JP2009151499A - Information processing system, information processor, its control method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To suppress the generation of large amounts of log information in applying a policy. <P>SOLUTION: When number of log information is over the preliminarily set number of log information corresponding to a policy to be applied exists, a management server 103 notifies an administrator terminal 102 of the result. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a technique for suppressing a large amount of log information related to operations on data.

  In recent years, leakage of personal information and confidential information has been affecting the trust of companies. Information leakage may occur due to unauthorized access from the outside, but most are caused by carelessness of people inside the company. In addition, information may be taken out by a removable storage medium and information leakage may occur. Since the Personal Information Protection Law was enforced in 2005, it has become an urgent task to take measures against information leakage as a company.

  In view of this point, the technique disclosed in Patent Document 1 creates a policy that restricts a specific operation on the management server, and controls the device by applying the policy to a specific user or client terminal. Yes.

JP 2006-309296 A

  However, in the technique disclosed in Patent Document 1, the administrator does not intend that, due to the applied policy depending on the environment of the client terminal, a large amount of operation logs are generated or the operation of a specific application is affected. Problems can occur.

  In addition, in the client terminal, information (files and the like) stored in the client terminal is changed every day by a user operation, so that there is a problem that an applied policy becomes a form.

  Therefore, an object of the present invention is to suppress a large amount of log information when a policy is applied.

  Another object of the present invention is to enable security management corresponding to data changes.

An information processing system according to the present invention manages an administrator terminal that creates a policy that defines conditions for taking an operation history on data, an operation terminal that takes an operation history on data, and an operation history on the data An information processing system connected to an information processing apparatus via a communication line, wherein the information processing apparatus stores log information indicating a history of operations on data input from the operation terminal in a recording medium And an input means for inputting a policy defining conditions for taking a history of operations on data from the administrator terminal, and the recording medium more than the number of log information corresponding to the policy set in advance within a predetermined period Determining means for determining whether or not the log information corresponding to the policy is set in advance within a predetermined period by the determining means. , If it is determined to exist in said recording medium, characterized by having a notification unit for notifying the determination result to the communication device to the administrator terminal.
An information processing apparatus according to the present invention includes an administrator terminal that creates a policy that defines a condition for taking a history of operations on data, and an information process that is connected to an operation terminal that takes a history of operations on data via a communication line. A storage unit for storing log information indicating an operation history for data input from the operation terminal in a recording medium, and a policy that defines a condition for obtaining an operation history for data from the administrator terminal A first input unit that inputs the log information, a determination unit that determines whether log information corresponding to the policy exists in the recording medium more than a predetermined number of times within a predetermined period, and the determination unit When it is determined that the log information corresponding to the policy exists in the recording medium in a predetermined number or more within a predetermined period, the determination result is given to the administrator terminal. And having a notification means for notifying.
The control method of the information processing apparatus according to the present invention is connected via a communication line to an administrator terminal that creates a policy that defines conditions for taking an operation history for data, and an operation terminal that takes an operation history for data. A storage step of storing log information indicating a history of operations on data input from the operation terminal in a recording medium, and a history of operations on data from the administrator terminal. An input step of inputting a policy that defines the conditions of the determination, a determination step of determining whether or not log information corresponding to the policy exists in the recording medium in a predetermined number or more within a predetermined period, and the determination When it is determined in the step that log information corresponding to the policy is present in the recording medium more than a predetermined number within a predetermined period, Characterized in that it comprises a notification step of notifying the judgment result to the serial manager terminal.
The program of the present invention includes an administrator terminal that creates a policy that defines a condition for taking a history of operations on data, and an information processing apparatus that is connected to an operation terminal that takes a history of operations on data via a communication line. A program for causing a computer to execute a control method, storing a log information indicating a history of operations on data input from the operation terminal in a recording medium, and a history of operations on data from the administrator terminal An input step of inputting a policy that defines a condition for determining the condition, and a determination step of determining whether or not log information corresponding to the policy exists in the recording medium in a predetermined number of times or more. More than the number of log information corresponding to the policy set in advance in a predetermined period by the determination step, the recording medium If it is determined to exist, characterized in that to execute a notifying step of notifying the determination result to the computer to the management terminal.

  In the present invention, when the log information corresponding to the policy is more than a preset number, the determination result is notified. Therefore, according to the present invention, it is possible to suppress the generation of a large amount of log information when applying the policy by re-creating the policy based on the notification of the large amount of log information.

  Further, in the present invention, since security measures for the data itself are controlled, security management corresponding to changes in data becomes possible.

  DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, preferred embodiments to which the invention is applied will be described in detail with reference to the accompanying drawings.

  FIG. 1 is a block diagram schematically showing the configuration of a device restriction system according to an embodiment of the present invention. As shown in FIG. 1, in the device restriction system according to the present embodiment, a client terminal 101, an administrator terminal 102, and a management server 103 are connected to be communicable with each other via a network 104 such as a LAN as a communication line. It has a configuration. The administrator terminal 102 is a configuration that is an application example of the administrator terminal of the present invention, the management server 103 is a configuration that is an application example of the information processing apparatus of the present invention, and the client terminal 101 is It is the structure used as one example of application of the operating terminal of this invention. A device restriction system constituted by these apparatuses is a configuration serving as an application example of the information processing system of the present invention.

  The client terminal 101, the administrator terminal 102, and the management server 103 are configured by an information processing apparatus such as a computer.

  The client terminal 101 is a terminal used by a user. In this client terminal 101, an agent program and a filter driver are installed. The client terminal 101 functions to control a device (hard disk, USB memory, etc.) connected to the terminal and to send an operation log indicating an operation history to the management server 103 according to a monitoring policy distributed from the management server 103 have.

  The administrator terminal 102 is a terminal used by the administrator. This administrator terminal 102 is connected to the management server 103 through a WEB browser installed in the terminal, and has a function of operating and browsing system settings and states.

  The management server 103 is a management server that holds system information such as client information and monitoring policies. The management server 103 has a function of providing a system setting screen to the administrator terminal 102, a function of receiving an operation log from the client terminal 101, and a function of distributing a monitoring policy.

  Further, there may be a plurality of client terminals 101, administrator terminals 102, and management servers 103, respectively.

  FIG. 2 is a block diagram schematically showing a hardware configuration of the information processing apparatuses of the client terminal 101, the administrator terminal 102, and the management server 103 in FIG.

  In FIG. 2, reference numeral 201 denotes a CPU 201 that controls each device and controller connected to the system bus 204 in an integrated manner.

  Further, the ROM 202 or the external memory 211 stores a BIOS or an operating system program (hereinafter referred to as OS) which is a control program of the CPU 201, various programs described later necessary for realizing functions executed by the server or each client, and the like. The BIOS is an abbreviation for Basic Input / Output System.

  The RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program necessary for execution of processing into the RAM 203 and executing the program.

  An input controller (input C) 205 controls input from a pointing device such as a keyboard 209 or a mouse (not shown).

  A video controller (VC) 206 controls display on the display 210. The display 210 may be a CRT display or a liquid crystal display.

  The memory controller (MC) 207 is a hard disk (HD), floppy (registered trademark) disk (FD), or PCMCIA that stores a boot program, browser software, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 211 such as a CompactFlash (registered trademark) memory connected to the card slot via an adapter.

  A communication I / F controller (communication I / FC) 208 is connected to and communicates with an external device via the network 105, and executes communication control processing in the network. For example, Internet communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the display 201 by, for example, implementing outline font rasterization processing on the display information area in the RAM 203. Further, the CPU 201 can be instructed by a user with a mouse cursor (not shown) on the display 210.

  The program that is a feature of the present embodiment is recorded in the external memory 211, and is executed by the CPU 201 by being loaded into the RAM 202 as necessary. Furthermore, various data and various tables used by the program that is a feature of the present embodiment are stored in the external memory 211, and a detailed description thereof will be described later.

