Policies in Elastic Desktop Service (EDS) include the rules to manage user experience, security, audits, peripherals, collaboration, and AI. This topic describes security-related rules.
Background information
The security-related rules in a policy involve the following parameters:
Logon security rules: Logon Method Control and CIDR Block Whitelist
Display security rules: Anti-screenshot and Watermark
Transfer rules: Clipboard and Web Client File Transfer
Network security rules: Domain Name Access Control and Security Group Control
Logon security rules
Scenarios
You can configure the Logon Method Control parameter to choose the type of Alibaba Cloud Workspace terminals that can be used by end users.
Example: To ensure the information security of an enterprise, the administrator sets this parameter to Windows Client and macOS Client.
You can configure the CIDR Block Whitelist parameter to allow specific CIDR blocks used by Alibaba Cloud Workspace terminals.
Example: To ensure the information security of an enterprise, the administrator adds the CIDR blocks of all the enterprise's offices to the whitelist. Then, employees can connect to cloud computers only from Alibaba Cloud Workspace terminals whose addresses fall within those CIDR blocks.
Parameters
Parameter | Description |
Logon Method Control | Specifies the types of Alibaba Cloud Workspace terminals that can be used by end users. Valid values:
By default, all the values are selected. Configure this parameter based on your business requirements. |
CIDR Block Whitelist | Specifies the CIDR blocks that can be used by Alibaba Cloud Workspace terminals. Click Add CIDR block. In the Add CIDR block dialog box, enter CIDR blocks based on your business requirements and click OK. Example: |
Display security rules
Scenarios
You can configure the Anti-screenshot parameter to prevent data leaks due to screenshot capturing or screen recording of cloud computers.
Example: To prevent design data leaks, the administrator of a construction company enables the anti-screenshot feature for the company's cloud computers. This way, employees cannot use the snipping tools installed on local terminals to capture or record screens.
You can configure the Watermark parameter to prevent data leaks, and facilitate audits if a data leak does occur.
Example: The administrator of an advertising company enables the watermarking feature. When employees capture screenshots of internal files stored on cloud computers, watermarks are tiled across the screenshots. This effectively deters data leaks, and if a data leak does occur, the watermarks provide important clues for auditing.
Applicable scope
Parameter | Image version | Client version |
Anti-screenshot | N/A | Windows client or macOS client of V5.2.0 |
Enhancement | 1.8.0 | N/A |
Anti-Screen Photo | 1.8.0 | Any client of V6.7.0 |
Parameters
Parameter | Description |
Anti-screenshot | Specifies whether to enable the anti-screenshot feature. This feature is suitable for data leak prevention scenarios. If this parameter is configured, end users cannot use snipping tools on local terminals to capture or record the screens of cloud computers. Note |
Watermark | Specifies whether to enable the watermarking feature. This feature is used to prevent data leaks and to facilitate auditing after a data leak occurs. Visible watermarks: Visible watermarks can be clearly seen. You can specify the watermark content and display styles. During the configuration, you can preview the display style of a watermark in real time in the preview area below. Invisible watermarks: Invisible watermarks are hidden from view. EDS provides a default invisible watermark algorithm that encrypts watermarks for different Alibaba Cloud accounts to prevent tampering. You can configure the following parameters for invisible watermarks: |
Transfer security rules
Applicable scope
Local disk mapping
Only Windows cloud computers are supported.
Only Windows clients and macOS clients are supported.
Local disk mapping is suitable for accessing files, not for running programs. Even if local disk mapping is enabled, you cannot run applications installed on local devices from cloud computers. You can, however, run applications that do not require installation. Such an application occupies bandwidth and degrades the performance of the cloud computer that runs it. Proceed with caution.
Clipboard
There are no restrictions for text and image transfer.
For file transfer, the Windows client of V7.3.0 or later is required.
Web Client File Transfer: Even if you set this parameter to Allow Upload/Download, this setting does not take effect for high-definition experience (HDX)-based Linux cloud computers. If you want to use the file transfer feature on the cloud computers, use the default policy called All enabled policy.
Parameters
Parameter | Description |
Local Disk Mapping | Maps the disks of local devices to the disks of cloud computers. This enables cloud computers to access the disks of local devices. Valid values:
|
Clipboard | Specifies whether end users can copy and paste texts, images, and files between local devices and cloud computers. |
Web Client File Transfer | Specifies whether files can be transferred between cloud computers and local devices by using the web client. |
Network security rules
Domain name access control
Domain name access control rules specify the domain names that cloud computers are allowed or not allowed to access. Example: A company requires that employees not visit websites unrelated to work during business hours, so the administrator adds those websites, such as entertainment websites, to the Domain Name System (DNS) rules and denies access to them.
Scenarios
By default, cloud computers can access all domain names. Domain name control is used to configure the domain names that cloud computers can access. You can manage permissions in a fine-grained manner based on the levels of a domain name.
Example: The following table describes sample domain names. Configure the domain names in the DNS rules to implement fine-grained management.
Domain name | Example | Access | Description |
Second-level domain name | | Allow | Cloud computers can access |
Third-level domain name | | Deny | When cloud computers attempt to access |
 | | Allow | Cloud computers can access |
Fourth-level domain name | | Deny | When cloud computers attempt to access |
 | | Allow | Cloud computers can access |
 | | Allow | |
Limits
Domain name
To ensure that end users can use cloud computers as expected, the following reserved domain names are excluded from rule control. That is, these domain names are always accessible from cloud computers. If you deny these domain names in DNS rules, the rules do not take effect.
*.gws.aliyun
*.aliyun.com
*.alicdn.com
*.aliyunpds.com
*.aliyuncds.com
*.aliyuncs.com
OS
The DNS rules take effect only for Windows cloud computers.
Rule quantity
You can configure up to 300 rules.
Parameters
To configure DNS rules, perform the following operations: click Add Rule in the Domain Name Access Control (Formerly DNS Feature) section, configure the following parameters in the Add Rule dialog box, and then click OK.
Parameter | Description |
Domain Name | Enter the domain name for which you need to configure a DNS rule. You can enter only one domain name each time. Asterisk wildcards ( |
Description | The description of the DNS rule. |
Access Policy | You can select Allow or Deny. Note
|
Security group control
A security group is a security mechanism that controls the inbound and outbound traffic of cloud computers, which improves cloud computer security.
Scenarios
A security group rule consists of the following attributes: direction, authorization, priority, protocol type, port range, and authorization object. Before communication with a cloud computer is established, the system applies the security group rules associated with that cloud computer and then allows or denies the access request based on the rules.
For security group rules in which the Authorization parameter is set to Allow, access is allowed if access requests match the rules.
For security group rules in which the Authorization parameter is set to Deny, access is denied if access requests match the rules.
You can configure security group rules to control inbound and outbound traffic for cloud computers based on your business requirements. You can configure sample security group rules in the following scenarios:
Scenario 1
By default, cloud computers allow all outbound access requests. You can configure the following rules for outbound access so that cloud computers can access only specific IP addresses.
Rule 1: Deny all outbound access requests. Sample configurations:
Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
Outbound | Deny | 2 | All | -1/-1 | 0.0.0.0/0 |
Rule 2: Allow access to specific IP addresses on top of Rule 1. The priority of this rule must be higher than that of Rule 1. Sample configurations:
Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
Outbound | Allow | 1 | Select a protocol type. | Specify a port range. | The CIDR block that cloud computers can access. Example: 192.168.1.1/32. |
Scenario 2
In enterprise private network environments (that is, VPC environments), you can configure inbound rules so that cloud computers can be accessed from specific IP addresses. Sample configurations:
Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Select a protocol type. | Specify a port range. | The CIDR block from which cloud computers can be accessed. Example: 192.168.1.1/32. |
Scenario 3
Assume that Cloud Computers A and B are associated with Policies 1 and 2, respectively. In VPC environments, Cloud Computers A and B cannot access each other, because cloud computers deny all inbound access by default. You can add the following inbound rules to Policies 1 and 2 so that Cloud Computers A and B can access each other.
Add the following inbound rule to Policy 1 to allow access requests from Cloud Computer B. Sample configurations:
Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Select a protocol type. | Specify a port range. | The IP address of Cloud Computer B. |
Add the following inbound rule to Policy 2 to allow access requests from Cloud Computer A. Sample configurations:
Direction | Authorization | Priority | Protocol type | Port range | Authorization object |
Inbound | Allow | 1 | Select a protocol type. | Specify a port range. | The IP address of Cloud Computer A. |
Limits
Rule quantity
You can configure up to 200 security group rules.
Inbound rule
By default, cloud computers allow all outbound access. Inbound access must comply with the following principles:
In Internet environments, cloud computers do not allow any inbound access requests. Even if you configure inbound rules, the rules do not take effect.
In VPC environments, cloud computers deny all inbound access requests by default, but you can configure inbound rules to allow valid access requests.
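The following evaluator, an added example and not EDS code, models the matching behaviour described above: rules are matched on direction, protocol, port range (-1/-1 meaning all ports) and authorization object CIDR, the matching rule with the smallest priority value wins, inbound is denied by default and never allowed in Internet environments, and outbound is allowed by default. The rule sets mirror Scenario 1 and Scenario 2; the `evaluate` function, the tie-breaking (deny wins on equal priority) and the `default_outbound_first` switch (the default outbound rule ordered before user rules) are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    direction: str      # "inbound" or "outbound"
    authorization: str  # "allow" or "deny"
    priority: int       # 1 to 60; a smaller value means a higher priority
    protocol: str       # "all", "tcp", "udp", "icmp" or "gre"
    port_range: str     # "-1/-1" means all ports, otherwise "low/high"
    cidr: str           # authorization object: an IPv4 CIDR block


def rule_matches(rule: Rule, direction: str, protocol: str, port: int, peer_ip: str) -> bool:
    """True if the rule applies to the given access request."""
    if rule.direction != direction:
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    low, high = (int(x) for x in rule.port_range.split("/"))
    if low != -1 and not (low <= port <= high):
        return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)


def evaluate(rules: List[Rule], direction: str, protocol: str, port: int, peer_ip: str,
             network: str = "vpc", default_outbound_first: bool = False) -> bool:
    """Return True if the request is allowed. `network` is "vpc" or "internet"."""
    if direction == "inbound" and network == "internet":
        return False  # Internet environment: inbound rules never take effect
    candidates = [r for r in rules if rule_matches(r, direction, protocol, port, peer_ip)]
    if direction == "outbound":
        # Model the default allow-all outbound rule; its ordering relative to user
        # rules depends on the office network (see "What to do next" on this page).
        prio = 0 if default_outbound_first else 61
        candidates.append(Rule("outbound", "allow", prio, "all", "-1/-1", "0.0.0.0/0"))
    if not candidates:
        return False  # default: deny all inbound
    # Lowest priority value wins; on a tie, deny wins (assumption, not stated on the page).
    best = min(candidates, key=lambda r: (r.priority, r.authorization != "deny"))
    return best.authorization == "allow"


# Constructed rule sets mirroring Scenario 1 (outbound) and Scenario 2 (inbound).
SCENARIO_1 = [Rule("outbound", "deny", 2, "all", "-1/-1", "0.0.0.0/0"),
              Rule("outbound", "allow", 1, "tcp", "443/443", "192.168.1.1/32")]
SCENARIO_2 = [Rule("inbound", "allow", 1, "tcp", "3389/3389", "192.168.1.1/32")]
```

Running `evaluate(SCENARIO_1, "outbound", "tcp", 443, "10.0.0.5", default_outbound_first=True)` returns True, which is the conflict the page warns about: when the default outbound rule outranks the deny rule, the deny rule never takes effect.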
Parameters
In the Security Group Control section, click Add Rule. In the Add Rule dialog box, configure the following parameters and click OK.
Parameter | Description |
Direction |
|
Authorization |
|
Priority | Valid values: 1 to 60. A smaller value specifies a higher priority. For rules of the same type, the rule that has the highest priority takes effect. |
Protocol | The TCP, UDP, ICMP (IPv4), and GRE protocols are supported. |
Port Range | The ports that are allowed for applications or protocols. If you set Protocol to Custom TCP or Custom UDP, you can specify ports. When you specify ports, you can enter a port number such as port |
Authorization Object | The IPv4 CIDR block. |
Description | The description of the security group rule. |
What to do next
By default, cloud computers deny all inbound access requests and allow all outbound access requests. That is, there is a default rule that allows all outbound access requests. If you add an outbound rule, it may conflict with this default rule. Depending on the office network in which the cloud computers reside, you may need to adjust the rule priority so that the rule you added takes effect.
If your office network ID is in the <Region ID+dir+10 digits> format, the default rule has the lowest priority. The rule that you added takes effect immediately, and no adjustment is required.
If your office network ID is in the <Region ID+dir+17 digits> format, the default rule has the highest priority, so you must adjust the rule priority. To do so, perform the following steps:
Find the office network that you want to manage and click the office network ID.
On the office network details page, click the security group ID.
On the Security Groups page, click the security group ID.
On the Security Group Rules page, click the Outbound tab and modify the priority of the rule.
We recommend that you set the priority to 60. This ensures that all outbound rules you add will immediately take effect.