1. Technical Field
The present disclosure generally relates to input/output devices and in particular to techniques for dynamic access control of input/output devices of information handling systems.
2. Description of the Related Art
As the value and use of information continue to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Active Directory™ (AD), which is included in most Windows Server™ operating systems (OSs), is a directory service for Windows™ domain networks. AD provides a central location for network administration and security. Server computers that run AD are usually referred to as AD domain controllers. An AD domain controller authenticates and authorizes all users and computers in a Windows™ domain network by assigning and enforcing security policies for all computer systems and by installing and/or updating software. For example, when a user logs into a client computer system (client) that is part of a Windows™ domain network, AD checks the submitted credentials and determines the user's group memberships, for example whether the user is a system administrator or a normal user. In one or more versions, AD utilizes the lightweight directory access protocol (LDAP), Kerberos, and the domain name system (DNS).
As is known, LDAP is an application protocol for accessing and maintaining distributed directory information services over an Internet protocol (IP) network. Kerberos™ is a computer network authentication protocol that employs “tickets” to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. That is, Kerberos™ provides for mutual authentication between a user of a client and a server computer system (server), i.e., both the client and the server verify each other's identity. As is also known, the DNS is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. The DNS associates various information with domain names assigned to each of the participating entities. A domain name service resolves domain name queries into Internet protocol (IP) addresses for the purpose of locating computer services and devices. The DNS is an essential component of the functionality of the Internet, as the DNS provides a worldwide, distributed name resolution service.
In various organizations (e.g., corporations or governmental entities), central repositories (e.g., servers that implement AD and/or LDAP) store various user information, for example, user details, the groups that users belong to, and the policies that are applicable to the users and/or the groups. Policies defined in a central repository are automatically applied to each user when the user connects (via a client) to the central repository. Individual user authentication and authorization are also initiated when a user (via a client) connects to a central repository. Conventionally, an information technology (IT) administrator has employed one of two options to control the usage of input/output (I/O) devices of an organization. For example, an IT administrator may disable access to some removable I/O devices based on a group policy object (GPO). A group policy, in part, controls what users of a group can and cannot do on a computer system. For example, a group policy may: enforce a password complexity policy that prevents users from choosing an overly simple password; prohibit unidentified users from connecting to a network via remote computers or allow unidentified users to connect to a network via remote computers; block access to the Windows Task Manager™; and/or restrict access to certain folders.
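The GPO-based device control described above is, on a Windows client, ultimately a set of registry-backed policy values that the removable storage driver stack consults. The following PowerShell script is an added example, not code from the patent or from Microsoft; it audits and sets the "Removable Storage Access" policy through those values. The registry path and device setup class GUIDs are the documented policy locations; the function names are this example's own.

```powershell
# Added example (not part of the patent text): audit and set the Windows
# "Removable Storage Access" policy through its registry-backed values.
# On a domain member these values are normally written by a GPO from the
# domain controller, and a local change is overwritten at the next policy
# refresh; on a standalone host they take effect locally.
# Run from an elevated session: HKLM policy keys are writable only by administrators.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device setup classes the policy can restrict, keyed by the GUID the policy uses.
$DeviceClasses = [ordered]@{
    '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable disks (USB mass storage)'
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
    '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy drives'
    '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' = 'Tape drives'
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}' = 'WPD devices (phones, media players)'
}

function Get-RemovableStoragePolicy {
    # Report the deny flags per class. Deny_All at the root overrides the per-class flags.
    $denyAll = 0
    if (Test-Path $PolicyRoot) {
        $denyAll = (Get-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
        if ($null -eq $denyAll) { $denyAll = 0 }
    }
    foreach ($guid in $DeviceClasses.Keys) {
        $classKey = Join-Path $PolicyRoot $guid
        $flags = @{ Deny_Read = 0; Deny_Write = 0; Deny_Execute = 0 }
        if (Test-Path $classKey) {
            $props = Get-ItemProperty -Path $classKey
            foreach ($name in @($flags.Keys)) {
                if ($null -ne $props.$name) { $flags[$name] = [int]$props.$name }
            }
        }
        [pscustomobject]@{
            Class       = $DeviceClasses[$guid]
            Guid        = $guid
            DenyAll     = [bool]$denyAll
            DenyRead    = [bool]$flags.Deny_Read
            DenyWrite   = [bool]$flags.Deny_Write
            DenyExecute = [bool]$flags.Deny_Execute
        }
    }
}

function Set-RemovableStoragePolicy {
    # Set or clear one deny flag (Deny_Read, Deny_Write, Deny_Execute) for one device class.
    param(
        [Parameter(Mandatory)][ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')][string]$ClassGuid,
        [Parameter(Mandatory)][ValidateSet('Deny_Read', 'Deny_Write', 'Deny_Execute')][string]$Flag,
        [bool]$Deny = $true
    )
    $classKey = Join-Path $PolicyRoot $ClassGuid
    if (-not (Test-Path $classKey)) { New-Item -Path $classKey -Force | Out-Null }
    New-ItemProperty -Path $classKey -Name $Flag -PropertyType DWord -Value ([int]$Deny) -Force | Out-Null
}

function Set-RemovableStorageDenyAll {
    # Block every removable storage class at once, or lift that block.
    param([bool]$Deny = $true)
    if (-not (Test-Path $PolicyRoot)) { New-Item -Path $PolicyRoot -Force | Out-Null }
    New-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -PropertyType DWord -Value ([int]$Deny) -Force | Out-Null
}

# Usage: make USB mass storage read-only (a common data-exfiltration control), then review.
Set-RemovableStoragePolicy -ClassGuid '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}' -Flag 'Deny_Write'
Get-RemovableStoragePolicy | Format-Table -AutoSize
```

The script illustrates the limitation the text goes on to describe: the policy is a fixed set of values per class, so tightening or relaxing it for a new device type means editing the GPO and waiting for every client to refresh policy; nothing in this mechanism consults the device or the system's runtime state when the decision is made.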
As another example, basic input/output system (BIOS) configuration tools may be utilized to configure a BIOS to disable access to some removable I/O devices, prior to or following operating system (OS) start-up. It should be appreciated that every time a device control policy is updated or new I/O devices are added, a system configuration update needs to be performed across all computer systems in the organization. It should also be appreciated that the two conventional options for controlling usage of I/O devices cannot be used to control system properties dynamically.