This application includes by reference the microfiche appendix of U.S. patent application Ser. No. 08/509,688, having 722 frames, and the microfiche appendix of U.S. patent application Ser. No. 08/854,490, having 1070 frames. This application also includes a microfiche appendix of 568 frames. A portion of the disclosure of this patent document contains material which is the subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.
1. Field of the Invention
The invention relates to network administration software. More specifically, the field of the invention is that of network administration software for managing user workstations' access to resources on a network.
2. Description of the Related Art
Computer networks are arranged so that a multitude of users can access common network resources. Each user has a workstation, typically a stand-alone personal computer which is connected through a suitable communications link to the other computers of the network. The network administrator is a program, running on the network server or on an administrator workstation, which coordinates and manages the access and security of the users on the network. The management of users involves allocating and facilitating access to resources such as programs and data files which are needed or desired by particular users. In the process of a user connecting to the network, a network interface program is used to identify, verify, and authorize a network user's access to various network resources. The security provisions restrict access to certain programs and data files to the appropriate users, in order to maintain the integrity and privacy of the network system.
Networks can be administered by a single operating system running on all the components of the network, coordinating both desktops and servers, for example a version of the Windows NT operating system by Microsoft Corporation. Alternatively, a network can be administered by a combination of single-computer operating systems, including both desktop client and server based operating systems, interacting through a communications layer supported by a network operating system, for example a version of the Windows operating system by Microsoft Corporation together with a version of the Netware operating system by Novell Corporation. In either situation, a network user must first gain access to, or log on to, the computer network, and second gain access to program(s) on the server. A logon interface package termed a GINA (Graphical Identification aNd Authentication) is used to obtain the user name and password at the workstation and to establish the user's workstation session with its operating system SIDs (Security Identifiers). For the single operating system, the GINA provides a high level of security, but for the combination of single-machine operating systems, a possible security breach may exist in the gap between the workstation logon and the network logon.
Desktop administration programs provide each user with an individual view of the user's workstation configuration, the network, and the resources available over the network. Such programs conventionally provide a graphic user interface and operate under several constraints. One constraint involves the transparency of the desktop administration program. Transparency in this context concerns whether a user can ascertain the presence of the program merely by observing the operation of the user's workstation. Ideally, a user should not be able to detect the presence of the desktop administration program. Another constraint involves the underlying operating system of the workstation computer and the network. Ideally, the desktop administration program should not interfere with the operation of any portion of the underlying operating system. The management of individual user preferences also constrains desktop administration programs. Ideally, the user's modifications of a desktop configuration should not corrupt the desktop administration program's management of user desktops. Known desktop replacement or administration programs have difficulties with one or more of these constraints.
In order for the desktop administration program to provide access to a network resource, the desktop user must create an authenticated connection over the network. A Registry program on the workstation sets up and helps to administer the authenticated connection, allowing the desktop user to operate with the network resources. The Registry maintains a list of network resources and identifiers so that the workstation can determine when a network message is intended for the local desktop. The Registry may also include access information relating to the user. Conventionally, the operating system is entered as the “primary process” and has precedence over all the other processes in the multi-tasking environment. All other processes are secondary processes, and can be interrupted, terminated, or otherwise controlled by the primary process. For secure communications with network resources, the Registry may hold the security identifiers (SIDs) together with secrets such as session encryption keys, passwords, or the like. One potential problem arising from the aforementioned possible security breach is the corruption and manipulation of the Registry list and of the information and codes contained within it: a process that can alter the list can alter which resources the workstation trusts and which credentials it presents.
What is needed is a desktop administration program which alleviates the above identified constraints, works in concert with the operating system and its standard graphic user interface, and mitigates the risks involved with the possible security breach between the workstation logon and the network logon.
The present invention is a desktop administration system and method which allows a network administrator to remotely create, protect, and manage desktops across a network. The invention operates to fill the gap between the workstation and network logon procedures so that the local user stays within the predefined security profiles. The methodology involves the program of the present invention installing itself as the controlling process invoked by the workstation and preventing any other process from gaining control of the user terminal. The invention then provides a graphic user interface to construct user desktops, apply restriction options, maintain transaction logs, and password protect any object accessible from the user workstation. The invention provides these functions without altering how a user works on the desktop, or the capacities of the underlying operating system or network.
Each workstation includes a personal desktop facility (PDF) and a Daemon which protects the user's desktop. The personal desktop facility receives desktop information from the network server and builds a desktop which the user manipulates to invoke local and/or network programs and access local and/or network utilities. The PDF further creates the expected links and interfaces with network resources for the user's profile, while the other programs running on the workstation are unaware of the change of control. The Daemon serves as an interface for the personal desktop facility by channeling all communication to or from the user or the network through itself, so that it can prevent unauthorized transactions at either the workstation or the network level.
The personal desktop facility (PDF) provides a graphic user interface using objects that represent collections of programs and data, such as user preferences, default directories, and access privileges. The PDF can create objects, remove objects, and alter object settings. Providing a user with the proper collection of objects with the proper settings creates a workstation tailored to the user's needs, thus increasing the efficiency of the user.
The daemon has many tasks, including starting the PDF, enumerating the windows of the graphic user interface, and recording operations. Starting the PDF may involve obtaining security clearance, and includes loading the user's desktop from the server. Enumerating the windows of the graphic user interface facilitates proper operation of the desktop and the programs running under it. Recording operations may involve creating a log of user operations, such as tagging or signaling events when they occur, noting the usage of passwords, and the startup and exit of the desktop from the network connection.
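The description above leaves open how a daemon would actually refuse a tampered profile (the Registry-list corruption concern raised in the related-art section), mediate each resource request against the user's access privileges and password-protected objects, and keep the transaction log. The following is an added illustration written for this page, not code from the patent or from any product it describes. It assumes a design the patent does not spell out: the server attaches an HMAC tag to each user's profile under a key shared with the workstation daemon, object passwords are stored as PBKDF2 hashes, and the names `sign_profile`, `load_profile`, `Daemon`, the key, salt, and sample profile are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Assumption: a secret shared between the server that publishes desktop
# profiles and the workstation daemon. Constructed for this example only.
PROFILE_KEY = b"example-profile-key-do-not-use"
PASSWORD_SALT = b"example-salt"


def hash_password(password: str) -> str:
    """One-way hash stored in the profile for a password-protected object."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 10_000).hex()


def sign_profile(profile: dict, key: bytes = PROFILE_KEY) -> dict:
    """Server side: canonical JSON body plus an HMAC-SHA256 tag over it."""
    body = json.dumps(profile, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def load_profile(signed: dict, key: bytes = PROFILE_KEY) -> dict:
    """Daemon side: reject a profile whose tag no longer matches its body."""
    expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        raise ValueError("desktop profile failed integrity check")
    return json.loads(signed["body"])


class Daemon:
    """Mediates every resource request against the verified profile and logs it."""

    def __init__(self, user: str, signed_profile: dict):
        self.user = user
        self.log = []
        self.profile = load_profile(signed_profile)  # raises if the list was altered
        if self.profile["user"] != user:
            raise ValueError("profile does not belong to this user")
        self._record("desktop_start")

    def _record(self, event: str, **fields) -> None:
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 "user": self.user, "event": event}
        entry.update(fields)
        self.log.append(entry)

    def request(self, resource: str, action: str,
                password: Optional[str] = None) -> bool:
        obj = self.profile["objects"].get(resource)
        if obj is None or action not in obj["privileges"]:
            self._record("denied", resource=resource, action=action)
            return False
        stored = obj.get("password_hash")
        if stored is not None:
            # Password usage is logged; the password itself never is.
            ok = password is not None and hmac.compare_digest(stored, hash_password(password))
            self._record("password_use", resource=resource, ok=ok)
            if not ok:
                return False
        self._record("allowed", resource=resource, action=action)
        return True

    def exit(self) -> None:
        self._record("desktop_exit")


# Constructed sample profile, as the server might publish it for user "alice".
SAMPLE_PROFILE = {
    "user": "alice",
    "objects": {
        r"\\fileserver\finance": {"privileges": ["read"],
                                 "password_hash": hash_password("fin-2024")},
        r"C:\Apps\wp.exe": {"privileges": ["execute"]},
    },
}


def demo() -> list:
    d = Daemon("alice", sign_profile(SAMPLE_PROFILE))
    results = [
        d.request(r"C:\Apps\wp.exe", "execute"),                         # True
        d.request(r"\\fileserver\finance", "write"),                     # False: no privilege
        d.request(r"\\fileserver\finance", "read", password="guess"),    # False: wrong password
        d.request(r"\\fileserver\finance", "read", password="fin-2024"), # True
    ]
    d.exit()
    return results


if __name__ == "__main__":
    print(demo())
```

The integrity tag is what closes the gap the related-art section describes: a secondary process that edits the stored resource list on the workstation cannot produce a valid tag without the key, so the daemon refuses to start the desktop from the altered copy rather than trusting it. The log records that a password was used and whether it was accepted, but never the password value.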
The present invention provides several significant advantages. The network administrator may standardize desktops quickly and uniformly by manipulating the server's database of personal desktop profiles, or by modifying common desktop objects which are stored on the server. Users may also be mobile across the network, because regardless of which machine they use, the PDF will load their personal desktop file from the network server. The Daemon further protects the desktop from inadvertent damage, and prevents intentional alteration of the network architecture.
The present invention, in one form, relates to .
The present invention, in another form, is a method for .
Further aspects of the present invention involve .
Another aspect of the invention relates to a machine-readable program storage device for storing encoded instructions for a method of providing user access to resources in a network of computers including a server and a workstation according to the foregoing method.