Data Loss Prevention

There are many features of the Kasm Workspaces platform that lend themselves to the goal of preventing users from either taking data out of the Kasm Workspaces environment to their local system or from transferring data from their local system to the Kasm Workspaces environment. This guide covers the many disparate features and how they can be used together with these goals in mind.

Group Settings

Many features can be configured via group settings. Users can belong to multiple groups, overlapping settings are applied using the group’s configured priority. The Group with the lower priority value takes precedent. This table covers the group settings which are related to data loss prevention. For example, allowing audio in and out provides additional avenues of potential data exhilaration.

administrator

Allows users to see and edit all attributes of the Kasm application.

allow_kasm_audio

Allow audio streaming for a Kasm.

allow_kasm_clipboard_down

Allows users to paste text from the Kasm to their local computer.

allow_kasm_clipboard_seamless

Allows users to copy and paste text without using Kasm control panel.

This feature is only available on Chrome and Chromium-based client browsers

allow_kasm_clipboard_up

Allow users to paste from their local computer to the Kasm.

allow_kasm_downloads

Allow users to download files from a Kasm.

allow_kasm_gamepad

Allow users to pass local gamepads into the Kasm session. See Gamepad Passthrough for more details.

allow_kasm_microphone

Allow microphone passthrough to a Kasm. When enabled, users can pass their local microphone through to the Kasm session.

allow_kasm_sharing

Allow the user to share access to their session with other users. See Session Sharing for more details.

allow_kasm_uploads

Allow users to upload files to a Kasm.

allow_persistent_profile

Allow the use of persistent profiles if configured on the Workspace. See Persistent Profiles for details

enable_ui_server_logging

If enabled, log messages will be sent from client browser to the Kasm Workspaces server.

expose_user_environment_vars

Expose KASM_USER and KASM_USER_ID environment variables inside the Kasm.

session_time_limit

The amount of time (in seconds) a session will automatically expire. A countdown timer will be displayed to the user.

usage_limit

Limits the total number of hours a user or group can have running sessions.

Type
  • Per User - Each user of the group has their own limit.

  • Per Group - All members share the usage limit.

Interval
  • Daily , Weekly , Monthly , Total.

Hours
  • The number of hours allowed during each interval.

web_filter_policy

Enabled web filtering and sets the Web Filter Policy to be used. Policies can also be set or force disabled on Workspaces. Policies assigned to Workspaces take priority over those defined via Group Settings.

KasmVNC DLP Policy

While group settings provide basic on/off capability for features like the clipboard, KasmVNC DLP Policies allow for a greater level of control. For example, KasmVNC DLP settings allow for defining rate limits for the clipboard and keyboard input. For a full reference of the KasmVNC YAML configuration, see the KasmVNC Docs.

See our how-to guide on Applying KasmVNC DLP Policies to a Kasm Workspaces by utilizing the File Mapping feature.

The following shows the default settings for the DLP section of the KasmVNC configuration. For a detailed explanation of all settings, see the KasmVNC Docs, DLP Section.

data_loss_prevention:
  visible_region:
    # top: 10
    # left: 10
    # right: -40
    # bottom: -40
    concealed_region:
      allow_click_down: false
      allow_click_release: false
  clipboard:
    delay_between_operations: none
    allow_mimetypes:
      - chromium/x-web-custom-data
      - text/html
      - image/png
    server_to_client:
      enabled: true
      size: unlimited
      primary_clipboard_enabled: false
    client_to_server:
      enabled: true
      size: unlimited
  keyboard:
    enabled: true
    rate_limit: unlimited
  logging:
    level: off
  watermark:
    # image: /etc/kasmvnc/picture.png
    # location: 10,10
    # tint: 255,20,20,128
    # repeat_spacing: 10

Web URL Filter

The built-in Web Filter feature allows the administrator to easily define and enforce URL filtering that is applied to Kasm Workspaces container based sessions. Using these policies you can, for example, ensure that users are unable to visit file sharing sites or only visit a whitelist of websites from inside a Kasm Workspaces session.

Environmental Variables

Container based Workspace environments have environmental variables that can be set in the Workspace definition under the Docker Run Config Override setting. The following table shows a listing of available environmental variables that are applicable to DLP for containerized Workspace environments.

Name

Default

Description

DLP_PROCESS_FAIL_SECURE

not set

If set to a value of 1, the container will restart on the failure of any Kasm service running on the container. See the subsection below for more details.

KASM_SVC_AUDIO

not set

If set to 0, the audio out service is not started. This provides additional protection, above disabling audio output in Kasm group settings, by reducing the attack surface area of the container and potential data extraction vectors.

KASM_SVC_AUDIO_INPUT

not set

If set to 0, the audio in service is not started. This provides additional protection, above disabling audio input in Kasm group settings, by reducing the attack surface area of the container and potential data extraction vectors.

KASM_SVC_UPLOADS

not set

If set to 0, the upload in service is not started. This provides additional protection, above disabling uploads in Kasm group settings, by reducing the attack surface area of the container and potential data extraction vectors.

KASM_SVC_GAMEPAD

not set

If set to 0, the gamepad in service is not started. This provides additional protection, above disabling gamepad support in Kasm group settings, by reducing the attack surface area of the container and potential data extraction vectors.

Service Fail Secure

Container based Workspace images have a number of services running that support audio in, audio out, uploads, KasmVNC, game pad, and other features. When one of these processes crash unexpectedly, the default behavior is to merely restart them. When DLP_PROCESS_FAIL_SECURE is enabled, the entire container will instead restart. When the container restarts, all processes are terminated and everything in RAM is lost. Everything on disk will persist once the container restarts. This mode of recovery ensures that potential memory resident malware is lost, but work written to the disk can be recovered.

The following Docker Run Override setting on a Workspace image shows an example of enabling the DLP_PROCESS_FAIL_SECURE feature.

{
  "hostname": "kasm",
  "environment": {
    "DLP_PROCESS_FAIL_SECURE": 1
  }
}

The following shows how to also disable the restart policy on the container, this will result in the container being immediately destroyed if a Kasm service process terminates during runtime.

{
  "hostname": "kasm",
  "environment": {
    "DLP_PROCESS_FAIL_SECURE": 1
  },
  "restart_policy": {
    "Name": "no"
  }
}