This topic describes the security-related rules in Elastic Desktop Service (EDS) policies.
Background
Security-related rules in cloud computer policies include:
User logon control: Logon Method Control and CIDR block allowlist.
Display security: Anti-screenshot and Watermark.
Clipboard control: Management Granularity and Copy Permissions.
Data security: File Transfer, Web Client File Transfer, and full-speed transfer control.
Network access: Security Group Control and Domain Name Access Control.
Screen recording audit.
Image management: Reset Image.
End-user custom snapshots.
User logon control
Use cases
The Logon Method Control rule restricts which types of Alibaba Cloud Workspace clients end users can use to connect to their cloud computers.
Example: To enhance enterprise information security, an administrator sets the rule to allow connections only from the Windows client, macOS client, and Wuying self-developed hardware terminal.
The CIDR Block Whitelist rule restricts the IP address ranges from which Alibaba Cloud Workspace clients can connect to cloud computers.
Example: To bolster security, an administrator adds the office network's IP address range to an allowlist. This ensures that employees can connect to their cloud computers only from the office, blocking access from other locations.
Parameters
Parameter | Description |
Logon method control | Restricts the types of Alibaba Cloud Workspace clients that end users can use. The options include:
By default, all options are selected. You can deselect client types as needed. |
Cidr block allowlist | Specifies the IP address ranges from which Alibaba Cloud Workspace clients can connect to cloud computers. Click Add CIDR Block. In the Add CIDR Block dialog box, enter an allowed Source CIDR Block and then click OK. The IP address range must be a CIDR block. For example: |
Display security
Use cases
The Anti-screenshot feature helps prevent data leaks from screen captures or recordings.
Example: An architectural design firm enables the anti-screenshot rule for its cloud computers to prevent unauthorized copying of design drawings. As a result, no one can use screen capture tools on their local devices to take screenshots or record the cloud computer screen.
The Watermark feature is used for data loss prevention, serving as both a deterrent and an audit tool.
Example: An advertising company enables watermarks on its cloud computers. When an employee takes a screenshot of an internal document, the image is overlaid with an administrator-defined watermark. This effectively discourages internal file leaks and provides a crucial audit trail if a data breach occurs.
Applicability
Feature | Minimum image version | Client and minimum version |
Anti-screenshot | N/A | Windows client and macOS client V5.2 |
Invisible watermark intensity | 1.8.0 | N/A |
Invisible watermark with anti-photography | 1.8.0 | Any client V6.7 |
Parameters
Parameter | Description |
Anti-screenshot | This feature helps prevent data leaks. When enabled, end users cannot use screen capture tools on their local devices to take screenshots or record the cloud computer screen. Note
|
Watermark | This feature is used for data loss prevention, serving as a deterrent and an audit tool. Visible watermarkA visible watermark is a discernible overlay on the screen. You can configure its content and display style.
During configuration, you can see a real-time preview of the visible watermark in the preview area below. Invisible watermarkAn invisible watermark is not discernible to the naked eye. The default algorithm provided by Elastic Desktop Service (EDS) encrypts watermark information based on different Alibaba Cloud account identities to prevent malicious tampering. The parameters for invisible watermarks include:
|
Query transfer logs
For information about how to query detailed records of file transfers, see View file transfer logs.
Data security
Applicability
Local disk mapping
Clipboard control:
No prerequisites are required for transferring text and images.
File transfers require the Windows client V7.3 or later.
Fine-grained control requires cloud computer image version 2.4 or later. Otherwise, all copy operations are blocked.
Web client file transfer: Even if set to Allow Upload/Download, this policy does not take effect for Linux-based cloud computers that use the HDX protocol. To enable file transfers on such cloud computers, you must use the default system policy, which has all features enabled.
Parameters
Parameter | Description |
Local disk mapping | |
Local disk mapping | Maps the disks of a local device to the cloud desktop. This lets you access data on the local disks from the cloud desktop. Options include the following:
|
Clipboard control | |
Management granularity | This parameter determines the scope of the clipboard permission settings. The options include:
|
Text copy permission | Sets clipboard permissions by data type. The options include:
|
Rich text/image copy permission | |
File/folder copy permission | |
Maximum text copy size | Sets the maximum size for copied text. Text that exceeds this limit is truncated. |
Data security | |
Web client file transfer | Controls whether files can be transferred between a cloud computer and a local device by using the Web client. |
Image management | |
Reset cloud computer image | Disabled by default. When enabled, end users can reset their cloud computer to the initial image. All existing data on the cloud computer will be lost. |
Network access
Domain name access control
A domain name access control rule allows or denies access to specific domains from within a cloud computer. For example, to comply with company regulations, an administrator can add entertainment-related domains to a deny list to prevent employees from accessing non-work-related websites during business hours.
Use cases
By default, access to all domains is allowed from a cloud computer. Domain name access control is used to allow or deny access to specific domains and supports multi-level, fine-grained control over domain access.
Example: For the domains listed in the following table, you can configure DNS rules to achieve fine-grained access control.
Domain | Example | Access policy | Description |
Second-level domain |
| Allow | When the cloud computer accesses |
Third-level domain |
| Deny | When the cloud computer accesses |
| Allow | When the cloud computer accesses | |
Fourth-level domain |
| Deny | When the cloud computer accesses |
| Allow | When the cloud computer accesses | |
| Allow |
Limitations
Domain limitations
To ensure that end users can use their cloud computers properly, the following reserved security domains are not subject to DNS rules. Access to these domains is always allowed. If you set the access policy for these domains to Deny, the rule will not take effect.
