This topic describes the security-related policies in WUYING Workspace.
Background information
The security-related policies for cloud desktops include the following:
User logon control: Logon method control and cloud desktop access IP address whitelist.
Display security: Anti-screenshot and watermark.
Clipboard control: Control granularity and copy permissions.
Data security: File transfer, web client file transfer, and full-speed transfer control.
Network access: Security group control and domain name access control.
Screen recording audit.
Image management: Resetting cloud desktop images.
End user-defined snapshots.
User logon control
Scenarios
The Logon Method Control policy restricts the types of WUYING Terminals that end users can use to connect to cloud desktops.
For example, to ensure enterprise information security, an administrator can configure the policy to allow connections to cloud desktops only from the Windows client, macOS client, and .
The Cloud Desktop Access IP Whitelist policy restricts the IP address ranges of WUYING Terminals that can be used to connect to cloud desktops.
For example, to ensure enterprise information security, an administrator can add the CIDR block of the WUYING Terminals in the office to the whitelist. This ensures that employees can connect to cloud desktops only from WUYING Terminals in the office and not from other locations.
Configuration
Configuration item | Description |
Logon Method Control | Restricts the WUYING Terminal types that end users can use. The options include the following:
By default, all options are selected. Clear the terminal types as needed. |
Cloud Desktop Access IP Whitelist | Specifies the IP address ranges of WUYING Terminals that can connect to cloud desktops. Click Add IP Address Range. In the Add IP CIDR Block dialog box, enter the allowed Source CIDR Block, and then click OK. The IP address range must be in CIDR format. For example, |
Display security
Scenarios
The Anti-screenshot feature prevents data breaches caused by screen captures or screen recordings.
For example, to prevent the unauthorized use of design drawings, an architectural design company enables the anti-screenshot policy for its cloud desktops. This prevents users from using screenshot tools on on-premises devices to capture or record the cloud desktop screen.
The Watermark feature helps prevent data breaches and provides an audit trail.
For example, an advertising company enables watermarks for its cloud desktops. If an employee takes a screenshot of an internal file on a cloud desktop, the screenshot carries the watermark specified by the administrator. This deters leaks of internal files, and if a data breach does occur, the watermark provides an audit trail that helps identify the source.
Applicable scope
Configuration item | Minimum image version | Client and minimum version |
Anti-screenshot | No requirement | Windows client and macOS client V5.2 |
Invisible watermark strength | 1.8.0 | No requirement |
Anti-photo for invisible watermark | 1.8.0 | Any client V6.7 |
Configuration
Configuration item | Description |
Anti-screenshot | The anti-screenshot feature is used for data breach prevention. After you enable this feature, end users cannot use screenshot tools on their on-premises devices to capture or record the cloud desktop screen. Note
|
Watermark | The watermark feature is used for data breach prevention. It serves both a preventive and an auditing role.
Visible watermark: A visible watermark is visible to the naked eye. You can set the content and display style of the watermark. During configuration, you can preview the display style of a visible watermark in the preview area below.
Invisible watermark: An invisible watermark is not visible to the naked eye. The default invisible watermark algorithm provided by WUYING Workspace encrypts the watermark information based on the Alibaba Cloud account identity to prevent malicious tampering. The configuration items for invisible watermarks include the following:
|
Query transfer logs
For more information about how to query detailed records of file transfers, see View file transfer logs.
Data security
Applicable scope
Local disk mapping
Clipboard control:
Text and images can be transferred without any conditions.
File transfers require the Windows client (V7.3 or later).
Fine-grained control requires the cloud desktop image version to be 2.4 or later. Otherwise, all copy operations are denied.
Web client file transfer: Even if set to Allow Upload and Download, this setting does not take effect for Linux cloud desktops that use the HDX protocol. To use the file transfer feature on these cloud desktops, you must use the default system policy (All enabled policy).
Configuration
Configuration item | Description |
Local disk mapping | |
Local disk mapping | Maps the disks of the local device into the cloud desktop so that the cloud desktop can read and write those local disks. Valid values:
|
Clipboard control | |
Control granularity | Select the scope for which the clipboard permission settings take effect. The options include the following:
|
Text copy permission | Set clipboard permissions by data type. The options include the following:
|
Rich text/image copy permission | |
File/folder copy permission | |
Text copy limit | Set the upper limit for copied text. When an end user copies text, the part that exceeds the limit is cropped. |
Data security | |
Web client file transfer | Set whether files can be transferred between the cloud desktop and the on-premises device using the web client. |
Network access
Domain name access control
Domain name access control policies allow or deny access to specified domain names from within a cloud desktop. For example, if company regulations prohibit employees from visiting websites unrelated to work during work hours, an administrator can add the domain names of entertainment websites to a DNS deny rule.
Scenarios
By default, access to any domain name is allowed from within a cloud desktop. Domain name access control is used to allow or deny access to specified domain names and supports multi-level, fine-grained control over domain name access permissions.
For example, assume you have the domain names shown in the following table. You can configure DNS rules as shown in the table to implement fine-grained permission control.
Domain name | Example | Access policy | Description |
Second-level domain name |
| Allow | When a cloud desktop accesses |
Third-level domain name |
| Deny | When a cloud desktop accesses |
| Allow | When a cloud desktop accesses | |
Fourth-level domain name |
| Deny | When a cloud desktop accesses |
| Allow | When a cloud desktop accesses | |
| Allow |
Limits
Domain name limits
To ensure that end users can use cloud desktops normally, the following reserved security domain names are not subject to DNS rules. This means that cloud desktops can always access these domain names. If you set the access policy for these domain names to Deny, the rule does not take effect.
*.gws.aliyun
*.aliyun.com
*.alicdn.com
*.aliyunpds.com
*.aliyuncds.com
*.aliyuncs.com
Operating system limits
Domain name access control policies take effect only on cloud desktops that run the Windows operating system.
Rule quantity limit
You can configure a maximum of 300 DNS rules.
Configuration
In the Domain Name Access Control (formerly DNS Policy) section, click Add DNS Rule. In the Add DNS Rule dialog box, complete the following configurations and click OK.
Configuration item | Description |
Domain Name | Enter the domain name for which you want to set a DNS rule. You can add only one domain name at a time. The wildcard character |
Description | A custom description for the DNS rule. |
Access Policy | You can select Allow or Deny. Note
|
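The following is an added example, not WUYING's own code, that models how a policy's domain name access control rules decide a lookup according to the semantics described above: access is allowed by default, the reserved security domain names are exempt from Deny rules, and at most 300 rules may be configured. Two points the page does not spell out are labelled as assumptions in the comments: a leading `*.` matches any subdomain but not the bare apex, and when several rules match, the most specific one (most literal labels, exact name over wildcard) wins. The `example.com` rule set is constructed to mirror the second-, third- and fourth-level rows of the table above.

```python
"""Added example, not WUYING's own code: a model of how a policy's domain name
access control rules are evaluated, following the semantics on this page
(default Allow, reserved domains exempt, at most 300 rules). Points marked
ASSUMPTION are not stated on the page."""
from typing import List, Optional, Tuple

MAX_DNS_RULES = 300

# Reserved security domain names from this page: always reachable, a Deny rule
# for them does not take effect.
RESERVED_DOMAINS = (
    "*.gws.aliyun", "*.aliyun.com", "*.alicdn.com",
    "*.aliyunpds.com", "*.aliyuncds.com", "*.aliyuncs.com",
)

DnsRule = Tuple[str, str]  # (domain pattern, "Allow" or "Deny")


def _normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def _matches(pattern: str, host: str) -> bool:
    """ASSUMPTION: a leading '*.' matches one or more subdomain labels and
    never the bare apex; any other pattern must match the host exactly."""
    pattern, host = _normalize(pattern), _normalize(host)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # ".example.com" suffix match
    return host == pattern


def _specificity(pattern: str) -> Tuple[int, bool]:
    """ASSUMPTION: the most specific matching rule wins, i.e. more literal
    labels first, and an exact name beats a wildcard with the same labels."""
    pattern = _normalize(pattern)
    exact = not pattern.startswith("*.")
    literal_labels = len(pattern.split(".")) - (0 if exact else 1)
    return literal_labels, exact


def validate_rules(rules: List[DnsRule]) -> None:
    """Reject rule sets the console would not accept."""
    if len(rules) > MAX_DNS_RULES:
        raise ValueError(f"at most {MAX_DNS_RULES} DNS rules are allowed, got {len(rules)}")
    for domain, policy in rules:
        if policy not in ("Allow", "Deny"):
            raise ValueError(f"access policy must be Allow or Deny: {policy!r}")
        name = _normalize(domain)
        body = name[2:] if name.startswith("*.") else name
        if not body or "*" in body or not all(body.split(".")):
            raise ValueError(f"invalid domain name {domain!r}")


def is_reserved(host: str) -> bool:
    return any(_matches(p, host) for p in RESERVED_DOMAINS)


def evaluate(rules: List[DnsRule], host: str) -> str:
    """Return "Allow" or "Deny" for a lookup of `host` from the cloud desktop."""
    validate_rules(rules)
    if is_reserved(host):
        return "Allow"                           # DNS rules never apply here
    best: Optional[Tuple[Tuple[int, bool], str]] = None
    for domain, policy in rules:
        if _matches(domain, host):
            key = _specificity(domain)
            if best is None or key > best[0]:
                best = (key, policy)
    return best[1] if best else "Allow"          # page: allowed by default


# Constructed rule set (example.com is a placeholder, not from the page),
# shaped like the page's second-/third-/fourth-level domain table.
EXAMPLE_RULES: List[DnsRule] = [
    ("*.example.com", "Allow"),
    ("*.video.example.com", "Deny"),
    ("docs.video.example.com", "Allow"),
    ("*.aliyuncs.com", "Deny"),                  # ignored: reserved domain
]

if __name__ == "__main__":
    for host in ("mail.example.com", "cdn.video.example.com",
                 "docs.video.example.com", "ecs.aliyuncs.com", "other.org"):
        print(f"{host:28} -> {evaluate(EXAMPLE_RULES, host)}")
```

Running the block shows the effect of the Deny rule for `*.aliyuncs.com` being silently ignored, which is the check an administrator should make before relying on a Deny rule: anything under the reserved domains stays reachable regardless of policy. Keep in mind that, per the Limits above, the real policy is enforced only on Windows cloud desktops.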
Security group control
A security group is a security mechanism that controls the inbound and outbound traffic of a cloud desktop to improve its security.
Scenarios
A security group rule is defined by properties such as rule direction, authorization policy, priority, protocol type, and port range. Before data communication is established with a cloud desktop, the system checks the security group rules in the policy that is associated with the cloud desktop to determine whether to allow the access request:
For rules with the authorization policy set to Allow, if an access request matches the rule, the access request is allowed.
For rules with the authorization policy set to Deny, if an access request matches the rule, the access request is intercepted and the data packet is discarded.
You can add inbound or outbound security group rules as needed to control the inbound and outbound traffic of your cloud desktops. The following sections provide example configurations for security group rules in different scenarios:
Example 1
By default, cloud desktops allow all outbound access. You can add the following outbound rules to allow cloud desktops to access only specific IP addresses:
Rule 1: Deny all outbound access. For example:
Rule direction | Authorization | Priority | Protocol Type | Port range | Authorization object |
Outbound | Deny | 2 | All | -1/-1 | 0.0.0.0/0 |
Rule 2: Allow access to a specific IP address. This rule works together with Rule 1 and must have a higher priority (a smaller priority value) than Rule 1 so that it is matched first. For example:
Rule direction | Authorization | Priority | Protocol Type | Port range | Authorization object |
Outbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | The IP address that is allowed access, for example, 192.168.1.1/32. |
Example 2
In an enterprise private network environment, you can add an inbound rule to allow access from a specific IP address. This enables the IP address to access the cloud desktop. For example:
Rule direction | Authorization | Priority | Protocol Type | Port range | Authorization object |
Inbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | The IP address that is allowed access, for example, 192.168.1.1/32. |
Example 3
Assume that cloud desktop A is associated with policy A, and cloud desktop B is associated with policy B. In an enterprise private network environment, cloud desktops A and B cannot access each other because cloud desktops deny all inbound access by default. You can add the following inbound rules to policies A and B to enable network communication between cloud desktops A and B:
In policy A, add an inbound rule to allow access from cloud desktop B. For example:
Rule direction | Authorization | Priority | Protocol Type | Port range | Authorization object |
Inbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | The IP address of cloud desktop B. |
In policy B, add an inbound rule to allow access from cloud desktop A. For example:
Rule direction | Authorization | Priority | Protocol Type | Port range | Authorization object |
Inbound | Allow | 1 | Select the applicable protocol type. | Set an appropriate port range. | The IP address of cloud desktop A. |
Limits
Rule quantity limit
You can configure a maximum of 200 security group rules.
Limits on inbound rules
By default, cloud desktops allow all outbound access. Inbound access is subject to the following principles:
In an Internet environment, cloud desktops do not support inbound access. Even if you configure an inbound security group rule to allow access, the rule does not take effect.
In an enterprise private network environment, cloud desktops deny all inbound access by default. However, you can configure an inbound security group rule to allow access requests that meet specific requirements.
Configuration
In the Security Group Control section, click Add Security Group Rule. In the Add Security Group Rule dialog box, complete the following configurations and click OK.
Configuration item | Description |
Rule direction |
|
Authorization |
|
Priority | The priority value ranges from 1 to 60. A smaller value indicates a higher priority. For rules of the same type, the rule with the highest priority takes effect. |
Protocol Type | Supports TCP, UDP, ICMP (IPv4), and GRE protocols. |
Port range | The port opened by the application or protocol. If you select Custom TCP or Custom UDP for Protocol Type, you can set a custom port. When setting a port, you can enter a specific port (such as |
Authorization object | An IPv4 address range in CIDR format. |
Description | A custom description for the rule. |
What to do next
By default, cloud desktops deny all inbound access and allow all outbound access. The outbound behavior comes from a built-in default rule that allows all outbound traffic, so an outbound Deny rule that you add conflicts with that default rule, and which one wins depends on their relative priority. Depending on the office network to which the cloud desktop belongs, you may need to adjust the priority of the default rule so that your new rule can take effect.
If you are using a new version of an office network (ID format: region ID+dir+10 digits), the default rule has the lowest priority. The rule that you add takes effect immediately, and no extra action is required.
If you are using an office network that was upgraded from an older directory (ID format: region ID+dir+17 letters and digits), the default rule has the highest priority. You must manually adjust the priority of the default rule. The steps are as follows:
Find the office network to which the cloud desktop belongs and click its office network ID.
On the office network details page, click the security group ID.
On the Security Groups page, click the security group ID.
On the Security Group Rules page, click the Outbound tab and modify the priority of the corresponding rule.
We recommend that you set the priority to 60. This ensures that any outbound rules that you manually add later take effect immediately.
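The following is an added example, not WUYING's own code, that models how the security group rules in a policy decide a single flow according to the semantics above: the priority value runs from 1 to 60 with a smaller value winning, inbound rules never take effect in an Internet environment, inbound traffic is denied and outbound traffic allowed by default, and a policy holds at most 200 rules. The built-in allow-all outbound rule is modelled as an explicit rule whose priority is a parameter, so that the "What to do next" situation can be reproduced: with the default rule at priority 60 (new office network) the page's Example 1 works, while with the default rule at the highest priority (upgraded office network, modelled here as priority 1, an assumption) the Deny rule never takes effect. Tie-breaking between equal priorities is not stated on the page and is labelled as an assumption; the TCP/443 choice in Example 1 is a constructed value for "select the applicable protocol type".

```python
"""Added example, not WUYING's own code: a model of how the security group
rules in a policy decide one flow, following the semantics on this page
(priority 1..60 with smaller = higher, inbound unreachable from the Internet,
inbound denied and outbound allowed by default, at most 200 rules).
Points marked ASSUMPTION are not stated on the page."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MAX_RULES = 200
PRIORITY_MIN, PRIORITY_MAX = 1, 60
PROTOCOLS = {"All", "TCP", "UDP", "ICMP", "GRE"}


@dataclass(frozen=True)
class SgRule:
    direction: str   # "Inbound" or "Outbound"
    action: str      # "Allow" or "Deny"
    priority: int    # 1..60, smaller value = higher priority
    protocol: str    # one of PROTOCOLS
    port_range: str  # "-1/-1" = all ports, otherwise "low/high"
    cidr: str        # IPv4 CIDR block, e.g. "192.168.1.1/32"


def parse_port_range(port_range: str) -> Tuple[int, int]:
    """Return (low, high); (-1, -1) means every port."""
    low, high = (int(p) for p in port_range.split("/"))
    if (low, high) != (-1, -1) and not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range {port_range!r}")
    return low, high


def validate_rule(rule: SgRule) -> None:
    """Reject a rule the console would not accept."""
    if rule.direction not in ("Inbound", "Outbound"):
        raise ValueError(f"bad rule direction {rule.direction!r}")
    if rule.action not in ("Allow", "Deny"):
        raise ValueError(f"bad authorization {rule.action!r}")
    if not PRIORITY_MIN <= rule.priority <= PRIORITY_MAX:
        raise ValueError(f"priority {rule.priority} not in {PRIORITY_MIN}..{PRIORITY_MAX}")
    if rule.protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {rule.protocol!r}")
    parse_port_range(rule.port_range)
    if ipaddress.ip_network(rule.cidr, strict=False).version != 4:
        raise ValueError("authorization object must be an IPv4 CIDR block")


def _matches(rule: SgRule, protocol: str, port: Optional[int], peer_ip: str) -> bool:
    """Does this rule cover the given protocol, port and peer address?"""
    if rule.protocol not in ("All", protocol):
        return False
    low, high = parse_port_range(rule.port_range)
    if (low, high) != (-1, -1) and (port is None or not low <= port <= high):
        return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr, strict=False)


def evaluate(rules: Iterable[SgRule], direction: str, protocol: str,
             port: Optional[int], peer_ip: str, *,
             network: str = "private", default_outbound_priority: int = 60) -> str:
    """Return "Allow" or "Deny" for one flow.

    network: "internet" or "private" (enterprise private network).
    default_outbound_priority: priority of the built-in allow-all outbound rule;
      lowest (60) on new office networks, highest on networks upgraded from an
      old directory. ASSUMPTION: "highest" is modelled as 1.
    """
    rules = list(rules)
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} security group rules, got {len(rules)}")
    for rule in rules:
        validate_rule(rule)
    if direction == "Inbound" and network == "internet":
        return "Deny"                     # page: inbound rules never take effect here
    candidates = [r for r in rules
                  if r.direction == direction and _matches(r, protocol, port, peer_ip)]
    if direction == "Outbound":           # page: built-in allow-all outbound rule
        candidates.append(SgRule("Outbound", "Allow", default_outbound_priority,
                                 "All", "-1/-1", "0.0.0.0/0"))
    if not candidates:
        return "Deny"                     # page: inbound denied by default
    # Smaller priority value wins. ASSUMPTION: on a tie, Deny wins.
    best = min(candidates, key=lambda r: (r.priority, 0 if r.action == "Deny" else 1))
    return best.action


# The page's Example 1: deny everything outbound except one host. TCP/443 is a
# constructed choice for "select the applicable protocol type / port range".
EXAMPLE_1: List[SgRule] = [
    SgRule("Outbound", "Deny", 2, "All", "-1/-1", "0.0.0.0/0"),
    SgRule("Outbound", "Allow", 1, "TCP", "443/443", "192.168.1.1/32"),
]

if __name__ == "__main__":
    for prio in (60, 1):   # new office network vs. upgraded one before demoting the default rule
        print(f"default outbound rule at priority {prio}:",
              evaluate(EXAMPLE_1, "Outbound", "TCP", 443, "192.168.1.1", default_outbound_priority=prio),
              evaluate(EXAMPLE_1, "Outbound", "TCP", 443, "10.0.0.5", default_outbound_priority=prio))
```

The second loop iteration is the failure mode the "What to do next" section warns about: with the built-in rule still at the highest priority, traffic to 10.0.0.5 is allowed even though Rule 1 says Deny, which is why the default rule must be moved to priority 60 on upgraded office networks before an outbound allow-list can be trusted.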
End user-defined snapshots
The end user-defined snapshot policy controls whether end users can create custom restore points in the client.
Scenarios
End users can use restore points to back up and restore cloud desktop data. For example, before performing a risky operation, such as modifying critical system files, an end user can create a restore point.
To prevent resource waste from user errors or the creation of an excessive number of restore points, administrators can use this policy to control whether end users can create custom restore points.
Limits
This feature is available only when a cloud desktop is assigned to a single user.
Configuration
If the switch to the right of the End user-defined snapshots section is turned on, end users can create custom restore points on the Management page of the cloud desktop card.
If the switch is turned off, the entry for the custom restore point feature is hidden from the Management page and is not visible to end users.