
CN118869289A - Method and device for managing access to Windows assets based on bastion host - Google Patents


Info

Publication number
CN118869289A
Authority
CN
China
Prior art keywords
asset
user
windows
logged
account
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410901840.9A
Other languages
Chinese (zh)
Inventor
廖胜才
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongdian Cloud Computing Technology Co ltd
Original Assignee
Zhongdian Cloud Computing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongdian Cloud Computing Technology Co ltd
Priority to CN202410901840.9A
Publication of CN118869289A
Legal status: Pending

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00  Network architectures or network communication protocols for network security
    • H04L63/10  Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G  PHYSICS
    • G06  COMPUTING OR CALCULATING; COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30  Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31  User authentication
    • G06F21/41  User authentication where a single sign-on provides access to a plurality of computers
    • G  PHYSICS
    • G06  COMPUTING OR CALCULATING; COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50  Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57  Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00  Network architectures or network communication protocols for network security
    • H04L63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00  Network architectures or network communication protocols for network security
    • H04L63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815  Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • G  PHYSICS
    • G06  COMPUTING OR CALCULATING; COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00  Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21  Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141  Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract


The present application provides a method and device for managing access to Windows assets based on a bastion host, and relates to the field of network security technology. The method comprises: in response to an access request for a target Windows asset triggered by a logged-in user, determining whether first account information of the logged-in user has been synchronized to the target Windows asset; if it is determined that the first account information of the logged-in user has been synchronized to the target Windows asset, selecting a first user account indicated by the first account information to send an authentication request to the target Windows asset; in the case where the authentication request passes the authentication, in response to a multi-window operation request for the target Windows asset triggered by the logged-in user, selecting a second user account to send a login request to the target Windows asset; in the case where the second user account successfully logs in to the target Windows asset, allowing the logged-in user to access the target Windows asset through multiple session windows, wherein the first user account and the second user account correspond to different session windows.

Description

Method and device for managing access to Windows assets based on a bastion host
Technical Field
The application relates to the technical field of network security, and in particular to a method and device for managing access to Windows assets based on a bastion host.
Background
A bastion host is typically used to provide security management and protection for assets such as Windows hosts, which by default do not allow multiple users to access them at the same time.
For the same Windows asset, the current way of meeting the need for concurrent use by multiple users is to configure the Windows asset so that several people share one account, and multiple users then access the Windows asset through different session windows under that account. This achieves resource sharing, but when one session is interrupted the other sessions are interrupted as well, the users' working state cannot be preserved, and use of the asset is affected.
How to let users who access Windows assets through a bastion host work in multiple session windows that do not affect each other is therefore a problem that needs to be solved.
Disclosure of Invention
To solve this technical problem, the application provides a method and device for managing access to Windows assets based on a bastion host.
In a first aspect, the application provides a method for managing access to Windows assets based on a bastion host, including:
in response to an access request for a target Windows asset triggered by a logged-in user, determining whether the first account information of the logged-in user has been synchronized to the target Windows asset; the logged-in user is a user who has successfully logged in to the bastion host, and the bastion host stores the first account information and the Windows asset information list of at least one user;
if it is determined that the first account information of the logged-in user has been synchronized to the target Windows asset, selecting the first user account indicated by the first account information to send an authentication request to the target Windows asset, so that the logged-in user accesses the target Windows asset through the first user account;
if the authentication request passes authentication, in response to a multi-window operation request for the target Windows asset triggered by the logged-in user, selecting a second user account to send a login request to the target Windows asset, where the login request requests access to the target Windows asset based on the second user account;
and if the second user account successfully logs in to the target Windows asset, allowing the logged-in user to access the target Windows asset through multiple session windows, where the first user account and the second user account correspond to different session windows.
In some embodiments, the method further comprises:
if the first account information of the logged-in user has not been synchronized to the target Windows asset, sending a first account information synchronization request to the target Windows asset through a privileged account of the bastion host, so as to synchronize the first account information of the logged-in user to the target Windows asset.
In some embodiments, before responding to the multi-window operation request for the target Windows asset triggered by the user, the method further comprises:
allowing the logged-in user to access the target Windows asset through a session window.
In some embodiments, before responding to the access request for the target Windows asset triggered by the logged-in user, the method further comprises:
receiving a login request for the bastion host sent by a user from a client, and verifying the second account information carried by the login request;
and if the verification passes, allowing the user to log in to the bastion host.
In some embodiments, determining, in response to an access request for a target Windows asset triggered by a logged-in user, whether the account information of the logged-in user has been synchronized to the target Windows asset includes:
if a selection operation by the user on any Windows asset in the Windows asset information list is received, taking the selected Windows asset as the target Windows asset;
and receiving an access request for the target Windows asset, judging whether the first account information of the logged-in user exists among the first account information of the at least one user stored by the bastion host, and thereby determining whether the account information of the logged-in user has been synchronized to the target Windows asset.
In some embodiments, sending an account information synchronization request to the target Windows asset through the privileged account of the bastion host includes:
logging in to the target Windows asset through the privileged account of the bastion host, and sending the account information synchronization request to the target Windows asset using a remote management protocol or the secure shell protocol.
In some embodiments, selecting the first user account indicated by the first account information to send an authentication request to the target Windows asset includes:
sending an authentication request for the first user account to the target Windows asset through a proxy server;
and selecting the second user account to send a login request to the target Windows asset includes:
sending a login request for the second user account to the target Windows asset through the proxy server.
In a second aspect, the application provides a device for managing access to Windows assets based on a bastion host, including:
a judging module, configured to respond to an access request for a target Windows asset triggered by a logged-in user and to judge whether the first account information of the logged-in user has been synchronized to the target Windows asset; the logged-in user is a user who has successfully logged in to the bastion host, and the bastion host stores the first account information and the Windows asset information list of at least one user;
a sending module, configured to, if it is determined that the first account information of the logged-in user has been synchronized to the target Windows asset, select the first user account indicated by the first account information to send an authentication request to the target Windows asset, so that the logged-in user accesses the target Windows asset through the first user account;
the sending module being further configured to, if the authentication request passes authentication, select a second user account to send a login request to the target Windows asset in response to a multi-window operation request for the target Windows asset triggered by the logged-in user, where the login request requests access to the target Windows asset based on the second user account;
and a management module, configured to allow the logged-in user to access the target Windows asset through multiple session windows if the second user account successfully logs in to the target Windows asset, where the first user account and the second user account correspond to different session windows.
In some embodiments, the sending module is further configured to, if it is determined that the first account information of the logged-in user has not been synchronized to the target Windows asset, send a first account information synchronization request to the target Windows asset through a privileged account of the bastion host, so as to synchronize the first account information of the logged-in user to the target Windows asset.
In some embodiments, the management module is further configured to allow the logged-in user to access the target Windows asset through a session window before responding to the multi-window operation request for the target Windows asset triggered by the user.
In some embodiments, the device further comprises an authentication module, configured to receive, before the judging module responds to an access request for a target Windows asset triggered by a logged-in user, a login request for the bastion host sent by a user from a client, and to verify the second account information carried by the login request;
and, if the verification passes, to allow the user to log in to the bastion host.
In some embodiments, the judging module is specifically configured to, if a selection operation by the user on any Windows asset in the Windows asset information list is received, take the selected Windows asset as the target Windows asset;
and to receive an access request for the target Windows asset, judge whether the first account information of the logged-in user exists among the first account information of the at least one user stored by the bastion host, and thereby determine whether the first account information of the logged-in user has been synchronized to the target Windows asset.
In some embodiments, the sending module is specifically configured to log in to the target Windows asset through the privileged account of the bastion host and to send the account information synchronization request to the target Windows asset using a remote management protocol or the secure shell protocol.
In some embodiments, the sending module is specifically configured to send the authentication request for the first user account to the target Windows asset through a proxy server, and to send the login request for the second user account to the target Windows asset through the proxy server.
In a third aspect, an embodiment of the application provides an electronic device, comprising a memory for storing a computer program and a processor which, when the computer program is invoked, executes the method for managing access to Windows assets based on a bastion host according to the first aspect or any optional implementation of the first aspect.
In a fourth aspect, an embodiment of the application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method for managing access to Windows assets based on a bastion host according to the first aspect or any optional implementation of the first aspect.
Compared with the prior art, the technical solution provided by the embodiments of the application has the following advantages:
The method for managing access to Windows assets based on a bastion host provided by the embodiments of the application comprises the following steps: in response to an access request for a target Windows asset triggered by a logged-in user, determining whether the first account information of the logged-in user has been synchronized to the target Windows asset; the logged-in user is a user who has successfully logged in to the bastion host, and the bastion host stores the first account information and the Windows asset information list of at least one user; if it is determined that the first account information of the logged-in user has been synchronized to the target Windows asset, selecting the first user account indicated by the first account information to send an authentication request to the target Windows asset, so that the logged-in user accesses the target Windows asset through the first user account; if the authentication request passes authentication, in response to a multi-window operation request for the target Windows asset triggered by the logged-in user, selecting a second user account to send a login request to the target Windows asset, where the login request requests access to the target Windows asset based on the second user account; and if the second user account successfully logs in to the target Windows asset, allowing the logged-in user to access the target Windows asset through multiple session windows, where the first user account and the second user account correspond to different session windows.
After the logged-in user has successfully logged in to the target Windows asset through the first user account, when a multi-window operation request triggered by the user is received, login to the target Windows asset is requested based on the second user account, so the user can operate the target Windows asset in multiple session windows, one corresponding to the first user account and another corresponding to the second user account. Because each session window corresponds to a different user account, the session windows do not affect each other.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a flowchart of the steps of a method for managing access to Windows assets based on a bastion host according to an embodiment of the application;
FIG. 2 is a block diagram of a device for managing access to Windows assets based on a bastion host according to another embodiment of the application;
FIG. 3 is an internal structure diagram of an electronic device according to an embodiment of the application.
Detailed Description
To make the objects, embodiments and advantages of the application clearer, exemplary embodiments of the application are described more fully below with reference to the accompanying drawings, in which exemplary embodiments are shown. It should be understood that the exemplary embodiments described are only some, not all, of the embodiments of the application.
Based on the exemplary embodiments described herein, all other embodiments that a person of ordinary skill in the art could obtain without inventive effort fall within the scope of the appended claims. Furthermore, although the disclosure is described in terms of one or more exemplary embodiments, each aspect of the disclosure can be practiced separately from the others. The brief explanation of terminology in the application is only intended to make the embodiments described below easier to understand and does not limit them. Unless otherwise indicated, these terms should be construed in their ordinary and customary meaning.
The method for managing access to Windows assets based on a bastion host provided by the embodiments of the disclosure can be executed by a device for managing access to Windows assets based on a bastion host. The device can be implemented in software and/or hardware and can be integrated in an electronic device that has the bastion-host-based access management function for Windows assets, such as a mobile phone, a handheld computer, a tablet, a laptop or a desktop computer.
The method for managing access to Windows assets based on a bastion host provided by the application is described and illustrated below through a specific exemplary embodiment. The target Windows asset in the embodiment may be any Windows asset; a Windows asset includes a virtual machine, a physical host or the like on which a Windows system is deployed; the bastion host may be an asset management and access proxy platform; and a communication connection is established between the client and the bastion host.
FIG. 1 is a flowchart of a method for managing access to Windows assets based on a bastion host according to an embodiment of the application. Referring to FIG. 1, the method includes the following steps S11 to S14.
S11: in response to an access request for the target Windows asset triggered by the logged-in user, the bastion host judges whether the first account information of the logged-in user has been synchronized to the target Windows asset.
The logged-in user is a user who has successfully logged in to the bastion host. The bastion host stores the first account information and a Windows asset information list of at least one user; the first account information comprises the corresponding first user account and password, and the Windows asset information list stores information on at least one Windows asset authorized by the bastion host, such as a Windows asset identifier. The target Windows asset may be any Windows asset indicated by a Windows asset identifier in the Windows asset information list.
In some embodiments, before responding to the access request for the target Windows asset triggered by the logged-in user, the method further comprises: receiving a login request for the bastion host sent by a user from a client, and verifying the second account information carried by the login request; and if the verification passes, allowing the user to log in to the bastion host.
The first account information is the dedicated account information with which the client user logs in to and accesses the target Windows asset. The first account information of at least one user stored in the bastion host is account information that has been synchronized to the target Windows asset. The Windows asset information list contains information on at least one Windows asset that the user is authorized to access, for example the list of authorized Windows assets, and the target Windows asset may be any Windows asset in the Windows asset information list.
In some embodiments, if a selection operation by the user on any Windows asset in the Windows asset information list is received, the selected Windows asset is taken as the target Windows asset; an access request for the target Windows asset is received, whether the first account information of the logged-in user exists in the account information of the at least one user stored by the bastion host is judged, and whether the account information of the logged-in user has been synchronized to the target Windows asset is determined accordingly. The selection operation may be a click, a check-box selection or the like; the embodiment does not limit this.
For example, after successfully logging in to the bastion host through a browser on the client, the user can view the list of authorized Windows assets and trigger an access request for a target Windows asset in the list by a selection operation. Assuming the Windows asset information list contains Windows asset 1, Windows asset 2, Windows asset 3 and Windows asset 4, when the user clicks Windows asset 3, Windows asset 3 becomes the target Windows asset and the click triggers an access request for it.
In some embodiments, whether the first account information of the logged-in user has been synchronized to the target Windows asset is determined by judging whether the first account information of the logged-in user exists among the first account information of the at least one user stored in the bastion host: if it exists, it is determined that the first account information of the logged-in user has been synchronized to the target Windows asset; if it does not exist, it is determined that the first account information of the logged-in user has not been synchronized to the target Windows asset.
S12: if it is determined that the first account information of the logged-in user has been synchronized to the target Windows asset, the first user account indicated by the first account information is selected to send an authentication request to the target Windows asset, so that the logged-in user accesses the target Windows asset through the first user account.
The authentication request requests the target Windows asset to authenticate the first user account. When the first user account passes authentication, the target Windows asset allows it to log in, and the user can then remotely access the target Windows asset from the client. The first user account is the user's dedicated account, and the user of a given first user account has exclusive use of that account's resources and rights; for example, while the target Windows asset is being accessed through first user account A, no other user is allowed to log in to the target Windows asset with first user account A to obtain resources.
If the first account information of the logged-in user has not been synchronized to the target Windows asset, a first account information synchronization request is sent to the target Windows asset through a privileged account of the bastion host, so as to synchronize the first account information of the logged-in user to the target Windows asset.
For example, if it is determined that the first account information of the logged-in user has not been synchronized to the target Windows asset, a login page is displayed on the client that prompts the user to enter the first account information for logging in to the target Windows asset, for example a Windows account and password; after receiving the first account information entered by the user, the bastion host sends a first account information synchronization request to the target Windows asset.
The privileged account of the bastion host is the account the bastion host uses to log in to the target Windows asset. The bastion host logs in to the target Windows asset through its privileged account and sends the account information synchronization request using the remote management protocol WinRM (Windows Remote Management) or the secure shell protocol SSH (Secure Shell).
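The synchronization request above carries account information that the user typed into the client, and the bastion host turns it into a command run on the target Windows asset under its privileged account. The following is an added example for this page, not the patent's or any product's code: it shows the input checks and quoting a bastion should apply before embedding a user-supplied account name and password in a remote PowerShell command, whether the command travels over WinRM or SSH. Transport itself is left out; the functions return the script and the command line. The account is assumed to be a local account that must be able to log on through Remote Desktop, so the script adds it to the built-in "Remote Desktop Users" group; the cmdlets used are the standard Microsoft.PowerShell.LocalAccounts ones, and the user-name rules applied are the Windows rules for local accounts, enforced conservatively.

```python
import base64

# Characters Windows forbids in a user name, plus the 20-character limit for
# local accounts. Anything rejected here never reaches the remote host.
_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
_MAX_LEN = 20


def validate_windows_username(name):
    """Reject anything that is not a plausible local Windows user name before it is
    embedded in a remote command: this is the trust boundary of the sync step."""
    if not 1 <= len(name) <= _MAX_LEN:
        raise ValueError(f"user name length must be 1..{_MAX_LEN}")
    if any(c in _FORBIDDEN or ord(c) < 32 for c in name):
        raise ValueError("user name contains a character Windows forbids")
    if not name.strip(". ") or name.endswith("."):
        raise ValueError("user name may not consist of dots/spaces or end in a dot")
    return name


def ps_literal(text):
    """PowerShell single-quoted literal: no variable expansion, no escape sequences,
    and the only character that needs handling is the quote itself, which is doubled."""
    return "'" + text.replace("'", "''") + "'"


def build_sync_script(account, password):
    """Idempotent script that creates or re-keys the local account and lets it log on
    through Remote Desktop (assumed requirement; the page only says 'synchronize')."""
    acct = ps_literal(validate_windows_username(account))
    if any(ord(c) < 32 for c in password):
        raise ValueError("password may not contain control characters")
    pw = ps_literal(password)
    return "\n".join([
        "$ErrorActionPreference = 'Stop'",
        f"$p = ConvertTo-SecureString -String {pw} -AsPlainText -Force",
        f"if (Get-LocalUser -Name {acct} -ErrorAction SilentlyContinue) {{",
        f"  Set-LocalUser -Name {acct} -Password $p",
        "} else {",
        f"  New-LocalUser -Name {acct} -Password $p | Out-Null",
        "}",
        f"Add-LocalGroupMember -Group 'Remote Desktop Users' -Member {acct} -ErrorAction SilentlyContinue",
    ])


def encoded_command(script):
    """Wrap the script for transport. -EncodedCommand takes base64 of UTF-16LE text,
    so the same command line works over WinRM and over an SSH session whose default
    shell is cmd.exe, with no second layer of shell quoting to get wrong."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -NonInteractive -EncodedCommand {b64}"


if __name__ == "__main__":
    print(build_sync_script("alice.w", "A1!"))          # constructed sample input
    print(encoded_command(build_sync_script("alice.w", "A1!")))
```

Two things follow from this for the flow on the page. First, the page has the bastion host keep the user's first account password so it can log in on the user's behalf later; that store is a credential vault and needs the same protection as the privileged account itself. Second, the privileged account can create and re-key local accounts on every managed Windows asset, so it should be scoped to the assets it actually manages and its WinRM/SSH activity should be logged on the asset side as well as on the bastion.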
In the embodiment of the application, the fort machine can interact with the target Windows assets through a proxy server, wherein the proxy server can be a VNC server, an RDP server and the like, and interacts with the Windows assets through the proxy server. For example, the fort machine may send, through the proxy server, an authentication request of the first user account corresponding to the first account information to the target Windows asset.
In some cases, after the first account information of the logged-in user is synchronized to the target Windows asset, the bastion machine stores the first account information of the logged-in user, so that when the user requests to access the Windows asset next time, the bastion machine can directly select the corresponding first account information to send an authentication request to the target Windows asset without reminding the user to input the first account information.
In the embodiment of the application, the first user account corresponding to the first account information is directly selected by the fort machine to send the authentication request to the target Windows asset, so that the user does not need to care about the first user account and the password, and the efficiency and experience of logging in the target Windows asset by the user are improved.
S13: if the authentication request passes authentication, then in response to a multi-window operation request for the target Windows asset triggered by the logged-in user, select a second user account and send a login request to the target Windows asset.
The login request requests access to the target Windows asset based on the second user account. The second user account is a public (shared) account that has access rights to the target Windows asset, and at least one such public account is available. The multi-window operation request is an access request for the target Windows asset that the logged-in user triggers again while the first user account is already logged in to the target Windows asset. The login request for the second user account may be sent to the target Windows asset through the proxy server.
Once the authentication request of the first user account passes, a session window is displayed on the client and the logged-in user is allowed to access the target Windows asset. The multi-window operation request for the target Windows asset is triggered by the logged-in user while the first user account is in the logged-in state: if the logged-in user triggers an operation on the target Windows asset again, one of the at least one second user account is selected and the login request for that second user account is sent to the target Windows asset.
Alternatively, the multi-window operation request triggered by the user may be a login request for another Windows asset in the Windows asset information list to which the user has rights. For example, after the authentication request of the first user account passes and the first user account is in the logged-in state, if a trigger operation of the logged-in user for another authorized Windows asset in the Windows asset information list is received, one of the at least one second user account is selected and the login request of that second user account is sent to that Windows asset.
In the embodiment of the present application, the multi-window operation request also covers the case in which the logged-in user triggers it more than twice. For example, when the first user account and one second user account are both logged in to the target Windows asset, the logged-in user may still trigger the multi-window operation request again, and when the first user account and two second user accounts are all logged in to the target Windows asset, the logged-in user may trigger the multi-window operation request yet again; further cases are not enumerated here.
S14: if the second user account successfully logs in to the target Windows asset, allow the logged-in user to access the target Windows asset through a plurality of session windows.
The first user account and the second user account correspond to different session windows.
After the authentication request of the first user account passes, the first user account is in the logged-in state. If a re-triggered operation of the logged-in user for the target Windows asset is received, one of the second user accounts is selected and the login request of that second user account is sent to the target Windows asset; after the target Windows asset successfully verifies the login request, it allows the second user account to log in, and the bastion host allows another session window to be displayed on the client.
In some embodiments, after the authentication request of the first user account passes and the first user account is in the logged-in state, if a trigger operation of the logged-in user for another authorized Windows asset in the Windows asset information list is received, one of the second user accounts is selected and the login request of that second user account is sent to that Windows asset; after the Windows asset successfully verifies the login request, it allows the second user account to log in, and the bastion host allows another session window to be displayed on the client.
That is, when the authentication request of the first user account passes, a session window is displayed on the client for the logged-in user to access the target Windows asset, and each time a second user account successfully logs in to the target Windows asset, a session window operated under that second user account is displayed on the client. Each second user account corresponds to one session window, so the logged-in user can operate the target Windows asset through several session windows at the same time; alternatively, the logged-in user can operate different Windows assets simultaneously through multiple windows. The first user account corresponds to one session window, and each second user account corresponds to one session window.
Because the second user account has the same access rights to the target Windows asset as the first user account, when the user operates the target Windows asset through multiple session windows based on the first user account and the second user account, multiple users can use the resources on the target Windows asset at the same time, resources can be shared between session windows, and the problem of resource isolation is avoided.
The embodiment of the application provides a method and a device for managing access to Windows assets based on a bastion host. The method comprises the following steps: in response to an access request for a target Windows asset triggered by a logged-in user, judging whether the first account information of the logged-in user has been synchronized to the target Windows asset, where the logged-in user is a user who has successfully logged in to the bastion host, and the bastion host stores the first account information and the Windows asset information list of at least one user; if the first account information of the logged-in user is determined to have been synchronized to the target Windows asset, selecting the first user account indicated by the first account information and sending an authentication request to the target Windows asset, so that the logged-in user accesses the target Windows asset through the first user account; if the authentication request passes authentication, in response to a multi-window operation request for the target Windows asset triggered by the logged-in user, selecting a second user account and sending a login request to the target Windows asset, where the login request requests access to the target Windows asset based on the second user account; and if the second user account successfully logs in to the target Windows asset, allowing the logged-in user to access the target Windows asset through a plurality of session windows, where the first user account and the second user account correspond to different session windows.
After the logged-in user has successfully logged in to the target Windows asset through the first user account, each multi-window operation request triggered by the user leads to a login to the target Windows asset based on a second user account. The user can therefore operate the target Windows asset through multiple session windows, namely the session window corresponding to the first account information and the session window corresponding to each second user account, and because each session window corresponds to a different user account, the session windows do not affect one another.
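The flow summarized above (bastion login, synchronization check, first-account authentication, then a public account for every additional window) as an added Python model; it is not part of the patent or of any product it describes. The class, method and account names (Bastion, open_session, open_additional_window, svc_share01 and so on) are assumptions, and the WinRM/SSH synchronization and the proxied authentication against the asset are simulated with in-memory dictionaries.

```python
import hashlib, hmac, itertools
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Credential:
    username: str
    password: str   # kept in the bastion's vault; the user never sees it

@dataclass
class WindowsAsset:
    name: str
    local_accounts: Dict[str, str] = field(default_factory=dict)  # accounts the asset knows

@dataclass
class Session:
    window_id: int
    asset: str
    account: str

class Bastion:
    def __init__(self, users: Dict[str, str], privileged: Credential):
        # Bastion login secrets kept as SHA-256 digests (a real deployment uses a slow KDF).
        self._users = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}
        self._privileged = privileged                        # used only for account sync
        self.logged_in: Set[str] = set()
        self.vault: Dict[str, Credential] = {}              # first account information per user
        self.assets: Dict[str, WindowsAsset] = {}
        self.asset_list: Dict[str, Set[str]] = {}           # user -> Windows asset information list
        self.public_pool: Dict[str, List[Credential]] = {}  # asset -> shared "second" accounts
        self.sessions: Dict[str, List[Session]] = {}        # user -> open session windows
        self._bound: Set[Tuple[str, str]] = set()           # (asset, account) tied to a live window
        self._ids = itertools.count(1)

    def login(self, user: str, password: str) -> bool:
        """Verify the second account information (the user's bastion credentials)."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        ok = user in self._users and hmac.compare_digest(self._users[user], digest)
        if ok:
            self.logged_in.add(user)
        return ok

    def is_synced(self, user: str, asset: WindowsAsset) -> bool:
        """S11: does the asset already hold the user's first account?"""
        cred = self.vault.get(user)
        return cred is not None and asset.local_accounts.get(cred.username) == cred.password

    def _sync(self, user: str, asset: WindowsAsset) -> None:
        # Stands in for a WinRM or SSH session opened as self._privileged to create the account.
        cred = self.vault[user]
        asset.local_accounts[cred.username] = cred.password

    def _check(self, user: str, asset_name: str) -> WindowsAsset:
        if user not in self.logged_in:
            raise PermissionError("not logged in to the bastion")
        if asset_name not in self.asset_list.get(user, set()):
            raise PermissionError(f"{asset_name} is not in the user's asset list")
        return self.assets[asset_name]

    def _bind_window(self, user: str, asset: WindowsAsset, cred: Credential) -> Session:
        # Stands in for the authentication that the proxy server forwards to the asset.
        stored = asset.local_accounts.get(cred.username)
        if stored is None or not hmac.compare_digest(stored, cred.password):
            raise PermissionError(f"{cred.username} rejected by {asset.name}")
        s = Session(next(self._ids), asset.name, cred.username)
        self.sessions.setdefault(user, []).append(s)
        self._bound.add((asset.name, cred.username))
        return s

    def open_session(self, user: str, asset_name: str) -> Session:
        """S11/S12: first window under the user's own account, synchronizing it first if needed."""
        asset = self._check(user, asset_name)
        if user not in self.vault:
            raise LookupError("no first account information stored; prompt the user")
        if not self.is_synced(user, asset):
            self._sync(user, asset)
        return self._bind_window(user, asset, self.vault[user])

    def open_additional_window(self, user: str, asset_name: str) -> Session:
        """S13/S14: another window under a free public account while the first one is open."""
        asset = self._check(user, asset_name)
        first = self.vault.get(user)
        if first is None or not any(s.account == first.username for s in self.sessions.get(user, [])):
            raise PermissionError("multi-window request without a first-account session")
        # Pick a public account not bound to another window on this asset, so no two
        # windows share an account and the sessions cannot interfere with one another.
        for cred in self.public_pool.get(asset_name, []):
            if (asset_name, cred.username) not in self._bound:
                return self._bind_window(user, asset, cred)
        raise RuntimeError(f"no free public account on {asset_name}")

def demo() -> List[Tuple[int, str, str]]:
    """Constructed walk-through: one user, one asset, three windows; returns (window, asset, account)."""
    pool = [Credential("svc_share01", "s1-pw"), Credential("svc_share02", "s2-pw")]
    asset = WindowsAsset("win-app-01", {c.username: c.password for c in pool})
    bastion = Bastion({"alice": "bastion-pw"}, Credential("bastion_admin", "priv-pw"))
    bastion.assets[asset.name], bastion.public_pool[asset.name] = asset, pool
    bastion.asset_list["alice"] = {asset.name}
    bastion.vault["alice"] = Credential("alice", "alice-asset-pw")   # not on the asset yet
    assert bastion.login("alice", "bastion-pw")
    windows = [bastion.open_session("alice", asset.name)]             # syncs alice, then logs in
    windows += [bastion.open_additional_window("alice", asset.name) for _ in range(2)]
    return [(s.window_id, s.asset, s.account) for s in windows]
```

Two points of the model carry the security meaning of the method: a multi-window request is refused unless the user's own (first) account already holds a session, matching the condition in S13, and each public account is bound to at most one live window on an asset, so a request that would reuse an account in another window is refused rather than silently sharing it. Treating the public accounts as a bastion-held pool whose passwords the user never receives is what keeps the shared accounts from turning into shared, unattributable credentials.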
Based on the same inventive concept, and as an implementation of the method, the embodiment of the present application further provides a bastion-host-based access management device for Windows assets. The device embodiment corresponds to the method embodiment; for ease of reading, the device embodiment does not repeat the details of the method embodiment one by one, but it should be clear that the bastion-host-based access management device for Windows assets in the embodiment of the present application can implement all the details of the method embodiment.
Fig. 2 is a schematic structural diagram of a bastion-host-based access management device for Windows assets according to an embodiment of the present application. As shown in fig. 2, the bastion-host-based access management device 200 for Windows assets according to this embodiment includes:
a judging module 210, configured to respond to an access request for a target Windows asset triggered by a logged-in user and judge whether the first account information of the logged-in user has been synchronized to the target Windows asset, where the logged-in user is a user who has successfully logged in to the bastion host, and the bastion host stores the first account information and the Windows asset information list of at least one user;
a sending module 220, configured to, if it is determined that the first account information of the logged-in user has been synchronized to the target Windows asset, select the first user account indicated by the first account information and send an authentication request to the target Windows asset, so that the logged-in user accesses the target Windows asset through the first user account;
the sending module 220 being further configured to, if the authentication request passes authentication, select a second user account and send a login request to the target Windows asset in response to a multi-window operation request for the target Windows asset triggered by the logged-in user, where the login request requests access to the target Windows asset based on the second user account;
and a management module 230, configured to allow the logged-in user to access the target Windows asset through a plurality of session windows when the second user account successfully logs in to the target Windows asset, where the first user account and the second user account correspond to different session windows.
In some embodiments, the sending module 220 is further configured to, if it is determined that the first account information of the logged-in user has not been synchronized to the target Windows asset, send a first account information synchronization request to the target Windows asset through a privileged account of the bastion host, so as to synchronize the first account information of the logged-in user to the target Windows asset.
In some embodiments, the management module 230 is further configured to allow the logged-in user to access the target Windows asset through a session window before the multi-window operation request for the target Windows asset triggered by the user is responded to.
In some embodiments, the device further comprises an authentication module, configured to, before the access request for the target Windows asset triggered by the logged-in user is responded to, receive a login request for the bastion host sent by the user from a client and verify the second account information carried by the login request; if the verification passes, the user is allowed to log in to the bastion host.
In some embodiments, the judging module 210 is specifically configured to, if a selection operation of the user for any Windows asset in the Windows asset information list is received, take the selected Windows asset as the target Windows asset; and to receive the access request for the target Windows asset and judge whether the first account information of the logged-in user exists in the account information of the at least one user stored by the bastion host, so as to determine whether the first account information of the logged-in user has been synchronized to the target Windows asset.
In some embodiments, the sending module 220 is specifically configured to log in to the target Windows asset through the privileged account of the bastion host and send the account information synchronization request to the target Windows asset using a remote management protocol or the secure shell protocol.
In some embodiments, the sending module 220 is specifically configured to send the authentication request of the first user account to the target Windows asset through a proxy server, and to send the login request of the second user account to the target Windows asset through the proxy server.
The bastion-host-based access management device for Windows assets provided in this embodiment can execute the bastion-host-based access management method for Windows assets provided in the method embodiment; the implementation principle and technical effect are similar and are not repeated here. The modules of the bastion-host-based access management device for Windows assets may be implemented in whole or in part by software, by hardware, or by a combination of both. The modules may be embedded in hardware, may be independent of the processor of the computer device, or may be stored as software in the memory of the computer device so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, an electronic device is provided that includes a memory storing a computer program and a processor which, when executing the computer program, performs the steps of any of the method embodiments described above for managing access to Windows assets based on a bastion host.
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 3, the electronic device provided in this embodiment includes a memory 31 and a processor 32. The memory 31 stores a computer program; the processor 32 is configured to execute, when the computer program is invoked, the steps of the bastion-host-based access management method for Windows assets provided in the foregoing method embodiment, whose implementation principle and technical effect are similar and are not described again here. Those skilled in the art will appreciate that the structure shown in fig. 3 is merely a block diagram of the part of the structure relevant to the present inventive arrangements and does not limit the electronic device to which they are applied; a particular electronic device may include more or fewer components than shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer-readable storage medium is provided on which a computer program is stored; when executed by a processor, the computer program implements the steps of any of the method embodiments described above for bastion-host-based access management of Windows assets.
Those skilled in the art will appreciate that all or part of the above-described methods may be implemented by a computer program, which may be stored on a non-transitory computer-readable storage medium and which, when executed, may perform the steps of the above-described method embodiments. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, or the like. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms, such as static random access memory (SRAM), dynamic random access memory (DRAM), and the like.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is only a specific embodiment of the application to enable those skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A bastion-host-based access management method for Windows assets, characterized by comprising the following steps:
in response to an access request for a target Windows asset triggered by a logged-in user, judging whether first account information of the logged-in user has been synchronized to the target Windows asset, where the logged-in user is a user who has successfully logged in to the bastion host, and the bastion host stores the first account information and a Windows asset information list of at least one user;
if the first account information of the logged-in user is determined to have been synchronized to the target Windows asset, selecting a first user account indicated by the first account information and sending an authentication request to the target Windows asset, so that the logged-in user accesses the target Windows asset through the first user account;
if the authentication request passes authentication, in response to a multi-window operation request for the target Windows asset triggered by the logged-in user, selecting a second user account and sending a login request to the target Windows asset, where the login request requests access to the target Windows asset based on the second user account;
and if the second user account successfully logs in to the target Windows asset, allowing the logged-in user to access the target Windows asset through a plurality of session windows, where the first user account and the second user account correspond to different session windows.
2. The method according to claim 1, wherein the method further comprises:
if the first account information of the logged-in user has not been synchronized to the target Windows asset, sending a first account information synchronization request to the target Windows asset through a privileged account of the bastion host, so as to synchronize the first account information of the logged-in user to the target Windows asset.
3. The method of claim 1, wherein, before responding to the multi-window operation request for the target Windows asset triggered by the user, the method further comprises:
allowing the logged-in user to access the target Windows asset through a session window.
4. The method of claim 1, wherein, before responding to the access request for the target Windows asset triggered by the logged-in user, the method further comprises:
receiving a login request for the bastion host sent by the user from a client, and verifying second account information carried by the login request;
and if the verification passes, allowing the user to log in to the bastion host.
5. The method of claim 1, wherein judging, in response to the access request for the target Windows asset triggered by the logged-in user, whether the account information of the logged-in user has been synchronized to the target Windows asset comprises:
if a selection operation of the user for any Windows asset in the Windows asset information list is received, taking the selected Windows asset as the target Windows asset;
and receiving the access request for the target Windows asset, and judging whether the first account information of the logged-in user exists in the account information of the at least one user stored by the bastion host, so as to determine whether the first account information of the logged-in user has been synchronized to the target Windows asset.
6. The method of claim 2, wherein sending the account information synchronization request to the target Windows asset through the privileged account of the bastion host comprises:
logging in to the target Windows asset through the privileged account of the bastion host, and sending the account information synchronization request to the target Windows asset using a remote management protocol or the secure shell protocol.
7. The method of any of claims 1 to 6, wherein selecting the first user account indicated by the first account information and sending the authentication request to the target Windows asset comprises:
sending the authentication request of the first user account to the target Windows asset through a proxy server;
and selecting the second user account and sending the login request to the target Windows asset comprises:
sending the login request of the second user account to the target Windows asset through the proxy server.
8. A bastion-host-based access management device for Windows assets, characterized by comprising:
a judging module, configured to respond to an access request for a target Windows asset triggered by a logged-in user and judge whether first account information of the logged-in user has been synchronized to the target Windows asset, where the logged-in user is a user who has successfully logged in to the bastion host, and the bastion host stores the first account information and a Windows asset information list of at least one user;
a sending module, configured to, if it is determined that the first account information of the logged-in user has been synchronized to the target Windows asset, select a first user account indicated by the first account information and send an authentication request to the target Windows asset, so that the logged-in user accesses the target Windows asset through the first user account;
the sending module being further configured to, if the authentication request passes authentication, select a second user account and send a login request to the target Windows asset in response to a multi-window operation request for the target Windows asset triggered by the logged-in user, where the login request requests access to the target Windows asset based on the second user account;
and a management module, configured to allow the logged-in user to access the target Windows asset through a plurality of session windows when the second user account successfully logs in to the target Windows asset, where the first user account and the second user account correspond to different session windows.
9. An electronic device, comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the bastion-host-based access management method for Windows assets of any one of claims 1 to 7.
10. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the bastion-host-based access management method for Windows assets of any one of claims 1 to 7.
CN202410901840.9A 2024-07-05 2024-07-05 Method and device for managing access to Windows assets based on bastion host Pending CN118869289A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410901840.9A CN118869289A (en) 2024-07-05 2024-07-05 Method and device for managing access to Windows assets based on bastion host

Publications (1)

Publication Number Publication Date
CN118869289A true CN118869289A (en) 2024-10-29

Family

ID=93158532

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410901840.9A Pending CN118869289A (en) 2024-07-05 2024-07-05 Method and device for managing access to Windows assets based on bastion host

Country Status (1)

Country Link
CN (1) CN118869289A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119892523A (en) * 2025-03-31 2025-04-25 北京久安世纪科技有限公司 Method, system and storage medium for improving security of fort machine

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination