1. Technical Field
The present invention relates in general to data processing and in particular to password protection of data processing systems. Still more particularly, the present invention relates to a method and system for providing password protection for data processing systems through the use of limited-use machine-specific passwords.
2. Description of the Related Art
A typical corporate environment includes a distributed collection of laptop and/or desktop computers that are each assigned to a particular user who is responsible for his or her computer. Even though the individual users are entrusted with "ownership" of their respective machines, the computers are all typically administered by a centralized administrative department. Frequently, the administrative department, prior to distribution of a computer to a user, initializes the computer with hardware settings, software configurations, and other critical parameters that it is desirable for the user not to alter. For this reason, in addition to conventional power-on passwords (POPs), such centrally administered computers can also have a secondary administrative password that must be entered into the computer before the critical settings of the computer can be changed. These administrative passwords are given to users only as needed, typically when the administrative department's help desk is assisting a user in rectifying a computer problem.
In order to enhance the security of administrative passwords, it is desirable for the administrative password of each computer in a collection of computers to be unique. However, the administrative password for a computer should not be related to the computer in a manner that permits the administrative password to be easily deduced. The first co-pending application referenced above describes a method and apparatus for establishing administrative passwords that satisfies these requirements by providing computer-specific administrative passwords that cannot easily be deduced from information known about the computer.
Despite the high level of administrative password security provided by the invention described in the first co-pending application referenced above, once a user has been given the administrative password for his computer, the user is thereafter able to reconfigure his computer at will. The present invention recognizes that it would also be desirable and useful to limit the ability of a user to reconfigure his computer once the user is informed of the administrative password for the computer.
The present invention satisfies this need by providing a method and system for enforcing password protection of a computer system that limits reuse of an administrative password, so that a user can be given only limited access to the administrative password that controls reconfiguration of the computer.
In accordance with the present invention, features of a data processing system, such as its configuration, are protected utilizing a machine-specific limited-life password. The data processing system includes execution resources for executing a watchdog program, a limited-life value generator, and non-volatile storage that stores a machine-specific value at least partially derived from relatively unique information associated with the data processing system. In response to each attempted access to the protected features of the data processing system, the watchdog program generates at least one machine-specific limited-life password from the machine-specific value and a limited-life value generated by the limited-life value generator. The watchdog program allows access to the protected features in response to entry of a valid machine-specific limited-life password and otherwise denies access. In accordance with the present invention, the limited-life value can represent a timestamp that limits the duration for which the machine-specific limited-life password is valid, or a nonce that limits the number of times that the machine-specific limited-life password can be used.
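The following is an added illustration of the scheme just summarized; it is not code from the patent or from its assignee. It models the three parts named above (the stored machine-specific value, the limited-life value generator in timestamp and nonce modes, and the watchdog that regenerates and checks the password on every access attempt) together with the help desk side that computes the same password from the same inputs. The concrete derivation is an assumption made for the example: the machine-specific value is an HMAC-SHA256 of the serial number under an administrative master secret, the password is the first 8 Base32 characters of an HMAC-SHA256 of the limited-life value under the machine-specific value, and a timestamp window is 15 minutes. The patent text specifies none of these; the serial numbers and secrets are constructed sample data.

```python
"""Model of a machine-specific limited-life administrative password.

Added example, not the patent's own construction. The HMAC-SHA256 derivations,
the 8-character Base32 password and the 15-minute window are illustrative
assumptions chosen so the scheme can be run end to end.
"""
import base64
import hashlib
import hmac

PASSWORD_CHARS = 8          # assumed: characters the user types at the prompt
WINDOW_SECONDS = 15 * 60    # assumed: lifetime of a timestamp-based password


def machine_specific_value(master_secret: bytes, machine_info: bytes) -> bytes:
    """Value written to non-volatile storage before the machine is issued.

    It is derived from 'relatively unique' machine information (a serial number
    here) keyed with a secret held only by the administrative department, so it
    cannot be deduced from the machine information alone (assumed construction).
    """
    return hmac.new(master_secret, machine_info, hashlib.sha256).digest()


def limited_life_password(machine_value: bytes, limited_life_value: int) -> str:
    """The single password valid for this machine and this window or nonce."""
    tag = hmac.new(machine_value, limited_life_value.to_bytes(8, "big"),
                   hashlib.sha256).digest()
    return base64.b32encode(tag)[:PASSWORD_CHARS].decode()


def helpdesk_password(master_secret: bytes, machine_info: bytes,
                      limited_life_value: int) -> str:
    """What the help desk reads out to the user: it recomputes the machine value
    from the master secret, so nothing machine-specific need be stored centrally."""
    return limited_life_password(machine_specific_value(master_secret, machine_info),
                                 limited_life_value)


class Watchdog:
    """Guards the protected features of one data processing system."""

    def __init__(self, machine_value: bytes, mode: str):
        if mode not in ("timestamp", "nonce"):
            raise ValueError("mode must be 'timestamp' or 'nonce'")
        self.machine_value = machine_value   # read from non-volatile storage
        self.mode = mode
        self.nonce = 0                       # would also live in NVRAM (assumed)

    def limited_life_value(self, now: int) -> int:
        """Limited-life value generator: a time window number or a use counter."""
        if self.mode == "timestamp":
            return now // WINDOW_SECONDS
        return self.nonce

    def attempt_access(self, entered: str, now: int) -> bool:
        """Regenerate the expected password for this attempt and compare it in
        constant time. A consumed nonce password is never accepted again."""
        expected = limited_life_password(self.machine_value,
                                         self.limited_life_value(now))
        if not hmac.compare_digest(expected, entered):
            return False
        if self.mode == "nonce":
            self.nonce += 1                  # password used up; advance the counter
        return True


def demo() -> dict:
    """Run both modes against constructed data and return the access decisions."""
    master = b"constructed-admin-master-secret"
    serial_a, serial_b = b"SN-000001", b"SN-000002"   # constructed serial numbers
    mv_a = machine_specific_value(master, serial_a)
    t0 = 1_700_000_000                                 # constructed clock reading

    # Timestamp mode: the password the help desk gives at t0 works inside the
    # same window, expires after it, and does not work on a different machine.
    wd_time = Watchdog(mv_a, "timestamp")
    pw_now = helpdesk_password(master, serial_a, t0 // WINDOW_SECONDS)
    pw_other_machine = helpdesk_password(master, serial_b, t0 // WINDOW_SECONDS)
    results = {
        "time_in_window": wd_time.attempt_access(pw_now, t0 + 60),
        "time_expired": wd_time.attempt_access(pw_now, t0 + 2 * WINDOW_SECONDS),
        "time_wrong_machine": wd_time.attempt_access(pw_other_machine, t0 + 60),
    }

    # Nonce mode: each password works exactly once; the next needs the next nonce.
    wd_nonce = Watchdog(mv_a, "nonce")
    pw_0 = helpdesk_password(master, serial_a, 0)
    results["nonce_first_use"] = wd_nonce.attempt_access(pw_0, t0)
    results["nonce_replay"] = wd_nonce.attempt_access(pw_0, t0)
    results["nonce_next"] = wd_nonce.attempt_access(
        helpdesk_password(master, serial_a, 1), t0)
    return results
```

The timestamp mode accepts only the current window, so a password read out seconds before a window boundary fails immediately; a deployment would normally also accept the adjacent window to tolerate that and small clock skew, at the cost of a slightly longer effective lifetime. In nonce mode the counter must be persisted with the machine-specific value, since a reset of the counter would revive every previously issued password.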
All objects, features, and advantages of the present invention will become apparent in the following detailed written description.