Title of invention METHODS AND SYSTEMS FOR CONTROLLING ACCESS TO RESOURCES AND PRIVILEGES PER PROCESS
Abstract To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a token of a process. The rule may include an application-criterion set and changes to be made to the groups and/or privileges of the token. The rule may be set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers or users. When a GPO containing a rule is applied to a computer, a driver installed on the computer may access the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule, the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
Publication number US2015074828(A1) Publication date 2015.03.12
Application number US201414502845 Application date 2014.09.30
Applicant BeyondTrust Software, Inc. Inventors Beauregard Peter David;Kolishchak Andrey;Jennings Shannon E.;Hogan Robert F.
Classification G06F21/44;G06F21/31 Main classification G06F21/44
Agency Agent
Principal claim 1. A method comprising: detecting execution of a command to execute a child process; determining, before execution of the child process, if one or more rules apply to the child process based on one or more criteria, the one or more criteria facilitating blocking or allowing inheritance by the child process of a parent process token of a parent process; modifying, in accordance with the one or more applicable rules, a child process token of the child process to change a security parameter with which to execute the child process; accessing the modified child process token of the child process to determine the security parameter; and executing the child process, the child process being executed using the modified child process token; and allowing access to an object based, at least in part, on the execution of the child process.
Address Phoenix AZ US