Security-related rules

更新时间:
复制 MD 格式

This topic describes the security-related rules in Elastic Desktop Service (EDS) policies.

Background

Security-related rules in cloud computer policies include:

  • User logon control: Logon Method Control and CIDR block allowlist.

  • Display security: Anti-screenshot and Watermark.

  • Clipboard control: Management Granularity and Copy Permissions.

  • Data security: File Transfer, Web Client File Transfer, and full-speed transfer control.

  • Network access: Security Group Control and Domain Name Access Control.

  • Screen recording audit.

  • Image management: Reset Image.

  • End-user custom snapshots.

User logon control

Use cases

  • The Logon Method Control rule restricts which types of Alibaba Cloud Workspace clients end users can use to connect to their cloud computers.

    Example: To enhance enterprise information security, an administrator sets the rule to allow connections only from the Windows client, macOS client, and Wuying self-developed hardware terminal.

  • The CIDR Block Whitelist rule restricts the IP address ranges from which Alibaba Cloud Workspace clients can connect to cloud computers.

    Example: To bolster security, an administrator adds the office network's IP address range to an allowlist. This ensures that employees can connect to their cloud computers only from the office, blocking access from other locations.

Parameters

Parameter

Description

Logon method control

Restricts the types of Alibaba Cloud Workspace clients that end users can use. The options include:

  • Windows client

  • macOS client

  • iOS client

  • Android client

  • Web client

  • Wuying self-developed hardware terminal

By default, all options are selected. You can deselect client types as needed.

Cidr block allowlist

Specifies the IP address ranges from which Alibaba Cloud Workspace clients can connect to cloud computers.

Click Add CIDR Block. In the Add CIDR Block dialog box, enter an allowed Source CIDR Block and then click OK.

The IP address range must be a CIDR block. For example: 192.0.XX.XX/32 or 10.0.XX.XX/8.

Display security

Use cases

  • The Anti-screenshot feature helps prevent data leaks from screen captures or recordings.

    Example: An architectural design firm enables the anti-screenshot rule for its cloud computers to prevent unauthorized copying of design drawings. As a result, no one can use screen capture tools on their local devices to take screenshots or record the cloud computer screen.

  • The Watermark feature is used for data loss prevention, serving as both a deterrent and an audit tool.

    Example: An advertising company enables watermarks on its cloud computers. When an employee takes a screenshot of an internal document, the image is overlaid with an administrator-defined watermark. This effectively discourages internal file leaks and provides a crucial audit trail if a data breach occurs.

Applicability

Feature

Minimum image version

Client and minimum version

Anti-screenshot

N/A

Windows client and macOS client V5.2

Invisible watermark intensity

1.8.0

N/A

Invisible watermark with anti-photography

1.8.0

Any client V6.7

Parameters

Parameter

Description

Anti-screenshot

This feature helps prevent data leaks. When enabled, end users cannot use screen capture tools on their local devices to take screenshots or record the cloud computer screen.

Note
  • The anti-screenshot feature is supported only on Windows client and macOS client versions 5.2.0 and later.

  • Support for the anti-screenshot feature varies among different types of Alibaba Cloud Workspace clients. If you enable this feature, we recommend that you configure the logon method control policy to allow connections from supported clients.

Watermark

This feature is used for data loss prevention, serving as a deterrent and an audit tool.

Visible watermark

A visible watermark is a discernible overlay on the screen. You can configure its content and display style.

  • Watermark content (Select up to 3)

    • Username: For example, testuser01.

    • Cloud Computer ID: For example, ecd-66twv7ri4nmgh****.

    • Cloud computer IP address: For example, 192.0.2.0.

    • Client IP address: For example, 192.0.2.254.

    • The current time on the cloud computer. For example, 20230101.

    • Custom text: The custom text that you enter, such as Internal Data.

      Note

      The custom content can be up to 20 characters long. Supported characters include uppercase and lowercase letters, numbers, Chinese characters, and the following special characters: ~!@#$%^&*()-_=+|{};:',<.?. Using line breaks or other special characters may cause the custom content to not take effect.

