---
myst:
  html_meta:
    "description lang=en": "Kasm Workspaces Data Loss Prevention"
    "keywords": "Kasm, Server, Configuration, Security, DLP, data loss prevention"
    "property=og:locale": "en_US"
---
```{title} Data Loss Prevention
```
# Data Loss Prevention
Many features of the Kasm Workspaces platform help prevent users from moving data out of the Kasm Workspaces environment to their local system, or from their local system into the Kasm Workspaces environment. This guide covers these disparate features and how they can be used together toward those goals.
## Group Settings
```{eval-rst}
Many features can be configured via :doc:`group settings `. Users can belong to multiple groups; where groups define overlapping settings, the group's configured priority decides which value applies, and the group with the lower priority value takes precedence. This table covers the group settings that relate to data loss prevention. Each one that is enabled opens an additional channel: for example, allowing audio in and out provides additional avenues for data exfiltration.
```
```{eval-rst}
.. list-table::
   :widths: 30 70
   :header-rows: 1

   * - Setting
     - Description
   * - allow_kasm_audio
     - Allow audio streaming for a Kasm.
   * - allow_kasm_clipboard_down
     - Allow users to paste text from the Kasm to their local computer.
   * - allow_kasm_clipboard_seamless
     - Allow users to copy and paste text without using the Kasm control panel.

       This feature is only available on Chrome and Chromium-based client browsers.
   * - allow_kasm_clipboard_up
     - Allow users to paste text from their local computer into the Kasm.
   * - allow_kasm_downloads
     - Allow users to download files from a Kasm.

       On `RDP local client` workspaces this has no effect; see **allow_kasm_rdp_client_file_transfer_clipboard**.
   * - allow_kasm_gamepad
     - Allow users to pass local gamepads into the Kasm session.
       See :doc:`Gamepad Passthrough <../guide/gamepad_passthrough>` for more details.
   * - allow_kasm_microphone
     - Allow microphone passthrough to a Kasm. When enabled, users can pass their local microphone through to the
       Kasm session.

       On `RDP local client` workspaces this only works with desktop editions of Windows.
   * - allow_kasm_printing
     - Allow printing of documents to local printers.
   * - allow_kasm_rdp_client_file_transfer_clipboard
     - This setting only applies to RDP client Kasm sessions. In RDP, file transfers are part of the clipboard,
       so independent directional control of file transfers is not possible. This setting enables file transfer
       in the directions in which the text clipboard has been enabled via **allow_kasm_clipboard_down** and
       **allow_kasm_clipboard_up**.
   * - allow_kasm_rdp_map_local_drives
     - Allow sessions using the RDP Gateway to map client local drives into the RDP target.
       This is an all-or-nothing setting: when enabled it maps all client drives into the RDP session.
   * - allow_kasm_sharing
     - Allow the user to share access to their session with other users.
       See :doc:`Session Sharing <../guide/session_sharing>` for more details.
   * - allow_kasm_uploads
     - Allow users to upload files to a Kasm.

       On `RDP local client` workspaces this has no effect; see **allow_kasm_rdp_client_file_transfer_clipboard**.
   * - allow_kasm_webcam
     - Allow webcam passthrough to a Kasm. When enabled, users can pass their local webcam through to the
       Kasm session.

       On `RDP local client` workspaces this only works with desktop editions of Windows.
   * - allow_persistent_profile
     - Allow the use of persistent profiles if configured on the Workspace.
       See :doc:`Persistent Profiles <../guide/persistent_data/persistent_profiles>` for details.
   * - allow_user_storage_mapping
     - When enabled, the user is allowed to configure their own
       :doc:`Storage Mappings <../../guide/storage_mappings>` via their profile. When disabled, new user
       configurations are not allowed, nor are any previously configured mappings used when new sessions
       are created.
   * - enable_ui_server_logging
     - If enabled, log messages are sent from the client browser to the Kasm Workspaces server.
   * - expose_user_environment_vars
     - Expose the KASM_USER and KASM_USER_ID environment variables inside the Kasm.
   * - session_time_limit
     - The amount of time (in seconds) after which a session automatically expires. A countdown timer is
       displayed to the user.
   * - usage_limit
     - Limits the total number of hours a user or group can have running sessions.

       **Type**

       - **Per User** - Each user of the group has their own limit.
       - **Per Group** - All members share the usage limit.

       **Interval**

       - **Daily**, **Weekly**, **Monthly**, **Total**.

       **Hours**

       - The number of hours allowed during each interval.
   * - web_filter_policy
     - Enables web filtering and sets the :doc:`Web Filter Policy <../guide/web_filtering>` to be used. Policies
       can also be set, or force-disabled, on Workspaces. Policies assigned to Workspaces take priority over
       those defined via Group Settings.
```
## KasmVNC DLP Policy
While group settings provide basic on/off capability for features like the clipboard, KasmVNC DLP Policies allow for a greater level of control. For example, KasmVNC DLP settings allow for defining rate limits for the clipboard and keyboard input. For a full reference of the KasmVNC YAML configuration, see the [KasmVNC Docs](https://www.kasmweb.com/kasmvnc/docs/latest/configuration.html).
```{eval-rst}
See our how-to guide on :doc:`Applying KasmVNC DLP Policies <../how_to/kasmvnc_dlp_policies>` to a Kasm Workspaces by utilizing the :doc:`File Mapping <../guide/file_mappings>` feature.
```
The following shows the default settings for the DLP section of the KasmVNC configuration. For a detailed explanation of all settings, see the [KasmVNC Docs, DLP Section](https://www.kasmweb.com/kasmvnc/docs/latest/configuration.html#data-loss-prevention).
```yaml
data_loss_prevention:
  visible_region:
    # top: 10
    # left: 10
    # right: -40
    # bottom: -40
    concealed_region:
      allow_click_down: false
      allow_click_release: false
  clipboard:
    delay_between_operations: none
    allow_mimetypes:
      - chromium/x-web-custom-data
      - text/html
      - image/png
    server_to_client:
      enabled: true
      size: unlimited
      primary_clipboard_enabled: false
    client_to_server:
      enabled: true
      size: unlimited
  keyboard:
    enabled: true
    rate_limit: unlimited
  logging:
    level: off
  watermark:
    # image: /etc/kasmvnc/picture.png
    # location: 10,10
    # tint: 255,20,20,128
    # repeat_spacing: 10
```
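The defaults above leave every clipboard and keyboard path unbounded and DLP logging off. The following is an added example (not KasmVNC's or Kasm's own code) that holds the default policy as a Python dict, lints it for the settings that matter to DLP, and emits a hardened variant with the sizes, delays and rate limits that the KasmVNC YAML supports. It assumes, as the KasmVNC documentation describes them, that `size` is in bytes per clipboard update, `delay_between_operations` in milliseconds and `keyboard.rate_limit` in key presses per second; the thresholds (4096 bytes, 500 ms, 20 keys/s) and the `text/plain`-only mimetype list are our own choices. The small YAML emitter is included only so the result can be dropped into a File Mapping without a third-party library.

```python
"""Audit and harden a KasmVNC data_loss_prevention policy (added example).

Assumptions (not from the original page): size is bytes per clipboard
update, delay_between_operations is milliseconds, keyboard.rate_limit is
key presses per second. Thresholds below are illustrative, not Kasm's.
"""
import copy

# Constructed copy of the KasmVNC defaults shown above (commented-out keys omitted).
DEFAULT_DLP = {
    "data_loss_prevention": {
        "visible_region": {
            "concealed_region": {"allow_click_down": False, "allow_click_release": False},
        },
        "clipboard": {
            "delay_between_operations": "none",
            "allow_mimetypes": ["chromium/x-web-custom-data", "text/html", "image/png"],
            "server_to_client": {"enabled": True, "size": "unlimited",
                                 "primary_clipboard_enabled": False},
            "client_to_server": {"enabled": True, "size": "unlimited"},
        },
        "keyboard": {"enabled": True, "rate_limit": "unlimited"},
        "logging": {"level": "off"},
    }
}


def audit_dlp(policy):
    """Return findings for settings that leave an exfiltration path wide open."""
    dlp = policy["data_loss_prevention"]
    clip, findings = dlp["clipboard"], []
    if clip["server_to_client"]["enabled"] and clip["server_to_client"]["size"] == "unlimited":
        findings.append("clipboard.server_to_client.size is unlimited: bulk copy-out of session data")
    if clip["client_to_server"]["enabled"] and clip["client_to_server"]["size"] == "unlimited":
        findings.append("clipboard.client_to_server.size is unlimited: bulk paste-in from the client")
    if clip["delay_between_operations"] == "none":
        findings.append("clipboard.delay_between_operations is none: scripted clipboard loops are not throttled")
    if "image/png" in clip["allow_mimetypes"]:
        findings.append("clipboard allows image/png: screenshots of documents can be copied out")
    if dlp["keyboard"]["rate_limit"] == "unlimited":
        findings.append("keyboard.rate_limit is unlimited: typed-in payloads are not throttled")
    if dlp["logging"]["level"] == "off":
        findings.append("logging.level is off: clipboard and keyboard DLP events are not recorded")
    return findings


def harden_dlp(policy, clip_bytes=4096, clip_delay_ms=500, keys_per_second=20):
    """Return a hardened copy: bounded, throttled, text-only clipboard and DLP logging on."""
    hardened = copy.deepcopy(policy)
    dlp = hardened["data_loss_prevention"]
    clip = dlp["clipboard"]
    clip["delay_between_operations"] = clip_delay_ms     # assumed unit: milliseconds
    clip["allow_mimetypes"] = ["text/plain"]             # drop HTML and PNG payloads
    clip["server_to_client"]["size"] = clip_bytes        # assumed unit: bytes per update
    clip["client_to_server"]["size"] = clip_bytes
    dlp["keyboard"]["rate_limit"] = keys_per_second      # assumed unit: keys per second
    dlp["logging"]["level"] = "info"                     # record DLP decisions
    return hardened


def scalar(val):
    """Render a YAML scalar the way the KasmVNC config spells it."""
    return ("true" if val else "false") if isinstance(val, bool) else str(val)


def to_yaml(value, indent=0):
    """Minimal YAML emitter for the nested dict/list/scalar shapes used here."""
    pad, lines = "  " * indent, []
    if isinstance(value, dict):
        for key, val in value.items():
            if isinstance(val, (dict, list)) and val:
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml(val, indent + 1))
            else:
                lines.append(f"{pad}{key}: {scalar(val)}")
    elif isinstance(value, list):
        lines.extend(f"{pad}- {scalar(item)}" for item in value)
    return lines


if __name__ == "__main__":
    for finding in audit_dlp(DEFAULT_DLP):
        print("FINDING:", finding)
    print("\n".join(to_yaml(harden_dlp(DEFAULT_DLP))))
```

Running the block prints six findings against the defaults and then the hardened YAML, which can be mapped into the container at the KasmVNC configuration path via the File Mapping feature. The keyboard and clipboard limits do not stop a determined user typing data out by hand; they make bulk automated transfer slow and visible in the DLP log.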
## RDP DLP Policy
In addition to the Data Loss Prevention (DLP) capabilities within KasmVNC, the platform extends the same protections to Remote Desktop Protocol (RDP) sessions by providing both text- and image-based watermarking of remote desktop access.
```{eval-rst}
For more details, see :ref:`RDP Session Watermarking `.
```
## Web URL Filter
```{eval-rst}
The built-in :doc:`Web Filter <../guide/web_filtering>` feature allows the administrator to easily define and enforce URL filtering that is applied to Kasm Workspaces container-based sessions. Using these policies you can, for example, ensure that users are unable to visit file sharing sites, or can only visit an allow list of websites, from inside a Kasm Workspaces session.
```
## Environment Variables
```{eval-rst}
Container-based Workspaces accept environment variables that can be set in the :doc:`Workspace <../guide/workspaces>` definition under the **Docker Run Config Override** setting. The following table lists the available environment variables that are applicable to DLP for containerized Workspace environments.
```
| Name | Default | Description |
|------|---------|-------------|
| DLP_PROCESS_FAIL_SECURE | not set | If set to a value of `1`, the container will restart on the failure of any Kasm service running on the container. See the subsection below for more details. |
| KASM_SVC_AUDIO | not set | If set to `0`, the audio out service is not started. This provides additional protection, above disabling audio output in Kasm group settings, by reducing the attack surface area of the container and potential data extraction vectors. |
| KASM_SVC_AUDIO_INPUT | not set | If set to `0`, the audio in service is not started. This provides additional protection, above disabling audio input in Kasm group settings, by reducing the attack surface area of the container and potential data extraction vectors. |
| KASM_SVC_UPLOADS | not set | If set to `0`, the upload service is not started. This provides additional protection, above disabling uploads in Kasm group settings, by reducing the attack surface area of the container and potential data extraction vectors. |
| KASM_SVC_GAMEPAD | not set | If set to `0`, the gamepad service is not started. This provides additional protection, above disabling gamepad support in Kasm group settings, by reducing the attack surface area of the container and potential data extraction vectors. |
### Service Fail Secure
Container-based Workspace images run a number of services that support audio in, audio out, uploads, KasmVNC, gamepad and other features. When one of these processes crashes unexpectedly, the default behavior is simply to restart that process. When `DLP_PROCESS_FAIL_SECURE` is enabled, the entire container restarts instead. When the container restarts, all processes are terminated and everything in RAM is lost; everything on disk persists once the container is back up. This mode of recovery ensures that any memory-resident malware is lost, while work written to disk can be recovered.
The following **Docker Run Config Override** setting on a Workspace shows an example of enabling the `DLP_PROCESS_FAIL_SECURE` feature.
```json
{
  "hostname": "kasm",
  "environment": {
    "DLP_PROCESS_FAIL_SECURE": 1
  }
}
```
The following also disables the restart policy on the container. With the restart policy set to `no`, the container is destroyed immediately if a Kasm service process terminates during runtime, so anything not stored in a persistent profile or storage mapping is lost with it.
```json
{
  "hostname": "kasm",
  "environment": {
    "DLP_PROCESS_FAIL_SECURE": 1
  },
  "restart_policy": {
    "Name": "no"
  }
}
```
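The group-priority rule in the Group Settings section and the `KASM_SVC_*` variables in the table above describe two layers of the same control: the group setting gates a channel in the platform, and the environment variable stops the container service behind it from starting at all. The following added example (not Kasm's own code) ties the two together for the group settings and the fail-secure override discussed above. It assumes, as the page implies but does not spell out, that settings are merged per key, that where two groups set the same key the group with the lower priority value wins, and that a group which does not set a key does not participate for it. The group names, priorities and values are constructed sample data, and the mapping from `allow_kasm_microphone` to `KASM_SVC_AUDIO_INPUT` is our reading of the "audio in" service in the table.

```python
"""Resolve effective DLP group settings and derive a Docker Run Config Override
(added example, not Kasm's own code).

Assumptions (not stated on the page): per-key merge, lower priority value
wins, absent keys do not participate. Sample groups are constructed.
"""
import json

# DLP-relevant group settings mapped to the container service that implements
# the same channel (assumed mapping onto the KASM_SVC_* variables above).
CHANNEL_SERVICES = {
    "allow_kasm_audio": "KASM_SVC_AUDIO",
    "allow_kasm_microphone": "KASM_SVC_AUDIO_INPUT",
    "allow_kasm_uploads": "KASM_SVC_UPLOADS",
    "allow_kasm_gamepad": "KASM_SVC_GAMEPAD",
}
DLP_KEYS = (
    "allow_kasm_audio", "allow_kasm_microphone", "allow_kasm_clipboard_up",
    "allow_kasm_clipboard_down", "allow_kasm_downloads", "allow_kasm_uploads",
    "allow_kasm_gamepad", "allow_kasm_printing", "allow_kasm_sharing",
    "allow_kasm_webcam", "allow_user_storage_mapping",
)

# Constructed sample: a permissive catch-all group at priority 100 and a
# restricted group at priority 10 that overrides only some keys.
SAMPLE_GROUPS = [
    {"name": "All Users", "priority": 100,
     "settings": {key: True for key in DLP_KEYS}},
    {"name": "Restricted", "priority": 10,
     "settings": {"allow_kasm_clipboard_down": False, "allow_kasm_downloads": False,
                  "allow_kasm_uploads": False, "allow_kasm_audio": False,
                  "allow_kasm_sharing": False}},
]


def effective_settings(groups):
    """Per key, take the value from the lowest-priority-number group that defines it.

    Returns {key: (value, name_of_group_that_won)}.
    """
    resolved = {}
    for group in sorted(groups, key=lambda g: g["priority"]):
        for key, value in group["settings"].items():
            resolved.setdefault(key, (value, group["name"]))
    return resolved


def open_channels(groups):
    """DLP channels still enabled after merging, and which group left them on."""
    return {key: src for key, (val, src) in effective_settings(groups).items()
            if key in DLP_KEYS and val}


def docker_override(groups, base=None, fail_secure=True):
    """Build a Docker Run Config Override that stops the container services for
    channels the effective settings disable, on top of an existing override."""
    override = json.loads(json.dumps(base or {}))   # deep copy, JSON-safe
    env = override.setdefault("environment", {})
    settings = effective_settings(groups)
    for key, service in CHANNEL_SERVICES.items():
        if key in settings and settings[key][0] is False:
            env[service] = 0                        # service is never started
    if fail_secure:
        env["DLP_PROCESS_FAIL_SECURE"] = 1          # restart container on service crash
        override["restart_policy"] = {"Name": "no"} # ... and destroy it instead
    return override


if __name__ == "__main__":
    print("channels still open:", open_channels(SAMPLE_GROUPS))
    print(json.dumps(docker_override(SAMPLE_GROUPS, {"hostname": "kasm"}), indent=2))
```

With the sample data, the catch-all group at priority 100 silently re-opens microphone, clipboard-up, gamepad, printing, webcam and user storage mapping for members of the restricted group, because the restricted group never set those keys; `open_channels` makes that visible, and `docker_override` only disables the services for channels the merged policy actually turned off, so the container hardening cannot drift out of step with the group policy.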