  FIG. 3 is a block diagram schematically showing the module configuration of the client terminal 101 in FIG.

  First, the client terminal 101 includes an operating system 308 and programs operating on the operating system, such as a setting program 301, a temporary writing program 302, a control / communication service program 303, a print monitoring module 310, and a filter driver (file system) 304. , A filter driver (CD-RW / DVD writing) 305, a file system driver 306, a CD-RW / DVD writing driver 307, a printer driver 313, a device 309, and a printer 314.

  The setting program 301 provides user operation screens such as an agent program stop screen and an application screen.

  The temporary writing program 302 provides a function of writing a file to a device connected to the client terminal 101 when the temporary use of the device is permitted by the temporary writing function.

  The control / communication service program 303 operates as a resident program. Also, the control / communication service program 303 is a function for setting the operation to the filter driver (file system) 304 and the filter driver (CD-RW / DVD writing) 305, a function for acquiring a monitoring policy from the management server 103, and a function for transmitting an operation log. I will provide a.

  The print monitoring module 310 is a module called in the control / communication service program 303 and provides a function for controlling execution of printing.

  A filter driver (file system) 304 monitors file operations on devices such as a hard disk, a USB memory, a floppy (registered trademark) disk drive, and a shared folder. The filter driver (file system) 304 provides a function for prohibiting operations based on the operating conditions set by the control / communication service program 303.

  A filter driver (CD-RW / DVD writing) 305 monitors an operation on an optical disk such as a CD-R, CD-RW, or DVD, and prohibits the operation based on an operating condition set by the control / communication service program 303. Provide the function to do.

  The file system driver 306 provides a function for the operating system 308 to control the external memory 211.

  The CD-RW / DVD writing driver 307 provides a function for the operating system 308 to control an optical disc such as a CD-R, CD-RW, or DVD.

  The printer driver 313 provides a function for the operating system 308 to control the printer 314.

  The printer 314 means a device that prints character data, image data, graphic data, or the like on paper, an OHP sheet, or the like.

  The device 309 means a device built in the client terminal 101 such as a built-in hard disk, a shared folder connected on the network, or a removable storage medium such as a USB memory, a floppy (registered trademark) disk, or an optical disk. To do.

  FIG. 4 is a block diagram schematically showing the module configuration of the administrator terminal 102 in FIG.

  The administrator terminal 102 includes an operating system 403, a WEB browser application 401 that is a program that operates on the operating system, and an e-mail receiving application 402, and is stored in the external memory 211 shown in FIG.

  An administrator uses the WEB browser application 401 to connect to the management server 103 and provides a function for setting and browsing system information.

  The e-mail receiving application 402 provides a function of receiving e-mail from the management server 103.

  FIG. 5 is a block diagram schematically showing the module configuration of the management server 103 in FIG.

  The management server 103 includes an operating system 505, a log reception program 501 that is a program operating on the operating system, a WEB server 502, a management WEB application 503, and a database 504. The management server 103 is stored in the external memory 211 shown in FIG.

  The log reception program 501 provides a function of receiving an operation log from the client terminal 101 and storing it in a database.

  The management web application 503 operates on the web server 502 and provides a function for providing a setting screen, system information, and operation log information in response to a request from the web browser application 401 installed in the administrator terminal 102. To do. The management WEB application 503 provides a function for distributing a monitoring policy in response to a monitoring policy acquisition request from the client terminal 101.

  Next, the database 313 provides a function of storing the set system information and the operation log transmitted from the client terminal 101.

  The module is stored in a hard disk or floppy (registered trademark) disk 211 shown in FIG.

  FIG. 6 is a flowchart illustrating an example of a processing procedure of the device restriction system in the present embodiment.

  First, an apparatus for executing each step shown in FIG. 6 will be described. First, in steps S601 to S611 shown in FIG. 6, the CPU 201 of the client terminal 101 executes the control / communication service program 303, the setting program 301, and the print monitoring module 310 stored in the storage unit such as the external memory 211. This is realized by loading the program into the RAM 203 and executing it.

  Next, the processing of steps S621 to S625 shown in FIG. 6 is realized by the CPU 201 of the management server 103 loading the management WEB application 503 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. Is done.

  6 is realized by the CPU 201 of the management server 103 loading the log reception program 501 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. .

  Finally, in steps S651 to S653 shown in FIG. 6, the CPU 201 of the administrator terminal 102 loads the WEB browser application 401 and the e-mail receiving application 402 stored in the storage means such as the external memory 211 into the RAM 203. It is realized by executing. The above is the apparatus for executing each step shown in FIG.

Next, each step of the flowchart shown in FIG. 6 will be described.
First, the monitoring policy creation process in steps S651, S652, S621, and S622 will be described.

  First, the CPU 201 of the administrator terminal 102 activates the WEB browser application 401 based on a screen operation by the administrator.

  Then, the WEB browser application 401 of the administrator terminal 102 connects to the management WEB application 503 of the management server 103, and transmits approval information (user ID and password) (step S651).

  Next, the management WEB application 503 of the management server 103 receives the authentication information transmitted from the administrator terminal 102 and executes authentication processing (step S621).

  The authentication process here means authentication by ID and password, or authentication by an authentication device such as a smart card.

  Next, when the authentication process is successful, the WEB browser application 401 of the administrator terminal 102 displays a monitoring policy setting screen (FIG. 9) for inputting the monitoring policy (FIG. 10).

  On the other hand, if the authentication process fails, the CPU 201 of the administrator terminal 102 displays an error message (not shown) indicating that the authorization has failed on the WEB browser application 401.

  In the monitoring policy setting screen, as shown in FIG. 9, setting of the monitoring policy name (0901), description of the monitoring policy (0902), floppy disk access control and operation log setting (0903) , Removable disk access control and operation log setting (0904), local hard disk access control and operation log setting (0905), optical disk access control and operation log setting by packet writing (0906), optical disk by writing software Access control and operation log setting (0907), print control and operation log setting (0908), shared folder access control and operation log setting (0909) are displayed.

  In addition, as shown in FIG. 10, the monitoring policy prohibits a read command, a write command, a file name change command, and a delete command for a floppy (registered trademark) disk, a removable disk, a local hard disk, an optical disk, and a network drive. This is information that defines whether or not to set a print command for a printer and whether to record the command as a log.

  Next, using the monitoring policy setting screen (FIG. 9), the administrator inputs the monitoring policy (FIG. 10) and presses the monitor policy creation button (0910). Then, the WEB browser application 401 of the administrator terminal 102 transmits the input monitoring policy, the monitoring policy name, and the description of the monitoring policy to the management server 103 (step S652).

  Next, the management WEB application 503 of the management server 103 receives the monitoring policy, the monitoring policy name, and the description of the monitoring policy (step S622), and stores them in the monitoring policy table (FIG. 11) (step S623).

  Here, as shown in FIG. 11, the monitoring policy table 1101 stores a monitoring policy ID, a monitoring policy name, a description of the monitoring policy, a monitoring policy creation time, and a monitoring policy for specifying the monitoring policy.

  When the monitoring policy is stored in the monitoring policy table, it is converted into a character string, and the floppy disk (registered trademark) access control setting is stored in the FD_CTRL property. The FD_LOG property stores operation log settings for a floppy (registered trademark) disk. The RM_CTRL property stores access control settings for removable disks. The operation log setting of the removable disk is stored in the RM_LOG property. The HD_CTRL property stores the local hard disk access control settings. The HD_LOG property stores the operation log settings for the local hard disk. The PCD_CTRL property stores access control settings for the optical disk by packet writing. The PCD_LOG property stores the operation log settings for the optical disk by packet writing. The WCD_CTRL property stores the access control setting for the optical disc by the writing software. The WCD_LOG property stores the operation log setting of the optical disc by the writing software. Print control settings are stored in the PRT_CTRL property. The operation log setting for printing is stored in the PRT_LOG property. The NET_CTRL property stores the access control settings for the network drive. The operation log setting of the network drive is stored in the NET_LOG property.

