This invention relates to the field of computing and more particularly to a system for managing remote desktop connections to prevent unauthorized connections.
Operating systems such as Microsoft® Windows® include a connection service that is used for many functions, notably remote management of a device. In such, one using a computer is able to make what is called a remote desktop connection to a target device for remote management of a computer. Once connected, the user of the computer making the connection has access to all files and functionality of the target device.
Security for these remote desktop connections typically requires only a username and password. This is a problem because many usernames and passwords have been disclosed in data breaches or users naturally use weak passwords that can be guessed by hackers who can then connect to the target devices and access any resource on that target device or connected to that target device.
Additionally, some enterprises only want remote access from a safe computer that has proper security installed, for instance a work computer that is supplied by the enterprise. In such, given the prior art, an innocent end user could connect their home computer to a work computer using a remote desktop connection and unknowingly transfer viruses and connections from hackers to the more sensitive work computer, which, having access to enterprise resources, is able to spread the viruses or enable further connections by the hackers.
What is needed is a system that will protect the target device (e.g., a processor-based device) from unauthorized connections, even if the connecting computer has knowledge of the username and password for the target device.
Remote desktop connections are very useful, especially in corporate environments or distributed environments in which there is a bona fide reason for connecting a computer to a remote device for accessing corporate networks, remote troubleshooting, remote installation by an administrator, remote administration, etc. The system for control of remote desktop connections interfaces with the operating system that is running on the target device and periodically monitors existing remote desktop connections to determine if the connecting device (e.g., the remote computer) is authorized to connect with the target device based upon the name of the connecting device. Further, as hackers often perform their activities when users are not generally expected to be active, the system for control of remote desktop connections provides a scheduling capability that allows certain connections only during certain time periods such as 9:00 AM-5:00 PM on Mondays through Fridays.
In one embodiment, a system for computer security is disclosed including security software running on a target device having connection control data for control of the security software. Upon initialization of the security software, the security software sets a timer and when the timer expires, the security software resets the timer and the security software makes a request for status of all remote computer connections from an operating system. Responsive to the request, the operating system returns a list of all remote computer connections and, for each entry in the list of all remote computer connections, the security software determines if a connecting computer of the entry is authorized to be connected to the target device and when the security software determines that a connecting computer of the entry is unauthorized to be connected to the target device, the security software requests that the operating system of the target device disconnect a connection between the connecting computer of the entry and the target device.
In another embodiment, a method of controlling remote desktop connections to a target device is disclosed including installing security software on the target device. Upon initialization of the security software on the processor, the security software reads connection control data and periodically: obtains a list of connections from an operating system, then for each item in the list of connections, the security software uses the connection control data to determine if a connecting computer name of the item is authorized to be connected to the target device and if the connecting computer name of the item is not authorized to be connected to the target device, the security software instructs the operating system to disconnect a connection between the connecting computer and the target device.
In another embodiment, computer readable instructions providing control of remote desktop connections to a target device are disclosed, the computer readable instructions being tangibly embodied in a non-transitory storage medium of the target device and running on a processor of the target device. After the target device is initialized, the computer readable instructions read connection control data for control of connections to the target device from connecting computers and periodically: obtain a list of connections from an operating system of the target device, then for each item in the list of connections, use the connection control data to determine if a connecting computer name of the item is authorized to be connected to the target device and, when the connecting computer name of the item is not authorized to be connected to the target device, instruct the operating system to disconnect a connection between the connecting computer and the target device.
The invention can be best understood by those having ordinary skill in the art by reference to the following detailed description when considered in conjunction with the accompanying drawings in which:
Reference will now be made in detail to the presently preferred embodiments of the invention, examples of which are illustrated in the accompanying drawings. Throughout the following detailed description, the same reference numerals refer to the same elements in all figures.
Throughout this description, the term, “computer” or “target computer” or “target device” refers to any system that has a processor and runs software. One example of such is a personal computer. Another example is a smartphone or tablet. The term, “user” refers to a human that has an interest in the computer, perhaps a user who is using the computer.
In general, the user or an administrator of the system, method, and apparatus being described utilizes the control of remote desktop connections to enhance security of the target device by preventing unauthorized access of the target device as occurs when a hacker attempts to use remote desktop connections to install a virus or steal sensitive data from the target device and/or any corporate resources that are accessible by the target device.
Referring to
Once downloaded, the security software 16 accesses the connection control data, and periodically requests the current status of remote desktop connections from the operating system. The operating system returns a list of remote desktop connections. The security software 16 then uses the connection control data to determine if each connection in the list of remote desktop connections is authorized. For example, if the connection control data has a whitelist of computer names, then for each connection in the list of remote desktop connections that the operating system returned, if the computer name in the list matches a computer name in the whitelist, then that connection is authorized. Otherwise, if the computer name in the list is not present in the whitelist, then the security software 16 makes a request to the operating system to terminate that connection. If the connection control data has a blacklist of computer names or computer name regular expressions, then for each connection in the list of remote desktop connections that the operating system returned, if the computer name is absent from the blacklist and does not match a regular expression of the blacklist, then that connection is authorized. Otherwise, if the computer name is present in the blacklist or matches a regular expression of the blacklist, then the security software 16 makes a request to the operating system to terminate that connection. Further, such whitelist/blacklist operations are anticipated to be used in combination. Further, in some embodiments, a schedule is included in the connection control data, either for all connections or for individual entries in the whitelist and/or blacklist. For example, a schedule for all connections authorizes connections only between 9:00 AM and 5:00 PM, Monday through Friday, in a specific time zone, independent of the name of the connecting computer.
In another example, the connection control data includes a whitelist that always authorizes connections from, for example, the administrative device 10 and only authorizes connections from the connecting computer 8 between 9:00 AM and 5:00 PM, Monday through Friday, in the specific time zone.
Referring to
The exemplary target device 12 represents a typical device used by an end user or employee. This exemplary target device 12 is shown in its simplest form. Different architectures are known that accomplish similar results in a similar fashion, and the present invention is not limited in any way to any particular system architecture or implementation. In this exemplary target device 12, a processor 70 executes or runs programs in a random-access memory 75. The programs are generally stored within a persistent memory 74 and loaded into the random-access memory 75 when needed. In some user devices 12, a removable storage slot 88 (e.g., compact flash, SD) offers removable persistent storage. The processor 70 is any processor, typically a processor designed for phones. The persistent memory 74, random-access memory 75, and SIM card are connected to the processor by, for example, a memory bus 72. The random-access memory 75 is any memory suitable for connection and operation with the selected processor 70, such as SRAM, DRAM, SDRAM, RDRAM, DDR, DDR-2, etc. The persistent memory 74 is any type, configuration, or capacity of memory suitable for persistently storing data, for example, flash memory, read-only memory, battery-backed memory, etc. In some exemplary devices 11, the persistent memory 74 is removable, in the form of a memory card of appropriate format such as SD (secure digital) cards, micro-SD cards, compact flash, etc.
Also connected to the processor 70 is a system bus 82 for connecting to peripheral subsystems such as a network interface 80, a graphics adapter 84 and a touch screen interface 92. The graphics adapter 84 receives commands from the processor 70 and controls what is depicted on the display 86. The touch screen interface 92 provides navigation and selection features.
In general, some portion of the persistent memory 74 and/or the removable storage 88 is used to store programs, executable code, phone numbers, contacts, and data, etc. In some embodiments, other data is stored in the persistent memory 74 such as audio files, video files, text messages, etc.
The peripherals are examples, and other devices are known in the industry such as Global Positioning Subsystems, speakers, microphones, USB interfaces, cameras, Bluetooth transceivers, Wi-Fi transceivers 96, touch screen interfaces 92, image sensors, temperature sensors, etc., the details of which are not shown for brevity and clarity reasons.
The network interface 80 connects the exemplary target device 12 to the network 506 (e.g., the Internet) through any known or future protocol such as Ethernet, WI-FI, GSM, TDMA, LTE, etc., through a wired or wireless medium. There is no limitation on the type of connection used. The network interface 80 provides data and messaging connections between the connecting computer 8 and the target device 12.
Referring to
Also shown connected to the processor 570 through the system bus 582 is a network interface 580 (e.g., for connecting to a network 506—e.g., the Internet), a graphics adapter 584 and a keyboard interface 592 (e.g., Universal Serial Bus—USB). The graphics adapter 584 receives information from the processor 570 and controls what is depicted on a display 586. The keyboard interface 592 provides navigation, data entry, and selection features.
In general, some portion of the persistent memory 574 is used to store programs, executable code, master files 110M, and other data, etc.
The peripherals are examples and other devices are known in the industry such as pointing devices, touch-screen interfaces, speakers, microphones, USB interfaces, Bluetooth transceivers, Wi-Fi transceivers, image sensors, temperature sensors, etc., the details of which are not shown for brevity and clarity reasons.
Referring to
There are many ways anticipated to perform the checking for unauthorized connections in a periodic manner (e.g., using timers or interrupts). In this example, the security software 16 sets 200 a timer (for example, 10 seconds) then waits 202 for the time to expire. Once the timer expires, the security software 16 reads 204 the current status of all connections, for example, making a request for status from the operating system which returns a status indicating whether remote connections are currently enabled and a list of existing connections that include an identifier of the connecting computer 8.
The security software 16 then starts with the first connection 206 and checks to see if the identifier of the connecting computer 8 matches a regular expression in the blacklist 208 and if the identifier of the connecting computer 8 matches a regular expression in the blacklist 208 the security software 16 forces the connection to be disconnected 220. Otherwise, if the identifier of the connecting computer 8 does not match any regular expression in the blacklist 208, the security software checks to see if the identifier of the connecting computer 8 matches an entry in the whitelist 210 and if the identifier of the connecting computer 8 does not match an entry in the whitelist 210 the security software 16 forces the connection to be disconnected 220. If the identifier of the connecting computer 8 matches an entry in the whitelist 210 (e.g., is authorized) the security software 16 does not disconnect that connection.
In either case, whether the connection is allowed (authorized) or forced to disconnect (unauthorized), the security software 16 checks 212 to see if this connection is the last connection in the list and if it is the last connection in the list, restarts the next period (e.g., sets the timer 200 again, etc.). If the test 212 indicates that it is not the last connection in the list, the security software 16 moves to the next connection 214 and performs the above tests 208/210 for the next connection.
Referring to
As with
The security software 16 then starts with the first connection 206 and checks to see if the identifier of the connecting computer 8 matches a regular expression in the blacklist 208 and if the identifier of the connecting computer 8 matches a regular expression in the blacklist 208 the security software 16 forces the connection to be disconnected 220. Otherwise, if the identifier of the connecting computer 8 does not match any regular expression in the blacklist 208, the security software checks to see if the identifier of the connecting computer 8 matches an entry in the whitelist 210 and if the identifier of the connecting computer 8 does not match an entry in the whitelist 210 the security software 16 forces the connection to be disconnected 220. If the identifier of the connecting computer 8 matches an entry in the whitelist 210 (e.g., is authorized) the security software 16 checks to see if current time is within a range of time 211 of the authorized entry in the whitelist. For example, the authorized entry in the whitelist is authorized from 9:00 AM to 5:00 PM. In such, if it is 8:00 AM, the current time is not within the range of time 211 of the authorized entry in the whitelist. Therefore, if current time is not within a range of time 211 of the authorized entry in the whitelist, the connection is disconnected 220 and if current time is within the range of time 211 of the authorized entry in the whitelist, the security software 16 does not disconnect that connection.
In either case, whether the connection is allowed (authorized) or forced to disconnect (unauthorized), the security software 16 checks 212 to see if this connection is the last connection in the list and if it is the last connection in the list, restarts (e.g., sets the timer 200 again, etc.). If the test 212 indicates that it is not the last connection in the list, the security software 16 moves to the next connection 214 and performs the above tests 208/210 for the next connection.
Referring to
There are two blacklist entries 410. A first blacklist entry 412 is a regular expression indicating that any connecting computer having the word “SPUTNIK” in the connecting computer's name 402 is unauthorized, as would be used if a certain series of computers is known to be used by hackers. The second blacklist entry 414 is a regular expression indicating that a connecting computer name 402 of “Known-Bad” is unauthorized, as would be used if a certain computer is known to be used by hackers.
In this example, there are two whitelist entries 420. A first whitelist entry 422 is for a connecting computer having the computer name 402 of “ADMIN-011,” which is always authorized (having “ALL” in the time field 404), as would be used if a certain known computer is used by an administrator. The second whitelist entry 424 is for a connecting computer having the computer name 402 of “USR-HOME-33,” which is authorized from 9:00 AM to 5:00 PM Monday through Friday, as would be used if USR-HOME-33 is known to be a trusted computer, for example, the user's home computer.
Also in this example is a global entry 430 titled “No Connections.” The global entries 430 apply to all connections, whether in the above lists or not. In this example, there is a timer global entry 432 that indicates no connections are allowed between the time of 6:00 PM and on all days. Therefore, during that time, any connection from any connecting computer 8 is automatically disconnected by the security software 16, even a connection from a connecting computer 8 having a computer name 402 that is in the whitelist 420, for example, “ADMIN-011.”
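As an added example that is not part of the patent text, the following Python models the decision procedure of tests 208, 210 and 211 described above together with the global entries, using constructed connection control data that mirrors the example blacklist, whitelist and global entries. The operating system query and disconnect request are represented by a constructed session list and a returned list of connections to disconnect; the end of the global 6:00 PM window is not stated above and is assumed here to be 6:00 AM.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time
WEEKDAYS = frozenset({0, 1, 2, 3, 4})   # Monday..Friday per datetime.weekday()

@dataclass(frozen=True)
class Window:
    start: time
    end: time
    days: frozenset = frozenset(range(7))   # default: every day of the week

    def contains(self, now: datetime) -> bool:
        if now.weekday() not in self.days:
            return False
        t = now.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # range wraps past midnight

@dataclass
class ControlData:
    blacklist: list        # compiled regular expressions (entries 412, 414)
    whitelist: dict        # computer name -> Window, or None for "ALL" (entry 422)
    global_deny: list      # windows during which no connection is allowed (entry 432)

def is_authorized(name: str, now: datetime, data: ControlData) -> tuple:
    for w in data.global_deny:          # global entries apply to every connection
        if w.contains(now):
            return False, "global no-connections window"
    for rx in data.blacklist:           # test 208: any regex match is unauthorized
        if rx.search(name):
            return False, f"blacklist match /{rx.pattern}/"
    if name not in data.whitelist:      # test 210: unknown names are unauthorized
        return False, "not in whitelist"
    window = data.whitelist[name]       # test 211: time range of the whitelist entry
    if window is not None and not window.contains(now):
        return False, "outside whitelist time range"
    return True, "authorized"

def review_connections(sessions, now, data):
    """One timer period: return (session id, name, reason) for each connection
    the security software should ask the operating system to disconnect."""
    to_disconnect = []
    for session_id, name in sessions:
        ok, reason = is_authorized(name, now, data)
        if not ok:
            to_disconnect.append((session_id, name, reason))
    return to_disconnect

# Constructed control data mirroring the figure's entries; the end of the global
# 6:00 PM window is not given on the page, so 6:00 AM is assumed here.
CONTROL = ControlData(
    blacklist=[re.compile("SPUTNIK", re.IGNORECASE), re.compile(r"^Known-Bad$")],
    whitelist={"ADMIN-011": None,
               "USR-HOME-33": Window(time(9, 0), time(17, 0), WEEKDAYS)},
    global_deny=[Window(time(18, 0), time(6, 0))],
)
# Constructed session list as the OS might return it: (session id, computer name).
SESSIONS = [(1, "ADMIN-011"), (2, "USR-HOME-33"), (3, "SPUTNIK-7"),
            (4, "Known-Bad"), (5, "LAPTOP-99")]
```

Running `review_connections(SESSIONS, datetime(2024, 3, 12, 8, 0), CONTROL)` (a Tuesday at 8:00 AM) reports USR-HOME-33 as outside its time range while ADMIN-011 stays connected, matching the worked example above.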
Equivalent elements can be substituted for the ones set forth above such that they perform in substantially the same manner in substantially the same way for achieving substantially the same result.
It is believed that the system and method as described and many of its attendant advantages will be understood by the foregoing description. It is also believed that it will be apparent that various changes may be made in the form, construction and arrangement of the components thereof without departing from the scope and spirit of the invention or without sacrificing all of its material advantages. The form hereinbefore described is merely an exemplary and explanatory embodiment thereof. It is the intention of the following claims to encompass and include such changes.