
Elastic Desktop Service: Security-related rules

Last Updated:Nov 05, 2024

Policies in Elastic Desktop Service (EDS) include the rules to manage user experience, security, audits, peripherals, collaboration, and AI. This topic describes security-related rules.

Background information

The security-related rules in a policy involve the following parameters:

  • Logon security rules: Logon Method Control and CIDR Block Whitelist

  • Display security rules: Anti-screenshot and Watermark

  • Transfer rules: Clipboard and Web Client File Transfer

  • Network security rules: Domain Name Access Control and Security Group Control

Logon security rules

Scenarios

  • You can configure the Logon Method Control parameter to choose the type of Alibaba Cloud Workspace terminals that can be used by end users.

    Example: To ensure the information security of an enterprise, the administrator sets this parameter to Windows Client and macOS Client.

  • You can configure the CIDR Block Whitelist parameter to allow specific CIDR blocks used by Alibaba Cloud Workspace terminals.

    Example: To ensure the information security of an enterprise, the administrator adds the CIDR blocks of all the enterprise's offices to the whitelist. Then, employees can connect to cloud computers only from Alibaba Cloud Workspace terminals whose addresses fall within those CIDR blocks.

Parameters

Parameter

Description

Logon Method Control

Specifies the types of Alibaba Cloud Workspace terminals that can be used by end users. Valid values:

  • Windows Client

  • macOS Client

  • iOS Client

  • Android Client

  • Web Client

By default, all the values are selected. Configure this parameter based on your business requirements.

CIDR Block Whitelist

Specifies the CIDR blocks that can be used by Alibaba Cloud Workspace terminals.

Click Add CIDR block. In the Add CIDR block dialog box, enter CIDR blocks based on your business requirements and click OK.

Example: 192.0.XX.XX/32 or 10.0.XX.XX/8.

Display security rules

Scenarios

  • You can configure the Anti-screenshot parameter to prevent data leaks due to screenshot capturing or screen recording of cloud computers.

    Example: To prevent design data leaks, the administrator of a construction company enables the anti-screenshot feature for cloud computers in the company. This way, employees are not permitted to use the snipping tools installed on local terminals to capture or record screens.

  • You can configure the Watermark parameter to prevent data leaks, and facilitate audits if a data leak does occur.

    Example: The administrator of an advertisement company enables the watermarking feature. When employees capture the snapshots of internal files stored on cloud computers, watermarks are tiled across the screenshots. This can effectively prevent data leaks. If a data leak does occur, watermarks are important clues for auditing.

Applicable scope

| Parameter | Image version | Client version |
| --- | --- | --- |
| Anti-screenshot | N/A | Windows client or macOS client of V5.2.0 |
| Enhancement | 1.8.0 | N/A |
| Anti-Screen Photo | 1.8.0 | Any client of V6.7.0 |

Parameters

Parameter

Description

Anti-screenshot

Specifies whether to enable the anti-screenshot feature. This feature is suitable for data leak prevention scenarios. If this parameter is configured, end users cannot use snipping tools on local terminals to capture or record the screens of cloud computers.

Note
  • The parameter takes effect only for the Windows client and macOS client of Alibaba Cloud Workspace V5.2.0 and later.

  • If you configure this parameter, we recommend that you select the corresponding type of client when you configure the Logon Method Control parameter, to allow the feature to take effect.

Watermark

Specifies whether to enable the watermarking feature. This feature is used to prevent data leaks and facilitate auditing after a data leak occurs.

Visible watermarks

Visible watermarks can be clearly seen. You can specify the watermark content and display styles.

  • Content (up to 3 items to display)

    • Username. Example: testuser01.

    • Cloud Computer ID. Example: ecd-66twv7ri4nmgh****.

    • Cloud Computer IP. Example: 192.0.2.0.

    • Client IP. Example: 192.0.2.254.

    • Current Time. Example: 20230101.

    • Custom Text. Example: Internal Data.

      Note

      You can enter 1 to 20 characters as the custom text, which can contain letters, digits, and the following special characters: ~ ! @ # $ % ^ & * ( ) - _ = + | { } ; : ' , < . ?. If you use line breaks or other special characters, the custom text may not be displayed.

  • Display style

    • Font Size: The watermark content size. Valid values: 10 to 20. Default value: 12. Unit: pixels (px).

    • Font Color: The watermark color. Default value: #FFFFFF, which indicates white.

    • Opacity: The watermark opacity. Valid values: 10 to 100. Unit: percentage (%). If you set this parameter to 0, the watermarks are opaque. If you set it to 100, the watermarks are transparent. Default value: 25.

    • Rotation: The watermark rotation. Valid values: -30 to -10. Default value: -25.

    • Watermark Density: The number of watermark columns and rows. Valid values: 3 to 10. Default value: 3.

During the configuration, you can preview the display style of a watermark in real time in the preview area below.

Invisible watermarks

Invisible watermarks are hidden from view. EDS provides the default invisible watermark algorithm that can encrypt watermarks for different Alibaba Cloud accounts to prevent tampering. You can configure the following parameters for invisible watermarks:

  • Security Priority: Since invisible watermarks rely on the Alibaba Cloud Workspace client and images of specific versions, we recommend that you enable this option.

    • If you enable security priority, invisible watermark configurations take effect only when end users connect to cloud computers that use the specified versions of images and that are connected from the specified versions of clients.

    • If you disable this option, invisible watermark configurations do not take effect. However, end users can still connect to cloud computers from invalid clients or use invalid images.

  • Enhancement: Higher watermark enhancement indicates a grainier desktop of a cloud computer, which increases the success rate of parsing invisible watermarks. Adjust the watermark enhancement based on your business requirements. This feature requires images of V1.8.0 or later.

  • Content (choose up to 2 items to display):

    • Cloud Computer ID. Example: ecd-66twv7ri4nmgh****.

    • Cloud Computer IP. Example: 192.0.2.0.

    • Client IP. Example: 192.0.2.254.

    • Current Time. Example: 20230101.

  • Anti-Screen Photo: This feature requires images of V1.8.0 or later and the Alibaba Cloud Workspace client of V6.7.0 or later.
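The logon security rules above (Logon Method Control plus CIDR Block Whitelist) and the note that Anti-screenshot only takes effect on the Windows and macOS clients combine into a single admission decision and a pre-publication policy check. The following is an added example written for this page, not EDS code or an EDS API: it assumes IPv4 whitelist entries, treats an empty whitelist as "no source restriction" (the page does not state what an empty whitelist means), and uses a constructed sample policy with documentation-range addresses.

```python
"""Added example (not EDS code): evaluates a policy's logon security rules
and lints the anti-screenshot coverage caveat from the parameter notes.
Assumptions of this example: an empty CIDR Block Whitelist means no source
restriction, and only IPv4 blocks are entered."""
import ipaddress

# Client types listed under Logon Method Control on the page.
CLIENT_TYPES = {"Windows Client", "macOS Client", "iOS Client",
                "Android Client", "Web Client"}
# Clients on which Anti-screenshot takes effect (V5.2.0 and later, per the page).
ANTI_SCREENSHOT_CLIENTS = {"Windows Client", "macOS Client"}


def parse_whitelist(entries):
    """Turn admin-entered strings such as '10.0.XX.XX/8' into network objects.
    strict=False mirrors lenient console input: host bits are masked off."""
    blocks = []
    for entry in entries:
        try:
            blocks.append(ipaddress.IPv4Network(entry.strip(), strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid CIDR block {entry!r}: {exc}") from exc
    return blocks


def logon_allowed(policy, client_type, client_ip):
    """Return (allowed, reason) for one connection attempt."""
    if client_type not in CLIENT_TYPES:
        return False, f"unknown client type {client_type!r}"
    if client_type not in policy["logon_method_control"]:
        return False, f"{client_type} is not selected under Logon Method Control"
    blocks = policy["cidr_block_whitelist"]
    if not blocks:
        return True, "no CIDR Block Whitelist configured (assumed: no restriction)"
    ip = ipaddress.IPv4Address(client_ip)
    for block in blocks:
        if ip in block:
            return True, f"{client_ip} is within whitelisted block {block}"
    return False, f"{client_ip} is outside every whitelisted CIDR block"


def policy_lint(policy):
    """Findings an administrator would want before publishing the policy."""
    findings = []
    if policy.get("anti_screenshot"):
        # Anti-screenshot does nothing for clients outside ANTI_SCREENSHOT_CLIENTS,
        # so permitting those clients leaves a gap in the leak-prevention control.
        uncovered = policy["logon_method_control"] - ANTI_SCREENSHOT_CLIENTS
        if uncovered:
            findings.append("Anti-screenshot is enabled but does not apply to "
                            "permitted clients: " + ", ".join(sorted(uncovered)))
    if not policy["cidr_block_whitelist"]:
        findings.append("CIDR Block Whitelist is empty; any source network is accepted")
    for block in policy["cidr_block_whitelist"]:
        if block.prefixlen == 0:
            findings.append(f"whitelist entry {block} admits every address")
    return findings


# Constructed sample policy: Windows/macOS only, two office CIDR blocks.
OFFICE_POLICY = {
    "logon_method_control": {"Windows Client", "macOS Client"},
    "cidr_block_whitelist": parse_whitelist(["203.0.113.0/24", "198.51.100.7/32"]),
    "anti_screenshot": True,
}

if __name__ == "__main__":
    print(logon_allowed(OFFICE_POLICY, "Windows Client", "203.0.113.25"))
    print(logon_allowed(OFFICE_POLICY, "Web Client", "203.0.113.25"))
    print(logon_allowed(OFFICE_POLICY, "macOS Client", "192.0.2.9"))
    print(policy_lint(OFFICE_POLICY))
```

The lint mirrors the note on Anti-screenshot: enabling it while still permitting the web, iOS or Android clients leaves those sessions uncovered, which is exactly the gap the page's recommendation about Logon Method Control is meant to close.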

Transfer security rules

Applicable scope

  • Local disk mapping

    • Only Windows cloud computers are supported.

    • Only Windows clients and macOS clients are supported.

    • Local disk mapping is suitable for accessing files. This feature is not suitable for running programs. Even if you have enabled local disk mapping, you cannot run applications installed on local devices from cloud computers. However, you can run applications that do not require installation on cloud computers. The application will occupy bandwidth resources and compromise the performance of the cloud computer that runs the application. Proceed with caution.

  • Clipboard

    • There are no restrictions for text and image transfer.

    • For file transfer, the Windows client of V7.3.0 or later is required.

  • Web Client File Transfer: Even if you set this parameter to Allow Upload/Download, this setting does not take effect for high-definition experience (HDX)-based Linux cloud computers. If you want to use the file transfer feature on the cloud computers, use the default policy called All enabled policy.

Parameters

Parameter

Description

Local Disk Mapping

Maps the disks of local devices to the disks of cloud computers. This enables cloud computers to access the disks of local devices. Valid values:

  • Read-only: You can view and copy data stored in the disks of local devices from cloud computers. However, you do not have permissions to modify data.

  • Close: You are not allowed to access data stored in the disks of local devices from cloud computers.

  • Read/Write: You can view, copy, and modify data stored in the disks of local devices from cloud computers.

Clipboard

Specifies whether end users can copy and paste texts, images, and files between local devices and cloud computers.

Web Client File Transfer

Specifies whether files can be transferred between cloud computers and local devices by using the web client.

Network security rules

Domain name access control

Domain name access control rules specify the domain names that cloud computers are allowed or not allowed to access. Example: A company does not want employees to access websites unrelated to work during business hours. The administrator adds those websites, such as entertainment websites, to the Domain Name System (DNS) rules and denies access to them.

Scenarios

By default, cloud computers can access all domain names. Domain name control is used to configure domain names that cloud computers can access. You can manage the permissions on domain names in a fine-grained manner based on the parts in a domain name.

Example: The following table describes sample domain names. Configure the domain names in the DNS rules to implement fine-grained management.

| Domain name | Example | Access | Description |
| --- | --- | --- | --- |
| Second-level domain name | example.com | Allow | Cloud computers can access example.com, and end users can open the web page on the cloud computers as expected. |
| Third-level domain name | writer.example.com | Deny | When cloud computers attempt to access writer.example.com, error code 404 is returned. |
| Third-level domain name | developer.example.com | Allow | Cloud computers can access developer.example.com, and end users can open the web page on the cloud computers as expected. |
| Fourth-level domain name | image.developer.example.com | Deny | When cloud computers attempt to access image.developer.example.com, error code 404 is returned. |
| Fourth-level domain name | video.developer.example.com | Allow | Cloud computers can access video.developer.example.com and guide.developer.example.com, and end users can open the web pages on the cloud computers as expected. |
| Fourth-level domain name | guide.developer.example.com | Allow | See the preceding row. |

Limits

  • Domain name

    To ensure that end users can use cloud computers as expected, the following reserved domain names are out of the rule control. That is, these domain names are always accessible from cloud computers. If you deny these domain names in DNS rules, the rules will not take effect.

    • *.gws.aliyun

    • *.aliyun.com

    • *.alicdn.com

    • *.aliyunpds.com

    • *.aliyuncds.com

    • *.aliyuncs.com

  • OS

    The DNS rules take effect only for Windows cloud computers.

  • Rule quantity

    You can configure up to 300 rules.

Parameters

To configure DNS rules, click Add Rule in the Domain Name Access Control (Formerly DNS Feature) section, configure the following parameters in the Add Rule dialog box, and then click OK.

Parameter

Description

Domain Name

Enter the domain name for which you need to configure a DNS rule. You can enter only one domain name each time. Asterisk wildcards (*) are supported.

Description

The description of the DNS rule.

Access Policy

You can select Allow or Deny.

Note
  • If you need to configure multiple DNS rules in which the Access Policy parameter is set to Allow, you must add a rule in which the parameter is set to Deny.

  • The priorities of rules are based on their display order in the rule list. The first rule in the list has the highest priority. You can change the display order to adjust priorities.
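The rule semantics described in this section (ordered list, first match wins, asterisk wildcards, reserved domain names outside rule control, all domain names reachable by default, and the need for a Deny rule when Allow rules are used) can be modelled as a small evaluator. The following is an added example written for this page, not EDS code or an EDS API. It assumes shell-style wildcard matching in which `*` may span several labels, and the rule set is constructed from the page's sample table plus a catch-all Deny rule; how the real service resolves wildcards is not stated on the page.

```python
"""Added example (not EDS code): evaluator for EDS-style Domain Name Access
Control rules as described on the page. Rules are an ordered list (first rule
has the highest priority), '*' wildcards are supported, reserved Alibaba Cloud
domain names are always reachable, and a name matching no rule is allowed.
Wildcard semantics (shell-style, '*' may span labels) are an assumption."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

MAX_DNS_RULES = 300  # rule quantity limit stated on the page

# Reserved domain names listed on the page; a Deny rule for these has no effect.
RESERVED_DOMAINS = (
    "*.gws.aliyun", "*.aliyun.com", "*.alicdn.com",
    "*.aliyunpds.com", "*.aliyuncds.com", "*.aliyuncs.com",
)


@dataclass(frozen=True)
class DnsRule:
    domain: str          # one domain name per rule, '*' allowed
    policy: str          # "Allow" or "Deny"
    description: str = ""


def normalize(name):
    """Lower-case and drop a trailing dot so 'Example.COM.' equals 'example.com'."""
    return name.strip().lower().rstrip(".")


def matches(pattern, host):
    return fnmatchcase(normalize(host), normalize(pattern))


def validate_rules(rules):
    """Reject rule lists the console would not accept (checks assumed here)."""
    if len(rules) > MAX_DNS_RULES:
        raise ValueError(f"at most {MAX_DNS_RULES} DNS rules are allowed")
    for rule in rules:
        if rule.policy not in ("Allow", "Deny"):
            raise ValueError(f"bad access policy {rule.policy!r} for {rule.domain}")
        if not rule.domain or any(c.isspace() or c == "," for c in rule.domain):
            raise ValueError(f"enter exactly one domain name per rule: {rule.domain!r}")
    return True


def evaluate(rules, host):
    """Return (decision, reason) for a domain name a cloud computer tries to reach."""
    for pattern in RESERVED_DOMAINS:
        if matches(pattern, host):
            return "Allow", f"reserved domain {pattern} is outside rule control"
    for index, rule in enumerate(rules):  # list order is priority order
        if matches(rule.domain, host):
            return rule.policy, f"matched rule {index + 1}: {rule.domain} ({rule.policy})"
    return "Allow", "no rule matched; all domain names are accessible by default"


def audit(rules):
    """Deny rules that can never take effect because they target reserved domains."""
    return [r.domain for r in rules
            if r.policy == "Deny" and any(matches(p, r.domain) for p in RESERVED_DOMAINS)]


# Constructed rule set following the page's sample table, plus the catch-all
# Deny rule the page's note says is required when Allow rules are used.
SAMPLE_RULES = [
    DnsRule("video.developer.example.com", "Allow"),
    DnsRule("guide.developer.example.com", "Allow"),
    DnsRule("*.developer.example.com", "Deny", "blocks e.g. image.developer.example.com"),
    DnsRule("developer.example.com", "Allow"),
    DnsRule("writer.example.com", "Deny"),
    DnsRule("example.com", "Allow"),
    DnsRule("*", "Deny", "catch-all so that only listed names are reachable"),
]

if __name__ == "__main__":
    validate_rules(SAMPLE_RULES)
    for host in ("example.com", "writer.example.com", "image.developer.example.com",
                 "video.developer.example.com", "news.example.net",
                 "ecd.cn-hangzhou.aliyuncs.com"):
        print(f"{host:32} -> {evaluate(SAMPLE_RULES, host)}")
```

Two points the evaluator makes visible: without the final `*` Deny rule every Allow rule is redundant, because an unmatched name is allowed anyway, and the order of the two specific Allow rules before `*.developer.example.com` is what lets them override the broader Deny, exactly as the page's priority note describes.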

Security group control

A security group is a security mechanism to control the inbound and outbound traffic of cloud computers. This improves cloud computer security.

Scenarios

A security group rule consists of the following attributes: direction, authorization, priority, protocol type, and port range. Before data communication with cloud computers is established, the system applies the security group rules associated with the cloud computers. Then the system allows or denies access requests based on the rules.

  • For security group rules in which the Authorization parameter is set to Allow, access is allowed if access requests match the rules.

  • For security group rules in which the Authorization parameter is set to Deny, access is denied if access requests match the rules.

You can configure security group rules to control inbound and outbound traffic for cloud computers based on your business requirements. You can configure sample security group rules in the following scenarios:

Scenario 1

By default, cloud computers allow all outbound access requests. You can configure the following rule for outbound access. This way, cloud computers can access only specific IP addresses.

  • Rule 1: Deny all outbound access requests. Sample configurations:

    | Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
    | --- | --- | --- | --- | --- | --- |
    | Outbound | Deny | 2 | All | -1/-1 | 0.0.0.0/0 |

  • Rule 2: Allow access to specific IP addresses based on Rule 1. The priority of this rule must be higher than that of Rule 1. Sample configurations:

    | Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
    | --- | --- | --- | --- | --- | --- |
    | Outbound | Allow | 1 | Select a protocol type. | Specify a port range. | The CIDR block that cloud computers can access. Example: 192.168.1.1/32. |

Scenario 2

In enterprise private network environments (that is, the VPC environments), you can configure inbound rules, and cloud computers can be accessed from specific IP addresses. Sample configurations:

| Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
| --- | --- | --- | --- | --- | --- |
| Inbound | Allow | 1 | Select a protocol type. | Specify a port range. | The CIDR block from which cloud computers can be accessed. Example: 192.168.1.1/32. |

Scenario 3

Assume that Cloud Computers A and B are respectively associated with Policies 1 and 2. In the VPC environments, Cloud Computers A and B cannot access each other, since cloud computers deny all inbound access by default. You can add the following inbound rules in Policies 1 and 2 so that Cloud Computers A and B can access each other.

  • Add the following inbound rule in Policy 1 to allow access requests from Cloud Computer B: Sample configurations:

    | Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
    | --- | --- | --- | --- | --- | --- |
    | Inbound | Allow | 1 | Select a protocol type. | Specify a port range. | The IP address of Cloud Computer B. |

  • Add the following inbound rule in Policy 2 to allow access requests from Cloud Computer A. Sample configurations:

    | Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
    | --- | --- | --- | --- | --- | --- |
    | Inbound | Allow | 1 | Select a protocol type. | Specify a port range. | The IP address of Cloud Computer A. |

Limits

  • Rule quantity

    You can configure up to 200 security group rules.

  • Inbound rule

    By default, cloud computers allow all outbound access. Inbound access must comply with the following principles:

    • In the Internet environments, cloud computers do not allow any inbound access requests. Even if you configure inbound rules, the rules will not take effect.

    • In the VPC environments, though cloud computers deny all inbound access requests by default, you can configure inbound rules to allow valid access requests.

Parameters

In the Security Group Control section, click Add Rule. In the Add Rule dialog box, configure the following parameters and click OK.

Parameter

Description

Direction

  • Inbound: controls whether to allow requests destined for cloud computers.

  • Outbound: controls whether to allow requests originating from cloud computers.

Authorization

  • Allow: allows access requests.

  • Deny: denies access requests, drops data packets, and returns no responses.

Priority

Valid values: 1 to 60. A smaller value specifies a higher priority. For rules of the same type, the rule that has the highest priority takes effect.

Protocol

The TCP, UDP, ICMP (IPv4), and GRE protocols are supported.

Port Range

The ports that are allowed for applications or protocols. If you set Protocol to Custom TCP or Custom UDP, you can specify ports. When you specify ports, you can enter a port number such as port 80 or port range such as 1/80. For more information, see Common ports.

Authorization Object

The IPv4 CIDR block.

Description

The description of the security group rule.
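The scenarios, limits and parameter definitions in this section (direction, Allow/Deny, priority 1 to 60 with smaller values winning, protocol, port range, IPv4 authorization object, default allow-all outbound and deny-all inbound, and inbound rules never taking effect in the Internet environment) can be checked against a small rule evaluator before a policy is published. The following is an added example written for this page, not EDS code or an EDS API. Its tie-break for rules with equal priority (Deny wins), its decision to compare ports only for TCP and UDP, and the concrete protocol, port and address values in the sample rules are assumptions; the page's Scenario 1 and Scenario 3 leave those values to the administrator.

```python
"""Added example (not EDS code): evaluates EDS-style security group rules the
way the page describes them. Per direction, the matching rule with the highest
priority (smallest number, 1..60) decides; Deny drops the packet; with no match
the defaults apply (all outbound allowed, all inbound denied); in the Internet
office network inbound rules never take effect. Assumptions of this example:
equal-priority ties go to Deny, and ports are compared only for TCP and UDP."""
from dataclasses import dataclass
import ipaddress

MAX_SG_RULES = 200             # rule quantity limit stated on the page
PRIORITY_RANGE = range(1, 61)  # valid priorities are 1 to 60


def parse_ports(spec):
    """'-1/-1' means every port; '80' one port; '1/80' an inclusive range."""
    if spec == "-1/-1":
        return 1, 65535
    lo, _, hi = spec.partition("/")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


@dataclass(frozen=True)
class SgRule:
    direction: str      # "Inbound" or "Outbound"
    authorization: str  # "Allow" or "Deny"
    priority: int
    protocol: str       # "All", "TCP", "UDP", "ICMP" or "GRE"
    port_range: str     # "-1/-1" (all), "80", or "1/80"
    cidr: str           # authorization object, an IPv4 CIDR block

    def __post_init__(self):
        if self.priority not in PRIORITY_RANGE:
            raise ValueError(f"priority {self.priority} is outside 1..60")
        ipaddress.IPv4Network(self.cidr, strict=False)  # reject bad objects early
        parse_ports(self.port_range)


def rule_matches(rule, direction, protocol, port, peer_ip):
    if rule.direction != direction:
        return False
    if rule.protocol != "All" and rule.protocol != protocol:
        return False
    if protocol in ("TCP", "UDP"):
        lo, hi = parse_ports(rule.port_range)
        if not lo <= port <= hi:
            return False
    return ipaddress.IPv4Address(peer_ip) in ipaddress.IPv4Network(rule.cidr, strict=False)


def decide(rules, direction, protocol, port, peer_ip, network="VPC"):
    """Return (decision, reason) for one flow; network is 'VPC' or 'Internet'."""
    if len(rules) > MAX_SG_RULES:
        raise ValueError(f"more than {MAX_SG_RULES} security group rules")
    if direction == "Inbound" and network == "Internet":
        return "Deny", "Internet office network: inbound rules do not take effect"
    hits = [r for r in rules if rule_matches(r, direction, protocol, port, peer_ip)]
    if not hits:
        default = "Allow" if direction == "Outbound" else "Deny"
        return default, f"no rule matched; default {direction.lower()} policy applies"
    # Smaller priority number wins; among equals Deny is chosen (assumption).
    best = min(hits, key=lambda r: (r.priority, r.authorization != "Deny"))
    return best.authorization, (f"matched {best.direction} {best.authorization} "
                                f"priority {best.priority} {best.protocol} "
                                f"{best.port_range} {best.cidr}")


# Scenario 1 from the page: deny all outbound, then allow one address on top.
# Protocol TCP and port 443 for Rule 2 are constructed values.
SCENARIO_1 = [
    SgRule("Outbound", "Deny", 2, "All", "-1/-1", "0.0.0.0/0"),
    SgRule("Outbound", "Allow", 1, "TCP", "443", "192.168.1.1/32"),
]
# Scenario 3, Policy 1: allow Cloud Computer B (constructed address) in on TCP 3389.
POLICY_1 = [SgRule("Inbound", "Allow", 1, "TCP", "3389", "10.0.0.20/32")]

if __name__ == "__main__":
    print(decide(SCENARIO_1, "Outbound", "TCP", 443, "192.168.1.1"))
    print(decide(SCENARIO_1, "Outbound", "TCP", 443, "203.0.113.5"))
    print(decide(POLICY_1, "Inbound", "TCP", 3389, "10.0.0.20"))
    print(decide(POLICY_1, "Inbound", "TCP", 3389, "10.0.0.20", network="Internet"))
```

Running Scenario 1 through the evaluator shows why the page insists that Rule 2 must carry a higher priority (smaller number) than Rule 1: if both rules were given priority 2, the Deny would win and the intended address would be unreachable.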

What to do next

By default, cloud computers deny all inbound access requests and allow all outbound access requests. That is, there is a default rule that allows all outbound access requests. If you add a rule that allows outbound access requests, this rule will conflict with the default rule. You may need to adjust the rule priority based on the office networks in which cloud computers reside, so that the rule that you added can take effect.

  • If your office network ID is in the <Region ID+dir+10 digits> format, the default rule has the lowest priority. That is, the rule that you added immediately takes effect, and no additional adjustment is required.

  • If your office network ID is in the <Region ID+dir+17 digits> format, the default rule has the highest priority. That is, you must adjust the priority of the rule that you added. To adjust the rule priority, perform the following steps:

    1. Find the office network that you want to manage and click its ID.

    2. On the office network details page, click the security group ID.

    3. On the Security Groups page, click the security group ID.

    4. On the Security Group Rules page, click the Outbound tab and modify the priority of the rule.

      We recommend that you set the priority to 60. This ensures that all outbound rules you add will immediately take effect.
