EMPLOYING SESSION LEVEL RESTRICTIONS TO LIMIT ACCESS TO A REDIRECTED INTERFACE OF A COMPOSITE DEVICE

Abstract

Session level restrictions can be implemented to limit access to a redirected interface of a composite device. These session level restrictions can be defined within a policy of a directory service, such as Active Directory, to facilitate the dynamic application of the restrictions to the appropriate remote sessions. In this way, access restrictions can be applied to individual interfaces of a redirected composite device so that a particular interface will only be accessible from specified remote sessions.

Claims

1. A method, implemented by a server with which a number of client terminals establish remote sessions, for controlling from which remote sessions a redirected USB interface will be accessible, the method comprising: in response to a first USB interface being redirected from a first client terminal to the server over a first remote session, creating a first device access restriction object in a first device stack that governs access to the first redirected USB interface on the server, the first device access restriction object identifying remote sessions from which the first redirected USB interface is accessible; receiving a request from a second client terminal to establish a second remote session with the server; in conjunction with establishing the second remote session, identifying one or more policies that are applicable to the second remote session, the one or more policies including a policy setting which defines that the first redirected USB interface should be accessible; and updating the first device access restriction object to include an identifier of the second remote session thereby causing the first redirected USB interface to be accessible from the second remote session.

2. The method of claim 1, wherein the first USB interface is an interface of a composite device.

3. The method of claim 2, wherein the composite device includes a second USB interface that is also redirected over the first remote session, the method further comprising: creating a second device access restriction object in a second device stack that governs access to the second redirected USB interface on the server, the second device access restriction object identifying sessions from which the second redirected USB interface is accessible; and in accordance with a policy setting in the one or more policies applicable to the second remote session, updating the second device access restriction object to include an identifier of the second remote session thereby causing the second redirected USB interface to be accessible from the second remote session.

4. The method of claim 1, wherein the first redirected USB interface is associated with a first class code and the policy setting defines that USB interfaces associated with the first class code should be accessible.

5. The method of claim 4, wherein the first redirected USB interface is also associated with a first subclass code and the policy setting defines that USB interfaces associated with the first subclass code should be accessible.

6. The method of claim 1, further comprising: receiving, at the first device access restriction object, a request to access the first redirected USB interface, the request being associated with the identifier of the second remote session; determining that the first device access restriction object includes the identifier of the second remote session; and allowing the request.

7. The method of claim 1, further comprising: receiving, at the first device access restriction object, a request to access the first redirected USB interface, the request being associated with an identifier of another remote session; determining that the first device access restriction object does not include the identifier of other remote session; and blocking the request.

8. The method of claim 1, further comprising: for each session identified in the first device access restriction object, adding a symbolic link to the first redirected USB interface to a local object manager namespace of the session.

9. The method of claim 8, further comprising one of: removing a symbolic link to the first redirected USB interface from a global object manager namespace; or preventing a symbolic link to the first redirected USB interface from being added to a global object manager namespace.

10. The method of claim 1, further comprising: detecting that the second remote session has been terminated; and removing the identifier of the second remote session from the first device access restriction object.

11. The method of claim 1, wherein the one or more policies comprise one or more Active Directory group policy objects.

12. A server that is configured to establish remote sessions with a number of client terminals, the server comprising: a USB device stack for controlling access to a USB interface that is associated with a first class code; a virtual bus driver and an agent for enabling a USB interface to be redirected from one of the client terminals to the server; wherein the server is configured to add a device access restriction object to the USB device stack when a USB interface associated with the first class code is redirected to the server; and wherein the server is further configured to update the device access restriction object to include an identifier of a remote session when the remote session is governed by a policy that includes a policy setting that enables access to a redirected USB interface associated with the first class code.

13. The server of claim 12, wherein the device access restriction object prevents access to a USB interface associated with the first class code from remote sessions that are not identified in the device access restriction object.

14. The server of claim 12, wherein the device access restriction object is updated to include an identifier of a remote session in response to the remote session being established with the server.