  With the above processing, the monitoring policy creation processing of Step S651, Step S652, and Step S621, Step S622 is completed.

  Next, the installation process of step S601, step S602, and step S623 will be described.

  First, the CPU 201 of the client terminal 101 installs the agent program 311 and the filter driver 312 in the client terminal 101 based on the administrator's screen operation (step S601).

  Here, the agent program 311 means the setting program 301, the temporary writing program 302, the control / communication service program 303, and the print monitoring module 310 shown in FIG.

  The filter driver 312 means the filter driver (file system) 304 and the filter driver (CD-RW / DVD writing) 305 shown in FIG.

  Next, when the installation is completed, the CPU 201 of the client terminal 101 activates the setting program 301 and displays a screen (not shown) for setting network information such as the IP address of the management server 103.

  When the administrator inputs network information using the screen, the setting program 301 of the client terminal 101 notifies the control / communication service program 303 of the input network information.

  Next, the control / communication service program 303, which is a resident program of the client terminal 101, transmits the notified client information (FIG. 7) to the management WEB application 503 of the management server 103 (step 602).

  Here, the client information includes the name (domain name) of the domain to which the client terminal 101 is connected, the user name, IP address, and computer name set and registered in the client terminal 101, as shown in FIG. Information.

  This client information is used to acquire a monitoring policy ID from the client information table in the monitoring policy acquisition process in step S624.

  Then, the management WEB application 503 of the management server 103 receives the client information and stores the client information in the client information table (step S621).

  Here, as shown in FIG. 8, the client information table includes an agent ID for identifying the agent program 311, a domain name of the client terminal 101, a computer name and an IP address, and a user name logged in to the client terminal 101. And the ID of the monitoring policy to be applied to the client terminal 101 (monitoring policy ID) is stored.

  The monitoring policy ID stores the monitoring policy ID created in step S622. Accordingly, the monitoring policy applied to the client terminal 101 can be known by referring to the monitoring policy ID in the client information table.

  In the above embodiment, the monitoring policy is applied to the client terminal 101. However, it is also possible to apply the monitoring policy to a user who logs in to the client terminal 101. It is also possible to apply and manage monitoring policies in groups by grouping client terminals and users.

  With the above processing, the installation processing in step S601, step S602, and step S623 is completed.

  In the above embodiment, the agent program 311 and the filter driver 312 are installed based on the screen operation of the administrator. However, it is also possible to automatically install using the directory service.

  Next, the monitoring policy application process in steps S603, S604, and S624 will be described.

  First, the control / communication service program 303, which is a resident program of the client terminal 101, transmits a monitoring policy acquisition request to the management server 103 (step S603).

  Here, the monitoring policy acquisition request is the name of the domain (domain name) to which the client terminal 101 is connected, the computer name of the client terminal 101, the user name of the client terminal 101, and the inquiry type that identifies the content of the inquiry. Information including an ID and an agent ID for identifying the agent program.

  Also, the monitoring policy acquisition request transmission processing in step S603 is executed by the control / communication service program 303 of the client terminal 101 based on the screen operation of the administrator, or the control / communication service program 303 is preset. Run regularly at intervals.

  Next, the management WEB application 503 of the management server 103 receives the monitoring policy acquisition request, refers to the client information table (FIG. 8) using the agent ID, domain name, user name, and computer name as keys, and monitors the monitoring policy. Get an ID.

  Further, the management WEB application 503 of the management server 103 refers to the monitoring policy table (FIG. 11) using the acquired monitoring policy ID as a key, and acquires the monitoring policy (1101). Then, the management WEB application 503 of the management server 103 returns the monitoring policy to the control / communication service program 303 of the client terminal 101 (step S624).

  Next, the control / communication service program 303 of the client terminal 101 that has received the monitoring policy executes a monitoring policy application process (FIG. 12) (step S604).

  Hereinafter, the monitoring policy application process will be described with reference to FIG. The processing in steps S1201 to S1203 in FIG. 12 is realized by the CPU 201 of the client terminal 101 loading the control / communication service program 303 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. The

  First, the control / communication service program 303, which is a resident program of the client terminal 101, stores the received monitoring policy in the file format in the external memory 211 of the client terminal 101 (step S1201).

  The file saved here is called a monitoring policy file (FIG. 13), and each property in the file means the same value as the monitoring policy (1101) of the monitoring policy table described above.

  Next, the control / communication service program 303 of the client terminal 101 refers to the monitoring policy file (FIG. 13) stored in the external memory 211, and defines information defining whether to permit or reject the execution of the printing process. To the print monitoring module 310. Then, the print monitoring module 310 monitors the execution of the printing process (step S1202).

  Further, the control / communication service program 303 of the client terminal 101 refers to the monitoring policy file (FIG. 13) stored in the external memory 211. Then, the control / communication service program 303 sets the device path prohibited by the monitoring policy and the prohibited file operation in the rejection condition (FIG. 21) held by the filter driver 312 (step S1203).

  As shown in FIG. 21, the rejection condition is a file path for which the filter driver 312 performs access control, and a read command, a write command, a file name change command, or a delete command executed on the file. Stores information defining whether instructions are prohibited. Specifically, when the access control is set to read only (only read operation is permitted) as in the floppy disk access control 909 on the monitoring policy setting screen (FIG. 9), the rejection condition includes , A floppy disk drive path and a write command, a file name change command, and a delete command prohibition for the path are registered. Thus, when a write command is executed from an arbitrary program on a file stored in a floppy (registered trademark), the filter driver 312 can prohibit the operation.

  As shown in FIG. 21, the rejection condition is set for each floppy (registered trademark) disk, removable disk, local hard disk, CD / DVD drive, and network drive. Here, it is also possible to set the file path using wildcard characters such as * (asterisk), which means all character strings. FIG. 21 shows prohibition instructions corresponding to the items of access control (none, read-only, all prohibition).

  The file driver 312 holds permission conditions (FIG. 20) in addition to the rejection conditions. As shown in FIG. 20, the permission condition includes a file path for which the filter driver 312 performs access control, and a read command, a write command, a file name change command, and a delete command executed on the file. Stores information defining which commands are allowed.

  The permission condition can also control a file operation command executed by the process by registering a process ID instead of a file path.

  Specifically, when the process ID of the control / communication service program 303 is registered in the permission condition as shown in step S1404 in FIG. 14 (FIG. 20), the file operation command executed from the control / communication service program 303 is Execution is always permitted even for folders and files registered in the rejection condition.

  With the above processing, the monitoring policy application processing shown in FIG. 12 is completed. As a result, when the file operation prohibited by the monitoring policy is executed in the client terminal 101, the filter driver 312 can interrupt the file operation.

  Note that the monitoring policy file saved in step S1201 is stored in the same folder where the agent program is stored. Access to this folder is prohibited by programs other than the agent program by the filter driver (file system) 304 of the client terminal 101. For this reason, it is not possible to browse files in a folder or write information from other programs.

  The agent program folder access control process will be described below with reference to FIG. 14 is realized by the CPU 201 of the client terminal 101 loading the control / communication service program 303 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. The

  First, the control / communication service program 303, which is a resident program of the client terminal 101, acquires the path of the folder in which the agent program is stored (step S1401).

  Then, the control / communication service program 303, which is a resident program of the client terminal 101, sets the path of the agent program acquired in step S1401 and the path to the rejection condition (FIG. 21) held by the filter driver (file system) 304. The prohibition of the read command, the write command, the file name change command, and the delete command is set (step S1402).

  Next, the control / communication service program 303 of the client terminal 101 acquires its own process ID (step S1403).

