1. Field of the Invention
Various inventive embodiments disclosed herein relate generally to computer security applications. In particular, embodiments disclosed herein relate to a system for and methods of controlling user access and/or visibility to directories and files of a computer.
2. Description of the Related Art
In a shared computing environment, multiple users are accessing a common computer, such as a server, either directly or remotely via a network connection. Often in a shared computing environment most of the computer's files, programs, processes, and resources may be accessed or browsed by the users. However, certain files, programs, processes, and resources may be sensitive in nature and it may be desired to restrict users' access. Therefore, security measures are implemented on shared computers that attempt to provide isolation between users and thereby prevent one user from accessing another user's data and/or from performing any unauthorized actions. Currently, computer operating systems provide security features by which an administrator of a shared computer may configure each user (i.e., grant permissions or specify restrictions). However, there can be a great deal of complexity associated with using these security features. Therefore, the process of configuring the security settings of multiple users may be very difficult and time consuming.
Various inventive embodiments disclosed herein, both as to its organization and manner of operation, together with further objectives and advantages, may be best understood by reference to the following description, taken in connection with the accompanying drawings as set forth below:
The disclosure provides a system with improved security features for controlling user access and/or visibility to directories and files, and more particularly to limiting or restricting user or group access and/or visibility to directories and files of a computer. The system of the invention exhibits numerous advantages over existing systems. In various embodiments, the system and associated methods may provide a simple process by which an administrator may specify a list of allowable directories and files. Further, in some embodiments, the system of the invention may be configured such that a data structure of allowable directories and files is more readily available to an operating system kernel module. The system and methods of the invention provide isolation between different users and sessions, such that one user accessing a shared computer cannot access another user's data and/or perform any unauthorized actions.
This disclosure may relate to application publishing. The functionality of a server application shall be visible to and accessible by a client via a network. For example, the server application may be a computer-aided design (CAD) application, such as AutoCAD (Autodesk, Inc., San Rafael, Calif., USA) or Cadence Virtuoso (Cadence Design Systems, San Jose, Calif.); a medical clinical workflow application such as Symbia.net (Siemens AG, Munich, Germany); an interactive mapping application such as Google Earth (Google, Inc.); or a 3D game. The functionality of a server application may, for example, be accessed from a client using a process herein known as application publishing, which is currently supported by products such as GraphOn GO-Global, Microsoft Remote Desktop Services and Citrix XenApp. Such application publishing may be performed in accordance with teachings of commonly-owned U.S. Pat. No. 5,831,609, filed Jun. 6, 1995, entitled “Method and system for dynamic translation between different graphical user interface systems,” which is incorporated by reference as though fully set forth herein.
Further, the system and methods of the invention may be used to restrict or limit the computer file trees that are accessible and/or viewable by a user. For example, the invention allows users to run applications while at the same time restricts or limits users from freely browsing the hard drive system of a shared computer. In summary, aspects of the invention include (1) directory and/or file access restrictions and (2) directory and/or file visibility restrictions.
There is a difference between allowing visibility to a set of folders and allowing access to the data or files within the folders. An aspect of the invention is that it may be used to restrict users from viewing, for example, folders that contain applications, but at the same time allow users to run the processes that may be contained in those directories. In one example, the invention may be used to block a wildcard search of the Windows System32 directory, while at the same time allowing users to run the processes (e.g., User32.dll) in the Windows System32 directory.
Although not explicitly shown in
Kernel-mode address space 120 includes a kernel file system driver stack 124 and a file access manager driver 128. Kernel file system driver stack 124 is a chain of one or more drivers that receive IO requests. File access manager driver 128 may be implemented in the form of a kernel dynamic link library (DLL) or driver. Kernel file system driver stack 124 communicates with file access manager driver 128.
User-mode address space 150 includes any number of session processes 154; a public file whitelist 158; a public file whitelist manager 162; a user/group file whitelist 170, which is a private whitelist; and a user/group file whitelist manager 174. Public file whitelist 158 and user/group file whitelist 170 are maintained in any data storage medium (not shown) of computer 100. The communication path between session processes 154 and kernel file system driver stack 124 signifies that each parent process is capable of passing process directory and/or file information (e.g., the name of the process, directory, or file; or file path) to kernel file system driver stack 124 during operation. The communication paths from user/group file whitelist 170 to user/group file whitelist manager 174 and from public file whitelist 158 to public file whitelist manager 162 signify that both whitelists can be read from storage and information therein can be provided to file access manager driver 128 during operation.
A session process 154 is any application and/or program that is started in a user's session and attempts to access a directory or file. For example, the access request may be user-driven via a file open dialog or by internal processes of an application that is running. When one of session processes 154 attempts to access a certain directory or file on computer 100, the request is communicated to file access manager driver 128 through kernel-mode address space 120, and more particularly through kernel file system driver stack 124.
The file access manager driver 128 is part of kernel file system driver stack 124. More specifically, file access manager driver 128 is a filter driver within kernel file system driver stack 124. Computer OSs allow filter drivers to be installed within the file system driver stack. Filter drivers receive requests from upstream file drivers in the stack and then process the requests and pass them to the next downstream file driver in the stack. Generally, a file system filter driver intercepts requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. Examples of file system filter drivers include anti-virus filters, backup agents, and encryption products.
Accordingly, file access manager driver 128, which is a filter driver, receives notification of a directory or file access request via kernel file system driver stack 124. File access manager driver 128 processes the access request and either allows the request to be passed down through the kernel file system driver stack 124 or denies the request and returns a failure. In this way, as access to a certain directory or file is requested, file access manager driver 128 performs a file filtering function according to the invention. More particularly, file access manager driver 128 is used to enforce access-restrictions and visibility-restrictions on directories and files of computer 100.
Public file whitelist 158 is a resource (e.g., a file or files) for storing a list of directories and files of computer 100 that may be accessed by all users/groups 190. Such a resource is referred to in the art as a centralized whitelist. The contents of public file whitelist 158 are set up by an administrator.
Public file whitelist manager 162 starts when computer 100 boots up. Public file whitelist manager 162 is responsible for communicating public file whitelist 158 to file access manager driver 128 to be stored in global memory 136 that can be accessed from any process. Public file whitelist manager 162 reads public file whitelist 158 from storage, adds to the whitelist any directories that an administrator has published to all users/groups 190, and then sends public file whitelist 158 to file access manager driver 128. As such, the act of publishing a directory automatically grants all users/groups 190 rights to that directory.
User/group file whitelist 170 is a resource (e.g., a file or files) for storing a list of allowed directories and files of computer 100 for each individual user or group 190. User/group file whitelist 170 may include an association between directories and files and users or groups 190. It is further expressly contemplated that user/group file whitelist 170 may instead be a blacklist; that is, a resource storing only those directories and files that are not allowed to be accessed or viewed by a user/group 190. The contents of user/group file whitelist 170 are set up by an administrator. The administrator may make manual entries to user/group file whitelist 170 and/or automatically enable a user to access directories and files that an administrator has published to a user or group 190 (e.g., directories and files that are referenced by shortcuts included in the user's profile).
User/group file whitelist manager 174 may be the program that manages initialization of the user's environment. User/group file whitelist manager 174 loads user/group file whitelist 170 from storage, adds to the whitelist directories that are published to the user (or groups to which the user belongs), and sends user/group file whitelist 170 to file access manager driver 128 to be stored in user data 132. Public file whitelist 158 can be edited by public file whitelist manager 162 or by the logon process at user/group file whitelist manager 174. By contrast, the user/group file whitelist 170 can only be edited by the logon process at user/group file whitelist manager 174. For the purposes of the invention, public file whitelist manager 162 and user/group file whitelist manager 174 may be implemented as separate processes or as a single process.
At step 210, an administrator (or other user with similar rights) uses an input device (not shown) of computer 100 to enter information regarding directories and files that are required for all users/groups 190 to access computer 100. An example of one such file on a Microsoft Windows machine is user32.dll.
At step 220, the administrator uses an input device (not shown) of computer 100 to enter information regarding directories and files that may be invoked by all users/groups 190 of computer 100. That is, in the process of configuring computer 100, the administrator publishes a set of directories and file paths to all users/groups 190. An example of one such directory is the Public Documents directory on a Windows 7 computer. The act of publishing a directory or file path to all users/groups 190 automatically grants all users/groups 190 rights to that directory or file path, as described in step 440 of method 400 of
Step 220 provides a benefit over conventional systems in which there is no connection between the process of publishing directories and files to a user and restricting the user from accessing and/or viewing directories and files that are not published. For example, administrators can publish directories and files to users on Windows computers using Group Policy Preferences and grant/deny users access and/or visibility to directories and files using Group Policy. With these methods, however, administrators must publish the directories and files and then separately perform manual steps to grant the user rights to the published directories and files and restrict the user from accessing and/or viewing directories and files that are not published. In step 220, administrators must only publish the directories and files; the system then automatically grants the user access to the published directories and files and denies the user access to all other directories and files that are not in public file whitelist 158.
At step 230, the administrator saves the set of directories and files defined at step 210 in the form of public file whitelist 158 to storage medium (not shown) of computer 100. Optionally, the administrator may also save the list of published directories and files defined at step 220 in public file whitelist 158 to storage medium of computer 100, but in order to avoid data duplication, published directories and files are typically added to public file whitelist 158 at step 440 of method 400 of
At step 310, an administrator (or other user with similar rights) uses an input device (not shown) of computer 100 to enter information regarding the directories and files of computer 100 that specific users or groups are allowed to access. In one example, the administrator generates a user-specific or group-specific whitelist for each user or group 190. In another example, the administrator generates one whitelist in which each program entry includes a list of the users and groups 190 that are allowed to access the directories and files.
At step 320, which may be in addition to or in place of step 310, the administrator publishes directories and files to specific users or groups 190. For example, on a Windows computer, an administrator may publish a directory of shared documents to a specific group of users using Group Policy Preferences. Like step 220 of method 200 of
In one example, the administrator specifies an allowable file path and executable name. In another example, an allowable directory can be specified and all subdirectories and files of the directory can be considered allowable.
At step 330, the administrator saves the allowable directories and files in the form of user/group file whitelist 170 to storage medium (not shown) of computer 100. In one example, each user/group file whitelist 170 is stored in an XML file in a user-specific or group-specific directory. Further, this file or directory can have read-only access properties for users or groups 190. The properties are enforced by OS 110 and prevent unauthorized modifications of user allowable directories and files.
At step 410, public file whitelist manager 162 is started on computer 100. In one example, public file whitelist manager 162 is started during the startup process of OS 110. Note that startup typically occurs prior to user authentication.
At step 420, public file whitelist manager 162 loads and initializes file access manager driver 128 if file access manager driver 128 is not already running (e.g., if file access manager driver 128 is not configured to load when OS 110 boots).
At step 430, public file whitelist manager 162 loads public file whitelist 158 from storage medium (not shown) into primary memory (not shown) of computer 100.
At step 440, based on files that are published in step 220 of method 200 of
At step 450, public file whitelist manager 162 transmits the composite public file whitelist 158 to file access manager driver 128. In so doing, the list of public allowable directories and files crosses over from user-mode address space 150 to kernel-mode address space 120.
At step 460, file access manager driver 128 stores public file whitelist 158 in global data 136 of file access manager driver 128.
The benefits of performing method 400 of
At step 510, a certain user 190 is authenticated with computer 100. This step may include a username and password check or other type of conventional or novel authentication known to one of skill. This step generally assumes that the list of allowable users has been predetermined for computer 100 and is accessible from storage.
At step 520, user/group file whitelist manager 174 reads into memory (not shown) of computer 100 the list of allowable directories and files contained in user/group file whitelist 170 that are associated with the authenticated user 190 and any groups to which the user belongs. The allowable directories and files may be read from a file into a data structure that can be quickly searched, such as an array list.
At step 530, based on information that is published in method 300 of
At step 540, user/group file whitelist manager 174 transmits the composite user/group file whitelist 170, which contains the user-specific list of allowable directories and files, to file access manager driver 128. Thus, the user/group list of allowable directories and files exists in kernel-mode address space 120.
At step 550, file access manager driver 128 stores user/group file access whitelist 170 in user data 132 of the authenticated user 190. User data 132 resides at file access manager driver 128.
The benefits of initialization method 500 include bringing user/group file whitelist 170 into kernel-mode address space 120, where it can be accessed with high efficiency during user-specific file access and file visibility enforcement methods.
At step 610, an authenticated user 190 attempts to access a directory or file path of computer 100 by initiating one of session processes 154. For example, the session process may be a word processing program, such as Microsoft Word® and the directory or file may be a document the user wishes to edit.
At step 620, kernel file system driver stack 124 transmits the directory or file path to be accessed to file access manager driver 128. Continuing the example of Microsoft Word®, kernel file system driver stack 124 transmits the file path “C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE” to file access manager driver 128.
At decision step 630, file access manager driver 128 determines whether the directory or file path is present in public file whitelist 158. For example, file access manager driver 128 interrogates the contents of public file whitelist 158 for the requested directory or file path. Continuing the example of Microsoft Word®, file access manager driver 128 interrogates the contents of public file whitelist 158 for file path=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE. If the directory or file path is present, method 600 proceeds to step 650. If the directory or file path is not present, method 600 proceeds to step 640.
At decision step 640, file access manager driver 128 determines whether the directory or file path is present in user/group file whitelist 170. For example, file access manager driver 128 interrogates the contents of user/group file whitelist 170 for the requested directory or file path. Continuing the example of Microsoft Word®, file access manager driver 128 interrogates the contents of user/group file whitelist 170 for file path=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE. If the directory or file path is present, method 600 proceeds to step 650. If the directory or file path is not present, method 600 proceeds to step 660.
According to one embodiment, public file whitelist 158 and user/group file whitelist 170 are both stored in kernel space memory. Decision steps 630 and 640 may include iterating through entries in both whitelists and, for each allowable file path entry, checking as to whether the directory or file path matches the entry. In embodiments in which the list of allowable directories and file paths is stored in any one of a plurality of formats (e.g., a file name, a directory name), checking may include a format-specific step, such as comparing file name strings, and/or iterating through a directory and comparing file name strings found therein. The iteration may return a Boolean true if the allowable process is found, otherwise returning false.
At step 650, having determined that the directory or file path is in either the public file whitelist 158 or user/group file whitelist 170, file access manager driver 128 allows the user/group 190 access to the directory or file path. That is, the access request is passed to the next driver in kernel file system driver stack 124.
At step 660, having determined that the directory or file path is not present in any whitelist, file access manager driver 128 denies the user/group 190 access and/or visibility to the directory or file path. That is, an access request failure is returned to kernel file system driver stack 124.
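An added example, not part of the patent text or of any product's code: a user-mode C model of the two-stage lookup in steps 630 to 660. It assumes case-insensitive Windows paths, directory entries that cover their subtree, and rejection of any request containing a ".." component because the model does not canonicalize paths; all type and function names and the sample whitelist entries are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative names throughout; none come from the patent or a real driver. */
typedef struct {
    const char *path;
    bool include_subtree;  /* directory entry covering subdirectories and files */
} wl_entry;

typedef struct {
    const wl_entry *entries;
    size_t count;
} whitelist;

typedef enum { ALLOW_PUBLIC, ALLOW_USER, DENY } decision;

static bool is_sep(char c) { return c == '\\' || c == '/'; }

/* True if any path component is "..". This model does not canonicalize, so a
 * request like Documents\..\..\other would otherwise pass a prefix match. */
static bool has_parent_component(const char *p)
{
    while (*p) {
        while (is_sep(*p)) p++;
        const char *start = p;
        while (*p && !is_sep(*p)) p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.') return true;
    }
    return false;
}

/* Case-insensitive comparison of a request against one entry. A directory
 * entry matches only at a separator, so "Documents" never admits
 * "DocumentsOld". */
static bool entry_matches(const wl_entry *e, const char *request)
{
    size_t n = strlen(e->path);
    while (n > 0 && is_sep(e->path[n - 1])) n--;  /* ignore trailing separator */
    for (size_t i = 0; i < n; i++) {
        char a = e->path[i], b = request[i];
        if (b == '\0') return false;               /* request shorter than entry */
        if (is_sep(a) && is_sep(b)) continue;
        if (tolower((unsigned char)a) != tolower((unsigned char)b)) return false;
    }
    if (request[n] == '\0') return true;           /* exact file or directory */
    return e->include_subtree && is_sep(request[n]);
}

static bool list_contains(const whitelist *wl, const char *request)
{
    for (size_t i = 0; wl && i < wl->count; i++)
        if (entry_matches(&wl->entries[i], request)) return true;
    return false;
}

/* Steps 630-660: public list first, then the user/group list, else deny.
 * `user` may be NULL when no user/group list has been loaded yet. */
decision check_access(const whitelist *pub, const whitelist *user,
                      const char *request)
{
    if (has_parent_component(request)) return DENY;
    if (list_contains(pub, request)) return ALLOW_PUBLIC;   /* 630 -> 650 */
    if (list_contains(user, request)) return ALLOW_USER;    /* 640 -> 650 */
    return DENY;                                            /* 660 */
}

/* Constructed sample whitelists. */
static const wl_entry PUBLIC_ENTRIES[] = {
    { "C:\\Windows\\System32\\user32.dll", false },
    { "C:\\Users\\Public\\Documents", true },
};
static const wl_entry USER_ENTRIES[] = {
    { "C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE", false },
};
static const whitelist PUBLIC_WL = {
    PUBLIC_ENTRIES, sizeof PUBLIC_ENTRIES / sizeof PUBLIC_ENTRIES[0] };
static const whitelist USER_WL = {
    USER_ENTRIES, sizeof USER_ENTRIES / sizeof USER_ENTRIES[0] };

int main(void)
{
    static const char *names[] = { "allow (public)", "allow (user/group)", "deny" };
    static const char *requests[] = {
        "C:\\Users\\Public\\Documents\\report.docx",
        "C:\\Users\\Public\\DocumentsOld\\x.txt",
        "C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE",
        "C:\\Users\\Public\\Documents\\..\\..\\alice\\notes.txt",
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-60s %s\n", requests[i],
               names[check_access(&PUBLIC_WL, &USER_WL, requests[i])]);
    return 0;
}
```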
At step 710, file access manager driver 128 acquires from OS 110 the security context of the specific user/group 190 who has initiated the request in order to apply the proper restrictions for the specific user/group 190. The security context (or security identifier) includes information for uniquely identifying each user/group 190, which exists as a result of the user login and authentication process. The security context is used to determine what directories and files the specific user/group 190 has been granted rights to access.
At decision step 712, file access manager driver 128 determines whether the security context of the specific user/group 190 is found. That is, it is determined whether the specific user/group 190 has been successfully identified. If the user's security context is found, method 700 proceeds to step 716. However, if the user's security context is not found, method 700 proceeds to decision step 714.
At decision step 714, file access manager driver 128 determines whether the request pertains to a system process, meaning any process that is not initiated in the user's session. The Windows Remote Procedure Call Service, rpcss.exe, is an example of such a process. If the process is not initiated in the user's session, then it is a system process and method 700 proceeds to step 716. However, if the process is initiated in the user's session, then it is not a system process and method 700 proceeds to step 732.
At step 716, file access manager driver 128 acquires the directory or file path associated with the request. That is, file access manager driver 128 interrogates the contents of both public file whitelist 158 and user/group file whitelist 170 for the requested directory or file path.
At decision step 718, file access manager driver 128 determines whether the directory or file path exists in the contents of either public file whitelist 158 or user/group file whitelist 170. If the directory or file path is found, method 700 proceeds to decision step 720. However, if the directory or file path is not found, method 700 proceeds to step 732.
At decision step 720, file access manager driver 128 determines whether the file path is a metadata path. Certain file paths of a computer are used exclusively by the computer's OS. An example of such a file path is a metadata path. If the file path is a metadata path, method 700 proceeds to step 734. However, if the file path is not a metadata path, method 700 proceeds to step 722.
At step 722, file access manager driver 128 interrogates user/group file whitelist 170 for the directory and/or file access permissions for the specific user/group 190.
At decision step 724, file access manager driver 128 determines whether the directory and/or file access permissions for the specific user/group 190 are present in user/group file whitelist 170. That is, file access manager driver 128 determines whether directory and/or file access is allowed for the specific user/group 190. If access is allowed, method 700 proceeds to decision step 726. However, if access is not allowed, method 700 proceeds to step 732.
At decision step 726, based on information in user/group file whitelist 170, file access manager driver 128 determines whether write access to the directory and/or file is allowed for the specific user/group 190. If write access is allowed, method 700 proceeds to decision step 734. However, if write access is not allowed, method 700 proceeds to decision step 728.
At decision step 728, based on information in user/group file whitelist 170, file access manager driver 128 determines whether read access to the directory and/or file is allowed for the specific user/group 190. If read access is allowed, method 700 proceeds to decision step 730. However, if read access is not allowed, method 700 proceeds to step 732.
At decision step 730, file access manager driver 128 determines whether the specific user/group 190 is requesting write access to the directory and/or file. If write access is requested, method 700 proceeds to step 732. However, if write access is not requested, method 700 proceeds to decision step 734.
At step 732, the request for access is denied and a failure is returned to kernel file system driver stack 124. The request is not passed to the next file driver in kernel file system driver stack 124.
At decision step 734, file access manager driver 128 determines whether the file action is a “query directory” function. That is, whether the specific user/group 190 is requesting visibility to directories and/or file paths. If it is a “query directory” function, method 700 proceeds to decision step 736. However, if it is not a “query directory” function, method 700 proceeds to step 756.
At decision step 736, file access manager driver 128 determines whether the request is a wildcard search. There are cases in which a given process will perform a “query directory” function in order to acquire a listing of files that are stored in the same directory as the application's executable file. Generally, an application cannot run if it is unable to query the files that are in the same directory in which its executable file is located. An aspect of the invention is that it allows applications to be published to a user without requiring an administrator to specifically grant access to the directories that contain the application's executable file. This step is used to automatically grant these permissions by allowing directory queries that are not a wildcard search. If a wildcard search, method 700 proceeds to decision step 738. However, if not a wildcard search, method 700 proceeds to step 756.
At decision step 738, again file access manager driver 128 determines whether the security context of the specific user/group 190 is found. That is, it is determined whether the specific user/group 190 has been successfully identified. If the user's security context is found, method 700 proceeds to decision step 740. However, if the user's security context is not found, it is likely a system request and method 700 proceeds to step 756.
At decision step 740, file access manager driver 128 determines whether the requested file path is in the same directory as the executable file of the process or application. This is another step in which access and/or visibility to directories or files that are in the directory of the process or application that is running is automatically granted to the specific user/group 190. If the requested file path is in the directory of the process or application, method 700 proceeds to step 756. However, if the requested file path is not in the directory of the process or application, method 700 proceeds to step 742.
At step 742, file access manager driver 128 interrogates user/group file whitelist 170 for the directory and/or file visibility permissions for the specific user/group 190.
At decision step 744, file access manager driver 128 determines whether the directory and/or file visibility permissions for the specific user/group 190 are present in user/group file whitelist 170. That is, file access manager driver 128 determines whether directory and/or file visibility is allowed for the specific user/group 190. If visibility is allowed, method 700 proceeds to decision step 746. However, if visibility is not allowed, method 700 proceeds to step 758.
At decision step 746, based on information in user/group file whitelist 170, file access manager driver 128 determines whether the visibility permissions for the specific user/group 190 include “allow all children.” “Children” are any files and directories contained within the specified directory. That is, whether the specific user/group 190 is allowed visibility to all children (e.g., sub-directories and files) contained in the specified directory or file path. If visibility to all children is allowed, method 700 proceeds to step 756. However, if visibility to all children is not allowed, method 700 proceeds to decision step 748.
At decision step 748, based on information in user/group file whitelist 170, file access manager driver 128 determines whether the visibility permissions for the specific user/group 190 include “allow all visible children or allow descendants.” “Descendants” are any files and directories whose paths contain the path to the specified directory. If visibility to all children or descendants is allowed, method 700 proceeds to step 755. However, if visibility to all children or descendants is not allowed, method 700 proceeds to step 758.
At step 750, because the specific user/group 190 is allowed visibility to all children or descendants (at steps 746 and 748), the underlying driver is called for a list of the wildcard paths. That is, the request is forwarded to the next file driver in kernel file system driver stack 124 and the full list of children of the requested directory is returned to file access manager driver 128.
At step 752, objects that are not in user/group file whitelist 170 are filtered out. That is, any objects not contained in user/group file whitelist 170 are removed.
At step 754, the filtered list is returned to file access manager driver 128.
At step 756, the request is passed to the next file driver in kernel file system driver stack 124.
At step 758, the request for visibility access is denied and, for example, a “file not found” message is returned to kernel file system driver stack 124. The request is not passed to the next file driver in kernel file system driver stack 124.
The present application is a continuation and claims the priority benefit of U.S. patent application Ser. No. 13/367,239 filed Feb. 6, 2012, which claims the priority benefit of U.S. provisional application No. 61/439,765 filed Feb. 4, 2011, the disclosures of which are incorporated herein by reference.
Number | Date | Country |
---|---|---|
61439765 | Feb 2011 | US |

Relation | Number | Date | Country |
---|---|---|---|
Parent | 13367239 | Feb 2012 | US |
Child | 14176895 | | US |