  • Display style

    • Font size: The value range is 10 to 20 px. The default value is 12 px.

    • Font color: The RGB color value. The default value is #FFFFFF (white).

    • Transparency: The value must be an integer from 10 to 100. A value of 0 means opaque and 100 means fully transparent. The default value is 25.

    • Tilt: The value can range from -30 to -10. The default value is -25.

    • Watermark density: The value range for both rows and columns is 3 to 10. The default value for both is 3.

During configuration, you can see a real-time preview of the visible watermark in the preview area below.

Invisible watermark

An invisible watermark is not discernible to the naked eye. The default algorithm provided by Elastic Desktop Service (EDS) encrypts watermark information based on different Alibaba Cloud account identities to prevent malicious tampering. The parameters for invisible watermarks include:

  • Security Priority: Because the invisible watermark feature depends on specific client and image versions, we recommend that you enable this option.

    • If enabled, an end user can connect to a cloud computer only if both the client and the image meet the version requirements.

    • If disabled, an end user can still connect even if the client or image does not meet the version requirements, but the invisible watermark will not be effective.

  • Invisible watermark intensity: A higher intensity increases the granularity of the cloud computer desktop display and improves the success rate of watermark parsing. Adjust the intensity based on your needs. This feature requires an image of version 1.8.0 or later.

  • Watermark content (Select up to 2):

    • Cloud Computer ID: For example, ecd-66twv7ri4nmgh****.

    • Cloud computer IP address: For example, 192.0.2.0.

    • Client IP address: For example, 192.0.2.254.

    • The current time of the cloud computer. For example: 20230101.

  • Anti-photography: This feature requires an image of version 1.8.0 or later and an Alibaba Cloud Workspace client of version 6.7.0 or later.

Query transfer logs

For information about how to query detailed records of file transfers, see View file transfer logs.

Data security

Applicability

  • Local disk mapping

  • Clipboard control:

    • No prerequisites are required for transferring text and images.

    • File transfers require the Windows client V7.3 or later.

    • Fine-grained control requires cloud computer image version 2.4 or later. Otherwise, all copy operations are blocked.

  • Web client file transfer: Even if set to Allow Upload/Download, this policy does not take effect for Linux-based cloud computers that use the HDX protocol. To enable file transfers on such cloud computers, you must use the default system policy, which has all features enabled.

Parameters

Parameter

Description

Local disk mapping

Local disk mapping

Maps the disks of a local device to the cloud desktop. This lets you access data on the local disks from the cloud desktop. Options include the following:

  • Read-only: You can view and copy data from local disks, but you cannot write data to the disks.

  • Disabled: Prevents access to data on local disks from the cloud desktop.

  • Read/write: You can view, copy, and modify data on local disks from the cloud desktop.

Clipboard control

Management granularity

This parameter determines the scope of the clipboard permission settings. The options include:

  • Global: Applies a single clipboard permission to text, rich text/images, and files/folders.

  • Fine-grained: Sets separate clipboard permissions for text, rich text/images, and files/folders.

    Note

    This option is not supported on cloud computers with an image version earlier than 2.4. On these cloud computers, all copy operations are blocked.

Text copy permission

Sets clipboard permissions by data type. The options include:

  • Allow Two-way Copy: Allows cutting, copying, and pasting data between the cloud computer and the local device.

  • Deny Two-way Copy: Prohibits cutting, copying, and pasting data between the cloud computer and the local device.

  • Allow Copy from Local Device to Cloud Computer

  • Allow Copy from Cloud Computer to Local Device

Rich text/image copy permission

File/folder copy permission

Maximum text copy size

Sets the maximum size for copied text. Text that exceeds this limit is truncated.

Data security

Web client file transfer

Controls whether files can be transferred between a cloud computer and a local device by using the Web client.

Image management

Reset cloud computer image

Disabled by default. When enabled, end users can reset their cloud computer to the initial image. All existing data on the cloud computer will be lost.