15. The server of claim 12, wherein the USB interface is an interface of a composite device.

16. The server of claim 12, wherein the server is further configured to: add a symbolic link to the redirected USB interface to a local object manager namespace of each remote session that is identified in the device access restriction object; and either remove a symbolic link to the redirected USB interface from a global object manager namespace or prevent a symbolic link to the redirected USB interface from being added to the global object manager namespace.

17. One or more computer storage media storing computer executable instructions which when executed on a server implement a method for controlling from which remote sessions a redirected USB interface will be accessible, the method comprising: detecting that a composite USB device has been connected to a client terminal that has established a remote session with the server; redirecting each interface of the composite USB device to the server including creating a device access restriction object in a device stack created for each of the interfaces, each device access restriction object being configured to allow access to the corresponding redirected interface from remote sessions that are identified within the device access restriction object; and in response to another client terminal establishing another remote session with the server and based on a policy setting of a policy applicable to the other remote session, updating at least one of the device access restriction objects to include an identifier of the remote session established with the other client terminal thereby allowing the corresponding redirected interface to be accessed from the other remote session in accordance with the policy setting.

18. The computer storage media of claim 17, wherein the policy comprises an Active Directory group policy object.

19. The computer storage media of claim 17, wherein the method further comprises for each redirected interface: adding a symbolic link to the redirected interface to a local object manager namespace of each remote session that is identified in the corresponding device access restriction object; and either removing a symbolic link to the redirected interface from a global object manager namespace or preventing a symbolic link to the redirected interface from being added to the global object manager namespace.

20. The computer storage media of claim 17, wherein the method further comprises: detecting that the other remote session has terminated; and removing the identifier of the other remote session from each of the at least one device access restriction objects.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0039] Understanding that these drawings depict only typical embodiments of the invention and are not therefore to be considered limiting of its scope, the invention will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:

[0040] FIG. 1 illustrates an example computing environment in which the present invention can be implemented;

[0041] FIG. 2A illustrates how a USB device can be redirected from a client terminal to a server;

[0042] FIG. 2B illustrates how redirecting the USB device to the server can make the device accessible to any remote session established with the server;

[0043] FIG. 3 illustrates how access to a redirected USB device can be restricted to the session over which the redirection occurs;

[0044] FIG. 4 illustrates how two interfaces of a composite USB device can be redirected to the server;

[0045] FIG. 5 illustrates an example of how a device access restriction object can be updated to include identifiers of remote sessions that are allowed access to the corresponding redirected interface based a policy setting defined in a group policy object applicable to the remote sessions;

[0046] FIGS. 6A-6C depict a process of updating device access restriction objects in accordance with group policy when remote sessions are established; and

[0047] FIG. 7 illustrates a flowchart of an example method for controlling from which remote sessions a redirected USB interface will be accessible.

DETAILED DESCRIPTION

[0048] FIG. 4 illustrates a system 400 in which the present invention can be implemented. System 400 is substantially the same as system 300 described in FIG. 3. However, unlike in FIG. 3, FIG. 4 depicts a scenario in which a USB composite device 440 is connected to a client terminal 102 and redirected to server 404. As is known in the art, a composite device is one that includes more than one interface. For example, a composite device may be a USB device that includes both printing and scanning functionality. In FIG. 4, it will be assumed that composite device 440 includes two interfaces—a printer interface 440a and a scanner interface 440b. However, a composite device could include any reasonable number and type of interfaces.

[0049] For purposes of the present discussion, it can be assumed that a separate device stack is generated for each interface of a composite device in substantially the same manner as described above with reference to FIG. 2A. Therefore, in accordance with USB redirection techniques, when composite device 440 is connected to client terminal 102, two separate device stacks 491a, 491b can be created on server 404 corresponding to printer interface 440a and scanner interface 440b respectively. As described in the Background, device stack 491a can include a number of device objects (e.g., objects 494a-494n) which are associated with the corresponding drivers 495a-495n. Similarly, device stack 491b can include a number of device objects (e.g., objects 496a-496n) which are associated with the corresponding drivers 497a-497n. The result of creating device stacks 491a, 491b on server 404 is that virtual devices 490a, 490b corresponding to interfaces 440a, 440b respectively will appear as if they were connected directly to server 404.