  Then, the control / communication service program 303 of the client terminal 101 sets the process ID acquired in step S1403, a read instruction, a write instruction, and a file name change instruction for the process as permission conditions held by the filter driver (file system) 304. Then, permission of the deletion command is set (step S1404).

  With the above processing, the agent program folder access control processing shown in FIG. 14 is completed. As a result, other programs cannot operate the monitoring policy file and the agent program.

  With the above processing, the monitoring policy application processing in steps S603, S604, and S624 is completed.

  Next, processing when the device operation from step S605 to step S608 is performed will be described.

  First, the CPU 201 of the client terminal 101 executes an access command to a device such as a file or a printer by a user screen operation (step S606).

  If the executed command is a printer operation, the print monitoring module 310 of the client terminal 101 executes access control for the printer operation (FIG. 15). On the other hand, in the case of a file operation, the filter driver 312 executes access control for the file operation (FIG. 16).

  First, processing when printing is executed will be described with reference to FIG. The processing in steps S1501 to S1504 in FIG. 15 is executed by the CPU 201 of the client terminal 101 by loading the control / communication service program 303 and the print monitoring module 310 stored in the storage unit such as the external memory 211 into the RAM 203. It is realized by doing.

  First, the print monitoring module 310 of the client terminal 101 detects a printing operation and notifies the control / communication service program 303 (step S1501).

  Next, the control / communication service program 303 receives the notification from the print monitoring module 310, refers to the monitoring policy stored in the external memory 211, and determines whether printing is prohibited (step S1502). ).

  If printing is not prohibited, the control / communication service program 303 notifies the print monitoring module 310 of a print operation permission command.

  Then, the print monitoring module 310 passes the process to the operating system 308 and executes the print process (step S1503).

  Conversely, when printing is prohibited, the control / communication service program 303 notifies the print monitoring module 310 of a print operation prohibition command.

  Then, the print monitoring module 310 does not pass the print execution command to the operating system 308, but transmits the print failure information to the program that executed the print, and interrupts the print (step S1504). The above processing is processing when printing is executed.

  Next, processing when a file operation is executed will be described with reference to FIG. Note that the processing in steps S1601 to S1607 in FIG. 16 is realized by the CPU 201 of the client terminal 101 loading the filter driver 312 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it.

  Further, as described in the description of step S601, the filter driver 312 here means the filter driver (file system) 304 and the filter driver (CD-RW / DVD writing) 305 shown in FIG. A filter driver (CD-RW / DVD writing) 305 controls file operations on the optical disc. On the other hand, the filter driver (file system) 304 controls file operations for a floppy (registered trademark) disk, a removable disk, a local hard disk, and a network drive.

  The filter driver (file system) 304 and the filter driver (CD-RW / DVD writing) 305 perform the same processing except that the devices to be controlled are different.

  First, the filter driver 312 of the client terminal 101 detects that a file operation has been executed (step S1601).

  Next, the filter driver 312 of the client terminal 101 determines whether the executed file operation matches the permission condition held by itself (steps S1602 and S1603).

  Specifically, it is determined whether the operation target file or process is the same as the file or process registered in the permission condition. If it is the same as the file or process registered under the permission condition, a determination is made by comparing whether the file operation command is a command permitted under the permission condition.

  Next, when the permission conditions are met, the filter driver 312 of the client terminal 101 transmits the information to the lower driver without stopping the operation and completes the processing (step S1607).

  On the other hand, if it does not match the permission condition, the filter driver 312 of the client terminal 101 checks whether the content of the file operation matches the rejection condition (FIG. 21) (S1604).

  Specifically, it is determined whether the operation target file is the same as the file registered in the rejection condition. When the file is the same as the file registered under the rejection condition, a determination is made by comparing whether the file operation instruction is an instruction prohibited by the rejection condition.

  Next, when the rejection condition is not met, the filter driver 312 of the client terminal 101 transmits information to the lower driver and completes the process (step S1607).

  On the other hand, if the rejection condition is met in step S1705, the filter driver 312 of the client terminal 101 interrupts the detected file operation (step S1606). The above processing is processing when a file operation is executed.

  Next, an operation log recording process in steps S608, S609, S626, and S627 will be described.

  First, the control / communication service program 303, which is a resident program of the client terminal 101, refers to the monitoring policy file stored in the external memory 211 and determines whether to record an operation log (step S608).

  When recording the operation log, the control / communication service program 303 of the client terminal 101 transmits the operation log (FIG. 17) to the log reception program 501 of the management server 103 (step S609).

  Here, the operation log (FIG. 17) refers to an agent ID for identifying an agent program, an operation log occurrence time, a computer name, a domain name, an IP address, a MAC address, and an operation log type of the client terminal 101 where the operation log has occurred. Event ID that identifies the operation, detailed event ID that indicates whether the operation is permitted or prohibited, device ID that stores device information on which the operation has been executed, file name of the operation target file, file size, output destination file path , Execution process name, number of print pages, print execution time, print execution printer name, print execution printer port number, and information including print file name.

  The number of print pages, print execution time, print execution printer name, print execution printer port number, and print file name in the operation log are recorded only when printing is executed.

  On the other hand, the file name, file size, and output file path of the operation log are recorded only when the file operation is executed.

  Next, the log reception program 501 of the management server 103 receives the operation log (FIG. 17) (step S626).

  Then, the log reception program 501 of the management server 103 stores the operation log in the operation log table (FIG. 18) (step S627).

  On the other hand, when the operation log is not transmitted, the control / communication service program 303 of the client terminal 101 does not execute the process of step S609 and proceeds to the next step.

  With the above processing, the operation log recording processing in step S608, step S609, step S626, and step S627 is completed.

  Note that the processing in steps 603 to 610 is executed until the operating system 308 ends or the CPU 201 of the client terminal 101 stops the agent program based on the user's screen operation.

  Next, the agent program stop process in step S611 will be described. First, the setting program 301 of the client terminal 101 executes an agent program stop process when an agent program stop command is executed based on a user operation (step S611).

  Hereinafter, the stop processing of the agent program will be described with reference to FIG. The process of step S1901 in FIG. 19 is realized by the CPU 201 of the client terminal 101 loading and executing the setting program 301 stored in the storage unit such as the external memory 211 on the RAM 203.

  19 is realized by the CPU 201 of the client terminal 101 loading the control / communication service program 303 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. The

  First, the setting program 301 of the client terminal 101 displays a password input screen (not shown) (step S1901).

  Then, the setting program 301 of the client terminal 101 notifies the stop command of the agent program and the password to the control / communication service program 303 which is a resident program after the password is input by the user using the password input screen. (Step S1902).

  Next, the control / communication service program 303 compares whether the predetermined password matches the password notified from the setting program 301 (step S1903). If they match, the control / communication service program 303 transmits a stop command to the filter driver 312 and the print control program 310 (step S1904).

  Further, the control / communication service program 303 terminates its own program and completes the stop processing of the agent program (step S1905).

  With the above processing, the agent program stop processing in step S511 is completed. The authentication process using the password is to prevent the agent program from being stopped intentionally and disabling the device restriction function.

  Finally, the monitoring log browsing process in steps S625 and S653 will be described. First, the CPU 201 of the administrator terminal 102 activates the WEB browser application 401 and displays a search screen (not shown) on the WEB browser application 401.

  When the search condition is input by the user's screen operation, the WEB browser application 401 of the administrator terminal 102 transmits the search condition to the management WEB application 503 of the management server 103 (step S653).

  Next, the management WEB application 503 of the management server 103 refers to the operation log table (FIG. 18), acquires an operation log that matches the search condition, and transmits it to the client terminal 101 (step S625).

  Then, the WEB browser application 401 of the client terminal 101 displays the contents of the operation log.

  With the above processing, the monitoring log browsing processing in step S625 and step 653 is completed. The above is the processing procedure of the device restriction system in the present embodiment.

