Data Loss Prevention
There are many features of the Kasm Workspaces platform that lend themselves to the goal of preventing users from either taking data out of the Kasm Workspaces environment to their local system or from transferring data from their local system to the Kasm Workspaces environment. This guide covers the many disparate features and how they can be used together with these goals in mind.
Group Settings
Many features can be configured via group settings. Users can belong to multiple groups; where settings overlap, they are applied using each group's configured priority, and the group with the lower priority value takes precedence. This table covers the group settings that are related to data loss prevention. For example, allowing audio in and out provides additional avenues of potential data exfiltration.
| Setting | Description |
|---|---|
| allow_kasm_audio | Allow audio streaming for a Kasm. |
| allow_kasm_clipboard_down | Allows users to paste text from the Kasm to their local computer. |
| allow_kasm_clipboard_seamless | Allows users to copy and paste text without using the Kasm control panel. This feature is only available on Chrome and Chromium-based client browsers. |
| allow_kasm_clipboard_up | Allow users to paste from their local computer to the Kasm. |
| allow_kasm_downloads | Allow users to download files from a Kasm. On RDP local client workspaces this has no effect; see allow_kasm_rdp_client_file_transfer_clipboard. |
| allow_kasm_gamepad | Allow users to pass local gamepads into the Kasm session. See Gamepad Passthrough for more details. |
| allow_kasm_microphone | Allow microphone passthrough to a Kasm. When enabled, users can pass their local microphone through to the Kasm session. On RDP local client workspaces this only works with desktop editions of Windows. |
| allow_kasm_printing | Allow printing of documents using local printers. |
| allow_kasm_rdp_client_file_transfer_clipboard | This setting only applies to RDP client Kasm sessions. In RDP, file transfers are part of the clipboard, and independent directional control of file transfers is not possible. This setting enables file transfer in the directions in which the text clipboard has been enabled via allow_kasm_clipboard_down and allow_kasm_clipboard_up. |
| allow_kasm_rdp_map_local_drives | Allow sessions using the RDP Gateway to map client local drives into the RDP target. This is an all-or-nothing setting: when enabled, it maps all client drives into the RDP session. |
| allow_kasm_sharing | Allow the user to share access to their session with other users. See Session Sharing for more details. |
| allow_kasm_uploads | Allow users to upload files to a Kasm. On RDP local client workspaces this has no effect; see allow_kasm_rdp_client_file_transfer_clipboard. |
| allow_kasm_webcam | Allow webcam passthrough to a Kasm. When enabled, users can pass their local webcam through to the Kasm session. On RDP local client workspaces this only works with desktop editions of Windows. |
| allow_persistent_profile | Allow the use of persistent profiles if configured on the Workspace. See Persistent Profiles for details. |
| allow_user_storage_mapping | When enabled, the user is allowed to configure their own Storage Mappings via their profile. When disabled, new user configurations are not allowed, and any previously configured mappings are not used when new sessions are created. |
| enable_ui_server_logging | If enabled, log messages are sent from the client browser to the Kasm Workspaces server. |
| expose_user_environment_vars | Expose the KASM_USER and KASM_USER_ID environment variables inside the Kasm. |
| session_time_limit | The amount of time (in seconds) after which a session will automatically expire. A countdown timer is displayed to the user. |
| usage_limit | Limits the total number of hours a user or group can have running sessions. |
| web_filter_policy | Enables web filtering and sets the Web Filter Policy to be used. Policies can also be set or force-disabled on Workspaces. Policies assigned to Workspaces take priority over those defined via Group Settings. |
KasmVNC DLP Policy
While group settings provide basic on/off capability for features like the clipboard, KasmVNC DLP Policies allow for a greater level of control. For example, KasmVNC DLP settings allow for defining rate limits for the clipboard and keyboard input. For a full reference of the KasmVNC YAML configuration, see the KasmVNC Docs.
See our how-to guide on applying KasmVNC DLP Policies to a Kasm Workspace by utilizing the File Mapping feature.
The following shows the default settings for the DLP section of the KasmVNC configuration. For a detailed explanation of all settings, see the KasmVNC Docs, DLP Section.
```yaml
data_loss_prevention:
  visible_region:
    # top: 10
    # left: 10
    # right: -40
    # bottom: -40
    concealed_region:
      allow_click_down: false
      allow_click_release: false
  clipboard:
    delay_between_operations: none
    allow_mimetypes:
      - chromium/x-web-custom-data
      - text/html
      - image/png
    server_to_client:
      enabled: true
      size: unlimited
      primary_clipboard_enabled: false
    client_to_server:
      enabled: true
      size: unlimited
  keyboard:
    enabled: true
    rate_limit: unlimited
  logging:
    level: off
  watermark:
    # image: /etc/kasmvnc/picture.png
    # location: 10,10
    # tint: 255,20,20,128
    # repeat_spacing: 10
```
RDP DLP Policy
In addition to the existing Data Loss Prevention (DLP) capabilities within KasmVNC, the platform extends its security measures to Remote Desktop Protocol (RDP) sessions by providing both text-based and image-based watermarking of remote desktop access.
For more details, see RDP Session Watermarking.
Web URL Filter
The built-in Web Filter feature allows the administrator to easily define and enforce URL filtering that is applied to Kasm Workspaces container based sessions. Using these policies you can, for example, ensure that users are unable to visit file sharing sites or only visit a whitelist of websites from inside a Kasm Workspaces session.
Environmental Variables
Container based Workspace environments have environmental variables that can be set in the Workspace definition under the Docker Run Config Override setting. The following table shows a listing of available environmental variables that are applicable to DLP for containerized Workspace environments.
| Name | Default | Description |
|---|---|---|
| DLP_PROCESS_FAIL_SECURE | not set | If set to a value of |
| KASM_SVC_AUDIO | not set | If set to |
| KASM_SVC_AUDIO_INPUT | not set | If set to |
| KASM_SVC_UPLOADS | not set | If set to |
| KASM_SVC_GAMEPAD | not set | If set to |
Service Fail Secure
Container based Workspace images have a number of services running that support audio in, audio out, uploads, KasmVNC, gamepad, and other features. When one of these processes crashes unexpectedly, the default behavior is to merely restart it. When DLP_PROCESS_FAIL_SECURE is enabled, the entire container restarts instead. When the container restarts, all processes are terminated and everything in RAM is lost; everything on disk persists once the container restarts. This mode of recovery ensures that potential memory-resident malware is lost, while work written to disk can be recovered.
The following Docker Run Override setting on a Workspace image shows an example of enabling the DLP_PROCESS_FAIL_SECURE feature.
```json
{
  "hostname": "kasm",
  "environment": {
    "DLP_PROCESS_FAIL_SECURE": 1
  }
}
```
The following shows how to also disable the restart policy on the container; this results in the container being immediately destroyed if a Kasm service process terminates during runtime.
```json
{
  "hostname": "kasm",
  "environment": {
    "DLP_PROCESS_FAIL_SECURE": 1
  },
  "restart_policy": {
    "Name": "no"
  }
}
```