effectively prevents unauthorized access to the remote desktop by illegitimate users, impersonation and similar behaviour, ensuring the security of starting the remote desktop; because the first domain running the remote desktop system and the domain running the operating system are mutually isolated, it also effectively overcomes problems such as poor stability and security risks introduced by the operating system. In addition, since the first domain running the remote desktop system is independent of the operating system, it can run a relatively simplified kernel, which reduces development complexity, shortens the development cycle, and makes adaptation to other devices easy.
Embodiment three
The embodiment of the present application provides an electronic device. As shown in Fig. 6, the electronic device 600 includes a processor 601 and a memory 603, the processor 601 being connected with the memory 603, for example via a bus 602. Further, the electronic device 600 may also include a transceiver 604. It should be noted that in practical applications the transceiver 604 is not limited to one, and the structure of the electronic device 600 does not constitute a limitation on the embodiment of the present application.
The processor 601 is applied in the embodiment of the present application to implement the functions of the first authentication module, the second authentication module and the starting module shown in Fig. 4 or Fig. 5, and the functions of the establishing module, the receiving module and the switching module shown in Fig. 5.
The processor 601 may be a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the present disclosure. The processor 601 may also be a combination that realizes computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
The bus 602 may include a path for transferring information between the above components. The bus 602 may be a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one thick line is drawn in Fig. 6, but this does not mean that there is only one bus or only one type of bus.
The memory 603 may be a ROM or another type of static storage device that can store static information and instructions, a RAM or another type of dynamic storage device that can store information and instructions, or an EEPROM, a CD-ROM or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.
The memory 603 is configured to store the application program code for executing the solution of the present application, and its execution is controlled by the processor 601. The processor 601 is configured to execute the application program code stored in the memory 603 so as to realize the actions of the device for starting a remote desktop provided by the embodiment shown in Fig. 4 or Fig. 5.
The electronic device provided by the embodiment of the present application includes a memory, a processor and a computer program stored on the memory and runnable on the processor. Compared with the prior art, when the processor executes the program it can achieve the following: when attachment of the preset dock device is detected, initial authentication is performed on the attached preset dock device, which ensures the security of the attached preset dock device and provides a precondition for the subsequent authentication of the permission to start the remote desktop; then, after initial authentication passes, the start permission of the remote desktop is authenticated through the first domain according to the received remote desktop start request, and after the start permission passes authentication the remote desktop is controlled to start in the first domain. Authenticating the access permission of the remote desktop through the first domain not only effectively prevents unauthorized access to the remote desktop by illegitimate users, impersonation and similar behaviour, ensuring the security of starting the remote desktop; because the first domain running the remote desktop system and the domain running the operating system are mutually isolated, it also effectively overcomes problems such as poor stability and security risks introduced by the operating system. In addition, since the first domain running the remote desktop system is independent of the operating system, it can run a relatively simplified kernel, which reduces development complexity, shortens the development cycle, and makes adaptation to other devices easy.
The embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the method shown in Embodiment one is realized. Compared with the prior art, when attachment of the preset dock device is detected, initial authentication is performed on the attached preset dock device, which ensures the security of the attached preset dock device and provides a precondition for the subsequent authentication of the permission to start the remote desktop; then, after initial authentication passes, the start permission of the remote desktop is authenticated through the first domain according to the received remote desktop start request, and after the start permission passes authentication the remote desktop is controlled to start in the first domain. Authenticating the access permission of the remote desktop through the first domain not only effectively prevents unauthorized access to the remote desktop by illegitimate users, impersonation and similar behaviour, ensuring the security of starting the remote desktop; because the first domain running the remote desktop system and the domain running the operating system are mutually isolated, it also effectively overcomes problems such as poor stability and security risks introduced by the operating system. In addition, since the first domain running the remote desktop system is independent of the operating system, it can run a relatively simplified kernel, which reduces development complexity, shortens the development cycle, and makes adaptation to other devices easy.
The computer-readable storage medium provided by the embodiment of the present application is applicable to any of the embodiments of the above method, which are not repeated here.
It should be understood that although the steps in the flow charts of the drawings are shown in sequence as indicated by the arrows, these steps are not necessarily executed in that sequence. Unless expressly stated otherwise herein, there is no strict ordering restriction on the execution of these steps, and they may be executed in another order. Moreover, at least some of the steps in the flow charts of the drawings may include multiple sub-steps or multiple stages; these sub-steps or stages are not necessarily executed and completed at the same moment but may be executed at different times, and their execution order is not necessarily sequential: they may be executed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
The above is only part of the embodiments of the present application. It should be pointed out that those of ordinary skill in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be regarded as within the protection scope of the present application.