  FIG. 23 is a flowchart showing processing of the dynamic security policy function of the device restriction system in the present embodiment.

First, an apparatus that executes each step of the flowchart shown in FIG. 23 will be described.
First, the processing from step S2301 to step S2304 shown in FIG. 23 is realized by the CPU 201 of the client terminal 101 loading the control / communication service program 303 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. Is done.

  Next, the processing of steps S2331 to S2332 shown in FIG. 23 is realized by the CPU 201 of the management server 103 loading the management WEB application 503 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. Is done.

  23 is realized by the CPU 201 of the management server 103 loading the log reception program 501 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. .

  Finally, the process of step S2361 shown in FIG. 23 is realized by the CPU 201 of the administrator terminal 102 loading the WEB browser application 401 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. The above is the processing apparatus that executes each step of the flowchart shown in FIG.

  Next, each step of the flowchart shown in FIG. 23 will be described. First, the dynamic monitoring policy setting process in steps S2331 and S2361 will be described. The dynamic monitoring policy setting process is a process for creating a dynamic monitoring policy to be applied to the client terminal 101.

  First, the CPU 201 of the administrator terminal 102 activates the WEB browser application 401 and connects to the management WEB application 503 of the management server 103 by the administrator's screen operation. Then, the WEB browser application 401 of the administrator terminal 102 displays a dynamic monitoring policy list screen (FIG. 24) for displaying a list of dynamic monitoring policies.

  Next, when the “add dynamic monitoring policy” button (2401) is pressed by the administrator from the screen, the WEB browser application 401 of the administrator terminal 102 sets the dynamic monitoring policy. The setting screen (FIG. 25) is displayed.

  Here, the dynamic monitoring policy is information including a monitoring policy name, a monitoring condition (FIG. 26), a monitoring operation (FIG. 27), a monitoring condition value, and a logical code.

  The dynamic monitoring policy setting screen includes a monitoring policy name (2502), a monitoring condition (2503), a monitoring condition value (2504), a logical code (2505), a monitoring operation (2507), and a monitoring operation value ( An item for inputting 2508) is displayed.

  First, the monitoring condition 2501 is information defining whether the folder or file is the target of the monitoring operation when the search process of step S2304 is executed, and the condition shown in FIG. 26 can be designated. Specifically, when “is a shared file” is selected as the monitoring condition (2503), the shared file stored in the external memory 211 of the client terminal 101 is searched in the search process in step S2304. .

  The monitoring condition value is a specific file name or extension when “a file including a specific file name” or “a file with a specific extension” is selected in the monitoring condition (2503). Means a child value.

  Next, the monitoring operation 2506 is information defining an operation to be executed when the control / communication service program 303 of the client terminal 101 matches the above monitoring condition in the search processing in step S2304, and is shown in FIG. You can specify the action.

  Specifically, when “is a shared file” is selected as the monitoring condition (2503) and “make read-only” is set in the monitoring operation (2507), in the search process of step S2304, The shared file stored in the external memory 211 of the client terminal 101 is searched. As a result, if the corresponding file exists, the file is changed to read-only.

  In addition, the value of the monitoring operation is set to a specific user name or specific when “set owner as a specific user” or “change file name to a specific name” is selected in the monitoring operation (2507). Means the name.

Finally, the logical code (2505) means that if a plurality of monitoring conditions are created, if all the monitoring conditions are matched, it is determined that the monitoring conditions are met, or one of the monitoring conditions is applicable. Then, it is a value that defines whether it is determined that the monitoring condition is met.
In the above embodiment, the folder or file condition for executing the search is defined in the monitoring condition (2501). However, it is possible to define not only a folder or a file but also an operating system setting (registry, network, account setting) or the like as a condition, and search in step S2304.

  Next, when a dynamic monitoring policy is input by the administrator from the screen and the “add dynamic monitoring policy” button (2509) is pressed, the WEB browser application 401 of the administrator terminal 102 manages the management server 103. The dynamic monitoring policy is transmitted to the management web application 503 (step S2361).

  Then, the management WEB application 503 of the management server 103 stores the dynamic monitoring policy in the dynamic monitoring policy table (FIG. 28) and the monitoring condition table (FIG. 29) (step S2331).

  Here, as shown in FIG. 28, the dynamic monitoring policy table stores information including a dynamic monitoring policy ID for identifying the dynamic monitoring policy, a rule name of the dynamic monitoring policy, and a monitoring operation.

  In addition, as shown in FIG. 29, the monitoring condition table includes a monitoring condition ID for identifying a monitoring condition, a dynamic monitoring policy ID indicating a relationship with the monitoring condition, a monitoring condition, a value of the monitoring condition, and a relationship with each monitoring condition. Stores information including a logical code indicating.

  With the above processing, the dynamic monitoring policy setting processing in step S2331 and step S2361 is completed.

  Next, dynamic monitoring policy acquisition and application processing in steps S2301 and S2332 will be described. In the dynamic monitoring policy acquisition process and the application process, the agent program 311 of the client terminal 101 acquires a dynamic monitoring policy stored in the management server 103 and stores it in the external memory 211.

  First, the control / communication service program 303 of the client terminal 101 transmits a dynamic monitoring policy acquisition request to the management server 103 (step S2301).

  Here, the dynamic monitoring policy acquisition request includes an agent ID for identifying an agent program, a name of a domain (domain name) to which the client terminal 101 is connected, a computer name of the client terminal 101, and a user of the client terminal 101. This is information including a name and an inquiry type ID for identifying inquiry contents.

  The dynamic monitoring policy acquisition request process is executed at an arbitrary timing by the control / communication service program 303 of the client terminal 101 based on an administrator's screen operation, or periodically at a preset interval. Executed.

  Next, the management WEB application 503 of the management server 103 receives the dynamic monitoring policy acquisition request. Then, the management WEB application 503 of the management server 103 refers to the client information table (FIG. 30) using the agent ID of the dynamic monitoring policy acquisition request as a key, and monitors the dynamic monitoring policy ID, dynamic monitoring policy name, and monitoring. Get the behavior.

  Here, the client information table shown in FIG. 30 is a table obtained by adding a dynamic monitoring policy ID column to the client information table shown in FIG. When the present invention is implemented, it is necessary to perform processing using the client information table shown in FIG. 30 in the client terminal registration processing in step S612 of FIG.

  In addition, the value of the default dynamic monitoring policy ID is automatically stored in the dynamic monitoring policy ID of FIG. 30 when the client terminal is registered.

  Next, the management WEB application 503 of the management server 103 acquires the monitoring condition, value, and logical code from the monitoring condition table using the acquired dynamic monitoring policy ID as a key. Then, the management WEB application 503 of the management server 103 transmits the dynamic monitoring policy (FIG. 31) to the control / communication service program 303 of the client terminal 101. This processing is processing that is an example of processing of the transmission unit of the present invention.

  Next, the control / communication service program 303 of the client terminal 101 receives the dynamic monitoring policy from the management WEB application 503 of the management server 103.

  The control / communication service program 303 stores the dynamic monitoring policy in the file format (FIG. 32) in the external memory 221 of the client terminal 101 (step S2302).

  This file is called a dynamic monitoring policy file, and information including a dynamic monitoring policy name, a monitoring condition, a monitoring operation, a monitoring condition value, and a logical code is stored in an XML format.

  The dynamic monitoring policy file stores a dynamic monitoring policy including a dynamic monitoring policy name (POLNAME), a monitoring condition (CONDITION), and a monitoring operation (ACTION).

  Note that this dynamic monitoring policy file is prohibited from being accessed from other than the agent program by the filter driver (file system) 304, as in the process of protecting the monitoring policy file described in FIG. 6 (FIG. 14). . Therefore, browsing and overwriting from other programs cannot be performed.

