You can create policies that have different configurations and associate the policies with cloud desktops. This way, you can manage the security configurations of cloud desktops in a centralized manner and ensure cloud desktop security.

Background information

A policy is a set of security rules that are used to manage security configurations when regular users use cloud desktops. A policy consists of a basic policy, such as USB redirection and watermarking, and one or more security group rules, such as inbound and outbound traffic rules. For more information, see Policy overview.

Procedure

  1. Go to the Policy Management page.
    1. Log on to the Elastic Desktop Service (EDS) console.
    2. In the top navigation bar, select a region.
    3. In the left-side navigation pane, click Policy Management.
  2. On the Policy Management page, click Create Policy.
  3. In the Create Policy panel, configure the basic policy settings:
    1. Specify the policy name.
    2. Configure the following parameters based on your business requirements.
      USB Redirection: Specifies whether to enable the USB redirection feature. If you set this parameter to Enable, you can access USB flash drives that are connected to your computer from your cloud desktops.
      Watermark: Specifies whether to use watermarks. If you set this parameter to Enable, you can configure the transparency and the content of the watermarks. The watermarks are tiled across the display of cloud desktops. You can configure the following parameters for the watermarks:
      • Watermark content: Specify the content of the watermarks. You can select Show Username, Show Desktop ID, or both.
      • Transparency: Specify the transparency level of the watermarks. You can select Light, Medium, or Dark.
      Local Disk Mapping: Specifies whether to allow read and write operations on the drives that map to the disks of your computer. Valid values:
      • Disable: The disks of your computer are not mapped to drives on cloud desktops.
      • Read-only: The drives that map to the disks of your computer are accessible from cloud desktops. You can only read or copy local files, but you cannot modify these files.
      • Read/Write: The drives that map to the disks of your computer are accessible from cloud desktops. You can read, copy, and modify local files.
      Clipboard: Specifies whether to allow copy operations between your computer and cloud desktops. Valid values:
      • Enable One-way Transfer: You can copy files only from your computer to cloud desktops.
      • Enable Two-way Transfer: You can copy files between your computer and cloud desktops.
      • Disable Two-way Transfer: You cannot copy files between your computer and cloud desktops.
      Allow Preemption: To improve user experience and ensure data security, multiple regular users are not allowed to log on to the same cloud desktop. By default, this feature is disabled and cannot be modified.
      Image Display Quality: Specifies the display quality on a Windows desktop. You can configure this parameter based on your business requirements and bandwidth. Valid values: Adaptive, LD, HD, and Lossless.
      HTML5 Client File Transfer: Specifies whether you can transfer files between cloud desktops and your computer when you log on to the cloud desktops by using the web client. Valid values:
      • Disable: You cannot transfer files between cloud desktops and your computer.
      • Allow Upload: You can upload local files from your computer to cloud desktops, but you cannot download the files on the cloud desktops to your computer.
      • Allow Download: You can download the files on cloud desktops to your computer, but you cannot upload the local files from your computer to cloud desktops.
      • Allow Upload/Download: You can upload the local files from your computer to cloud desktops, and you can also download the files on cloud desktops to your computer.
      Note: This parameter is valid only on Windows cloud desktops. If you want to use the file transfer feature on a Linux cloud desktop, you must associate the default system policy with the cloud desktop.
      Printer Redirection: Specifies whether you can use printers on cloud desktops. Valid values:
      • Enabled: You can use printers on cloud desktops.
      • Disabled: You cannot use printers on cloud desktops.
      Note:
      • If a regular user wants to use a USB printer on cloud desktops, the printer redirection and USB redirection features must be enabled.
      • If an AD user wants to use a printer on cloud desktops, the group policy of the AD domain and the printer redirection feature must be enabled.
  4. In the Create Policy panel, click Logon Mode to configure the logon settings.
    By default, a regular user can use all types of clients to log on to cloud desktops. Select a client based on your business requirements.
  5. Optional: In the Create Policy panel, click Security Group Control and configure the security group settings.
    1. Click Add Security Group Rule.
      By default, cloud desktops deny all inbound access requests and allow all outbound access requests. You can add inbound or outbound rules based on your business requirements.
    2. Configure properties for the rule.
      To define a security group rule, you must specify the rule direction, priority, CIDR block, protocol type, port range, and authorization policy. The following table describes the property parameters.
      Rule Direction: Valid values:
      • Inbound: The rule applies to traffic that is destined for cloud desktops.
      • Outbound: The rule applies to traffic that originates from cloud desktops.
      Priority: Priority values range from 1 to 60. A smaller value specifies a higher priority. For rules of the same type, the rule that has the highest priority takes effect.
      CIDR Block: The IPv4 CIDR block. You can configure this parameter based on your business requirements.
      Protocol Type: Valid values: Custom TCP, Custom UDP, Custom ICMP (IPv4), and All GRE. You can configure this parameter based on your business requirements.
      Port Range: The ports enabled for applications or protocols. When you set Protocol Type to Custom TCP or Custom UDP, you can specify a port number such as 80 or a port range such as 1/80. For more information, see Common ports used by applications.
      Description: The description of the rule.
      Authorization Policy: Specifies whether to allow or deny access requests.
      • Allow: Access requests are allowed.
      • Deny: Access requests are denied. The data packets are dropped, and no response is returned.
      Note: You can add up to 20 security group rules to a policy. When you add a security group rule, we recommend that you follow the principle of least privilege to grant permissions on a specific IP address and port range. Proceed with caution when you grant permissions on all CIDR blocks such as 0.0.0.0/0, and on a large port range such as 1/65535.
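The following added example (not part of the EDS documentation or console) checks a planned set of security group rules against the limits and the least-privilege advice given in this step: priorities 1 to 60, at most 20 rules per policy, the "80" or "1/80" port range notation, and a warning for Allow rules open to 0.0.0.0/0 or 1/65535. The rule dict keys and the sample rules are constructed for the example.

```python
import ipaddress

# Limits stated on this page: priority 1..60 (smaller wins), at most 20 rules
# per policy, and a TCP/UDP port range written as "80" or "1/80".
MAX_RULES = 20
PORT_PROTOCOLS = {"Custom TCP", "Custom UDP"}

def parse_port_range(spec):
    """Parse "80" or "1/80" into (low, high); raise ValueError if malformed."""
    low, _, high = spec.partition("/")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range out of bounds: {spec}")
    return low, high

def check_rule(rule):
    """Return a list of findings for one rule dict; an empty list means clean."""
    findings = []
    if not 1 <= rule["priority"] <= 60:
        findings.append(f"priority {rule['priority']} is outside 1-60")
    try:
        net = ipaddress.IPv4Network(rule["cidr"], strict=False)
    except ValueError:
        return findings + [f"invalid IPv4 CIDR block {rule['cidr']!r}"]
    all_ports = False
    if rule["protocol"] in PORT_PROTOCOLS:
        try:
            all_ports = parse_port_range(rule["port_range"]) == (1, 65535)
        except ValueError as exc:
            findings.append(str(exc))
    # Least-privilege checks from the page's note: an Allow rule should not be
    # open to every CIDR block (0.0.0.0/0) or to the whole port range (1/65535).
    if rule["policy"] == "Allow" and net.prefixlen == 0:
        findings.append("Allow rule is open to 0.0.0.0/0; restrict the CIDR block")
    if rule["policy"] == "Allow" and all_ports:
        findings.append("Allow rule is open to ports 1/65535; restrict the port range")
    return findings

def check_policy(rules):
    """Apply the per-policy limit of 20 rules, then check every rule."""
    over = [f"{len(rules)} rules exceed the limit of {MAX_RULES}"] if len(rules) > MAX_RULES else []
    return over + [f"rule {i}: {f}" for i, r in enumerate(rules) for f in check_rule(r)]

# Constructed sample: a narrow inbound HTTP allow from one office range, and an
# allow that breaks the priority range and both least-privilege warnings.
SAMPLE_RULES = [
    {"priority": 1, "cidr": "192.0.2.0/24", "protocol": "Custom TCP", "port_range": "80", "policy": "Allow"},
    {"priority": 61, "cidr": "0.0.0.0/0", "protocol": "Custom TCP", "port_range": "1/65535", "policy": "Allow"},
]
```

Run `check_policy(SAMPLE_RULES)` to see the second rule flagged three times while the first passes clean.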
  6. Optional: In the Create Policy panel, click Domain name whitelist and blacklist, and configure the settings.
    1. Select Blacklist or Whitelist based on your business requirements.
      You can configure the Domain name whitelist and blacklist parameter based on the following description:
      • If you specify domain names only in Blacklist, cloud desktops cannot access the domain names in the blacklist.
      • If you specify domain names only in Whitelist, cloud desktops can access only the domain names in the whitelist.
      • If you do not specify domain names for both Blacklist and Whitelist, cloud desktops can access all domain names.
      • The blacklist and whitelist are mutually exclusive. Only one list takes effect at a time. If you attempt to set both, only the list you configured last takes effect.
    2. Click + and enter a domain name in the field.
      • You can enter only one domain name in each field. The asterisk (*) wildcard is supported as the leftmost label of a domain name, such as *.example.com. The wildcard cannot appear as the leftmost character and the rightmost character at the same time, such as *.example.com*.
      • To add a domain name, click + and enter a domain name. To delete a domain name, select a field and click -.
      Note: You can add up to 500 domain names to the blacklist, and you can add up to 500 domain names to the whitelist.
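The following added example (not part of the EDS documentation) models the list semantics from this step: entry validation (wildcard only as the leftmost label, never at both ends, at most 500 entries), the mutual exclusion between blacklist and whitelist, and the resulting allow/deny decision for a destination host name. The function names are constructed, and the assumption that "*.example.com" matches subdomains but not example.com itself is the example's own, not stated on the page.

```python
import re

# Entry rules from this page: one domain name per field, "*" allowed only as the
# leftmost label (*.example.com), never at both ends (*.example.com*), and at
# most 500 entries per list.
MAX_ENTRIES = 500
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_ENTRY = re.compile(rf"^(?:\*\.)?{_LABEL}(?:\.{_LABEL})*$")

def valid_entry(entry):
    """True if the entry is a plain domain name or a leftmost-label wildcard."""
    return bool(_ENTRY.match(entry))

def effective_list(blacklist, whitelist, configured_last="Whitelist"):
    """Return (mode, entries) in effect: the two lists are mutually exclusive and,
    if both were filled in, only the one configured last applies."""
    for entries in (blacklist, whitelist):
        if len(entries) > MAX_ENTRIES:
            raise ValueError(f"more than {MAX_ENTRIES} entries in one list")
        bad = [e for e in entries if not valid_entry(e)]
        if bad:
            raise ValueError(f"invalid domain entries: {bad}")
    if blacklist and whitelist:
        return (configured_last, whitelist if configured_last == "Whitelist" else blacklist)
    if blacklist:
        return ("Blacklist", blacklist)
    if whitelist:
        return ("Whitelist", whitelist)
    return ("None", [])

def entry_matches(entry, host):
    """Exact match for plain entries; for "*.example.com" any subdomain of
    example.com (assumed here: the base domain itself is not matched)."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])
    return host == entry

def is_allowed(host, mode, entries):
    """Apply the list in effect to one destination host name."""
    hit = any(entry_matches(e, host) for e in entries)
    if mode == "Blacklist":
        return not hit
    if mode == "Whitelist":
        return hit
    return True  # no list configured: all domain names are reachable
```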
  7. Optional: In the Create Policy panel, click Client IP Whitelist.
    If the Client IP Whitelist parameter is left empty, a regular user can connect to cloud desktops by using all EDS clients. If you specify CIDR blocks for the parameter, only the EDS clients that use these CIDR blocks can connect to the cloud desktops.
    1. Enter a CIDR block and description in the fields.
      You can specify an IPv4 CIDR block based on your business requirements. Example: 192.0.XX.XX/32 and 10.0.XX.XX/8.
    2. To add multiple CIDR blocks, click Add and enter the CIDR blocks and description in the fields.
  8. Click Create.

What to do next

If you add an outbound security group rule to your policy and your workspace is upgraded from a directory of an earlier version, you must manually adjust the priority of the default rule.

By default, cloud desktops deny all inbound access requests and allow all outbound access requests. All cloud desktops have a default outbound rule that allows all outbound requests to external applications. The outbound rule that you add may conflict with the default rule. In this case, you must adjust the priority of the default rule based on the workspace to which your cloud desktop belongs. Otherwise, the rule that you add may not take effect.
  • If your workspace is of the latest version and has an ID that is in the <Region ID> + dir + <10-digit string> format, the rule that you added takes effect immediately because the default rule has the lowest priority.
  • If your workspace is upgraded from a directory of an earlier version and has an ID that is in the <Region ID> + dir + <17-character string consisting of letters and digits> format, you must manually adjust the priority of the default rule because the default rule has the highest priority. To adjust the priority of the default rule, perform the following operations:
    1. Find the workspace to which the cloud desktop belongs and click the workspace ID.
    2. On the workspace details page, click the security group ID.
    3. On the Security Groups page, click the security group ID.
    4. On the Security Group Rules page, click the Outbound tab.
    5. Adjust the priority of the required rule.

      We recommend that you set the priority to at least 60. This ensures that all the outbound rules that you add take effect immediately.
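The following added example (not part of the EDS documentation) models why the default outbound rule must be re-prioritized in an upgraded workspace: all rules matching the destination compete, and the smallest priority value wins. The default "allow all outbound" rule is represented as priority 1 before the adjustment and 60 after it; the tie-break in favour of Deny is the example's own assumption, and the sample Deny rule is constructed.

```python
import ipaddress

# Model of the outbound evaluation this section describes: every candidate rule
# that matches the destination competes, and the smallest priority value wins.
# The default "allow all outbound" rule is modelled as priority 1 in a workspace
# upgraded from an earlier directory (highest priority) and 60 after the fix.
def effective_outbound_policy(rules, dst_ip, default_priority):
    """rules: dicts with priority, cidr, policy; returns "Allow" or "Deny"."""
    default_rule = {"priority": default_priority, "cidr": "0.0.0.0/0", "policy": "Allow"}
    ip = ipaddress.IPv4Address(dst_ip)
    hits = [r for r in rules + [default_rule]
            if ip in ipaddress.IPv4Network(r["cidr"], strict=False)]
    # Assumption, not stated on the page: on equal priority, Deny wins.
    best = min(hits, key=lambda r: (r["priority"], r["policy"] != "Deny"))
    return best["policy"]

# Constructed sample: an administrator adds one outbound Deny for an external range.
BLOCK_RULE = [{"priority": 10, "cidr": "203.0.113.0/24", "policy": "Deny"}]

def before_adjusting_default():
    """Upgraded workspace, default rule still at the highest priority."""
    return effective_outbound_policy(BLOCK_RULE, "203.0.113.5", default_priority=1)

def after_adjusting_default():
    """Default rule moved to priority 60, as recommended above."""
    return effective_outbound_policy(BLOCK_RULE, "203.0.113.5", default_priority=60)
```

Before the adjustment the Deny rule is shadowed and the traffic is allowed; after it the Deny rule takes effect while other destinations still fall through to the default Allow.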