Automating software security restrictions on system resources

Information

  • Patent Application: 20070209076
  • Publication Number: 20070209076
  • Date Filed: March 02, 2006
  • Date Published: September 06, 2007
Abstract
Security components of managed computers are configured using inoculation data. Inoculation data can be retrieved from an inoculation data provider. The inoculation data provider analyzes unauthorized software applications to develop inoculation data. The inoculation data configures the security component to deny access to resources to unauthorized software applications. Inoculation data can be embedded into a script, which is distributed via a management protocol to one or more managed computers from a management computer. Resources can include files, storage paths, memory, registry keys, processor priority, services, dynamic link libraries, archives, browser cookies, and/or ActiveX controls, Java applets, or classes thereof.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the invention can be better understood with reference to the following drawings. The components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present invention.

FIG. 1 is a block diagram illustrating the environment of the method for automating the creation of scripts including inoculation data.

FIG. 2 is a block diagram illustrating one embodiment of the managed target computer system of FIG. 1.

FIG. 3 is a block diagram illustrating one embodiment of database 140 from FIG. 1.

FIG. 4 is a block diagram illustrating the correspondence between database 140 of FIG. 1 and software restriction 175 of FIG. 1.

FIG. 5 is a block diagram illustrating the registry of the managed target computer system of FIG. 1.

FIG. 6 is a block diagram illustrating the format of script 170 from FIG. 1.

FIG. 7 is a block diagram illustrating the parameters of a registry entry for a security setting as contained in the script of FIG. 6.

FIG. 8 is a block diagram illustrating the DACL string 730 of FIG. 7.

FIG. 9 is a flowchart diagram illustrating the translation process performed by the script generator 160 of FIG. 1.

FIG. 10 is a flowchart diagram of the WriteRegistryKeysSection subroutine 930 of FIG. 9.

FIG. 11 is a flowchart diagram of the WriteFileSecuritySection subroutine 940 of FIG. 9.

FIG. 12 is a flowchart diagram of the WriteServicesSection subroutine 950 of FIG. 9.

FIG. 13 is a block diagram of a general-purpose computer that can be used to implement the method for automating the creation of scripts including inoculation data.
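As an added illustration of the translation the script generator performs (example code written for this page, not taken from the patent): inoculation records for unauthorized applications are turned into the registry-key, file-security and services sections of a script, each entry carrying a DACL string that denies the resource to the application while leaving administrators in control. The section names, the DACL string syntax (SDDL) and the mode and startup codes are assumed to be those of a Windows security template, which the patent does not specify; the records, SIDs and the `Inoculation` type are constructed here.

```python
from dataclasses import dataclass, field
# SDDL (security descriptor string) pieces: "D"=deny ACE, "A"=allow ACE,
# "OICI"=inherit to child objects/containers, "GA"=generic all,
# "WD"=Everyone, "BA"=Built-in Administrators.
DENY_EVERYONE = "(D;OICI;GA;;;WD)"
ALLOW_ADMINS = "(A;OICI;GA;;;BA)"
HIVES = ("MACHINE\\", "USERS\\", "CLASSES_ROOT\\")  # template hive prefixes

@dataclass
class Inoculation:
    """Constructed inoculation record for one unauthorized application."""
    name: str
    registry_keys: list = field(default_factory=list)
    file_paths: list = field(default_factory=list)
    services: list = field(default_factory=list)
    activex_clsids: list = field(default_factory=list)

def dacl_string():
    """Deny Everyone but keep administrators; the deny ACE comes first."""
    return "D:" + DENY_EVERYONE + ALLOW_ADMINS

def registry_entries(inocs):
    """[Registry Keys] lines: "key",mode,"SDDL" (mode 0 = propagate, assumed)."""
    keys = []
    for inoc in inocs:
        keys += inoc.registry_keys
        # An ActiveX control is restricted through its COM registration key.
        keys += [f"CLASSES_ROOT\\CLSID\\{c}" for c in inoc.activex_clsids]
    for k in keys:  # reject keys the template format cannot express
        if not k.startswith(HIVES) or '"' in k:
            raise ValueError(f"bad registry key in inoculation data: {k!r}")
    return [f'"{k}",0,"{dacl_string()}"' for k in dict.fromkeys(keys)]

def file_entries(inocs):
    """[File Security] lines in the same "path",mode,"SDDL" form."""
    paths = dict.fromkeys(p for i in inocs for p in i.file_paths)
    return [f'"{p}",0,"{dacl_string()}"' for p in paths]

def service_entries(inocs):
    """[Service General Setting] lines: name,startup,"SDDL"; 4 = disabled."""
    names = dict.fromkeys(s for i in inocs for s in i.services)
    return [f'{s},4,"{dacl_string()}"' for s in names]

def generate_script(inocs):
    """Translate inoculation records into one security-template script."""
    out = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"',
           "Revision=1", "[Registry Keys]", *registry_entries(inocs),
           "[File Security]", *file_entries(inocs),
           "[Service General Setting]", *service_entries(inocs)]
    return "\n".join(out) + "\n"
```

Duplicate resources across records are written once, and a registry key outside the template's hive prefixes is rejected before anything is emitted, so a malformed inoculation record cannot produce a half-written script.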


Claims
  • 1. A method of enforcing a software restriction on at least one managed computer system, the method comprising: retrieving inoculation data from an inoculation data provider, wherein the inoculation data represents an access restriction of at least one resource for at least one unauthorized software application; receiving a selection including at least one managed computer system; communicating the inoculation data to the selection of at least one managed computer system; and configuring each of the selection of at least one managed computer system to configure its security component according to the inoculation data, such that the security component blocks the unauthorized software application from accessing the resource of the managed computer system.
  • 2. The method of claim 1, wherein the inoculation data is embedded in a script adapted to be executed by a managed computer system.
  • 3. The method of claim 2, wherein the script is adapted to add inoculation data to a configuration database of the managed computer system.
  • 4. The method of claim 2, wherein the script is created by the inoculation data provider.
  • 5. The method of claim 1, wherein communicating the inoculation data utilizes a management protocol.
  • 6. The method of claim 1, wherein the resource includes memory of the managed computer system.
  • 7. The method of claim 1, wherein the resource includes a service of the managed computer system.
  • 8. The method of claim 1, wherein the resource includes configuration data of the managed computer system.
  • 9. The method of claim 1, wherein the resource includes a storage path of the managed computer system.
  • 10. The method of claim 1, wherein the resource includes a dynamic link library of the managed computer system.
  • 11. The method of claim 1, wherein the resource includes an archive of the managed computer system.
  • 12. The method of claim 1, wherein the resource includes processor priority of the managed computer system.
  • 13. The method of claim 1, wherein the resource includes a browser cookie of the managed computer system.
  • 14. The method of claim 1, wherein the inoculation data specifies an ActiveX class identification associated with the unauthorized software application.
  • 15. The method of claim 1, wherein the inoculation data specifies a Java applet class identification associated with the unauthorized software application.
  • 16. The method of claim 1, wherein the inoculation data is adapted to configure the security component of the managed computer system to deny access to the resource to the unauthorized software application.
  • 17. The method of claim 1, wherein the inoculation data is adapted to configure the security component of the managed computer system to allow access to the resource to an authorized software application.
  • 18. A method for automating creation of a script for use with a managed computer system, the method comprising the steps of: retrieving inoculation data that describes a resource on a managed computer system to which an unauthorized software application is to be denied access; and creating an entry in a script based on the inoculation data, the entry corresponding to a security component setting on the target computer system, the setting adapted to control access to the resource on the managed computer system.
  • 19. The method of claim 18, wherein the security component setting is adapted to instruct a security component of the managed computer system to deny access to the resource to the unauthorized software application.
  • 20. The method of claim 18, wherein the security component setting is adapted to instruct a security component of the managed computer system to allow access to the resource to an authorized software application.
  • 21. The method of claim 18, further comprising the step of: distributing the script to the managed computer system over a network via a management protocol.
  • 22. The method of claim 18, further comprising the step of: executing a system administrator utility program to distribute the script to the managed computer system.
  • 23. The method of claim 18, wherein communicating the inoculation data utilizes a management protocol.
  • 24. The method of claim 18, wherein the resource includes memory of the managed computer system.
  • 25. The method of claim 18, wherein the resource includes a service of the managed computer system.
  • 26. The method of claim 18, wherein the resource includes configuration data of the managed computer system.
  • 27. The method of claim 18, wherein the resource includes a storage path of the managed computer system.
  • 28. The method of claim 18, wherein the resource includes a dynamic link library of the managed computer system.
  • 29. The method of claim 18, wherein the resource includes an archive of the managed computer system.
  • 30. The method of claim 18, wherein the resource includes processor priority of the managed computer system.
  • 31. The method of claim 18, wherein the resource includes a browser cookie of the managed computer system.
  • 32. The method of claim 18, wherein the inoculation data specifies an ActiveX class identification associated with the unauthorized software application.
  • 33. The method of claim 18, wherein the inoculation data specifies a Java applet class identification associated with the unauthorized software application.