  With the above processing, the dynamic monitoring policy acquisition and application processing in steps S2301 and S2332 are completed.

  Next, the search process in step S2304 will be described. First, the control / communication service program 303 of the client terminal 101 executes a search process using an idle time such as when a screen saver is executed or when a logoff is performed (step S2304).

  Hereinafter, the search process will be described with reference to FIG. The processing from step S3301 to step S3305 shown in FIG. 33 is realized by the CPU 201 of the client terminal 101 loading the control / communication service program 303 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. Is done.

  First, the control / communication service program 303 of the client terminal 101 refers to the dynamic monitoring policy file stored in the external memory 211 of the client terminal 101, and acquires the dynamic monitoring policy (step S3301).

  Next, the control / communication service program 303 of the client terminal 101 satisfies the monitoring condition shown in FIG. 26 for all the folders or files stored in the external memory 211 of the client terminal 101, and the folder or file exists. The monitoring condition search process is executed (step S3302).

  The monitoring condition search process determines whether the control / communication service program 303 of the client terminal 101 is a file that matches the monitoring condition for each folder and file stored in the external memory 211. To do.

  Specifically, when “is a shared file” is set as the monitoring condition, it is checked whether the target file is a shared file.

  If all the monitoring conditions are not met, the next folder or file is compared, and it is repeatedly executed until there is no uncompared folder or file (step S3303).

  Conversely, when a folder or file that matches the monitoring condition is found, the control / communication service program 303 of the client terminal 101 refers to the dynamic monitoring policy file stored in the external memory 221 of the client terminal 101. Then, the control / communication service program 303 of the client terminal 101 executes the monitoring operation (FIG. 27) associated with the matched monitoring condition (step S3304).

  For example, when “prohibit write operation” is set in the monitoring operation (2507), a setting for prohibiting the write command is added to the rejection condition of the filter driver 312.

  Then, the control / communication service program 303 transmits the change log (FIG. 42) to the log reception program 501 of the management server 103 (step S3305).

  Here, the change log includes an agent ID that identifies the agent program 311, a processing execution time, a computer name and domain name of the client terminal 101, a user name logged in to the client terminal 101, and an IP address of the client terminal 101. MAC address, monitoring condition and monitoring condition value applicable to search processing, file path applicable to search processing and file path after execution of monitoring operation, executed monitoring operation and monitoring operation value, monitoring operation result (success, failure) ). With the above processing, the search processing in step S2304 is completed.

In the above embodiment, the search process is executed for all files stored in the external memory 211 of the client terminal 101. However, it is also possible to execute a search process for only files in a specific path.
In the above embodiment, the search condition for folders and files is defined in the monitoring condition (2501), and the monitoring condition search process is executed. However, not only folders and files but also operating system settings (registries, networks, account settings) and the like can be defined as monitoring conditions to execute search processing.

  Next, the change log storage processing in steps S2333 and S2334 will be described.

  First, when a change log is transmitted from the control / communication service program 303 of the client terminal 101 in the search process of step S2304, the log reception program 501 of the management server 103 receives the change log (step S2333).

  Next, the log receiving program 501 stores the change log in the change log table (FIG. 43) in the recording medium such as the HDD (step S2334).

  With the above processing, the change log storage processing in steps S2333 and S2334 is completed.

  This change log can be viewed from the administrator terminal 102 by the same method as the operation log browsing in step S653 of FIG.

  As a result, it is possible to set a security policy corresponding to a client environment that changes from day to day, so that higher client security can be maintained. The above is the processing procedure of the dynamic security policy function in this embodiment.

  FIG. 34 is a flowchart showing processing of the application policy prediction function of the device restriction system in this embodiment.

  First, an apparatus that executes each step of the flowchart shown in FIG. 34 will be described. First, the processing of step S3401 and step S3402 shown in FIG. 34 is realized by the CPU 201 of the client terminal 101 loading the control / communication service program 303 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. Is done.

  Next, the processing from step S3421 to step S3424 shown in FIG. 34 is realized by the CPU 201 of the management server 103 loading the management web application 503 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. Is done.

  Finally, the processing of step S3451 and step S3452 shown in FIG. 34 is realized by the CPU 201 of the administrator terminal 102 loading the WEB browser application 401 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. Is done. The above is the processing apparatus that executes each step of the flowchart shown in FIG.

  Next, each step of the flowchart shown in FIG. 34 will be described. First, the prediction log recording process in steps S3401, S3402, and S3421 will be described.

  First, the control / communication service program 303 of the client terminal 101 executes the processing described with reference to FIGS. 15 and 16 with reference to the applied monitoring policy file when a print operation or a file operation is generated by a user's screen operation. (Step S3401).

  Next, the control / communication service program 303 of the client terminal 101 predicts the information of the executed print operation or file operation separately from the operation log recording process of steps S608 and S609 of FIG. 6 (FIG. 44). Record as. Then, the control / communication service program 303 of the client terminal 101 transmits to the log reception program 501 of the management server 103 (step S3402).

  Here, the prediction log means information obtained by adding a prediction log flag for identifying whether it is a prediction log to the operation log described in S609 of FIG. This prediction log is used as information for predicting whether the monitoring policy to be applied operates correctly in the monitoring policy application prediction processing in step S3423.

  Next, the log reception program 501 of the management server 103 receives the transmitted prediction log.

  If there is a prediction log flag in the received prediction log, it is stored in a prediction log table (FIG. 44) in a recording medium such as an HDD (step S3421). Step S3421 is an example of processing of the storage unit of the present invention.

  Here, the prediction log table is a table that can store the same information as the operation log table described in step S627 of FIG.

  With the above processing, the prediction log recording processing in steps S3401, S3402, and S3421 is completed.

  Next, the monitoring policy application prediction setting process in steps S3422 and S3451 will be described.

  First, the CPU 201 of the administrator terminal 102 activates the WEB browser application 401 and connects to the management WEB application 503 of the management server 103 by the administrator's screen operation.

  Then, the WEB browser application 401 of the administrator terminal 102 displays the monitoring policy application prediction setting screen (FIG. 37) (step S3451).

  Here, on the monitoring policy application prediction setting screen, a warning defining a period (3701) of a prediction log used for monitoring policy application prediction processing and a state in which a prediction result is to be warned A list of conditions (3702) is displayed.

  Next, when the “create warning condition” button (3703) is pressed by the administrator's screen operation, the web browser application 401 of the management server 103 displays a warning condition creation screen (FIG. 35).

  Here, the warning condition creation screen shows the warning condition name (4601), the type of device (4602) such as a floppy (registered trademark) disk or a removable disk, and how many days (4604) the operation log is generated. The number of input items (4603) and the process (4605) specifying the name of the process that executed the operation are displayed.

  Next, the administrator inputs the above settings and presses the apply button (4606) on the warning condition creation screen. Then, the management WEB application 503 of the administrator terminal 102 transmits the information set on the warning condition creation screen to the management WEB application 503 of the management server 103 (S3451).

  The management WEB application 503 of the management server 103 receives the information and stores it in the warning condition table (FIG. 39) (step S3422).

  As shown in FIG. 39, the warning condition table stores the warning condition ID, warning condition name, device type, operation type, number of cases, period, and process name.

  Thus, the monitoring policy application prediction setting process in steps S3422 and S3451 is completed.

  Next, the monitoring policy application process in steps S3423, S3424, and S3452 will be described.

  First, the WEB browser application 401 of the administrator terminal 102 executes monitoring policy application processing (steps S3452 and S3423).

  The monitoring policy application process will be described below with reference to FIG. Note that the processing of steps S4001 to S4003 shown in FIG. 40 is realized by the CPU 201 of the management server 103 loading the management web application 503 stored in the storage means such as the external memory 211 into the RAM 203 and executing it. The

  40 is realized by the CPU 201 of the administrator terminal 102 loading the WEB browser application 401 stored in the storage unit such as the external memory 211 into the RAM 203 and executing it. The

  First, the CPU 201 of the administrator terminal 102 activates the WEB browser application 401 and displays a monitoring policy setting screen (FIG. 9) for inputting a monitoring policy by an administrator screen operation. Here, the monitoring policy setting screen means the screen described in step 652 of FIG.