Claims (10)

1. A method for starting a remote desktop, characterized in that the method is applied in an application environment including at least two mutually isolated execution domains, an operating system and a remote desktop system running separately in the at least two mutually isolated execution domains, the method comprising:
when attachment of a preset dock device is detected, performing initial authentication on the attached preset dock device;
if initial authentication passes, authenticating, through a first domain, the start permission of the remote desktop according to a received remote desktop start request;
if the start permission passes authentication, controlling the remote desktop to start in the first domain, so that the remote desktop system runs in the first domain.
2. The method according to claim 1, characterized in that, before attachment of the preset dock device is detected, the method further comprises:
establishing the at least two mutually isolated execution domains based on a virtual machine, so that the operating system and the remote desktop system can run separately in the at least two mutually isolated execution domains.
3. The method according to claim 2, characterized in that, after attachment of the preset dock device is detected, the method further comprises:
receiving a data communication request sent by the preset dock device, the data communication request carrying either the device identification code of the preset dock device or the device private key of the preset dock device;
and the performing initial authentication on the attached preset dock device comprises:
determining whether the device identification code is an identification code in a preset device identification code list;
if so, determining that initial authentication passes; or alternatively,
authenticating the device private key based on a pre-stored device public key;
if that authentication passes, determining that initial authentication passes.
4. The method according to any one of claims 1 to 3, characterized in that, after initial authentication passes, the method further comprises:
if the operating system in a second domain is currently running, controlling a virtual machine manager to switch to the first domain running the remote desktop system.
5. The method according to claim 1, characterized in that authenticating, through the first domain, the start permission of the remote desktop according to the received remote desktop start request comprises:
receiving, through the first domain, a start request for starting the remote desktop, the start request carrying the identification code of a security chip in the preset dock device and the network information of a terminal device at the time it sends the start request;
determining, through the first domain, whether the identification code of the security chip and the network information both satisfy preset conditions, so as to authenticate the start permission.
6. The method according to claim 5, characterized in that determining that the identification code of the security chip satisfies the preset condition comprises:
determining that the identification code of the security chip belongs to the identification codes in a preset chip identification code list;
and determining that the network information satisfies the preset condition comprises:
determining that the LAN information and the public network information in the network information belong to the network information in a preset network information list.
7. A device for starting a remote desktop, characterized in that the device is applied in an application environment including at least two mutually isolated execution domains, an operating system and a remote desktop system running separately in the at least two mutually isolated execution domains, the device comprising:
a first authentication module, configured to perform initial authentication on an attached preset dock device when attachment of the preset dock device is detected;
a second authentication module, configured to, when initial authentication passes, authenticate the start permission of the remote desktop through a first domain according to a received remote desktop start request;
a starting module, configured to, when the start permission passes authentication, control the remote desktop to start in the first domain, so that the remote desktop system runs in the first domain.
8. The device according to claim 7, characterized in that it further comprises an establishing module;
the establishing module being configured to establish the at least two mutually isolated execution domains based on a virtual machine, so that the operating system and the remote desktop system can run separately in the at least two mutually isolated execution domains.
9. An electronic device, comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the program, realizes the method for starting a remote desktop according to any one of claims 1 to 6.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the program, when executed by a processor, realizes the method for starting a remote desktop according to any one of claims 1 to 6.
CN201811447982.3A 2018-11-29 2018-11-29 Method and device for starting remote desktop, electronic equipment and computer storage medium Active CN109583182B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811447982.3A CN109583182B (en) 2018-11-29 2018-11-29 Method and device for starting remote desktop, electronic equipment and computer storage medium

Publications (2)

Publication Number Publication Date
CN109583182A true CN109583182A (en) 2019-04-05
CN109583182B CN109583182B (en) 2021-06-04

Family

ID=65925479

Country Status (1)

Country Link
CN (1) CN109583182B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230516

Address after: Room 401, Floor 4, No. 2, Haidian East Third Street, Haidian District, Beijing 100080

Patentee after: Yuanxin Information Technology Group Co.,Ltd.

Address before: 100176 room 2222, building D, building 33, 99 Kechuang 14th Street, Beijing Economic and Technological Development Zone, Daxing District, Beijing

Patentee before: YUANXIN TECHNOLOGY
