Title: Granular assessment of device state
Abstract: A system for assessing a computer device's state may collect state data about the device, then assess the state with respect to the policy for granting one or more claims. Each claim may be defined by a set of requirements that, if fulfilled, may be used to permit or deny access to a resource, such as an application, network, data, or other resource. A collection engine may reside on the device or at another location and may collect the requested data; some collection engines may be extensible through a plugin architecture. A server may receive information from the device to evaluate claims. Depending on the use scenario, the claim results may be incorporated into communications and passed to an evaluator that may produce an access token, which is used to permit or deny access based on the claim results.
Publication number: US9143509 (B2)    Publication date: 2015.09.22
Application number: US201113111968    Filing date: 2011.05.20
Applicant: Microsoft Technology Licensing, LLC    Inventors: Rose Daniel; Ortal Amos; Feldbaum Boaz; Dgany Avihai; Levy Elan; Zvi Raanan; Yassour Yoav
Classification (IPC): H04L29/06; G06F21/74; G06F21/50    Main classification: H04L29/06
Agency:    Agents: Churna Timothy; Drakos Kate; Minhas Micky
Independent claim 1. A system for processing a request from a device to access a resource, the system comprising:
  a device state engine that is configured to:
    parse a claim policy to identify one or more state objects relevant to accessing said resource, said claim policy defining a minimum device configuration that is expected for components installed at said device to permit access to said resource, said one or more state objects corresponding to said components installed at said device, said claim policy further defining an order in which said one or more state objects are to be processed to determine if access to said resource is permitted, the defined order including processing at least one security related state object prior to processing at least one other state object; and
    determine one or more actual state object values for said one or more state objects from a device configuration of said device, determining said one or more actual state object values including gathering boot record information and gathering executing code identifiers for said device, the executing code identifiers corresponding to executing code executing on said device; and
  an evaluator that is configured to:
    access said claim policy;
    receive an indication that the integrity of said device configuration has been verified by an authenticator;
    subsequent and in response to receiving said indication, evaluate said claim policy to determine if said client device is to be granted access to said resource or if said device is to be denied access to said resource by determining if said device satisfies said minimum device configuration, including determining that said executing code is legitimate based on said boot record information and said executing code identifiers, evaluating said claim policy including processing said one or more actual state object values, including values for said boot record information and said executing code identifiers, from said device configuration, in accordance with said order for said one or more state objects, said processing including processing an actual state object value for said at least one security related state object prior to processing an actual state object value for said at least one other state object; and
    create a token based on the results of evaluating said claim policy, said token indicating whether said device is granted or denied access to said resource.
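The flow of claim 1 (a state engine gathering boot record and executing code identifiers, an evaluator that acts only after the authenticator's integrity indication, processing security-related state objects before the others, and a token recording the decision), as an added Python example that is not part of the patent or any Microsoft implementation. The claim policy, state object names, code identifiers and signing key are constructed assumptions.

```python
import hashlib, hmac, json

# Constructed sample claim policy (not from the patent): minimum configuration
# for one resource; boot record and executing code are flagged security-related.
CLAIM_POLICY = {
    "resource": "payroll-db",
    "state_objects": ["antivirus", "boot_record", "executing_code"],
    "security_related": {"boot_record", "executing_code"},
    "minimum": {
        "boot_record": {"secure_boot": True},
        "executing_code": {"allowed_ids": {"a1b2", "c3d4", "e5f6"}},
        "antivirus": {"enabled": True},
    },
}

def processing_order(policy):
    # Security-related state objects first; stable sort keeps policy order otherwise.
    return sorted(policy["state_objects"], key=lambda n: n not in policy["security_related"])

def collect_state(policy, device_config):
    # Device state engine: gather actual values for the state objects the policy names.
    return {n: device_config.get(n) for n in policy["state_objects"]}

def satisfies(name, state, required):
    actual = state.get(name)
    if actual is None:
        return False
    if name == "boot_record":
        return bool(actual.get("secure_boot")) is required["secure_boot"]
    if name == "executing_code":
        # Code is legitimate only if the boot record is trusted and every
        # executing code identifier is on the policy's allow-list.
        boot_ok = bool((state.get("boot_record") or {}).get("secure_boot"))
        return boot_ok and set(actual) <= required["allowed_ids"]
    if name == "antivirus":
        return bool(actual.get("enabled")) is required["enabled"]
    return False

def evaluate(policy, state, integrity_verified, key=b"constructed-evaluator-key"):
    # Evaluator: requires the authenticator's integrity indication, walks the state
    # objects in policy order, stops at the first unmet requirement, signs the result.
    if not integrity_verified:
        return None
    failed = next((n for n in processing_order(policy)
                   if not satisfies(n, state, policy["minimum"][n])), None)
    body = {"resource": policy["resource"], "granted": failed is None, "failed": failed}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"claims": body, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}
```

A resource gateway would recompute the HMAC over the token's claims with the shared key and honour `granted` only when the signature matches.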
Address: Redmond WA US