*.gws.aliyun*.aliyun.com*.alicdn.com*.aliyunpds.com*.aliyuncds.com*.aliyuncs.com
Operating system limitations
Domain name access control rules apply only to cloud computers that run the Windows operating system.
Rule quantity limit
You can create up to 300 DNS rules.
Parameters
In the Domain Name Access Control (Formerly DNS Feature) section, click Add Rule. In the Add Rule dialog box, configure the following parameters and click OK.
Parameter | Description |
Domain name | Enter the domain name for which you want to set DNS rules. You can add only one domain name at a time. The |
Description | A custom description for the DNS rule. |
Access policy | Select Allow or Reject. Note
|
Security group control
A security group is a security mechanism that controls the inbound and outbound traffic of a cloud computer to enhance its security.
Use cases
A security group rule is defined by properties such as direction, policy, priority, protocol type, and port range. Before establishing data communication with a cloud computer, the system evaluates the request against the security group rules in the associated policy to determine whether to grant access:
For rules with a policy of Allow, if the access request matches the rule, the request is permitted.
For rules with a policy of Deny, if the access request matches the rule, the request is blocked and the data packet is dropped immediately.
You can add inbound or outbound security group control rules to further control the traffic of your cloud computers. The following are example configurations for security group control rules:
Scenario 1
By default, all outbound access from a cloud computer is allowed. You can add the following outbound rules to allow access only to specific IP addresses:
Rule 1: Deny all outbound access. Example:
Direction
Policy
Priority
Protocol type
Port range
Authorization object
Outbound
Deny
2
All
-1/-1
0.0.0.0/0
Rule 2: Allow access to a specific IP address. The priority of this rule must be higher than that of Rule 1. Example:
Direction
Policy
Priority
Protocol type
Port range
Authorization object
Outbound
Allow
1
Select the applicable protocol type.
Set an appropriate port range.
The IP address to allow access to, for example: 192.168.1.1/32.
Scenario 2
In a VPC environment, you can add an inbound rule to allow access from a specific IP address to the cloud computer. Example:
Direction | Policy | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | The IP address to allow access from, for example: 192.168.1.1/32. |
Scenario 3
Assume Cloud Computer A is associated with Policy A, and Cloud Computer B is associated with Policy B. In a VPC environment, Cloud Computer A and Cloud Computer B cannot communicate with each other because all inbound access is denied by default. You can add the following inbound rules to Policy A and Policy B to enable network communication between them:
In Policy A, add an inbound rule to allow access from Cloud Computer B. Example:
Direction
Policy
Priority
Protocol type
Port range
Authorization object
Inbound
Allow
1
Select the applicable protocol type.
Set an appropriate port range.
IP address of Cloud Computer B.
In Policy B, add an inbound rule to allow access from Cloud Computer A. Example:
Direction
Policy
Priority
Protocol type
Port range
Authorization object
Inbound
Allow
1
Select the applicable protocol type.
Set an appropriate port range.
IP address of Cloud Computer A.
Limitations
Rule quantity limit
You can create up to 200 security group control rules.
Limitations on inbound rules
By default, a cloud computer allows all outbound access. Inbound access follows these principles:
Over the internet, a cloud computer does not support any inbound access. Even if you set an inbound security group rule to Allow, the rule does not take effect.
In a VPC environment, a cloud computer denies all inbound access by default. However, you can set an inbound security group rule to Allow to permit specific access requests.
Parameters
In the Security Group Control section, click Add Rule. In the Add Rule dialog box, configure the following parameters and click OK.
Parameter | Description |
Direction |
|
Policy |
|
Priority | A value from 1 to 60, where a smaller value indicates a higher priority. Higher-priority rules take precedence. |
Protocol type | TCP, UDP, ICMP (IPv4), and GRE are supported. |
Port range | The port used by the application or protocol. When the selected protocol type is Custom TCP or Custom UDP, you can set a custom port. You can enter a specific port, such as |
Authorization object | An IPv4 address range in CIDR format. |
Description | A custom description for the rule. |
Next steps
By default, cloud computers deny all inbound traffic but allow all outbound traffic. This is managed by a default rule that allows all outbound access. Outbound rules that you add will conflict with the default rule. Depending on the office network to which your cloud computer belongs, you may need to adjust the priority of the default rule for your new rules to take effect.
If you are using a new office network (ID format:
region ID+dir+10 digits), the default rule has the lowest priority, so your added rules will take effect immediately without any extra steps.If you are using an office network that was upgraded from an older version (ID format:
region ID+dir+17 letters and digits), the default rule has the highest priority. You must manually adjust the priority of the default rule. To do this, perform the following steps:Find the office network to which the cloud computer belongs and click its office network ID.
On the office network details page, click the security group ID.
On the Security Groups page, click the security group ID.
On the Security Group Rules page, click the Outbound tab and modify the priority of the corresponding rule.
We recommend that you set the priority to 60. This ensures that any outbound rules that you add manually will take effect immediately.
End-user custom snapshots
End-user custom snapshots
The end-user custom snapshot rule lets you control whether end users can create their own restore points in the client.
Use cases
End users can use restore points to back up and restore data on their cloud computers. For example, they can create a restore point before they perform high-risk operations such as modifying critical system files.
To prevent operational errors or resource waste, administrators can use this policy to manage the creation of custom restore points by end users.
Limitations
This feature is available only when a cloud computer is assigned to a single user.
Parameters
When the End-user custom snapshots option is Enabled, end users can create custom restore points on the Management page of their cloud computer's desktop card.
When the End-user custom snapshots option is Disabled, the custom restore point feature is hidden from end users on the Management page.