[0050] As is also described in the Background, a DAR driver 493a that is registered for the class of devices to which device 490a pertains (e.g., a DAR driver for printer devices) is loaded and creates DAR object 492a. Similarly, a DAR driver 493b that is registered for the class of devices to which device 490b pertains (e.g., a DAR driver for image devices) is loaded and creates DAR object 492b.

[0051] In accordance with embodiments of the present invention, DAR objects 492a, 492b can be dynamically updated based on one or more applicable policies of a directory service (e.g., Active Directory) to control from which user sessions devices 490a, 490b will be accessible. More specifically, whenever a user establishes a session with server 404, one or more policies applicable to the user can be processed to determine whether any DAR object should be updated to allow the user to access a corresponding class of USB device from within the session. In this way, only specified users will be allowed to access a redirected device from within a session even if the redirected device is an individual interface of a composite device. The present invention therefore provides greater control over how a redirected composite device will be accessible to other users.

[0052] FIG. 5 depicts an example of how DAR objects 492a, 492b may each maintain a list 501a, 501b respectively of session identifiers. Each user session established with server 404 can be associated with an identifier. Therefore, each of DAR objects 492a, 492b can be dynamically updated so that its list 501a, 501b of session identifiers can reflect which sessions should be granted access to the corresponding device(s). As is also represented in FIG. 5, which session identifiers are added to a DAR object can be controlled using a policy object of a directory service such as a group policy object of Active Directory.

[0053] In FIG. 5, two example group policy objects 510, 511 are shown. Group policy object 510 includes a policy setting 510a which indicates that a user to which the group policy object applies should be allowed to access redirected printers. In contrast, group policy object 511 includes a policy setting 511a which indicates that a user to which the group policy object applies should be allowed to access redirected scanners. Of course, a group policy object could be defined to include any number of policy settings including policy settings that would allow access to both redirected printers and scanners.

[0054] In some embodiments of the present invention, a group policy object can define policy settings that are specific to USB devices/interfaces having a particular class code (or equally a particular subclass and/or protocol). For example, USB printers have a class code of 07h, and therefore, policy setting 510a could specify that access should be allowed to any redirected device having a class code of 07h. In short, the policy setting can be defined in a way that allows it to be mapped to a particular DAR object that governs access to a USB device having the corresponding class, subclass, and/or protocol.

[0055] In FIG. 5, list 501a is shown as including two session identifiers: SessionID1 and SessionID2; whereas list 501b is shown as including two session identifiers: SessionID1 and SessionID3. Accordingly, in this example and as will be further described below, DAR object 492a can allow access to virtual device 490a (or more specifically to interface 440a of composite device 440) from within the sessions having identifiers SessionID1 and SessionID2. Similarly, DAR object 492b can allow access to virtual device 490b (or more specifically to interface 440b of composite device 440) from within the sessions having identifiers SessionID1 and SessionID3. In contrast, any session having a session identifier that is not included in the list will not be allowed to access the corresponding virtual device. Further, in some embodiments, the corresponding DAR driver can update the global object manager namespace (OMN) of operating system 170 to prevent the virtual devices from even appearing within sessions that are not granted access to the virtual device in a similar manner as is described in the Background.

[0056] FIGS. 6A-6D generally illustrate a process that can be performed to update a DAR object when a user establishes a session with server 404. For this example, it will be assumed that three different users employ three client terminals 102a-102c to establish sessions with server 404. It will also be assumed that group policy object 510 is applicable to the users of client devices 102a, 102b and that group policy object 511 is applicable to the user of client device 102c.

[0057] In FIG. 6A, it is assumed that client terminal 102a has already established a session 601 with server 404. A composite device 640 has also been connected to client terminal 102a and each interface 640a, 640b of composite device 640 is being redirected to server 404. Interface 640a is assumed to be a printer and interface 640b is assumed to be a scanner. Accordingly, virtual device 690a corresponding to printer interface 640a and virtual device 690b corresponding to virtual device 640b can appear as if they were connected locally to server 404.