  Next, when the administrator inputs a monitoring policy from the monitoring policy setting screen, the WEB browser application 401 of the administrator terminal 102 transmits the monitoring policy to the management WEB application 503 of the management server 103 (step S4021). .

  Then, the management WEB application 503 of the management server 103 predicts whether a phenomenon that matches the warning condition will occur when the monitoring policy is received and the monitoring policy is applied to the client terminal 101 (monitoring policy application prediction process). (Step S4001). Step S4001 is an example of processing of the input unit (first input unit) and the determination unit of the present invention.

  Next, the management WEB application 503 of the management server 103 transmits the prediction result (determination result) of step S4021 to the WEB browser application 401 of the administrator terminal 102 (step S4002). Note that step S4002 is an example of processing of the notification means of the present invention. The process of receiving the monitoring result and receiving the monitoring policy from the administrator terminal 102 on the management server 103 side in step S4001 is an example of a process of the second input unit of the present invention.

  Then, the management WEB application 503 of the management server 103 determines whether the setting of the monitoring policy matches the warning condition based on the prediction result of step S4021 (step S4003).

  If the warning condition is met, the management WEB application 503 of the management server 103 returns to step S4001 and waits for the modified monitoring policy to be transmitted from the administrator terminal 102 again.

  On the other hand, if the warning condition is not met, the management WEB application 503 of the management server 103 stores the monitoring policy in the monitoring policy table (FIG. 11) (step S3424).

  On the other hand, the WEB browser application 401 of the administrator terminal 102 to which the prediction result is transmitted in step S4002 receives the prediction result (step S4022).

  Then, the WEB browser application 401 of the administrator terminal 102 determines whether there is a monitoring policy that matches the warning condition in the prediction process executed in step S4001 (step S4023).

  If the warning condition is not met, a screen (not shown) indicating that the monitoring policy has been applied is displayed on the administrator terminal 102.

  Conversely, if the warning condition is met, a prediction result message screen (FIG. 38) is displayed on the administrator terminal 102. Then, it waits for the management policy to be corrected again (step S4024).

  Here, the procedure of the audit policy application prediction process in step S4001 will be described below with reference to FIG.

  41 is realized when the CPU 201 of the management server 103 loads the management web application 503 stored in the storage unit such as the external memory 211 into the RAM 203 and executes it. The

  First, the management WEB application 503 of the management server 103 acquires a warning condition from the warning condition table (step S4101).

  Next, the management WEB application 503 of the management server 103 uses the prediction log to monitor each monitoring policy (floppy (registered trademark) disk, removable disk, optical disk, network drive, local hard disk, printing) set in step S3452. When applied to a client terminal, it is predicted whether a result that matches the warning condition will occur (step S4102).

  Specifically, “All prohibited” is set in the access control setting (0909) of the floppy (registered trademark) disk of FIG. 9, the floppy (registered trademark) disk is set as the device type of the warning condition, and the number is 10,000. If one day is set for the period, a search is performed to determine whether or not 10,000 logs or more that have been prohibited from floppy disk operation in 24 hours have occurred in the prediction log of the prediction log table.

Other specific examples are shown below.
For example, “all prohibited” is set in the access control setting (0908) to the shared file (for example, \\ Server \ Folder) on the network, and “Read”, “Write”, “Delete”, “Rename” Is checked (that is, when the data is read, written, deleted, the file name is changed and the log is set to be stored), the access log to the shared file is stored in the prediction log table. Remembered.

  When “Process A” is set as the process name of application A in the log warning condition, 1000000 is set as the number of cases, and 7 days is set as the period, the process A is completed in 168 hours in the prediction log of the prediction log table. A search is performed as to whether or not there are 100,000 or more logs that are prohibited by the operation.

  Specifically, the management server predicts from the prediction log table that the detailed event ID is “2” (ID indicating that access is prohibited (denied)) and the process name is “process A (procnameA)”. When the log is searched and the number of logs in 168 hours exceeds 1000000, it is determined that there is a possibility that an abnormality will occur when the monitoring policy set in step S3452 is applied to the client terminal 101, and the determination result (prediction) (Result) is transmitted to the administrator terminal (step S4002).

  And the administrator terminal which acquired the said prediction result produces | generates a prediction log result display screen (FIG. 38) according to the said prediction result, for example, and displays it on display parts, such as the display 210. FIG.

  The example of FIG. 38 shows a warning notification that the access log from the application A (process A) to the shared folder path “\\ Server \ Folder” may exceed 1000000 in 7 days. Yes.

  As described above, it can be determined whether or not there are 100000 or more logs for which the operation by the process A is prohibited in 168 hours. That is, it is possible to identify application software having a history of prohibition of data operation by a predetermined number or more within a predetermined period from the process (name) and detailed event ID in the prediction log table. This processing is an example of processing of the specifying means of the present invention.

  In general, the administrator often does not fully understand what applications are installed in each client terminal.

  Therefore, if an application that is frequently accessed to a predetermined file and is not known to the administrator is installed on the client terminal, a large number of logs will be generated if a policy is set to prohibit access to the file. There is a risk that.

  In order to prevent this, with the above configuration, the administrator can recognize whether or not the prohibition of access from the application can be removed. Hereinafter, the description returns to FIG.

  In step S4103, if the warning condition is met, it is determined that there is a possibility that an abnormality may occur if the monitoring policy set in step S3452 is applied to the client terminal 101.

  Conversely, if the warning condition is not met, it is determined that no abnormality occurs even if the monitoring policy set in step S3452 is applied to the client terminal 101. This makes it possible to perform monitoring policy application prediction processing.

  With the above processing, the monitoring policy application processing in steps S3423, S3424, and S3451 is completed.

  As a result, it is possible to prevent log size prediction and application malfunction using operation logs acquired in the past. The above is the processing procedure of the applied policy prediction function in this embodiment.

  As described above, the application policy prediction function can predict the operation log size output in advance before applying the monitoring policy and the application in which a failure occurs. In addition, since the dynamic security policy function is applied with a monitoring policy for security measures automatically applied to data according to the client environment, it is possible to prevent the monitoring policy from being cloaked. As a result, an operation unintended by the administrator can be predicted, information in the client can be protected more safely, and information leakage can be prevented.

  In addition, the management server 103 applies a monitoring policy that prohibits data manipulation by predetermined application software (hereinafter referred to as application). As a result, when it is determined that there are more than a preset number of logs (log information) corresponding to the monitoring policy, the management server 103 may transmit the determination result to the administrator terminal 102. Receiving this, the administrator terminal 102 can prevent a large amount of logs from being generated by changing the monitoring policy to prohibit data operation by a predetermined application.

  In addition, the management server 103 refers to the log corresponding to the monitoring policy, and determines whether or not prohibition of data operation by a predetermined application is indicated in the referred log. As a result, when it is determined that data manipulation by a predetermined application is prohibited, the management server 103 may transmit the determination result to the administrator terminal 102. Receiving this, the administrator terminal 102 creates and applies a monitoring policy with a content that prohibits data operation by a predetermined application. As a result, the administrator can grasp that the shared file cannot be referred to by the predetermined application, and if necessary, the operation on the shared file by the predetermined application can be canceled. it can.

  Further, the management server 103 may transmit control information for preventing the client terminal 101 from creating a log for data including a predetermined extension. As a result, logs for unnecessary data operations can be suppressed, and a large amount of logs can be prevented. The transmission process of the control information by the management server 103 is an example of a process of the control means of the present invention.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  Although the embodiments of the present invention have been described above, the present invention can take embodiments as, for example, a system, apparatus, method, program, or recording medium. Specifically, the present invention may be applied to a system composed of a plurality of devices, or may be applied to an apparatus composed of a single device.