Network access

Domain name access control

A domain name access control rule allows or denies access to specific domains from within a cloud computer. For example, to comply with company regulations, an administrator can add entertainment-related domains to a deny list to prevent employees from accessing non-work-related websites during business hours.

Use cases

By default, access to all domains is allowed from a cloud computer. Domain name access control is used to allow or deny access to specific domains and supports multi-level, fine-grained control over domain access.

Example: For the domains listed in the following table, you can configure DNS rules to achieve fine-grained access control.

Domain

Example

Access policy

Description

Second-level domain

example.com

Allow

When the cloud computer accesses example.com, the webpage opens normally.

Third-level domain

writer.examplec.com

Deny

When the cloud computer accesses writer.example.com, the web page displays a 404 error.

developer.example.com

Allow

When the cloud computer accesses developer.example.com, the webpage opens successfully.

Fourth-level domain

image.developer.example.com

Deny

When the cloud computer accesses image.developer.example.com, the webpage displays 404.

video.developer.example.com

Allow

When the cloud computer accesses video.developer.example.com and guide.developer.example.com, the web pages open correctly.

guide.developer.example.com

Allow

Limitations

  • Domain limitations

    To ensure that end users can use their cloud computers properly, the following reserved security domains are not subject to DNS rules. Access to these domains is always allowed. If you set the access policy for these domains to Deny, the rule will not take effect.

    • *.gws.aliyun

    • *.aliyun.com

    • *.alicdn.com

    • *.aliyunpds.com

    • *.aliyuncds.com

    • *.aliyuncs.com

  • Operating system limitations

    Domain name access control rules apply only to cloud computers that run the Windows operating system.

  • Rule quantity limit

    You can create up to 300 DNS rules.

Parameters

In the Domain Name Access Control (Formerly DNS Feature) section, click Add Rule. In the Add Rule dialog box, configure the following parameters and click OK.

Parameter

Description

Domain name

Enter the domain name for which you want to set DNS rules. You can add only one domain name at a time. The * wildcard character is supported.

Description

A custom description for the DNS rule.

Access policy

Select Allow or Reject.

Note
  • If you set multiple DNS rules with an access policy of Allow, you must also add a DNS rule with an access policy of Deny to serve as a fallback rule.

  • When multiple DNS rules exist, the rule that is higher in the list takes precedence. You can move rules to adjust their priority.

Security group control

A security group is a security mechanism that controls the inbound and outbound traffic of a cloud computer to enhance its security.

Use cases

A security group rule is defined by properties such as direction, policy, priority, protocol type, and port range. Before establishing data communication with a cloud computer, the system evaluates the request against the security group rules in the associated policy to determine whether to grant access:

  • For rules with a policy of Allow, if the access request matches the rule, the request is permitted.

  • For rules with a policy of Deny, if the access request matches the rule, the request is blocked and the data packet is dropped immediately.

You can add inbound or outbound security group control rules to further control the traffic of your cloud computers. The following are example configurations for security group control rules:

Scenario 1

By default, all outbound access from a cloud computer is allowed. You can add the following outbound rules to allow access only to specific IP addresses:

  • Rule 1: Deny all outbound access. Example:

    Direction

    Policy

    Priority

    Protocol type

    Port range

    Authorization object

    Outbound

    Deny

    2

    All

    -1/-1

    0.0.0.0/0

  • Rule 2: Allow access to a specific IP address. The priority of this rule must be higher than that of Rule 1. Example:

    Direction

    Policy

    Priority

    Protocol type

    Port range

    Authorization object

    Outbound

    Allow

    1

    Select the applicable protocol type.

    Set an appropriate port range.

    The IP address to allow access to, for example: 192.168.1.1/32.

Scenario 2

In a VPC environment, you can add an inbound rule to allow access from a specific IP address to the cloud computer. Example:

Direction

Policy

Priority

Protocol type

Port range

Authorization object

Inbound

Allow

1

Select the applicable protocol type.

Set an appropriate port range.

