Elastic Desktop Service (EDS) Enterprise policies define rules for user experience, security, audits, peripherals, collaboration, and AI. This topic describes how to ensure the security of cloud computers by using EDS Enterprise policies.
Background information
To ensure the security of cloud computers, consider the following security-related rules:
Logon control: Logon Method Control and CIDR Block Whitelist
Display control: Anti-screenshot and Watermark
Transfer control: Clipboard and Web Client File Transfer
Network control: Domain Name Access Control and Security Group Control
Logon control
Scenarios
You can configure the Logon Method Control parameter to choose the type of Alibaba Cloud Workspace terminals that can be used by end users.
Example: To ensure the information security of an enterprise, the administrator sets this parameter to Windows Client and macOS Client.
You can configure the CIDR Block Whitelist parameter to specify the allowed CIDR blocks for accessing cloud computers from Alibaba Cloud Workspace terminals.
Example: To enhance enterprise information security, the administrator adds the CIDR blocks of all office-based Alibaba Cloud Workspace terminals to the whitelist. This restricts employees to connecting to cloud computers only from these whitelisted Alibaba Cloud Workspace terminals.
Parameters
Parameter | Description |
Logon Method Control | The types of Alibaba Cloud Workspace terminals that can be used by end users to connect to cloud computers. The following types of Alibaba Cloud Workspace terminals are supported:
By default, all the types are selected. Configure this parameter based on your business requirements. |
CIDR Block Whitelist | The allowed IP ranges (CIDR blocks) from which Alibaba Cloud Workspace terminals can access cloud computers. Click Add CIDR block. In the Add CIDR block dialog box, enter CIDR blocks based on your business requirements and click OK. Examples: |
Display control
Scenarios
You can configure the Anti-screenshot parameter to prevent data leaks due to screenshot capturing or screen recording of cloud computers.
Example: To prevent leaks of design data, the administrator of a construction company enables the anti-screenshot feature for the company's cloud computers. This prevents employees from using snipping tools on local terminals to capture or record cloud computer screens.
You can configure the Watermark parameter to prevent data leaks, and facilitate audits if a data leak does occur.
Example: The administrator of an advertising company enables the watermarking feature. When employees take screenshots of internal files stored on cloud computers, watermarks are tiled across the images, effectively preventing data leaks. In the event of a data leak, watermarks serve as critical audit trail markers for investigation and accountability.
Applicable scope
Parameter | Minimum image version | Minimum client version |
Anti-screenshot | N/A | Windows client or macOS client of Alibaba Cloud Workspace V5.2 |
Enhancement | 1.8.0 | N/A |
Anti-Screen Photo | 1.8.0 | Any client of Alibaba Cloud Workspace V6.7 |
Parameters
Parameter | Description |
Anti-screenshot | Specifies whether to enable the anti-screenshot feature. This feature is designed to prevent data leaks. When this feature is enabled, end users are restricted from using local snipping tools to capture or record cloud computer screens. Note
|
Watermark | Specifies whether to enable the watermarking feature. This feature is used to prevent data leaks and facilitate auditing after a data leak occurs. Visible watermark: Visible watermarks are easily identifiable, allowing you to customize both the content and display styles as needed. During the configuration, you can preview the display style of a watermark in real time within the preview area.
Invisible watermark: Invisible watermarks are embedded discreetly within content. EDS Enterprise provides a default algorithm for invisible watermarking, enabling encryption tailored to different Alibaba Cloud accounts to safeguard against tampering. To enable this feature, you can configure the following parameters:
|
Query data transfer logs
For information about how to query data transfer logs, see View file transfer logs.
Data transfer control
Applicable scope
Local Disk Mapping
Only Windows cloud computers are supported.
Only Windows clients and macOS clients are supported.
Local disk mapping is suitable for accessing files. This feature is not suitable for running programs. Even if you have enabled local disk mapping, you cannot run applications that are installed on local devices from cloud computers. However, portable applications that do not require installation can be run from the mapped disk on a cloud computer. Such an application consumes bandwidth and degrades the performance of the cloud computer that runs it. Proceed with caution.
Clipboard Control
Text and image transfer is unrestricted.
For file transfer, the Windows client of Alibaba Cloud Workspace V7.3.0 or later is required.
This feature takes effect only for cloud computers whose image version is V2.4 or later. Otherwise, all copy operations are prohibited.
Web Client File Transfer: Even if you set this parameter to Allow Upload/Download, this setting does not take effect for high-definition experience (HDX)-based Linux cloud computers. If you want to use the file transfer feature on these cloud computers, use the default policy called All enabled policy.
Parameters
Parameter | Description |
Local Disk Mapping | |
Local Disk Mapping | Maps the disks of local devices to the disks of cloud computers. This enables cloud computers to access the disks of local devices. Valid values:
|
Clipboard Control | |
Management Granularity | The effective scope of clipboard permission settings. Valid values:
|
Text Copy | Specifies the permissions on the clipboard, which are determined by data types. Valid values:
|
Rich Text/Image Copy | |
File/Folder Copy | |
Max. Text Copy Size | Specifies the maximum size of text that can be copied. If the text you want to copy exceeds this limit, the excess is truncated. |
Data Security | |
Web Client File Transfer | Specifies whether files can be transferred between cloud computers and on-premises devices by using the web client. |
Network control
Domain name access control
Domain name access control rules determine which domain names are allowed or restricted on cloud computers. For example, administrators can block access to non-work-related websites, such as entertainment platforms, during business hours by adding them to the Domain Name System (DNS) deny list. This ensures compliance with organizational regulations.
Scenarios
By default, cloud computers can access all domain names. Domain name access control enables the configuration of permitted or restricted domain names on cloud computers. It also supports multi-level, fine-grained management of domain access permissions.
The following table describes sample domain names. Configure the domain names in the DNS rules to implement fine-grained management.
Domain name | Example | Access policy | Description |
Second-level domain name | | Allow | Cloud computers can access |
Third-level domain name | | Deny | When cloud computers attempt to access |
Third-level domain name | | Allow | Cloud computers can access |
Fourth-level domain name | | Deny | When cloud computers attempt to access |
Fourth-level domain name | | Allow | Cloud computers can access |
| | Allow | |
Limitations
Domain name
To maintain optimal performance of cloud computers, the following reserved domain names are excluded from DNS rule control. These domain names will remain accessible from cloud computers, and blocking them by using DNS rules will be ineffective.
*.gws.aliyun
*.aliyun.com
*.alicdn.com
*.aliyunpds.com
*.aliyuncds.com
*.aliyuncs.com
OS
Domain name access control takes effect only on Windows cloud computers.
Rule quantity
You can configure only up to 300 DNS rules.
Parameters
To configure a DNS rule, click Add Rule in the Domain Name Access Control (Formerly DNS Feature) section, configure the following parameters in the Add Rule dialog box, and then click OK.
Parameter | Description |
Domain Name | The domain name for which you need to configure a DNS rule. You can enter only one domain name each time. Asterisk wildcards ( |
Description | The description of the DNS rule. |
Access Policy | The access policy. You can select Allow or Deny. Note
|
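The multi-level evaluation described above, as an added example that is not part of the original page or of EDS itself: a small Python model of DNS rule selection that also applies the reserved-domain exclusion and the 300-rule limit from the Limitations section. The wildcard semantics and the most-specific-rule-wins precedence are assumptions, since the page does not spell them out, and the example.com rules are constructed.

```python
# Illustrative model of EDS domain name access control (added example, not EDS code).
# Assumptions not stated on the page: a rule pattern is an exact domain or a "*."
# wildcard covering one or more leading labels; when several rules match, the most
# specific one wins (more fixed labels first, an exact name over a wildcard).
MAX_DNS_RULES = 300  # limit stated on the page

# Reserved domains listed on the page: always reachable, so a Deny rule has no effect.
RESERVED_DOMAINS = ["*.gws.aliyun", "*.aliyun.com", "*.alicdn.com",
                    "*.aliyunpds.com", "*.aliyuncds.com", "*.aliyuncs.com"]

def _labels(name):
    return name.lower().rstrip(".").split(".")

def pattern_matches(pattern, domain):
    # True if the domain is covered by the rule pattern
    p, d = _labels(pattern), _labels(domain)
    if p[0] == "*":
        suffix = p[1:]
        return len(d) > len(suffix) and d[-len(suffix):] == suffix
    return p == d

def specificity(pattern):
    # Sort key: number of fixed labels, then exact name (True) over wildcard (False)
    p = _labels(pattern)
    wildcard = p[0] == "*"
    return (len(p) - wildcard, not wildcard)

class DnsRuleSet:
    def __init__(self, rules):
        if len(rules) > MAX_DNS_RULES:
            raise ValueError("at most %d DNS rules" % MAX_DNS_RULES)
        for _, policy in rules:
            if policy not in ("Allow", "Deny"):
                raise ValueError("access policy must be Allow or Deny")
        self.rules = list(rules)

    def decide(self, domain):
        """Return (policy, matched pattern); the page's default is Allow."""
        if any(pattern_matches(r, domain) for r in RESERVED_DOMAINS):
            return "Allow", "reserved"
        hits = [(p, pol) for p, pol in self.rules if pattern_matches(p, domain)]
        if not hits:
            return "Allow", "default"
        pattern, policy = max(hits, key=lambda h: specificity(h[0]))
        return policy, pattern

# Constructed sample: allow the corporate domain, block its subdomains, re-open the
# intranet but block its subdomains except the wiki; the alicdn Deny is ineffective.
SAMPLE_RULES = DnsRuleSet([
    ("example.com", "Allow"), ("*.example.com", "Deny"),
    ("intranet.example.com", "Allow"), ("*.intranet.example.com", "Deny"),
    ("wiki.intranet.example.com", "Allow"), ("*.alicdn.com", "Deny"),
])
```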
Security group control
A security group controls the inbound and outbound traffic of cloud computers, enhancing their security.
Scenarios
A security group rule consists of the following attributes: direction, authorization, priority, protocol type, and port range. Prior to data communication with cloud computers, the system enforces the relevant security group rules and allows or denies access based on those rules.
When security group rules with the Authorization parameter set to Allow are enforced, access requests that match the defined rules will be allowed.
When security group rules with the Authorization parameter set to Deny are enforced, access requests that match the defined rules will be denied.
You can configure security group rules to control inbound and outbound traffic for cloud computers based on your business requirements. The following scenarios provide sample configurations for security group rules:
Scenario 1
By default, cloud computers allow all outbound access. You can configure outbound access rules to restrict connections to specific IP addresses.
Rule 1: Deny all outbound access. Sample configurations:
Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
Outbound | Deny | 2 | All | -1/-1 | 0.0.0.0/0 |
Rule 2: Allow access to specific IP addresses based on Rule 1. This rule must have a higher priority than Rule 1. Sample configurations:
Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
Outbound | Allow | 1 | Select a protocol type. | Specify a port range. | The CIDR block that cloud computers can access. Example: 192.168.1.1/32. |
Scenario 2
In enterprise private network environments such as virtual private clouds (VPCs), you can configure inbound rules to allow access to cloud computers from specific IP addresses. Sample configurations:
Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Select a protocol type. | Specify a port range. | The CIDR block from which cloud computers can be accessed. Example: 192.168.1.1/32. |
Scenario 3
Cloud Computers A and B are associated with Policies 1 and 2, respectively. By default, cloud computers in VPC environments deny all inbound access, preventing communication between Cloud Computers A and B. To enable access between them, you can add the following inbound rules to Policies 1 and 2.
Add the following inbound rule to Policy 1 to allow access from Cloud Computer B. Sample configurations:
Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Select a protocol type. | Specify a port range. | The IP address of Cloud Computer B. |
Add the following inbound rule to Policy 2 to allow access from Cloud Computer A. Sample configurations:
Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Select a protocol type. | Specify a port range. | The IP address of Cloud Computer A. |
Limitations
Rule quantity
You can configure up to 200 security group rules.
Inbound rule
By default, cloud computers allow all outbound access. Inbound access is subject to the following principles:
In Internet environments, cloud computers do not permit any inbound access requests. Inbound rules, even if configured, will not take effect.
In enterprise VPC environments, cloud computers deny all inbound access requests by default. However, you can configure inbound rules to allow access requests from specific IP addresses.
Parameters
In the Security Group Control section, click Add Rule. In the Add Rule dialog box, configure the following parameters as needed and click OK.
Parameter | Description |
Direction |
|
Authorization |
|
Priority | Valid values: 1 to 60. A smaller value specifies a higher priority. The rule with the highest priority applies when multiple rules of the same type exist. |
Protocol | The TCP, UDP, ICMP (IPv4), and GRE protocols are supported. |
Port Range | The ports that are allowed for applications or protocols. If you set the Protocol parameter to Custom TCP or Custom UDP, you can specify ports. When you specify ports, you can enter a port number, such as port |
Authorization Object | The IPv4 CIDR block. |
Description | The description of the security group rule. |
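The rule attributes and Scenario 1 above, as an added example that is not EDS code: a Python model that evaluates one connection attempt against prioritized rules using the page's defaults (inbound denied, outbound allowed, inbound rules ineffective on Internet office networks). The protocol and port values in the sample, the treatment of "All" as any protocol, and list order as the tie-breaker for equal priorities are assumptions.

```python
# Illustrative model of EDS security group rule evaluation (added example, not EDS code).
# Semantics from the page: direction, authorization, priority 1-60 (smaller wins),
# protocol, port range ("-1/-1" = all ports) and an IPv4 CIDR authorization object.
# Assumption: "All" matches any protocol; equal priorities keep list order.
import ipaddress
from dataclasses import dataclass

MAX_SG_RULES = 200  # limit stated on the page

@dataclass(frozen=True)
class Rule:
    direction: str      # "Inbound" or "Outbound"
    authorization: str  # "Allow" or "Deny"
    priority: int       # 1..60, smaller = higher priority
    protocol: str       # "All", "TCP", "UDP", "ICMP" or "GRE"
    port_range: str     # "-1/-1" for all ports, else "low/high"
    cidr: str           # authorization object, an IPv4 CIDR block

    def __post_init__(self):
        if not 1 <= self.priority <= 60:
            raise ValueError("priority must be between 1 and 60")
        ipaddress.IPv4Network(self.cidr)  # rejects a malformed authorization object

    def matches(self, direction, protocol, port, peer_ip):
        low, high = (int(x) for x in self.port_range.split("/"))
        return (self.direction == direction
                and self.protocol in ("All", protocol)
                and ((low, high) == (-1, -1) or low <= port <= high)
                and ipaddress.IPv4Address(peer_ip) in ipaddress.IPv4Network(self.cidr))

class SecurityGroup:
    DEFAULT = {"Inbound": "Deny", "Outbound": "Allow"}  # defaults stated on the page
    def __init__(self, rules, internet_office_network=False):
        if len(rules) > MAX_SG_RULES:
            raise ValueError("at most %d security group rules" % MAX_SG_RULES)
        self.rules = sorted(rules, key=lambda r: r.priority)  # highest priority first
        self.internet = internet_office_network

    def evaluate(self, direction, protocol, port, peer_ip):
        if direction == "Inbound" and self.internet:
            return "Deny"  # Internet office networks: inbound rules never take effect
        for rule in self.rules:
            if rule.matches(direction, protocol, port, peer_ip):
                return rule.authorization
        return self.DEFAULT[direction]

# Scenario 1 from the page with constructed protocol/port values: deny all outbound
# at priority 2, then allow HTTPS to a single host at priority 1.
SCENARIO_1 = SecurityGroup([
    Rule("Outbound", "Deny", 2, "All", "-1/-1", "0.0.0.0/0"),
    Rule("Outbound", "Allow", 1, "TCP", "443/443", "192.168.1.1/32"),
])
```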
What to do next
By default, cloud computers deny all inbound access and allow all outbound access. If you add a rule to allow outbound access, it will conflict with the default rule. You may need to adjust the rule priority based on the office networks in which cloud computers reside. This way, the rule that you add can take effect.
If your office network ID is in the <Region ID+dir+10 digits> format, the default rule has the lowest priority. In this case, the rule that you add immediately takes effect, and no additional adjustment is required.
If your office network ID is in the <Region ID+dir+17 digits> format, the default rule has the highest priority. In this case, you must adjust the priority of the rule that you add. To adjust the rule priority, perform the following steps:
Find the office network that you want to manage, and click the office network ID.
On the office network details page, click the security group ID.
On the Security Groups page, click the security group ID.
On the Security Group Rules page, click the Outbound tab and modify the priority of the rule.
We recommend that you set the priority to 60. This ensures that all outbound rules you add will immediately take effect.