1 is a block diagram schematically showing a system configuration of an information processing system according to an embodiment of the present invention. FIG. 2 is a block diagram schematically showing a hardware configuration of the information processing apparatus in FIG. 1. It is a module block diagram which shows roughly the structure of the module with which the information processing apparatus (client terminal) in FIG. 1 is provided. It is a module block diagram which shows roughly the structure of the module with which the information processing apparatus (administrator terminal) in FIG. 1 is provided. It is a module block diagram which shows roughly the structure of the module with which the information processing apparatus (management server) in FIG. 1 is provided. It is a flowchart figure which shows the process sequence of a device restriction | limiting system. It is a figure which shows roughly the information handled by step S602 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by FIG.6 S623. It is a figure which shows roughly the information handled by step S651 of FIG. It is a figure which shows an example of the screen displayed by step S652 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by FIG.6 S622. 3 is a flowchart showing a procedure of monitoring policy application processing executed by the information processing apparatus (client terminal) in FIG. 1. It is a figure which shows roughly an example of the monitoring policy file preserve | saved by step S1201 of FIG. It is a flowchart which shows the procedure of the monitoring policy preservation | save process performed by step S1201 of FIG. 3 is a flowchart illustrating a processing procedure during printing executed by the information processing apparatus (client terminal) in FIG. 1. It is a flowchart which shows the process sequence at the time of the file operation which the information processing apparatus (client terminal) in FIG. 1 performs. It is a figure which shows roughly an example of the information handled by step S609 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by step S627 of FIG. 2 is a flowchart illustrating a procedure of an agent program stop process executed by the information processing apparatus (client terminal) in FIG. 1. FIG. 2 is a diagram schematically showing an example of information held by a filter driver 312 in FIG. 1. FIG. 2 is a diagram schematically showing an example of information held by a filter driver 312 in FIG. 1. FIG. 10 is a diagram showing a correspondence table of prohibition instructions registered in the rejection condition of the filter driver 312 of FIG. 1 when the access control of FIG. 9 is set. It is a flowchart which shows the process sequence of a dynamic security policy function. It is a figure which shows an example of the dynamic monitoring policy list screen displayed by step S2361 of FIG. It is a figure which shows an example of the dynamic monitoring policy setting screen displayed by step S2361 of FIG. It is a figure which shows roughly the information handled by step S2361 of FIG. It is a figure which shows roughly the information handled by step S2361 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by step S2331 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by step S2331 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by step S2332 of FIG. It is a figure which shows roughly the information handled by step S2361 of FIG. It is a figure which shows roughly the information handled by step S2302 of FIG. It is a flowchart which shows the procedure of the search process which the information processing apparatus (client terminal) in FIG. 1 performs. It is a flowchart which shows the process sequence of an application policy prediction function. It is a figure which shows an example of the dynamic monitoring policy setting screen displayed by step S3451 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by step S3421 of FIG. FIG. 35 is a diagram showing an example of a monitoring policy application prediction setting displayed in step S3451 in FIG. It is a figure which shows roughly the information handled by step S3452 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by step S3422 of FIG. 3 is a flowchart showing a monitoring policy application processing procedure executed by the information processing apparatus (administrator terminal) and the management server in FIG. 1. It is a flowchart which shows the prediction process procedure of the monitoring policy performed by step S4001 of FIG. It is a figure which shows roughly the information handled by step 2333 of FIG. It is a figure which shows roughly an example of the database table which stores the information handled by step 2334 of FIG. It is a figure which shows roughly the information handled by step S3402 of FIG.

Explanation of symbols

101: Client terminal 102: Administrator terminal 103: Management server 104: Network 301: Setting program 302: Temporary writing program 303: Control / communication service program 304: Filter driver (file system)
305: Filter driver (CD-RW / DVD writing driver)
306: File system driver 307: CD-RW / DVD writing driver 308: Operating system 309: Device 310: Print monitoring program 311: Agent program 312: Filter driver 313: Printer driver 314: Printer 401: WEB browser application 402: E-mail Reception application 403: Operating system 501: Log reception program 502: WEB server 503: Web application for management 504: Database 505: Operating system

Claims (8)

An administrator terminal that creates a policy that stipulates conditions for taking an operation history on data, an operation terminal that takes an operation history on data, and an information processing device that manages the operation history on the data are connected to a communication line. An information processing system connected via
The information processing apparatus includes:
Storage means for storing log information indicating a history of operations on data input from the operation terminal in a recording medium;
An input means for inputting a policy defining conditions for taking a history of operations on data from the administrator terminal;
Determining means for determining whether or not the log information corresponding to the policy exists in the recording medium more than a predetermined number within a predetermined period;
When it is determined by the determination means that log information corresponding to the policy is present in the recording medium by a predetermined number or more within a predetermined period, the determination result is sent to the communication device to the administrator terminal. An information processing system comprising notification means for notifying the information processing means. An administrator terminal that creates a policy that defines conditions for taking an operation history for data, and an information processing apparatus that is connected to an operation terminal that takes an operation history for data via a communication line,
Storage means for storing log information indicating a history of operations on data input from the operation terminal in a recording medium;
A first input means for inputting a policy defining conditions for taking a history of operations on data from the administrator terminal;
Determining means for determining whether or not the log information corresponding to the policy exists in the recording medium more than a predetermined number within a predetermined period;
Notification means for notifying the administrator terminal of the determination result when the determination means determines that log information corresponding to the policy exists in the recording medium in a predetermined number or more within a predetermined period. And an information processing apparatus. A second input means for inputting another policy whose contents have been changed from the administrator terminal in response to the notification by the notification means;
The information processing apparatus according to claim 2, wherein the determination unit performs the determination process again for the other policy whose content has been changed. Based on log information corresponding to the policy, further includes a specifying unit that specifies application software having a history of prohibition of data operation by a predetermined number or more within a predetermined period,
4. The information processing apparatus according to claim 2, wherein the notifying unit notifies that the operation of data by the application software specified by the specifying unit is prohibited.   5. The information processing apparatus according to claim 2, further comprising a control unit configured to perform control so that log information is not generated for an operation on data including a predetermined extension.   6. The information processing apparatus according to claim 2, further comprising a transmission unit configured to transmit information for controlling processing of security measures applied to the data itself to the operation terminal that performs an operation on the data. The information processing apparatus described. An administrator terminal that creates a policy that defines conditions for taking a history of operations on data, and a control method for an information processing apparatus that is connected to an operation terminal that takes a history of operations on data via a communication line,
A storage step of storing log information indicating a history of operations on data input from the operation terminal in a recording medium;
An input step for inputting a policy that defines conditions for taking a history of operations on data from the administrator terminal;
A determination step of determining whether or not log information corresponding to the policy exists in the recording medium more than a predetermined number within a predetermined period;
A notification step of notifying the administrator terminal of the determination result when it is determined that the log information corresponding to the policy is present in the recording medium in a predetermined period or more by the determination step. And a method of controlling the information processing apparatus. A computer that executes a control method for an administrator terminal that creates a policy that stipulates conditions for collecting data operation history and an information processing apparatus that is connected to the operation terminal that collects data operation history via a communication line. A program for
A storage step of storing log information indicating a history of operations on data input from the operation terminal in a recording medium;
An input step for inputting a policy that defines conditions for taking a history of operations on data from the administrator terminal;
A determination step of determining whether or not log information corresponding to the policy exists in the recording medium more than a predetermined number within a predetermined period;
A notification step of notifying the administrator terminal of the determination result when it is determined that the log information corresponding to the policy is present in the recording medium in a predetermined period or more by the determination step. A program that causes a computer to execute.

Images