The IP address to allow access from, for example: 192.168.1.1/32.

Scenario 3

Assume Cloud Computer A is associated with Policy A, and Cloud Computer B is associated with Policy B. In a VPC environment, Cloud Computer A and Cloud Computer B cannot communicate with each other because all inbound access is denied by default. You can add the following inbound rules to Policy A and Policy B to enable network communication between them:

  • In Policy A, add an inbound rule to allow access from Cloud Computer B. Example:

    Direction

    Policy

    Priority

    Protocol type

    Port range

    Authorization object

    Inbound

    Allow

    1

    Select the applicable protocol type.

    Set an appropriate port range.

    IP address of Cloud Computer B.

  • In Policy B, add an inbound rule to allow access from Cloud Computer A. Example:

    Direction

    Policy

    Priority

    Protocol type

    Port range

    Authorization object

    Inbound

    Allow

    1

    Select the applicable protocol type.

    Set an appropriate port range.

    IP address of Cloud Computer A.

Limitations

  • Rule quantity limit

    You can create up to 200 security group control rules.

  • Limitations on inbound rules

    By default, a cloud computer allows all outbound access. Inbound access follows these principles:

    • Over the internet, a cloud computer does not support any inbound access. Even if you set an inbound security group rule to Allow, the rule does not take effect.

    • In a VPC environment, a cloud computer denies all inbound access by default. However, you can set an inbound security group rule to Allow to permit specific access requests.

Parameters

In the Security Group Control section, click Add Rule. In the Add Rule dialog box, configure the following parameters and click OK.

Parameter

Description

Direction

  • Inbound: Controls whether to allow requests to the cloud computer.

  • Outbound: Controls whether to allow requests from the cloud computer to other applications.

Policy

  • Allow: Permits the access request.

  • Deny: Blocks the access request and drops the data packet without returning any information.

Priority

A value from 1 to 60, where a smaller value indicates a higher priority. Higher-priority rules take precedence.

Protocol type

TCP, UDP, ICMP (IPv4), and GRE are supported.

Port range

The port used by the application or protocol. When the selected protocol type is Custom TCP or Custom UDP, you can set a custom port. You can enter a specific port, such as 80, or a port range, such as 1/80. For more information, see Common Ports.

Authorization object

An IPv4 address range in CIDR format.

Description

A custom description for the rule.

Next steps

By default, cloud computers deny all inbound traffic but allow all outbound traffic. This is managed by a default rule that allows all outbound access. Outbound rules that you add will conflict with the default rule. Depending on the office network to which your cloud computer belongs, you may need to adjust the priority of the default rule for your new rules to take effect.

  • If you are using a new office network (ID format: region ID+dir+10 digits), the default rule has the lowest priority, so your added rules will take effect immediately without any extra steps.

  • If you are using an office network that was upgraded from an older version (ID format: region ID+dir+17 letters and digits), the default rule has the highest priority. You must manually adjust the priority of the default rule. To do this, perform the following steps:

    1. Find the office network to which the cloud computer belongs and click its office network ID.

    2. On the office network details page, click the security group ID.

    3. On the Security Groups page, click the security group ID.

    4. On the Security Group Rules page, click the Outbound tab and modify the priority of the corresponding rule.

      We recommend that you set the priority to 60. This ensures that any outbound rules that you add manually will take effect immediately.

End-user custom snapshots

End-user custom snapshots

The end-user custom snapshot rule lets you control whether end users can create their own restore points in the client.

Use cases

End users can use restore points to back up and restore data on their cloud computers. For example, they can create a restore point before they perform high-risk operations such as modifying critical system files.

To prevent operational errors or resource waste, administrators can use this policy to manage the creation of custom restore points by end users.

Limitations

This feature is available only when a cloud computer is assigned to a single user.

Parameters

When the End-user custom snapshots option is Enabled, end users can create custom restore points on the Management page of their cloud computer's desktop card.

When the End-user custom snapshots option is Disabled, the custom restore point feature is hidden from end users on the Management page.

References