[0058] Because client terminal 102a is governed by group policy object 510, the policy settings defined within group policy object 510 can be applied when session 601 is established. In this case, the applicable policy setting 510a indicates that client terminal 102a should be allowed to access redirected printers. Accordingly, the application of group policy object 510 to session 601 will cause session 601's identifier to be added to DAR object 492a which is represented in FIG. 6A by the inclusion of “Session601_ID” in list 501a. The functionality for making such updates can be implemented in any suitable way. For example, in embodiments that employ Active Directory, a client side extension may be installed on server 404 for implementing the policy settings of applicable group policy objects.

[0059] For purposes of this example, it is assumed that client terminal 102a is not allowed access to interface 640b even though composite device 640 is connected locally to client terminal 102a. However, it is equally possible that a policy may exist which would allow all interfaces/devices that are redirected over a session to be accessible from within that same session. If such were the case, “Session601_ID” could also be added to DAR object 492b based on the application of policy settings defined within the separate policy. In any case, by employing policies to control which session identifiers are added to a DAR object, the present invention facilitates the management and control of access to redirected devices.

[0060] FIG. 6B illustrates that client terminal 102b has established a session 602 with server 404. As indicated above, it is assumed that group policy object 510 is applicable to the user of client terminal 102b. Therefore, as part of creating session 602, group policy object 510 can be processed to cause the identifier of session 602 to be added to DAR object 492a which is represented by the inclusion of “Session602_ID” in list 501a. Accordingly, DAR object 492a, which governs access to virtual device 690a, includes the identifiers of sessions 601, 602 thereby allowing printer interface 640a of composite device 640 to be accessed from these sessions.

[0061] FIG. 6C illustrates that client terminal 102c has established a session 603 with server 404. As indicated above, it is assumed that group policy object 511 is applicable to the user of client terminal 102c. Therefore, as part of creating session 603, group policy object 511 can be processed to cause the identifier of session 603 to be added to DAR object 492b which is represented by the inclusion of “Session603_ID” in list 501b. Accordingly, DAR object 492b, which governs access to virtual device 690b, includes the identifier of session 603 thereby allowing scanner interface 640b of composite device 640 to be accessed from this session.

[0062] Whenever an attempt to access virtual device 690a or virtual device 690b is made, the attempt can include the identifier of the session from which the attempt originates. For example, if the user of client terminal 102a attempts to print to virtual device 690a from a virtual desktop of session 601, the print request can include the identifier Session601_ID. Because DAR object 492a sits atop the device stack 491a, it will receive this print request and can compare the identifier in the print request to the identifiers in list 501a. In this case, since there will be a match, DAR object 492a can allow the print request to be fulfilled. In this way, DAR object 492a can be employed to selectively allow access to virtual device 690a based on policy settings of one or more applicable policies of a directory service.

[0063] As indicated in the Background, an object manager namespace of operating system 170 may define symbolic links to each connected device including, in this example, virtual devices 690a, 690b. In accordance with embodiments of the present invention, in addition to dynamically updating DAR objects 492a, 492b to include session identifiers of sessions from which access should be allowed to virtual devices 690a, 690b, the appropriate object manager namespaces may also be updated to prevent virtual devices 690a, 690b from being visible in sessions that will not be allowed access to the virtual devices.

[0064] For example, in the case of FIGS. 6A-6C, the symbolic link to virtual device 690a can be removed from (or prevented from being added to) the global object manager namespace and added only to the local object manager namespaces of sessions 601 and 602. Similarly, the symbolic link to virtual device 690b can be removed from (or prevented from being added to) the global object manager namespace and added only to the local object manager namespace of session 603. Accordingly, the addition of symbolic links for redirected interfaces of composite devices to local object manager namespaces can be controlled using policy settings of one or more applicable policies of a directory service.

[0065] In some embodiments, once a session is terminated, appropriate functionality can be performed to remove the corresponding session identifier from any DAR object. This will ensure that each DAR object includes only the session identifiers of active sessions having access to the corresponding virtual device.

