System and method for providing private session-based access to a redirected USB device or local device

摘要

Restricting access to a device from a server, where the device is remote to the server and is connected locally to a client that is remote to the server, is described. The operations may include facilitating interception, at the server, of a function call to create a symbolic link; facilitating determination that the intercepted function call to create the symbolic link corresponds to a device object associated with the device that is remote to the server and is connected locally to a client that is remote to the server; facilitating obtaining configuration data indicating whether access to the device is to be restricted; and facilitating creation of the symbolic link in a local namespace of an object manager namespace of the server, upon obtaining configuration data indicating that access to the device is to be restricted.

主权项

1. A method for restricting access to a device from a server, the method comprising:
intercepting, at the server, a request to create a symbolic link; determining that the intercepted request corresponds to a device object associated with a device remote to the server by:
traversing a device stack associated with the device object to identify a lowest bus driver associated with the device object; anddetermining, based on the identified bus driver, that the device associated with the device object is remote to the server and connected locally to a client that is remote to the server; obtaining configuration data of the device; creating the symbolic link in an object manager namespace of the server based on the configuration data for the device; creating the symbolic link in a local namespace associated with a first user session if the configuration data of the device indicates that access to the device is to be restricted; receiving, at the server, a request including the created symbolic link from a second user session; determining whether the created symbolic link is in a local namespace associated with the second user session or in a global namespace; and blocking the received request upon determining that the created symbolic link is not in the local namespace associated with the second user session and not in the global namespace.