
System for protecting information containing state secrets from unauthorised access. RU patent 2504834.

IPC class for Russian patent RU 2504834:

G06F21/32 (class G06F, ELECTRIC DIGITAL DATA PROCESSING; computers in which a part of the computation is effected hydraulically or pneumatically G06D, optically G06E; computer systems based on specific computational models G06N; impedance networks using digital techniques H03H)

FIELD: information technology.

SUBSTANCE: the system for protecting information containing state secrets from unauthorised access comprises a plurality of user information security systems, a plurality of automated workstations and functional servers, a backbone network, a domain controller server, a security server, a security server database, at least one automated workstation for an information security administrator and at least one administrator information security system. Each user information security system comprises a security agent, a user access partitioning system and a database of enhanced user authentication means; the administrator information security system comprises a security administrator agent, a security administrator access partitioning system and a database of enhanced security administrator authentication means.

EFFECT: higher information security owing to the combined use of several user authentication factors.

1 dwg

The invention relates to protection against unauthorized access to information stored on local computers (user workstations or functional servers) and in the computer network as a whole, and can be used in automated systems that process information containing state secrets.

Modern automated systems are built on a computer network in which all domain computers (user automated workstations, functional servers and the domain controller server) are interconnected over a backbone network.

Comprehensive protection of information containing state secrets in an automated system requires securing the information stored on each local computer (user workstation or functional server) and in the computer network as a whole.

The security of information constituting a state secret is ensured by granting each user of the automated system an authorized level of access to permitted local and/or network resources: files, disks, applications and printers.

A known device for protecting information stored in a personal computer from unauthorized access contains an information security system connected to the control and data exchange bus of one local computer (user automated workstation) [1].

The known device protects the resources of a local automated system against unauthorized access by identifying and authenticating users, that is, by verifying their identity and their right of access to the personal computer (user automated workstation).

Identification and authentication are performed each time a user logs into the system. When the personal computer is powered on or restarted, a BIOS extension program that is part of the device's software intercepts control during the initial boot of the personal computer and identifies the user by reading the user's name (registration number) from an external storage device and checking it against control information recorded in advance in the registration files, which define each user's access to the resources of the personal computer.

The BIOS extension program then authenticates the user by checking the password entered from the keyboard of the personal computer against control information recorded in advance in the registration files, and checks the integrity of the controlled objects (files and/or boot sectors on the hard disk) assigned to this user.

After that, the BIOS extension program transfers control to the standard hardware and software of the personal computer to finish the BIOS boot, load the operating system from the hard disk and run the modified system files CONFIG.SYS and AUTOEXEC.BAT. These start a resident software module of the device that controls the user's right to run particular programs in accordance with the user's registration data stored on the hard disk, and then starts the user's programs.
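The three pre-boot checks above (identification by the registration number read from the external storage device, authentication by password, integrity check of the controlled objects, in that order) can be followed in code. The block below is an added example and is not code from the patent or from the device cited as [1]: the registration file, the disk contents and the salt are constructed in memory, and the refusal reasons are only illustrative.

```python
"""Pre-boot identification, authentication and integrity check (added example)."""
import hashlib
import hmac
from typing import Dict, List, Optional

SALT = b"constructed-salt"  # a real registration file would store a salt per user


def _pw_hash(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed registration file: registration number (read from the user's
# external storage device) -> password hash and reference digests of the
# controlled objects (boot sector, system files) assigned to that user.
REGISTRATION: Dict[str, dict] = {
    "0042": {
        "pw": _pw_hash("correct horse"),
        "objects": {
            "boot_sector": _sha256(b"BOOTSECTOR v1"),
            "C:\\CONFIG.SYS": _sha256(b"DEVICE=GUARD.SYS\r\n"),
        },
    },
}

# Constructed hard disk contents: object name -> current bytes.
DISK: Dict[str, bytes] = {
    "boot_sector": b"BOOTSECTOR v1",
    "C:\\CONFIG.SYS": b"DEVICE=GUARD.SYS\r\n",
}


def identify(registration_number: str) -> Optional[dict]:
    """Step 1: look the token's registration number up in the registration file."""
    return REGISTRATION.get(registration_number)


def authenticate(record: dict, password: str) -> bool:
    """Step 2: constant-time comparison of the keyboard password against the stored hash."""
    return hmac.compare_digest(record["pw"], _pw_hash(password))


def tampered_objects(record: dict, disk: Dict[str, bytes]) -> List[str]:
    """Step 3: names of controlled objects whose current digest differs from the reference."""
    bad = []
    for name, reference in record["objects"].items():
        if not hmac.compare_digest(_sha256(disk.get(name, b"")), reference):
            bad.append(name)
    return sorted(bad)


def preboot_check(registration_number: str, password: str,
                  disk: Dict[str, bytes] = DISK) -> str:
    """Return 'BOOT' when control may pass to the standard boot, otherwise the refusal reason."""
    record = identify(registration_number)
    if record is None:
        return "DENY: unknown identifier"
    if not authenticate(record, password):
        return "DENY: bad password"
    bad = tampered_objects(record, disk)
    if bad:
        return "DENY: integrity violation: " + ", ".join(bad)
    return "BOOT"


if __name__ == "__main__":
    print(preboot_check("0042", "correct horse"))          # BOOT
    print(preboot_check("0042", "wrong"))                  # DENY: bad password
    broken = dict(DISK, **{"C:\\CONFIG.SYS": b"DEVICE=EVIL.SYS\r\n"})
    print(preboot_check("0042", "correct horse", broken))  # DENY: integrity violation: C:\CONFIG.SYS
```

The integrity check runs only after a successful password check, as in the description, so a modified CONFIG.SYS is refused before the resident module it would load ever starts. The order also means an attacker with a stolen token and the password still cannot boot a system whose controlled objects have been altered.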

However, the known device for protecting information stored in a personal computer does not protect against unauthorized access to the network resources of the automated system.

Known systems for protecting information containing state secrets from unauthorized access contain a number of information security systems, each connected to the control and data exchange bus of one of a plurality of user automated workstations or functional servers in a computer network, which are interconnected with each other and with the domain controller server over a backbone network [2], [3].

When the base operating system is Windows XP Professional [2] or Windows 7 [3] and the computer network uses Active Directory, these known systems make it possible to manage information security at the level of network resources and at the level of files, folders and individual user rights, using security groups, user rights and access permissions.

However, these known systems protect the network resources of the automated system against unauthorized access only on the basis of discretionary access control rules.

The closest to the proposed invention is a system for protecting information containing state secrets from unauthorized access that contains: a plurality of user automated workstations or functional servers, at least one information security administrator workstation and a domain controller server in a computer network, interconnected over a backbone network; a plurality of information security systems, each containing a security agent and a user access partitioning system connected to the control and data exchange bus of the corresponding user workstation or functional server; an administrator information security system containing a security administrator agent and a security administrator access partitioning system connected to the control and data exchange bus of the corresponding information security administrator workstation; and a security server and a security database connected to the control and data exchange bus of the domain controller server [4].

When the base operating system is Windows XP Professional [2] or Windows 7 [4] and the computer network uses Active Directory, this known system makes it possible to manage information security at the level of network resources and at the level of files, folders and individual user rights, using security groups, user rights and access permissions, on the basis of the joint use of discretionary and mandatory access control rules.

However, this known system does not provide the required information security when a password is compromised or a smart card is stolen.

The technical result consists in increasing information security through the joint use of several user authentication factors, which excludes unauthorized access to information as a result of a compromised password or a stolen smart card.

To achieve this result, in a system for protecting information containing state secrets from unauthorized access that contains a plurality of user automated workstations or functional servers, at least one information security administrator workstation and a domain controller server in a computer network, interconnected over a backbone network; a plurality of information security systems, each containing a security agent and a user access partitioning system connected to the control and data exchange bus of the corresponding user workstation or functional server; an administrator information security system containing a security administrator agent and a security administrator access partitioning system connected to the control and data exchange bus of the corresponding information security administrator workstation; and a security server and a security database connected to the control and data exchange bus of the domain controller server, the following are introduced: in each user information security system, a database of enhanced user authentication means; in the administrator information security system, a database of enhanced security administrator authentication means. Each database of enhanced user authentication means is connected to the control and data exchange bus of the corresponding user workstation or functional server, and the database of enhanced security administrator authentication means is connected to the control and data exchange bus of the corresponding information security administrator workstation.

The proposed system protects information in the automated system at the operating system level, at the network level and at the application level; it performs auditing, integrity monitoring of software files and data, and protection of input/output to removable media; it operates in a closed software environment through the joint use of discretionary and mandatory access control rules; and it performs user identification and authentication with pluggable additional devices for enhanced identification and authentication. This gives the positive effect of higher information security through the use of several user authentication factors, which excludes unauthorized access to information as a result of a compromised password or a stolen smart card, on the basis of integrating additional enhanced identification and authentication mechanisms (key fobs, biometric scanners, access cards including contactless ones) of the kind used in physical access control systems.
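The point of the claimed effect is that a compromised password or a stolen card is a single factor, while the record in the database of enhanced authentication means requires several factors of distinct kinds. The block below is an added example, not code from the patent: the record format, the factor names, the rule of counting distinct factor kinds and the reference values are all constructed, and biometric matching, which in practice is a tolerance comparison against a template, is reduced to an exact digest match.

```python
"""Multi-factor authentication against a record of enhanced authentication means (added example)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Each authentication means belongs to one factor kind; two possession
# devices (card plus key fob) do not count as two factors.
FACTOR_KIND = {
    "password": "knowledge",
    "smart_card": "possession",
    "key_fob": "possession",
    "access_card": "possession",
    "fingerprint": "inherence",
}


def _digest(value: bytes) -> str:
    return hashlib.sha256(value).hexdigest()


# Constructed record: user -> registered means (reference digests) and the
# number of distinct factor kinds the user must present.
ENHANCED_AUTH_DB: Dict[str, dict] = {
    "ivanov": {
        "factors": {
            "password": _digest(b"Winter2013!"),
            "smart_card": _digest(b"CARD-SERIAL-7F3A"),
            "key_fob": _digest(b"FOB-0192"),
            "fingerprint": _digest(b"fp-template-ivanov"),
        },
        "required_kinds": 3,  # knowledge + possession + inherence
    },
}


def verify_factor(record: dict, name: str, presented: bytes) -> bool:
    """One means is valid only if it is registered for the user and matches."""
    reference = record["factors"].get(name)
    return reference is not None and hmac.compare_digest(reference, _digest(presented))


def authenticate(user: str, presented: Dict[str, bytes],
                 db: Dict[str, dict] = ENHANCED_AUTH_DB) -> Tuple[bool, List[str]]:
    """Return (granted, factor kinds verified).

    Any incorrect or unregistered means fails the whole attempt; otherwise
    access is granted only when the verified means cover the required number
    of distinct kinds. The list of kinds is meant for the security log, not
    for display to the person at the keyboard.
    """
    record = db.get(user)
    if record is None:
        return False, []
    kinds = set()
    for name, value in presented.items():
        if not verify_factor(record, name, value):
            return False, []
        kinds.add(FACTOR_KIND[name])
    return len(kinds) >= record["required_kinds"], sorted(kinds)


if __name__ == "__main__":
    stolen = {"password": b"Winter2013!", "smart_card": b"CARD-SERIAL-7F3A"}
    print(authenticate("ivanov", stolen))  # (False, ['knowledge', 'possession'])
```

With this record an attacker holding both the password and the smart card still presents only two kinds of factor, and adding a second possession device does not help; the biometric means that stays with the user is what the decision hinges on.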

Figure 1 shows the block diagram of the system for protecting information containing state secrets from unauthorized access.

The system for protecting information containing state secrets from unauthorized access contains a plurality of information security systems 1 connected to the control and data exchange buses 2 of automated workstations 3 and functional servers 4 in a computer network, which are interconnected over a backbone network 5; a domain controller server 6 and a security server 7 connected to the backbone network 5; a security server database 8 connected to the control and data exchange bus 9 of the domain controller server 6; in addition, at least one information security administrator workstation 10 connected to the backbone network 5, which has an internal control and data exchange bus 11, and at least one administrator information security system 12. Each information security system 1 contains a security agent 13 and a user access partitioning system 14 connected to the control and data exchange bus 2 of the corresponding workstation 3 or functional server 4, and the administrator information security system 12 contains a security administrator agent 15 and a security administrator access partitioning system 16 connected to the control and data exchange bus 11 of the corresponding information security administrator workstation 10. Each information security system 1 may contain a database 17 of enhanced user authentication means connected to the control and data exchange bus 2 of the corresponding user workstation 3 or functional server 4. The administrator information security system 12 contains a database 18 of enhanced security administrator authentication means connected to the control and data exchange bus 11 of the corresponding information security administrator workstation 10.

The system may include several information security administrator workstations 10 and, correspondingly, several security administrator agents 15 connected to their control and data exchange buses 11. In this case each information security administrator can effectively control the work of users in the network. If the work of the security administrators themselves must be controlled, the corresponding security agents 13 are connected to the control and data exchange buses 11 of the administrator workstations 10.

The proposed system for protecting information containing state secrets from unauthorized access operates as follows.

The security agents 13 that are part of the information security systems 1, the security administrator agents 15 that are part of the administrator information security systems 12, and the security server 7 and security server database 8 connected to the control and data exchange bus 9 of the domain controller server 6 together form a profile monitoring and management system.

The profile management system performs the following functions: management of the security profiles of users, groups and computers; partitioning of user access to the features of the Explorer shell (Run command, Control Panel, taskbar, Start menu, display settings, etc.); definition of the list of applications permitted to run (a closed software environment) by building a custom Explorer menu and controlling the launch of unauthorized applications; monitoring of the state of the computers in the network and collection of operating statistics (start time, continuous operating time); control of the sessions of interactive users and of network users accessing shared resources; logging of the actions of the information security administrator and of the users; separation of the powers of the information security administrators on the security administrator workstations 10 (operator, administrator); and notification of the information security administrator about unauthorized access attempts, violations of the operation of the integrated information security system and other critical situations in the network.

The profile control system also implements functions for restricting the access of applications (programs) running on the user workstations 3 and functional servers 4, for registering security events (audit), for checking the integrity of software files and data, and for protecting input/output to removable media.

The inputs of the profile control system are: information on the set of registered users in the central security database 8 of the automated system (domain controller), and entries in the system and security logs of the user workstation 3 or functional server 4 and of the information security administrator.

The outputs of the profile control system are: the administrator logs at the information security administrator workplaces 10; unauthorized access events, integrity monitoring events and events of work with external media in the automated system; and information on the status of computers, services and applications and on the security policy settings.

The profile control system uses an object ideology: the whole structure of the computer network and its management information is represented as control objects. All devices operate on control objects (SMS objects). All managed objects are stored in the security database 8 of the server.

The server security database 8 contains a root control object, which contains management objects such as domains or workgroups of the base operating system; these in turn contain objects such as computers, user applications, user profiles, user group profiles, security profiles and devices (disk drives, ports, etc.).

Each management object is characterized by its main attributes and by its own specific set of additional attributes and methods for accessing and managing that object.

The security server 7 synchronizes the control objects with the security agents 13, the security administrator agents 15 and other security servers 7: it establishes logical connections with the security agents 13 and security administrator agents 15, checks the availability of those logical connections, receives and processes requests from a security administrator agent 15 to add or remove control objects in the profile database and to modify their attributes, receives and processes requests from the security agents 13 for the user profile and the list of available applications and responds to them, receives and processes messages from the security agents 13 and security administrator agents 15 about unauthorized access events recorded in the system logs by the security agents 13, and logs the actions of the security administrators at the information security administrator workplaces 10 as far as profile control and management is concerned.

Logical connections exist between the security server 7, the security agents 13 and the security administrator agents 15. Every established logical connection has an identifier, which allows the security server 7 to determine which security agent 13 or security administrator agent 15 it is exchanging information with. When a connection is established successfully, it is assigned an identifier and the security agent 13 or security administrator agent 15 is sent a corresponding message.

After a connection is established, the security server 7, the security agents 13 and the security administrator agents 15 exchange messages containing requests and responses.

The security agents 13 send the security server 7 the following types of requests: information about the base operating system; connection break; connection test; transfer of user applications; receipt of the user profile; processing of events on the computer; receipt of the computer's devices; receipt of the list of files to be checked. The security agents 13 send information about the computer, the current user and events, and the security server 7 sends the security agents 13 information about profiles, the set of applications, the files to be checked and devices.

The security administrator agents 15 send the security server 7 the following types of requests: connection registration; transfer of domains; adding a domain; deleting a domain; enumerating the computers in a domain; adding a computer; deleting a computer; transfer of the domain's applications; adding an application; deleting an application; enumerating the domain's users; adding a user; deleting a user; changing the state of a computer in the database; changing the properties of a user, a computer, a domain or an application; remote control of a computer; transfer of user groups; adding a user group; deleting a user group; changing the properties of a user group; recording to the administrator log; reading the administrator log; receiving the list of running applications; terminating applications; processing the administrator log; clearing an alarm; setting the properties of a user group; reading the event log; enumerating security profiles; adding a security profile; deleting a security profile; changing the properties of a security profile; enumerating devices; changing the properties of a device; adding a device; deleting a device; changing the list of files to be checked; clearing the event log; obtaining the properties of storage devices (GMI: flash memory, LD); reading the event log archive; reading the administrator log archive.

The security server 7 polls the status of the security agents 13 (the set of running applications, the current user) and also performs PC restart, shutdown, logoff, and application start/termination.

The security server 7 passes to the security administrator agent 15 the data on the state of the computers and their security agents, the set of running applications, application starts and events.

The security agent 13 performs the following functions: monitoring the state of the user's automated workplace or functional server; monitoring the status of the interactive user session; setting up the user's environment and its restrictions; monitoring the status of applications and processes; tracking the contents of the system log files; executing the security administrator's commands (reboot, start/stop applications, lock the system).

The security agent 13 establishes a connection with (registers at) the security server 7 and then periodically sends the security server 7 a request to check the availability of the connection and processes the response. After the logical connection is established, interaction with the security server 7 is carried out on the basis of a request-response mechanism.

The security agent 13 is responsible for monitoring unauthorized access attempt events, statistical information (user name, start and end time of the user session, computer power-on and power-off, etc.), information on the status of tasks and processes, and the integrity of files on the user workstation or functional server.

The security agent 13 executes the commands received over the network from the security administrator agent 15 via the security server 7, and sends the security server 7 information about the computer, the current user, profiles, the set of applications, the results of integrity monitoring of the files to be checked, and unauthorized access events.

After establishing a logical connection with the security server 7, the security agent 13 receives a message with the computer system policy. Information about the type of the base operating system is transmitted to the security server 7.

When a user logs in, the security agent 13 sends the security server 7 the user information (user name, session start time). The security server 7 transmits the user's system policy. When installing the computer and user system policies, the security agent 13 changes the corresponding values in the registry.

Next, the security agent 13 generates and sends to the security server 7 requests for the transfer of user applications, for receiving the profile, for receiving the computer's devices and for the list of files to be checked. The user's applications comprise the main executables, which are launched via the Start menu, and auxiliary executables, which are launched from a main application. The security agent 13 processes the responses from the security server 7, installs the user profile in the registry, and configures the set of main applications available to the user in the Start menu and the set of additional applications launched from a main application.

The security agent 13 checks integrity by computing checksums of the files of the information protection system, system files and user files, and comparing them with the corresponding reference values. The integrity control function can detect any change (deletion, addition, replacement) of file data and of the file structure as a whole. Integrity control is performed by calculating the . When a file's checksum changes, or a file is absent, a message about the integrity violation is generated for the security server 7.

The security agent 13 exercises control over the processes running in the system: it collects information about files and processes, searches Windows processes, and transfers process information to the security server 7. It starts and stops processes on request from the security server 7, which in turn issues the request on the command of the security administrator agent 15.

The security agent 13 monitors system events by tracking the contents of the system log and, when unauthorized access attempt events or other critical events occur, transmits messages about them to the security server 7.

The security agent 13 controls the launch of all applications and determines whether a main or auxiliary application belongs to the set permitted to run. If not, the application cannot be started and an unauthorized access event message is sent to the security server 7.

Furthermore, the security agent 13 checks the messages about the start-up of the access restriction system. If the access restriction system starts successfully, its settings are stored in the registry. Otherwise, the access restriction system settings in the registry are restored and the computer is restarted. If the recovery does not lead to a successful launch of the access restriction system, an entry about the failure of the restoration is created for the administrator and the system is blocked by the initialization of the security agent 13.

The security agent 13 controls the installation of external media: the file system monitor (drivemon.sys) reports that a volume has been mounted. The security agent 13 then generates a request to the security server 7 for the security profile (descriptor) of the device. After the security profile is received, the access restriction system monitors the access of the user logged on to the computer to the device. If access is allowed, the operations with the external medium are carried out; afterwards the device is closed. When copying to the medium, the fact of copying is sent to the security server 7. The security server 7 passes the facts of the operations performed with the medium, including unauthorized access attempt events, to the log at the information security administrator workplaces 10.

The security administrator agent 15 performs the following functions: maintaining the security server database (creating, modifying and deleting objects); monitoring objects (computers, applications); managing computers and user sessions; logging the actions of administrators and operators; displaying and printing the administrator and operator logs.

The security administrator agent 15 is the basic module for implementing the control functions, setting the basic parameters and monitoring events in the network.

The security administrator agent 15 interacts with the security server 7 and participates in the exchange of management and status information about tasks, processes and events at the user workstations 3 or functional servers 4.

The display and user interface are implemented in graphical form.

At start-up, the security administrator agent 15 initiates the process of establishing a connection with (registering at) the security server 7: it generates a request to register (establish) the connection to the security server 7 and processes the response. Periodically the security administrator agent 15 sends the security server 7 a request to check the availability of the connection and processes the response. After the logical connection is established, the interaction between the security administrator agent 15 and the security server 7 takes place primarily on the basis of a request-response mechanism.

A group of functions for working with the objects of the server security database 8 allows the security administrator agent 15 to form requests to the security server 7 to obtain the list of objects and to add, delete and change the properties of objects (domains, computers, users, groups, applications, security profiles). The requests are formed on the security administrator's command through the graphical interface, and the received responses are processed. Information on the set and state of the managed objects, their attributes and parameters is kept in memory, mirroring the information in the server security database 8. On receiving a response from the security server 7, the state of the in-memory database at the information security administrator workplace 10 is changed. Storing the objects in RAM increases the performance of operations that graphically display the status of objects. For a computer, for example, this group of functions includes requests/responses to retrieve the list of computers in a domain and to add a computer, remove a computer and change the properties of a computer.

A group of functions related to the event log allows processing requests/responses for viewing and clearing the event log and for obtaining the event log archive.

A group of functions related to the information security administrator log allows processing requests/responses for viewing and clearing the information security administrator log and for obtaining the information security administrator log archive.

The group of computer management functions forms requests to the security server 7 and processes the responses for obtaining the list of running applications, remote reboot, shutdown or logoff, remote launch of applications, remote termination of applications, and obtaining information about the current user of the computer.

A group of functions for processing requests from the security server 7 about the state of objects processes and displays information about the status of computers, running applications, users and unauthorized access events.

The group of integrity control functions is designed to form requests to the security server 7 and process the responses for retrieving or modifying the list of files to be checksummed on the computers in a domain.

The access restriction system is an add-on integrated into the base operating system's security core that implements a mandatory access model, in which subjects and objects of access carry hierarchical attributes (secrecy levels) and non-hierarchical attributes (access categories).

The main principle of the base operating system's security is the concentration of the central procedures for verifying access rights in the security monitor, which is part of the base operating system kernel. The functions of the security monitor are invoked by the object manager of the base operating system whenever any system entity is accessed, to confirm the authority of the requesting subject. Thus the security monitor holds all the information needed to evaluate the security attributes of the subject and object of access.

The main way the proposed access restriction system modifies the security of the base operating system is by intercepting the authorization functions of the security monitor and adding mandatory access attributes to the security descriptors of objects and subjects without violating the internal structure of the descriptors. Mapping the descriptor to the object, its storage and access restriction are implemented by the standard facilities of the base operating system.

In the security descriptor of the subject of access (the access token), the mandatory attributes are set at the stage of the user's logon to the system and are placed in specially marked elements of the list of groups to which the user belongs. These attributes consist of a secrecy level, represented by a predefined system security identifier (SID) created for it, and a set of access categories, each represented by a security identifier defined in the security authority's user groups (such identifiers are unique for each authority). This information is stored in the security database 8 of the base operating system; each user of the system corresponds to several records in the database: a basic record containing the user's standard base operating system attributes, and one record for each secrecy level permitted to the user, containing the list of categories for that secrecy level and that user.

The access restriction system implements an access rights checking algorithm, built on the basis of the standard security monitor algorithm, that supplements it with validation of the mandatory attributes of the object and the subject.

The rules for processing the mandatory attributes of the subject and the object are as follows.

The subject has access to an object if all the access categories listed in the object's security descriptor are included in the subject's access token.

The subject has read and change access to the object if the secrecy level of the object does not exceed the secrecy level of the subject.

If the secrecy level of the object exceeds the secrecy level of the subject and the object is a container (contains other objects), the subject has access to add sub-objects to the object.

If access is permitted by the mandatory access restriction rules but not by the discretionary rules (or vice versa), access is denied.
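The four rules above as an added worked example (not the patent's own code): a Python model of the mandatory check layered over a simplified discretionary check, where the SIDs, category names, secrecy levels and right names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Access rights checked in this example (constructed names, not from the patent).
READ, CHANGE, ADD_SUBOBJECT = "read", "change", "add_subobject"


@dataclass(frozen=True)
class MandatoryLabel:
    """Hierarchical attribute (secrecy level) plus non-hierarchical access categories."""
    secrecy: int
    categories: FrozenSet[str]


@dataclass(frozen=True)
class AccessToken:
    """Subject side: the user's token with its group SIDs and mandatory label."""
    user: str
    sids: FrozenSet[str]
    label: MandatoryLabel


@dataclass(frozen=True)
class SecurityDescriptor:
    """Object side: a simplified descriptor; the DACL maps a SID to allowed rights."""
    name: str
    is_container: bool
    dacl: Dict[str, FrozenSet[str]]
    label: MandatoryLabel


def mandatory_allows(token: AccessToken, desc: SecurityDescriptor, right: str) -> bool:
    """Rules 1-3: category containment, secrecy dominance, write-up into containers."""
    # Rule 1: every category listed on the object must be present in the token.
    if not desc.label.categories <= token.label.categories:
        return False
    if right in (READ, CHANGE):
        # Rule 2: read/change only if the object's secrecy does not exceed the subject's.
        return desc.label.secrecy <= token.label.secrecy
    if right == ADD_SUBOBJECT:
        # Rule 3: a container of higher secrecy still accepts new sub-objects;
        # a container of equal or lower secrecy is already covered by rule 2.
        return desc.is_container or desc.label.secrecy <= token.label.secrecy
    return False


def discretionary_allows(token: AccessToken, desc: SecurityDescriptor, right: str) -> bool:
    """Simplified stand-in for the OS discretionary check: any SID granting the right suffices."""
    return any(right in desc.dacl.get(sid, frozenset()) for sid in token.sids)


def access_check(token: AccessToken, desc: SecurityDescriptor, right: str) -> bool:
    """Rule 4: both the mandatory and the discretionary rules must permit the access."""
    return mandatory_allows(token, desc, right) and discretionary_allows(token, desc, right)


# Constructed sample data (SIDs, names and levels are illustrative only).
USERS_SID = "SID-USERS"
ANALYST = AccessToken("analyst", frozenset({"SID-ANALYST", USERS_SID}),
                      MandatoryLabel(2, frozenset({"FIN", "OPS"})))
CLERK = AccessToken("clerk", frozenset({"SID-CLERK", USERS_SID}),
                    MandatoryLabel(1, frozenset({"FIN"})))
USERS_FULL = {USERS_SID: frozenset({READ, CHANGE, ADD_SUBOBJECT})}
REPORT = SecurityDescriptor("fin_report", False, USERS_FULL, MandatoryLabel(2, frozenset({"FIN"})))
OPS_NOTE = SecurityDescriptor("ops_note", False, USERS_FULL, MandatoryLabel(1, frozenset({"FIN", "OPS"})))
VAULT = SecurityDescriptor("vault", True, USERS_FULL, MandatoryLabel(3, frozenset({"FIN"})))
PRIVATE = SecurityDescriptor("private", False, {"SID-ANALYST": frozenset({READ})},
                             MandatoryLabel(1, frozenset()))

if __name__ == "__main__":
    for subj, obj, right in [(ANALYST, REPORT, READ), (CLERK, REPORT, READ),
                             (CLERK, OPS_NOTE, READ), (ANALYST, VAULT, READ),
                             (ANALYST, VAULT, ADD_SUBOBJECT), (CLERK, PRIVATE, READ)]:
        verdict = "granted" if access_check(subj, obj, right) else "denied"
        print(f"{subj.user:8s} {right:14s} {obj.name:11s} -> {verdict}")
```

The `PRIVATE` case shows rule 4: the mandatory check passes for the clerk, but the DACL does not grant the right, so access is denied.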

The additional information protection system is a further add-on integrated into the base operating system's modified security core, implementing an access rights checking algorithm, built on the basis of the standard security monitor algorithm, that supplements it with validation of the mandatory attributes of the object and the subject.

At user logon, the additional information protection system implements an additional authentication algorithm using strong authentication means (biometric sensors, key holders, card readers and smart cards, etc.).

For this purpose, an element of the type "base system user identification and authentication extension library" is added to the standard elements of the modified security system; storage of its authentication data is assigned to the database 17 of the user strong authentication means and the database 18 of the security administrator strong authentication means.

When a user logs on, the security agent 13 and the security administrator agent 15, using the data stored in the database 17 of the user strong authentication means and the database 18 of the security administrator strong authentication means, check whether the additional information protection system (the strong authentication means) is installed and enabled for execution and, if so, issue commands to check the authentication information against the strong authentication means (biometric sensors, key holders, smart cards, etc.).

After the user has been successfully authenticated by the strong authentication means, the user's information is transmitted to the profile control system for further normal operation.

The usability of the strong authentication means results from the user not having to remember complex passwords, since technical strong authentication means (biometric sensors, key holders, readers, smart cards, etc.) are used instead.

The proposed system for protecting information containing state secrets from unauthorized access is implemented in the automated system in software, with the base operating system Windows 7 (8) Professional installed on the domain computers (user workstations 3 or functional servers 4 in the computer network) and the base operating system Windows 2003 (2008) or higher on the domain controller server.

The proposed information protection system integrates seamlessly with the additional information protection system without the need to modify the code of the logon library of its access restriction system (when using the Windows XP Professional / Windows 2000 Server operating systems, each additional function requires rewriting and recompiling the logon library code, with its subsequent certification, etc.).

Using the proposed system for protecting information containing state secrets from unauthorized access makes it possible to increase the security of information by combining discretionary and mandatory access restriction rules with integrated additional mechanisms of strong identification and authentication (key holders, biometric scanners, access cards, including contactless ones) through the joint use of several user authentication factors, which excludes unauthorized access to information due to a compromised password or a stolen smart card.


A system for protecting information containing state secrets from unauthorized access, comprising a number of automated workplaces of users or functional servers, at least one automated workplace of an information security administrator and a domain controller server in a computer network, connected to each other by the network backbone; a number of systems for protecting user information from unauthorized access, each of which contains a corresponding security agent and a user access restriction system connected by the management and data exchange bus of the corresponding automated workplace of the user or functional server; systems for protecting administrator information from unauthorized access, each containing a security administrator agent and a security administrator access restriction system connected by the management and data exchange bus of the corresponding automated workplace of the information security administrator; and a security server and a security database connected to the management and data exchange bus of the domain controller server; characterized in that a database of user strong authentication means is introduced into each system for protecting user information from unauthorized access and a database of security administrator strong authentication means is introduced into each system for protecting administrator information from unauthorized access, each database of user strong authentication means being connected to the management and data exchange bus of the corresponding automated workplace of the user or functional server, and each database of security administrator strong authentication means being connected to the management and data exchange bus of the corresponding automated workplace of the information security administrator.
