You can create policies with different configurations and associate the policies with cloud desktops. This way, you can manage the security configurations for cloud desktops in a centralized manner and ensure security for cloud desktops.

Background information

A policy is a set of security rules used to control security configurations when regular users use cloud desktops. A policy contains a basic policy (USB redirection and watermarking) and one or more network control rules (inbound and outbound throttling rules). For more information, see Policy overview.

Procedure

  1. Log on to the EDS console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Policy Management.
  4. On the Policy Management page, click Create Policy.
  5. In the Create Policy panel, perform the following operations to specify parameters for the basic policy:
    1. Specify the Policy Name parameter.
    2. Configure parameters described in the following table.
      Parameter: Description
      USB Redirection: Specify whether to enable the USB redirection feature. After you set this parameter to Enable, you can connect USB flash drives to cloud desktops.
      Watermark: Specify whether to enable the watermarking feature. After you set this parameter to Enable, you can configure the information and transparency of watermarks to display on the cloud desktop. You can make the following configurations for watermarking:
        • Watermark information: Specify the watermark information to display. You can select Show Username, Show Desktop Name, or both.
        • Transparency: Specify the transparency level of watermarks. You can select Light, Medium, or Dark.
      Local Disk Mapping: Specify whether to allow read and write operations on the mapped drives of local disks on cloud desktops. Valid values:
        • Disable: No mapped drives of local disks are available on cloud desktops.
        • Read Only: The mapped drives of local disks are available on cloud desktops. You can only read or copy local files and cannot modify local files.
        • Read/Write: The mapped drives of local disks are available on cloud desktops. You can read, copy, or modify local files.
      Clipboard: Specify whether to allow copy operations between local devices and cloud desktops. Valid values:
        • Disable: You cannot copy files between local devices and cloud desktops.
        • Read Only: You can copy files only from local devices to cloud desktops and cannot copy files from cloud desktops to local devices.
        • Read/Write: You can copy files between local devices and cloud desktops.
      Whether to Allow User Preemption: Specify whether to allow a regular user to preemptively log on to a cloud desktop to which another regular user is already logged on. Valid values:
        • Allow: When a regular user is logged on to a cloud desktop, other regular users can preemptively log on to the cloud desktop. The original regular user is forcibly disconnected, and the cloud desktop window is closed.
        • Disallow: When a regular user is logged on to a cloud desktop, other regular users cannot log on to the cloud desktop.
  6. Optional: In the Create Policy panel, configure parameters for the network control rule.
    1. Click Add Network Control Rule.
      By default, cloud desktops deny all inbound access and allow all outbound access. You can add inbound or outbound rules to meet your business requirements.
    2. Configure parameters for the rule.
      To define a network control rule, you must specify the rule direction, priority, CIDR block, protocol type, port range, and authorization policy. The following table describes the parameters.
      Parameter: Description
      Rule Direction: Valid values:
        • Inbound: controls whether to allow access requests to the cloud desktop.
        • Outbound: controls whether to allow requests of the cloud desktop to access other applications.
      Priority: Priority values range from 1 to 60. A smaller value indicates a higher priority. For rules of the same type, the rule that has the highest priority takes effect.
      CIDR Block: The IPv4 CIDR block. Specify this parameter based on your requirements.
      Protocol Type: Valid values: TCP, UDP, ICMP (IPv4), and GRE. Specify this parameter based on your requirements.
      Port Range: The ports enabled for applications or protocols. When you set Protocol Type to Custom TCP or Custom UDP, you can customize the port range. You can specify a specific port number such as 80 or a port range such as 1/80. For more information, see Common ports used by applications.
      Description: The description of the rule.
      Authorization Policy: Specify whether to allow or deny access requests.
        • Allow access requests.
        • Block access requests and drop the data packets. No response is returned.
      Note: You can add up to 20 network control rules to a policy. When you add a network control rule, we recommend that you follow the principle of least privilege to grant permissions on a specific IP address and a specific port number. Proceed with caution when you grant permissions on all CIDR blocks such as 0.0.0.0/0 and a large port range such as 1/65535.
  7. Click Create.
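
The limits and the least-privilege note in step 6 can be checked before rules are entered in the console. The following is an added example, not part of the EDS documentation or API: the dictionary field names, the `wide_ports` threshold, and the sample rules are assumptions made for illustration.

```python
import ipaddress

MAX_RULES = 20                               # per-policy limit from the note in step 6
PROTOCOLS = {"TCP", "UDP", "ICMP", "GRE"}    # protocol types listed in the table

def parse_ports(spec):
    """Accept '80' or the page's range notation '1/80'; return (low, high)."""
    low, _, high = spec.partition("/")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return low, high

def lint_policy(rules, wide_ports=1024):
    """Return (rule_index, message) findings; index -1 means the whole policy."""
    findings = []
    if len(rules) > MAX_RULES:
        findings.append((-1, f"{len(rules)} rules exceed the limit of {MAX_RULES}"))
    for i, r in enumerate(rules):
        if r["direction"] not in ("inbound", "outbound"):
            findings.append((i, "direction must be inbound or outbound"))
        if not 1 <= r["priority"] <= 60:
            findings.append((i, "priority must be 1-60"))
        if r["protocol"] not in PROTOCOLS:
            findings.append((i, "unknown protocol type"))
        try:
            net = ipaddress.IPv4Network(r["cidr"], strict=False)
            # Ports only apply to TCP/UDP rules in this sketch.
            low, high = parse_ports(r["ports"]) if r["protocol"] in ("TCP", "UDP") else (0, 0)
        except ValueError as exc:
            findings.append((i, f"invalid CIDR or port range: {exc}"))
            continue
        if r["action"] == "allow":           # broad allow rules are the risky ones
            if net.prefixlen == 0:
                findings.append((i, "allow rule covers 0.0.0.0/0"))
            if high - low + 1 > wide_ports:
                findings.append((i, f"allow rule covers {high - low + 1} ports"))
    return findings

# Constructed sample policy (addresses are documentation ranges).
SAMPLE = [
    {"direction": "inbound", "priority": 1, "cidr": "203.0.113.10/32",
     "protocol": "TCP", "ports": "443", "action": "allow"},
    {"direction": "inbound", "priority": 2, "cidr": "0.0.0.0/0",
     "protocol": "TCP", "ports": "1/65535", "action": "allow"},
    {"direction": "outbound", "priority": 61, "cidr": "10.0.0.0/8",
     "protocol": "UDP", "ports": "53", "action": "deny"},
]
print(lint_policy(SAMPLE))
```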

What to do next

If you add an outbound network control rule to your policy and your workspace is upgraded from an earlier version of a directory, you must manually adjust the priority of the default rule.

By default, cloud desktops deny all inbound access and allow all outbound access, so an outbound rule that you add conflicts with the default outbound rule. Depending on the workspace to which your cloud desktop belongs, you may need to adjust the priority of the default rule so that your added rule can take effect.
  • If your workspace is of the latest version, whose ID is in the format of <region ID> + dir + <10 digits>, your added rule takes effect directly without manual operations because the default rule has the lowest priority.
  • If your workspace is upgraded from an earlier version of a directory whose ID is in the format of <region ID> + dir + <17 letters and digits>, you must manually adjust the priority of the default rule because the default rule has the highest priority. Perform the following operations:
    1. Find the workspace to which the cloud desktop belongs and click the workspace ID.
    2. On the workspace details page, click the security group ID.
    3. On the Security Groups page, click the security group ID.
    4. On the Security Groups Rules page, click the Outbound tab.
    5. Modify the priority of the corresponding rule.

      We recommend that you set the priority to at least 60 so that all the outbound rules that you manually add can directly take effect.
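
The priority conflict described above can be reproduced with a small model of rule evaluation. This is an added example, not EDS code: the rule dictionaries, the function names, the value 1 used for "highest priority", and the deny-first tie-break are assumptions of the sketch.

```python
import ipaddress

def port_in(spec, port):
    """True if port falls in '80' or the page's range notation '1/80'."""
    low, _, high = spec.partition("/")
    return int(low) <= port <= int(high or low)

def decide(rules, direction, peer_ip, protocol, port, fallback):
    """Among matching rules the smallest priority number wins; else fallback."""
    ip = ipaddress.IPv4Address(peer_ip)
    hits = [r for r in rules
            if r["direction"] == direction and r["protocol"] == protocol
            and ip in ipaddress.IPv4Network(r["cidr"])
            and port_in(r["ports"], port)]
    if not hits:
        return fallback
    # Equal priorities: deny is preferred here. That tie-break is an assumption
    # of this sketch; the page does not define it.
    return min(hits, key=lambda r: (r["priority"], r["action"] != "deny"))["action"]

def outbound_decision(user_rules, default_priority, peer_ip, port):
    """Model the default allow-all outbound rule at a chosen priority."""
    default_rule = {"direction": "outbound", "priority": default_priority,
                    "cidr": "0.0.0.0/0", "protocol": "TCP",
                    "ports": "1/65535", "action": "allow"}
    return decide(user_rules + [default_rule], "outbound", peer_ip, "TCP", port, "allow")

# Constructed rule: block SSH from the desktop to a documentation-range subnet.
USER_RULES = [{"direction": "outbound", "priority": 10, "cidr": "198.51.100.0/24",
               "protocol": "TCP", "ports": "22", "action": "deny"}]

if __name__ == "__main__":
    # Upgraded workspace: default rule modelled at priority 1 shadows the deny.
    print(outbound_decision(USER_RULES, 1, "198.51.100.7", 22))
    # Default rule moved to 60: the deny at priority 10 now takes effect.
    print(outbound_decision(USER_RULES, 60, "198.51.100.7", 22))
```

With the default rule at the highest priority the added deny rule never matches first, which is why the manual adjustment is required on upgraded workspaces.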