CN109583182B - Method and device for starting remote desktop, electronic equipment and computer storage medium - Google Patents

Info

Publication number: CN109583182B
Authority: CN (China)
Prior art keywords: remote desktop, starting, domain, preset, identification code
Legal status: Active (the listed status is an assumption, not a legal conclusion)
Application number: CN201811447982.3A
Other languages: Chinese (zh)
Other versions: CN109583182A (en)
Inventors: 孙国峰 (Sun Guofeng), 赵春雷 (Zhao Chunlei), 邹仕洪 (Zou Shihong)
Current assignee: Yuanxin Information Technology Group Co Ltd (assignee lists may be inaccurate)
Original assignee: Beijing Yuanxin Science and Technology Co Ltd
Legal events: application filed by Beijing Yuanxin Science and Technology Co Ltd with priority to CN201811447982.3A; publication of CN109583182A; application granted; publication of CN109583182B; current status Active.

Classifications

All entries fall under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING.

    • G06F21/44 Program or device authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability (under G06F21/50; G06F21/00)
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F21/62; G06F21/60 Protecting data; G06F21/00)
    • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode (under G06F21/71; G06F21/70; G06F21/00)
    • G06F9/452 Remote windowing, e.g. X-Window System, desktop virtualisation (under G06F9/451 Execution arrangements for user interfaces; G06F9/44 Arrangements for executing specific programs; G06F9/06 Arrangements for program control using stored programs; G06F9/00 Arrangements for program control, e.g. control units)
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (under G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements; G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)

Abstract

The application relates to the technical field of terminal equipment and discloses a method and a device for starting a remote desktop, an electronic device and a computer-readable storage medium. The method for starting the remote desktop is applied in an application environment comprising at least two mutually isolated execution domains, in which an operating system and a remote desktop system respectively run, and comprises the following steps: when access by a preset docking device is detected, performing initial authentication on the accessed docking device; if the initial authentication passes, authenticating the start authority of the remote desktop through the first domain according to the received remote desktop start request; and if the start authority authentication passes, controlling the remote desktop to start in the first domain so that the remote desktop system runs in the first domain. The method of the embodiments effectively prevents illegal access, impersonated access and similar behaviour by unauthorised users towards the remote desktop, and secures the starting of the remote desktop.

Description

Method and device for starting remote desktop, electronic equipment and computer storage medium
Technical Field
The application relates to the technical field of terminal equipment, in particular to a method and a device for starting a remote desktop, electronic equipment and a computer storage medium.
Background
As graphical operating systems have matured, remote connections have come to support direct graphical presentation of, and access to, remote computing environments, and a range of remote desktop protocols has appeared. The most common are Microsoft's RDP (Remote Desktop Protocol), VNC (Virtual Network Computing) based on the RFB (Remote Framebuffer) protocol, X-based protocols, PCoIP (PC over IP), HDX/ICA (High Definition Experience / Independent Computing Architecture), SPICE (Simple Protocol for Independent Computing Environments), RGS (Remote Graphics Software) and other proprietary protocols. Through these communication protocols a remote desktop running on a server can be presented on the terminal device in a natural way, and the way the user operates it is identical to operating a desktop system running on the local terminal device.
With the advent of the cloud computing era and the rapid development of virtualisation technology, the remote desktop has moved from running directly on bare server hardware to running in a virtual machine on an IaaS (Infrastructure as a Service) or PaaS (Platform as a Service) platform. In the 5G era, in which bandwidth is no longer a bottleneck, terminal software or terminal hardware built on these remote desktop protocols can conveniently bring the cloud virtual desktop environment to the local terminal device, and the trend towards completely replacing traditional office desktops and notebooks is strong.
At present, the remote virtual desktop client is usually hosted in the operating system of the terminal device. However, this approach is complex to develop and has a long development cycle, is not easily adapted to new devices, carries certain security risks, and lacks stability.
Disclosure of Invention
The purpose of the present application is to solve at least one of the above technical drawbacks, and to provide the following solutions:
in a first aspect, a method for starting a remote desktop is provided, which is applied in an application environment including at least two isolated execution domains, in which an operating system and a remote desktop system respectively run, and which includes:
when access by a preset docking device is detected, performing initial authentication on the accessed docking device;
if the initial authentication passes, authenticating the start authority of the remote desktop through the first domain according to the received remote desktop start request;
and if the start authority authentication passes, controlling the remote desktop to start in the first domain so that the remote desktop system runs in the first domain.
In a second aspect, an apparatus for starting a remote desktop is provided, which is applied in an application environment including at least two isolated execution domains, in which an operating system and a remote desktop system respectively run, and which includes:
a first authentication module, which performs initial authentication on the accessed preset docking device when access by the docking device is detected;
a second authentication module, which authenticates the start authority of the remote desktop through the first domain according to the received remote desktop start request when the initial authentication has passed;
and a start module, which controls the remote desktop to start in the first domain when the start authority authentication has passed, so that the remote desktop system runs in the first domain.
In a third aspect, an electronic device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the method for starting a remote desktop is implemented.
In a fourth aspect, a computer-readable storage medium is provided, on which a computer program is stored, which when executed by a processor implements the method of starting a remote desktop described above.
According to the method for starting the remote desktop, when access by the preset docking device is detected, the accessed docking device is first authenticated, which ensures that the docking device is trustworthy and provides a precondition for the subsequent authentication of the start authority of the remote desktop. After the initial authentication passes, the start authority of the remote desktop is authenticated through the first domain according to the received remote desktop start request, and once the start authority authentication passes, the remote desktop is started in the first domain. Authenticating the access authority of the remote desktop through the first domain effectively prevents illegal access, impersonated access and similar behaviour by unauthorised users, and secures the starting of the remote desktop. Because the first domain running the remote desktop system is isolated from the domain running the operating system, instability and security risks originating in the operating system cannot affect it. In addition, the first domain, which is independent of the operating system and runs only the remote desktop system, need only run a relatively minimal kernel, which reduces development complexity, shortens the development cycle and makes adaptation to other devices easy.
Additional aspects and advantages of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a diagram illustrating a remote desktop system and an operating system according to the prior art;
FIG. 2 is a flowchart illustrating a method for starting a remote desktop according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a first domain running the remote desktop system and a second domain running the operating system according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a basic structure of an apparatus for starting a remote desktop according to an embodiment of the present application;
FIG. 5 is a detailed structural diagram of an apparatus for starting a remote desktop according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary only for the purpose of explaining the present application and are not to be construed as limiting the present application.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising", when used in this specification, specify the presence of stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may be present. Further, "connected" or "coupled" as used herein includes wirelessly connected or wirelessly coupled. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
In the prior art, remote virtual desktop client software running on a terminal device connects to a virtual desktop in the cloud through a remote desktop protocol. The intelligent terminal is connected to a hub-like device and, through that hub, to the local area network, a mouse, a keyboard, a display and so on, as shown in FIG. 1, so that the user can use the remote virtual desktop like an ordinary computer. However, in the implementation in which the virtual desktop client is hosted in the operating system of the intelligent terminal, once the operating system fails the remote virtual desktop can no longer be used, and security risks may arise; that is, the implementation lacks stability, is complex to develop, has a long development cycle and is difficult to adapt to new devices.
The application provides a method, an apparatus, an electronic device and a computer-readable storage medium for starting a remote desktop, which aim to solve the above technical problems in the prior art.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Example one
An embodiment of the present application provides a method for starting a remote desktop, applied in an application environment including at least two isolated execution domains in which an operating system and a remote desktop system respectively run, as shown in FIG. 2, including:
Step S110: when access by a preset docking device is detected, perform initial authentication on the accessed docking device.
Specifically, the preset docking device may connect to an external device through a preset communication interface: for example, it connects to a mobile phone, a computer or an iPad through a USB (Universal Serial Bus) interface, or to a smartphone through the phone's audio jack, similarly to the U-shield (the USB security token commonly used for online banking today).
Further, a security chip is built into the preset docking device in advance and is used to authenticate the user's identity and to establish a chain of trust.
Further, the terminal device may determine whether a preset docking device has been connected by detecting a level change on the USB interface or the audio interface, and performs initial authentication on the docking device when its access is detected.
Step S120: if the initial authentication passes, authenticate the start authority of the remote desktop through the first domain according to the received remote desktop start request.
Specifically, the user may send a remote desktop start request to the terminal device through the preset docking device in order to connect to the remote virtual desktop. After the docking device is connected, the terminal device first authenticates it in step S110, and only after that initial authentication passes does it authenticate the received remote desktop start request.
Further, when authenticating the received remote desktop start request, the terminal device may authenticate the start authority of the remote desktop through the first domain.
Step S130: if the start authority authentication passes, control the remote desktop to start in the first domain, so that the remote desktop system runs in the first domain.
Specifically, after the terminal device has authenticated the start authority of the remote desktop through the first domain, it starts the remote desktop through the first domain: for example, a start request may be sent to the remote desktop through the remote desktop protocol in the first domain, and on receiving that request the remote desktop starts, i.e. the remote desktop system runs in the first domain of the terminal device.
Compared with the prior art, the method for starting a remote desktop provided by this embodiment first authenticates the preset docking device when its access is detected, which ensures that the docking device is trustworthy and provides a precondition for the subsequent authentication of the start authority of the remote desktop. After the initial authentication passes, the start authority of the remote desktop is authenticated through the first domain according to the received remote desktop start request, and once that authentication passes the remote desktop is started in the first domain. Authenticating the access authority of the remote desktop through the first domain effectively prevents illegal access, impersonated access and similar behaviour by unauthorised users, and secures the starting of the remote desktop. Because the first domain running the remote desktop system is isolated from the domain running the operating system, instability and security risks originating in the operating system cannot affect it. In addition, the first domain, which is independent of the operating system and runs only the remote desktop system, need only run a relatively minimal kernel, which reduces development complexity, shortens the development cycle and makes adaptation to other devices easy.
The embodiment of the present application provides another possible implementation, in which step S100 (not labelled in the figure) precedes step S110: at least two mutually isolated execution domains are established on a Type-1 virtual machine (a bare-metal hypervisor), so that the operating system and the remote desktop system can run in them respectively.
Specifically, developers design, develop and produce the terminal device in advance according to requirements, and only after the terminal device has been mass-produced and sold does the user purchase and use it, for example by connecting the preset docking device to it or by starting a remote desktop through it.
Further, during the design and development of the terminal device, that is, before any preset docking device is connected to it, the system architecture of the terminal device can be planned so that it is based on a Type-1 virtual machine: at least two mutually isolated execution domains are established on the hypervisor, and the operating system and the remote desktop system run in them respectively, i.e. in two mutually independent and mutually isolated execution domains. For example, the remote desktop system runs in the first domain and the operating system in the second domain; the operating system the user works with every day runs in the second domain to meet daily needs, while a customised remote desktop system runs in the first domain, whose system kernel and runtime libraries are stripped down so that only the components needed to run the remote desktop protocol and to ensure security remain, as shown in FIG. 3.
Further, the remote desktop system may run in a dedicated virtual machine instance, for example the first domain, in which only the reduced system kernel and runtime libraries run: only the remote desktop protocol application is retained in the first domain, security hardening is applied at the kernel and system layers, and stability is maximised because the remote virtual desktop client is the only application kept there. Meanwhile the operating system may run in another dedicated virtual machine instance, for example the second domain, which matches the way the terminal device was originally used, and whose stability and security problems cannot affect the remote desktop system.
Furthermore, the Type-1 virtual machine is virtualisation of Type 1 (bare metal): no operating system is installed on the hardware; the virtualisation software (the hypervisor) is installed directly on it and takes over the CPU (central processing unit) and memory, and every system running on that hardware runs as a virtual machine.
For this embodiment, because the operating system and the remote desktop system run in two mutually isolated execution domains, the remote desktop system need not be hosted inside the operating system of the terminal device. This avoids the situation in which the remote desktop cannot be used because of an operating system fault, and also avoids the security and stability problems that ordinary applications in the operating system would otherwise impose on the remote desktop.
The embodiment of the present application provides another possible implementation, in which step S110 further includes step S111 (not labelled in the figure): receiving a data communication request sent by the preset docking device, the request carrying either the device identification code of the docking device or the device private key of the docking device.
In addition, step S110 specifically includes step S1101 (not shown) or step S1102 (not shown), where:
step S1101: determine whether the device identification code is an identification code in the preset device identification code list, and determine that the initial authentication passes when it is.
step S1102: authenticate the device private key against the pre-stored device public key, and determine that the initial authentication passes when that authentication succeeds.
In addition, step S112 (not labelled in the figure) follows step S110: if the operating system in the second domain is currently running, control the virtual machine manager to switch to the first domain, which runs the remote desktop system.
Specifically, after detecting that the preset docking device has been plugged in, the terminal device establishes a communication connection with it: for example, it receives the data communication request sent by the docking device and verifies it; if the verification passes it sends a confirmation message for the request to the docking device and establishes the connection; if the verification fails it sends no response at all, or sends a rejection message for the request, and does not establish a connection.
Further, when the preset docking device sends the data communication request to the terminal device, the request may carry the device identification code of the docking device or its device private key, so that the terminal device can perform validity authentication based on the identification code or private key carried in the request before establishing the communication connection, that is, perform initial authentication on the docking device.
Further, the terminal device may perform the initial authentication either by the device identification code or by the device private key. In the first case it determines whether the device identification code is an identification code in the preset device identification code list; if so, the initial authentication passes and the terminal device may establish the communication connection by sending confirmation information for the data communication request to the docking device. In the second case it authenticates the device private key against the pre-stored device public key; if that authentication passes, the initial authentication passes and the terminal device likewise establishes the connection by sending the confirmation information. Two points a practitioner will want to keep in mind: a private key must never leave the security chip, so what the terminal can actually verify with the pre-stored public key is a signature produced inside the chip over a challenge the terminal supplies; and an identification code alone can be copied from a genuine dock, so the list check of S1101 is the weaker of the two methods.
Further, after the initial authentication passes, if the terminal device determines that the operating system in the second domain is currently running, it controls the virtual machine manager to switch to the first domain, which runs the remote desktop system, so that the remote desktop can subsequently be started from the first domain. If the remote desktop system in the first domain is already running, no switch is needed.
For this embodiment, the accessed preset docking device is first authenticated, which ensures that it is trustworthy and provides a precondition for the subsequent authentication of the start authority of the remote desktop; after the initial authentication passes, the virtual machine manager is switched to the first domain running the remote desktop system, which makes the subsequent start of the remote desktop from the first domain straightforward.
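The initial authentication exchange of steps S111, S1101 and S1102, as an added Go example written for this page; it is not code from the patent or from the assignee's products. It assumes an Ed25519 key pair held inside the dock's security chip, a 32-byte challenge issued by the terminal on each insertion, and the field names shown for the data communication request. The patent's wording that the request "carries the device private key" is rendered here as the chip signing the terminal's challenge, because a private key that leaves the chip can be copied and then proves nothing. The dock and terminal objects, the message prefix and the sample device identifiers are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Dock models the preset docking device; the private key never leaves its chip (assumed).
type Dock struct {
	DeviceID string
	priv     ed25519.PrivateKey
}

// NewDock generates the chip's key pair, as would happen at personalisation.
func NewDock(id string) (*Dock, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Dock{DeviceID: id, priv: priv}, nil
}

// Public returns the key the terminal pre-stores for this dock.
func (d *Dock) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// DataCommRequest is the request sent on insertion (S111); the layout is an assumption.
type DataCommRequest struct {
	DeviceID  string
	Signature []byte // nil when the dock presents only its identification code
}

// signedMessage binds a signature to this dock, this purpose and this challenge.
func signedMessage(id string, challenge []byte) []byte {
	return append([]byte("dock-init-auth|"+id+"|"), challenge...)
}

// Request is the dock's side of the exchange for a terminal-issued challenge.
func (d *Dock) Request(challenge []byte) DataCommRequest {
	sig := ed25519.Sign(d.priv, signedMessage(d.DeviceID, challenge))
	return DataCommRequest{DeviceID: d.DeviceID, Signature: sig}
}

// Terminal holds the preset identification code list (S1101) and pre-stored public keys (S1102).
type Terminal struct {
	allowedIDs map[string]bool
	pubKeys    map[string]ed25519.PublicKey
}

func NewTerminal() *Terminal {
	return &Terminal{allowedIDs: map[string]bool{}, pubKeys: map[string]ed25519.PublicKey{}}
}

func (t *Terminal) AllowID(id string)                            { t.allowedIDs[id] = true }
func (t *Terminal) RegisterKey(id string, pub ed25519.PublicKey) { t.pubKeys[id] = pub }

// NewChallenge issues a fresh nonce per insertion; a fixed value would let a
// recorded signature be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

var ErrRejected = errors.New("initial authentication failed")

// InitialAuth is step S110. It returns true when the terminal should send the
// confirmation message and connect, false when it should stay silent or reject.
func (t *Terminal) InitialAuth(challenge []byte, req DataCommRequest) (bool, error) {
	if len(challenge) == 0 {
		return false, errors.New("a challenge must be issued before authentication")
	}
	// S1102: a dock with a pre-stored public key must prove possession of the
	// key; falling back to the allowlist here would let a cloned ID bypass it.
	if pub, ok := t.pubKeys[req.DeviceID]; ok {
		if !ed25519.Verify(pub, signedMessage(req.DeviceID, challenge), req.Signature) {
			return false, ErrRejected
		}
		return true, nil
	}
	// S1101: identification code present in the preset list.
	if t.allowedIDs[req.DeviceID] {
		return true, nil
	}
	return false, ErrRejected
}

func main() {
	dock, _ := NewDock("DOCK-0001")
	term := NewTerminal()
	term.RegisterKey(dock.DeviceID, dock.Public())
	ch, _ := NewChallenge()
	ok, err := term.InitialAuth(ch, dock.Request(ch))
	fmt.Println("genuine dock:", ok, err)
	ok, err = term.InitialAuth(ch, DataCommRequest{DeviceID: dock.DeviceID}) // cloned ID, no key
	fmt.Println("cloned ID:", ok, err)
	ch2, _ := NewChallenge()
	ok, err = term.InitialAuth(ch2, dock.Request(ch)) // signature for an old challenge
	fmt.Println("replay:", ok, err)
}
```

The terminal never accepts the allowlist path for a device that has a registered key: an attacker who reads the identification code off a genuine dock (it is sent in the clear) would otherwise only need to present that code. The challenge makes each signature single-use, which is what the patent's "establishment of a trust chain" by the security chip needs in practice.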
The embodiment of the present application provides another possible implementation manner, wherein step S120 specifically includes step S1201 (not labeled in the figure) and step S1202 (not labeled in the figure), wherein,
step S1201: receiving, through the first domain, a start request for starting the remote desktop, wherein the start request carries the identification code of the security chip in the preset docking device and the network information of the terminal device at the time it sends the start request;
step S1202: determining, through the first domain, whether the identification code of the security chip and the network information both meet preset conditions, so as to authenticate the start permission.
The step S1202 specifically includes a step S12021 (not shown) and a step S12022 (not shown), wherein,
step S12021: determining that the identification code of the security chip belongs to the identification codes in the preset chip identification code list;
step S12022: determining that both the local area network information and the public network information in the network information belong to the network information in the preset network information list.
Specifically, the user may start the remote desktop by sending the terminal device a start request for starting the remote desktop; that is, the terminal device receives the start request. After receiving it, the terminal device does not start the remote desktop immediately; instead, it authenticates the start permission of the remote desktop through the first domain according to the received start request.
Further, the terminal device may receive the start request through the first domain. The start request may carry the identification code of the security chip in the preset docking device and the network information of the terminal device at the time it sends the request. After receiving the start request, the terminal device determines, through the first domain, whether the identification code of the security chip and the network information carried in the request both satisfy a preset condition, and thereby authenticates the start permission; in other words, the first domain automatically authenticates the user according to the preset docking device and the current network information before a connection to the remote desktop is established.
Further, the network information of the terminal device at the time it sends the start request includes local area network information and public network information. Whether the identification code of the security chip satisfies the preset condition is determined by checking whether it belongs to the identification codes in a preset chip identification code list; if it does, the identification code of the security chip meets the preset condition. Whether the network information satisfies the preset condition is determined by checking whether both the local area network information and the public network information belong to the network information in a preset network information list; if both do, the network information meets the preset condition.
Further, when the identification code of the security chip and the network information both meet the preset conditions, the start permission of the remote desktop is authenticated, and the remote desktop protocol connection can then be established through the first domain to start the remote desktop. If either the identification code of the security chip or the network information does not meet its preset condition, the start permission authentication of the remote desktop fails; in that case the remote desktop protocol connection is not established, that is, the remote desktop is not started.
Further, if the terminal device detects that the preset docking device has been disconnected, for example because the user detaches the preset docking device from the terminal device, the terminal device closes the remote desktop through the first domain; that is, the first domain keeps running the remote desktop until the user disconnects the preset docking device from the terminal device.
In this embodiment, the access permission of the remote desktop is authenticated through the first domain, which effectively prevents unauthorized access, impersonation and similar behaviour by illegitimate users, and so ensures the security of starting the remote desktop.
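The start-permission check of steps S1201 through S12022, together with the close-on-disconnect behaviour just described, as an added Go example that is not part of the patent. It assumes that the preset network information list is a set of CIDR prefixes (the page does not say how entries are expressed), that the start request carries the two addresses as strings, and that the chip identifier SC-0001 and the 10.20.0.0/16 and 203.0.113.0/24 ranges are constructed values; the StartPolicy and Session names are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// StartRequest carries what the page says the start request carries: the dock's
// security chip identification code and the terminal's LAN and public addresses.
type StartRequest struct {
	ChipID     string
	LANAddr    string
	PublicAddr string
}

var ErrChipNotListed = errors.New("security chip identification code not in preset list")
var ErrLANNotListed = errors.New("local area network information not in preset list")
var ErrPublicNotListed = errors.New("public network information not in preset list")

// StartPolicy is the preset chip identification code list plus the preset network
// information list. Assumption: network entries are CIDR prefixes, not single hosts.
type StartPolicy struct {
	chips  map[string]bool
	lan    []netip.Prefix
	public []netip.Prefix
}

func NewStartPolicy(chips []string, lan, public []netip.Prefix) *StartPolicy {
	p := &StartPolicy{chips: make(map[string]bool, len(chips)), lan: lan, public: public}
	for _, c := range chips {
		p.chips[c] = true
	}
	return p
}

// inList: an address that does not parse counts as not listed, never as a pass.
func inList(addr string, list []netip.Prefix) bool {
	a, err := netip.ParseAddr(addr)
	if err != nil {
		return false
	}
	a = a.Unmap() // netip does not treat ::ffff:10.0.0.1 as inside an IPv4 prefix
	for _, p := range list {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Authorize is steps S12021 and S12022: every condition must hold, and the first
// failing one is reported so a log line says which list rejected the request.
func (p *StartPolicy) Authorize(req StartRequest) error {
	if !p.chips[req.ChipID] {
		return ErrChipNotListed
	}
	if !inList(req.LANAddr, p.lan) {
		return ErrLANNotListed
	}
	if !inList(req.PublicAddr, p.public) {
		return ErrPublicNotListed
	}
	return nil
}

// Session is the remote desktop run by the first domain: it opens only after
// Authorize passes and is closed again when the dock is detached.
type Session struct{ Open bool }

func (s *Session) Start(p *StartPolicy, req StartRequest) error {
	if err := p.Authorize(req); err != nil {
		return err
	}
	s.Open = true
	return nil
}

func (s *Session) OnDockDisconnected() { s.Open = false }

func main() {
	// Constructed policy: one chip, an office LAN range and one egress range.
	pol := NewStartPolicy([]string{"SC-0001"},
		[]netip.Prefix{netip.MustParsePrefix("10.20.0.0/16")},
		[]netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")})
	var s Session
	fmt.Println(s.Start(pol, StartRequest{ChipID: "SC-0001", LANAddr: "10.20.3.7", PublicAddr: "203.0.113.40"}), s.Open)
	fmt.Println(s.Start(pol, StartRequest{ChipID: "SC-0001", LANAddr: "10.20.3.7", PublicAddr: "198.51.100.9"}))
	s.OnDockDisconnected()
}
```

The addresses are taken from the request, as the page describes; in a deployment the first domain would also compare the reported public address with the peer address it actually observes on the connection, since a self-reported value can differ from what the network delivered. An address that fails to parse is rejected rather than ignored, and IPv4-mapped IPv6 forms are normalised before comparison so the list has the same meaning on both address families.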
Example two
Fig. 4 is a schematic structural diagram of an apparatus for starting a remote desktop according to an embodiment of the present application. As shown in fig. 4, the apparatus is applied to an application environment including at least two mutually isolated execution domains, in which an operating system and a remote desktop system respectively run. The apparatus 40 may include a first authentication module 41, a second authentication module 42 and a starting module 43, wherein
the first authentication module 41 is configured to perform initial authentication on the accessed preset docking device when detecting that the preset docking device is accessed;
the second authentication module 42 is configured to authenticate the start permission of the remote desktop through the first domain according to the received remote desktop start request when the initial authentication is passed;
the starting module 43 is configured to control the remote desktop to be started in the first domain when the starting authority authentication passes, so that the remote desktop system is run in the first domain.
Specifically, the apparatus further includes an establishing module 44, as shown in fig. 5, the establishing module 44 is configured to establish at least two mutually isolated execution domains based on a class of virtual machines, so that the at least two mutually isolated execution domains can run the operating system and the remote desktop system, respectively.
Further, the apparatus further includes a receiving module, as shown in fig. 5, the receiving module 45 is configured to receive a data communication request sent by the preset docking device, where the data communication request carries any one of a device identification code of the preset docking device and a device private key of the preset docking device;
the first authentication module 41 includes a first determining sub-module 411 and an authentication sub-module 412, as shown in fig. 5, wherein,
the first determining sub-module 411 is configured to determine whether the device identification code is an identification code in the preset device identification code list, and to determine that the initial authentication is passed when it is; alternatively,
the authentication sub-module 412 is configured to authenticate the device private key based on a pre-stored device public key; and when the authentication is passed, determining that the initial authentication is passed.
Further, the apparatus further includes a switching module 46, as shown in fig. 5, the switching module 46 is configured to control the virtual machine manager to switch to the first domain running the remote desktop system when the operating system in the second domain is currently running.
Further, the second authentication module 42 includes a start request receiving sub-module 421 and a second determining sub-module 422, as shown in fig. 5, wherein
the start request receiving sub-module 421 is configured to receive, through the first domain, a start request for starting the remote desktop, where the start request carries the identification code of the security chip in the preset docking device and the network information of the terminal device at the time it sends the start request;
the second determining submodule 422 is configured to determine whether the identification code of the security chip and the network information both satisfy a preset condition through the first domain, so as to authenticate the start permission.
Further, the second determining sub-module 422 is specifically configured to determine that the identification code of the security chip belongs to the identification codes in the preset chip identification code list, and to determine that both the local area network information and the public network information in the network information belong to the network information in the preset network information list.
Compared with the prior art, the apparatus provided by this embodiment initially authenticates the preset docking device when it is detected to be connected, which ensures the security of the connected preset docking device and provides a precondition for the subsequent authentication of the start permission of the remote desktop. After the initial authentication has passed, the start permission of the remote desktop is authenticated through the first domain according to the received remote desktop start request, and once that authentication has passed, the remote desktop is started in the first domain. Because the access permission of the remote desktop is authenticated through the first domain, unauthorized access, impersonation and similar behaviour by illegitimate users are effectively prevented and the security of starting the remote desktop is ensured; because the first domain running the remote desktop system is isolated from the domain running the operating system, the poor stability, potential security hazards and similar problems caused by the operating system are effectively overcome; and because the first domain, which is independent of the operating system and runs the remote desktop system, only needs to run a relatively simplified kernel, development complexity is reduced, the development cycle is shortened, and the solution is easy to adapt to other devices.
Example three
An embodiment of the present application provides an electronic device. As shown in fig. 6, the electronic device 600 includes a processor 601 and a memory 603, where the processor 601 is coupled to the memory 603, for example via a bus 602. The electronic device 600 may further include a transceiver 604. It should be noted that in practice the transceiver 604 is not limited to a single one, and the structure of the electronic device 600 does not limit the embodiments of the present application.
In this embodiment the processor 601 is used to implement the functions of the first authentication module, the second authentication module and the starting module shown in fig. 4 or fig. 5, and the functions of the establishing module, the receiving module and the switching module shown in fig. 5.
The processor 601 may be a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a transistor logic device, a hardware component, or any combination of these, and may implement or execute the various illustrative logical blocks, modules and circuits described in connection with this disclosure. The processor 601 may also be a combination of computing devices, for example one or more microprocessors, or a DSP together with a microprocessor.
The bus 602 may include a path that transfers information between the above components. The bus 602 may be a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one thick line is shown in fig. 6, but this does not mean that there is only one bus or only one type of bus.
The memory 603 may be, but is not limited to, a ROM or another type of static storage device that can store static information and instructions, a RAM or another type of dynamic storage device that can store information and instructions, an EEPROM, a CD-ROM or other optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, Blu-ray disk and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer.
The memory 603 is used for storing application program codes for executing the scheme of the application, and the processor 601 controls the execution. The processor 601 is configured to execute the application program code stored in the memory 603 to implement the actions of the apparatus for starting a remote desktop provided by the embodiment shown in fig. 4 or fig. 5.
The electronic device provided by this embodiment of the present application comprises a memory, a processor, and a computer program stored on the memory and executable on the processor. Compared with the prior art, when the processor executes the program the electronic device achieves the following: when the preset docking device is detected to be connected, it is initially authenticated, which ensures the security of the connected preset docking device and provides a precondition for the subsequent authentication of the start permission of the remote desktop; after the initial authentication has passed, the start permission of the remote desktop is authenticated through the first domain according to the received remote desktop start request, and once that authentication has passed, the remote desktop is started in the first domain. Because the access permission of the remote desktop is authenticated through the first domain, unauthorized access, impersonation and similar behaviour by illegitimate users are effectively prevented and the security of starting the remote desktop is ensured; because the first domain running the remote desktop system is isolated from the domain running the operating system, the poor stability, potential security hazards and similar problems caused by the operating system are effectively overcome; and because the first domain, which is independent of the operating system and runs the remote desktop system, only needs to run a relatively simplified kernel, development complexity is reduced, the development cycle is shortened, and the solution is easy to adapt to other devices.
This embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the method shown in the first embodiment. Compared with the prior art, this achieves the following: when the preset docking device is detected to be connected, it is initially authenticated, which ensures the security of the connected preset docking device and provides a precondition for the subsequent authentication of the start permission of the remote desktop; after the initial authentication has passed, the start permission of the remote desktop is authenticated through the first domain according to the received remote desktop start request, and once that authentication has passed, the remote desktop is started in the first domain. Because the access permission of the remote desktop is authenticated through the first domain, unauthorized access, impersonation and similar behaviour by illegitimate users are effectively prevented and the security of starting the remote desktop is ensured; because the first domain running the remote desktop system is isolated from the domain running the operating system, the poor stability, potential security hazards and similar problems caused by the operating system are effectively overcome; and because the first domain, which is independent of the operating system and runs the remote desktop system, only needs to run a relatively simplified kernel, development complexity is reduced, the development cycle is shortened, and the solution is easy to adapt to other devices.
The computer-readable storage medium provided by this embodiment is applicable to any embodiment of the method and is not described in detail here.
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, the steps are not restricted to the exact order shown and may be performed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and not necessarily in sequence but alternately or in turn with other steps or with at least some of the sub-steps or stages of other steps.
The foregoing describes only some embodiments of the present application. It should be noted that those skilled in the art can make several modifications and refinements without departing from the principle of the present application, and such modifications and refinements should also be regarded as falling within the protection scope of the present application.

Claims (10)

1. A method for starting a remote desktop is applied to an application environment comprising at least two mutually isolated execution domains, wherein the at least two mutually isolated execution domains respectively run an operating system and a remote desktop system, and the method comprises the following steps:
when detecting that the preset docking equipment is accessed, performing initial authentication on the accessed preset docking equipment;
if the initial authentication is passed, authenticating the starting authority of the remote desktop through the first domain according to the received remote desktop starting request;
and if the starting authority authentication passes, controlling to start the remote desktop in the first domain so as to operate the remote desktop system in the first domain.
2. The method of claim 1, further comprising, prior to detecting that the preset docking device is accessed:
and establishing the at least two mutually isolated execution domains based on a class of virtual machines, so that the at least two mutually isolated execution domains can respectively run an operating system and a remote desktop system.
3. The method of claim 2, further comprising, after detecting that the preset docking device is accessed:
receiving a data communication request sent by a preset docking device, wherein the data communication request carries any one of a device identification code of the preset docking device and a device private key of the preset docking device;
the initial authentication of the accessed preset docking device includes:
determining whether the equipment identification code is an identification code in a preset equipment identification code list;
if so, determining that the initial authentication is passed; alternatively,
authenticating the device private key based on a pre-stored device public key;
and if the authentication is passed, determining that the initial authentication is passed.
4. The method according to any of claims 1-3, further comprising, after the initial authentication passes:
and if the operating system in the second domain is currently operated, controlling the virtual machine manager to be switched to the first domain for operating the remote desktop system.
5. The method of claim 1, wherein authenticating the start authority of the remote desktop via the first domain according to the received remote desktop start request comprises:
receiving a starting request for starting a remote desktop through a first domain, wherein the starting request carries an identification code of a security chip in a preset dock device and network information when a terminal device sends the starting request;
and determining whether the identification code of the security chip and the network information both meet preset conditions through a first domain so as to authenticate the starting authority.
6. The method of claim 5, wherein determining that the identification code of the security chip satisfies a preset condition comprises:
determining that the identification code of the security chip belongs to an identification code in a preset chip identification code list;
determining that the network information meets a preset condition, including:
and determining that the local area network information and the public network information in the network information both belong to the network information in a preset network information list.
7. An apparatus for launching a remote desktop, wherein the apparatus is applied to an application environment including at least two isolated execution domains, and the at least two isolated execution domains respectively run an operating system and a remote desktop system, and the apparatus comprises:
the first authentication module is used for performing initial authentication on the accessed preset docking equipment when the preset docking equipment is detected to be accessed;
the second authentication module is used for authenticating the starting authority of the remote desktop through the first domain according to the received remote desktop starting request when the initial authentication is passed;
and the starting module is used for controlling the starting of the remote desktop in the first domain when the starting authority authentication passes so as to operate the remote desktop system in the first domain.
8. The apparatus of claim 7, further comprising a setup module;
the establishing module is used for establishing the at least two mutually isolated execution domains based on a class of virtual machines so that the at least two mutually isolated execution domains can respectively run an operating system and a remote desktop system.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of launching a remote desktop according to any of claims 1-6 when executing the program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the method of launching a remote desktop according to any one of claims 1 to 6.
CN201811447982.3A 2018-11-29 2018-11-29 Method and device for starting remote desktop, electronic equipment and computer storage medium Active CN109583182B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811447982.3A CN109583182B (en) 2018-11-29 2018-11-29 Method and device for starting remote desktop, electronic equipment and computer storage medium

Publications (2)

Publication Number Publication Date
CN109583182A CN109583182A (en) 2019-04-05
CN109583182B true CN109583182B (en) 2021-06-04

Family

ID=65925479

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811447982.3A Active CN109583182B (en) 2018-11-29 2018-11-29 Method and device for starting remote desktop, electronic equipment and computer storage medium

Country Status (1)

Country Link
CN (1) CN109583182B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112241299B (en) * 2019-07-18 2023-08-18 上海达龙信息科技有限公司 Operation management method, system, medium and server of electronic equipment
CN111756729B (en) * 2020-06-23 2022-06-17 北京网瑞达科技有限公司 Network resource access method, device, computer equipment and storage medium

Citations (5)

Publication number Priority date Publication date Assignee Title
CN102420846A (en) * 2010-10-15 2012-04-18 微软公司 Remote access to hosted virtual machines by enterprise users
CN103188332A (en) * 2011-12-30 2013-07-03 中国移动通信集团公司 Remote desktop access control management method, equipment and system
CN104811455A (en) * 2015-05-18 2015-07-29 成都卫士通信息产业股份有限公司 Cloud computing identity authentication method
CN105721441A (en) * 2016-01-22 2016-06-29 华中科技大学 Method for authenticating identity under virtualized environment
CN108804189A (en) * 2018-06-01 2018-11-13 成都雨云科技有限公司 A kind of cloud desktop management method and system

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
US8849941B2 (en) * 2010-09-30 2014-09-30 Microsoft Corporation Virtual desktop configuration and operation techniques
CN102214127B (en) * 2010-11-15 2013-01-09 上海安纵信息科技有限公司 Method for intensively storing and backing up data based on operating system virtualization theory
US9671945B2 (en) * 2013-12-17 2017-06-06 American Megatrends, Inc. Techniques of launching virtual machine from thin client

Non-Patent Citations (1)

Title
Security analysis of dual-operating-system mobile intelligent terminals; Yao Yinan et al.; 移动通信 (Mobile Communications); 20171130 (No. 21); pp. 16-20, Fig. 2 *

Also Published As

Publication number Publication date
CN109583182A (en) 2019-04-05

Similar Documents

Publication Publication Date Title
US9928101B2 (en) Certificate based connection to cloud virtual machine
US9800669B2 (en) Connection leasing for hosted services
US20160342784A1 (en) Mobile device authentication
RU2683620C1 (en) Method of the data sharing implementation between the client and the virtual desktop, the client and the system
US20220043901A1 (en) Method of data transfer between hosted applications
US11709929B2 (en) Interaction method and apparatus
US9940148B1 (en) In-place hypervisor updates
WO2010087829A1 (en) Selectively communicating data of a peripheral device to plural sending computers
CN109583182B (en) Method and device for starting remote desktop, electronic equipment and computer storage medium
CN111158857B (en) Data encryption method, device, equipment and storage medium
US20180357404A1 (en) Information processing method and apparatus, and electronic device
WO2014075231A1 (en) Dual-factor authentication method and virtual machine device
CN114969713A (en) Equipment verification method, equipment and system
CN107277163B (en) Equipment remote mapping method and device
CN103220347A (en) CRP (compression reflection protocol) cloud interaction method
CN111565382B (en) Transmission method and electronic equipment
CN115174558B (en) Cloud network end integrated identity authentication method, device, equipment and storage medium
CN110795182A (en) Cloud host creation method and system
CN107872786B (en) Control method and smart card
WO2021109309A1 (en) Information processing method, device, and computer storage medium
CN116610274B (en) Cross-equipment screen projection method and device, electronic equipment and readable storage medium
US20230345240A1 (en) Contextual authentication for secure remote sessions
CN116186709B (en) Method, device and medium for unloading UEFI (unified extensible firmware interface) safe start based on virtualized VirtIO technology
JP6201633B2 (en) Information processing apparatus and information processing system
CN110365756B (en) Access method, electronic device and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230516

Address after: Room 401, Floor 4, No. 2, Haidian East Third Street, Haidian District, Beijing 100080

Patentee after: Yuanxin Information Technology Group Co.,Ltd.

Address before: 100176 room 2222, building D, building 33, 99 Kechuang 14th Street, Beijing Economic and Technological Development Zone, Daxing District, Beijing

Patentee before: YUANXIN TECHNOLOGY