[0066] An exemplary benefit of the present invention is that it facilitates the management of an Active Directory domain controller to which a large number of devices may connect. For example, an organization may employ a VDI environment to provide computing resources to its employees (e.g., using thin client devices that connect to a server having a domain controller role in Active Directory). The employees may be grouped into different Active Directory organizational units (or other larger units). An administrator may then define one or more group policy objects for each organizational unit which defines which class of redirected USB devices/interfaces the users within the organizational unit should be allowed to access.

[0067] As an example, an accounting department having users that are located in the same area of a building may be grouped into an accounting organizational unit. A group policy object may then be defined governing all users within the accounting organizational unit. This group policy object may include a policy setting stating that users within the accounting organizational unit should be allowed to access a redirected printer interface of a composite device. A composite device including a printer could then be connected to any of the thin client devices employed by the users in the accounting department (thereby causing the printer to be located near each user). Using the techniques of the present invention, the group policy object for the accounting organizational unit would ensure that each user in the accounting department would be able to print to the printer interface of the composite device. If, for whatever reason, it was desired to prevent the accounting department from accessing a scanner interface of the composite device, the group policy object could include a policy setting that would implement the restriction (whether by including a positive restriction or failing to include a permission to access USB devices/interfaces having an image class code).

[0068] FIG. 7 illustrates a flowchart of an example method 700 for controlling from which remote sessions a redirected USB interface will be accessible. As an example, method 700 can be implemented by server 404.

[0069] Method 700 includes an act 701 of, in response to a first USB interface being redirected from a first client terminal to the server over a first remote session, creating a first device access restriction object in a first device stack that governs access to the first redirected USB interface on the server, the first device access restriction object identifying remote sessions from which the first redirected USB interface is accessible. For example, DAR object 492a can be created in device stack 491a which governs access to virtual device 690a corresponding to interface 640a which is redirected over remote session 601.

[0070] Method 700 includes an act 702 of receiving a request from a second client terminal to establish a second remote session with the server. For example, clients 102b can request a remote session with server 404.

[0071] Method 700 includes an act 703 of, in conjunction with establishing the second remote session, identifying one or more policies that are applicable to the second remote session, the one or more policies including a policy setting which defines that the first redirected USB interface should be accessible. For example, in conjunction with establishing remote session 602, group policy object 510 can be identified as being applicable to remote session 602.

[0072] Method 700 includes an act 704 of updating the first device access restriction object to include an identifier of the second remote session thereby causing the first redirected USB interface to be accessible from the second remote session. For example, Session602_ID can be added to list 501a within DAR object 492a so that virtual device 690a can be accessed from within remote session 602.

[0073] Embodiments of the present invention may comprise or utilize special purpose or general-purpose computers including computer hardware, such as, for example, one or more processors and system memory. Embodiments within the scope of the present invention also include physical and other computer-readable media for carrying or storing computer-executable instructions and/or data structures. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer system.

[0074] Computer-readable media is categorized into two disjoint categories: computer storage media and transmission media. Computer storage media (devices) include RAM, ROM, EEPROM, CD-ROM, solid state drives (“SSDs”) (e.g., based on RAM), Flash memory, phase-change memory (“PCM”), other types of memory, other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other similarly storage medium which can be used to store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer. Transmission media include signals and carrier waves.

[0075] Computer-executable instructions comprise, for example, instructions and data which, when executed by a processor, cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language or P-Code, or even source code.

[0076] Those skilled in the art will appreciate that the invention may be practiced in network computing environments with many types of computer system configurations, including, personal computers, desktop computers, laptop computers, message processors, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile telephones, PDAs, tablets, pagers, routers, switches, and the like.

[0077] The invention may also be practiced in distributed system environments where local and remote computer systems, which are linked (either by hardwired data links, wireless data links, or by a combination of hardwired and wireless data links) through a network, both perform tasks. In a distributed system environment, program modules may be located in both local and remote memory storage devices. An example of a distributed system environment is a cloud of networked servers or server resources. Accordingly, the present invention can be hosted in a cloud environment.

[0078] The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description.