Title: METHOD AND APPARATUS FOR CREATING CONDITIONAL WINDOWS PROCESS TOKENS
Abstract: A system and method for taking control of process token creation in the Windows operating system in order to create conditional process tokens that define access to system resources for processes running on a Windows computer. The system includes an LSA shim layer that intercepts standard Windows requests for authentication and authorization, and an authentication agent that determines the context of each request. A custom authentication and authorization (A&A) store decides whether authentication succeeds and how much authorization to grant, based on that context and the supplied credentials. Once the custom A&A store has determined a successful log-on and defined the user's authorization, it passes the elements of authorization through the authentication agent to the LSA shim layer; the shim layer passes them on to the LSA module, which uses them to request a Windows process token from the Windows kernel. The kernel assigns the token to the user's session on the computer, and the token defines the level of resource access available to every process the user launches.
Publication number: US2015101020(A1)  Publication date: 2015.04.09
Application number: US201314049171  Filing date: 2013.10.08
Applicant: Centrify Corporation  Inventor: Kwok Hon Wai
Classification: H04L29/06  Main classification: H04L29/06
Agency: (none listed)  Agent: (none listed)
Principal claim: 1. A system to create a custom authentication and authorization service that intercepts and overrides a standard authentication and authorization mechanism for computers connected to a network, comprising: a local security authority (LSA) shim layer that runs on each of a plurality of computers connected via a network; an authentication agent running on a corresponding one of said plurality of computers, configured to accept authentication and authorization requests and to perform authentication and authorization responses to said requests; and a custom authentication and authorization data store that stores authentication and authorization information other than, or in addition to, standard authentication and authorization information; wherein the LSA shim layer is configured to: i) unregister the standard LSA plug-ins and then register itself with the LSA module; ii) intercept authentication and authorization calls intended for said standard LSA plug-ins, selectively process the intercepted calls, and pass the other calls through to the standard LSA plug-ins; and iii) pass responses from the standard LSA plug-ins back to the LSA module.
Address: Sunnyvale CA US
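Both the abstract and the principal claim turn on two concrete things: a package that "registers itself with the LSA module", and the process token the kernel builds from the elements of authorization LSA hands it. The following PowerShell is an added illustration, not code from the patent or from Centrify. It reads the registry values under which LSA loads authentication, security and notification packages (the registration point such a shim would have to occupy, and one that defenders baseline, because anything listed there runs inside lsass.exe as SYSTEM), and it dumps the access token of the current process so the "elements of authorization" (user SID, group SIDs, privileges) are visible. The baseline package list is an assumption for a default Windows 10/11 or Server image and must be adjusted to the builds actually deployed. Everything here is read-only and runs as a normal user.

```powershell
# Added example, not code from the patent or from Centrify.
# Read-only; runs as a normal user on Windows PowerShell 5.1 or PowerShell 7 on Windows.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaPackageRegistration {
    # Every name in these REG_MULTI_SZ values is a DLL that lsass.exe loads at boot.
    # A package that "registers itself with the LSA module" has to appear here (or
    # replace a DLL already listed), so this is the first place a defender baselines.
    $lsa = Get-ItemProperty -Path $LsaKey
    $os  = Get-ItemProperty -Path "$LsaKey\OSConfig" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AuthenticationPackages = @($lsa.'Authentication Packages')
        SecurityPackages       = @(@($lsa.'Security Packages') + @($os.'Security Packages') |
                                   Where-Object { $_ } | Select-Object -Unique)
        NotificationPackages   = @($lsa.'Notification Packages')
    }
}

function Find-UnexpectedLsaPackage {
    # Assumed baseline for a stock Windows 10/11 or Server build; adjust it to the
    # images you deploy (a domain controller also lists rassfm, for example).
    param([string[]]$Baseline = @('msv1_0','kerberos','schannel','wdigest','tspkg',
                                  'pku2u','cloudap','negoexts','scecli','rassfm'))
    $reg = Get-LsaPackageRegistration
    @($reg.AuthenticationPackages + $reg.SecurityPackages + $reg.NotificationPackages) |
        Where-Object { $_ -and ($Baseline -notcontains $_) } |
        Select-Object -Unique
}

function Get-CurrentProcessToken {
    # The token LSA asked the kernel to build at logon. User SID, group SIDs and the
    # privilege set are what the kernel evaluates on every object access. Once built,
    # user mode can only restrict a token (CreateRestrictedToken), never enlarge it.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = foreach ($sid in $id.Groups) {
        $name = $null
        # Logon SIDs and some well-known SIDs have no account name; leave Name empty.
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
    [pscustomobject]@{
        User       = $id.Name
        UserSid    = $id.User.Value
        AuthType   = $id.AuthenticationType
        Groups     = $groups
        # WindowsIdentity does not expose privileges; whoami reads them from the token.
        Privileges = @(& whoami.exe /priv /fo csv | ConvertFrom-Csv)
    }
}

# Usage
Get-LsaPackageRegistration | Format-List
'Packages outside the assumed baseline:'
Find-UnexpectedLsaPackage
$tok = Get-CurrentProcessToken
$tok | Select-Object User, UserSid, AuthType | Format-List
$tok.Groups | Format-Table -AutoSize
$tok.Privileges | Format-Table -AutoSize
```

Run it once on a clean image to record the package lists, then compare on production hosts; a name that is not in the recorded list, or a listed name whose DLL on disk has changed, is the signal that something other than the standard packages is answering logon requests. The token dump is what an extension like the one claimed here would be shaping: compare the group and privilege set of a session logged on through the custom store against one logged on through the standard packages to see what the "conditional" token actually grants or withholds.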