1. Field of the Invention
This invention pertains in general to computer security, and more specifically to managing computer hygiene by applying differing security policies to different users using the same computer.
2. Description of the Related Art
Computer systems are continually threatened by a risk of attack from malicious computer code, also known as “malware.” Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing web sites. Malicious code can spread through a variety of different routes. For example, malicious code can spread via an email message or when a user inserts a disk or other infected medium. Malware can also access and cause damage to a user's computer when a user installs new programs that are infected, visits untrustworthy websites, downloads suspicious files, or otherwise takes actions that expose a computer to malware risks.
In a corporate environment, managing workstation security problems can be a great challenge. Multiple users often share a single computer, subjecting that computer to different levels of malware risk. While certain users may apply sound security practices, others may regularly engage in behaviors that open the computer up to infection by malicious code and detract from the overall hygiene of that machine. For example, downloading or installing untrustworthy files, visiting suspicious websites, opening risky email attachments, applying poor password protection practices, etc. can all lead to malware infections. To manage different levels of risk in these multi-user scenarios, companies are often forced to limit all actions that can be taken using a given workstation. Users may be prohibited, when using that computer, from visiting certain websites, installing certain programs of unknown reputation, or performing other actions that are considered risky. Even users who carefully adhere to security guidelines can be affected because security policies are commonly applied equally across all users. This can lead to frustration amongst the users and limit productivity in the company since the actions that these good-hygiene users can take on the workstation are limited due to the poor computer-use hygiene of other users.
Within an enterprise, security policies are also typically applied across all computers regardless of the level of security or hygiene of a particular computer. Even on a machine for which security patches are regularly downloaded and kept current, user account controls are enabled, passwords are required to be regularly changed, etc., the freedom of its users is limited. Such a computer is commonly treated the same as all other machines, just as good-hygiene users and poor-hygiene users are treated equally. The activities that users can perform on that machine are restricted to the same degree as on other less-secure machines.
In the current multi-user operating system environments with enterprise-roaming users, it can be a problem to apply the same level of security policies or restrictions to a given computer irrespective of the user. Similarly, the hygiene of a given computer should also be taken into account so that all computers do not have to be equally restricted based on security policies. Therefore, there is a need in the art for a solution that separates the user's actions and responsibility for the overall hygiene of a computer from the administrator's responsibilities and actions.