Well, it certainly can be done. It's just a matter of if you want that to be your policy. It's more of a policy decision than a technological one.
Take a look at this video on box.com to see some of the things you can do with MWG.
Part 2 of the demo shows some things about making sites read-only.
Yes. Have done pretty much exactly what you're asking about.
Using Dropbox as example...
Client tries to go to the Dropbox site to download a file and is presented with a coaching page that includes the corporate acceptable use policy, a reiteration that data on the target service may be stored in multiple countries and that file upload and/or creation is prohibited, and how frequently the coaching page will reappear.
The page also states that if the client selects the "I Accept" button on the coaching page, they are confirming their acceptance of the specific terms that have been highlighted + the corporate acceptable use policy. Once they select I Accept, they will be redirected to the page originally requested.
There are multiple ways to implement this technically, but my solution looks something like this:
Web Content Filter
-- Coaching, criteria = Always
-- Dropbox Download, criteria = URL.Host.BelongsToDomains (Dropbox) equals true and URL.Categories<Default> contains Personal Network Storage. Dropbox domains are defined as dropbox.com and dd.tt.
-- Coaching Redirect (Dropbox Download), criteria = Quota.Coaching.IsActivationRequest.Strict<Dropbox Download> equals true, action = Redirect
-- Coaching AUP (Dropbox Download), criteria = Quota.Coaching.SessionExceeded<Dropbox Download> equals true, action = Block <AUP Dropbox Download> -- this file contains my display text and the activation of coaching via: <input class="button" type="button" id="activatebutton" value="I accept." onClick="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.coaching.js.activatesession"/>$">
-- Upload Block (Dropbox Download), criteria = (Command.Name equals "POST" OR Command.Name equals "PUT") AND (URL.Path does not match in list Read-Only Exceptions AND Media.Type.EnsuredTypes none in list Media Types for Normal Operations), action = Block<Block Upload>. Read-Only Exceptions includes several wildcard expressions: *login*, *logon*, *logout*, *logoff*, *auth*, *browse*, *comments*, *signup*. Media Types for Normal Operations includes: application/x-empty and application/x-www-form-urlencoded
-- Coaching Check (Dropbox Download), criteria = Quota.Coaching.SessionExceeded<Dropbox Download> equals false, action = Stop Rule Set, events = set User-Defined.CoachedDownloadDropbox = true
The rule set above handles the coaching portion and the upload block.
-- Exceptions (at same level as Coaching), criteria = Always
-- Dropbox Download Exception, criteria = URL.Host.BelongsToDomains (Dropbox) equals true AND User-Defined.CoachedDownloadDropbox equals true, action = Stop Rule Set, events = set User-Defined.CategoryException = true
The rule set above takes criteria from the original request and sets a new user defined property.
-- Standard Policy, criteria = User-Defined.CategoryException equals false
...normal category block rules based on which categories you are blocking
The rule set above is skipped if the user defined property of CategoryException is true.
CAVEATS and NOTES:
- It's relatively easy to implement this on Dropbox, but there are other sites classified as Personal Network Storage that require much more tweaking of the upload blocking -- Google Docs, for example.
- This rule set does not absolutely guarantee that you won't leak data. By the nature of how things work, you have to permit x-www-form-urlencoded so that logins to sites will succeed, so there's some risk there: it is not easily verifiable that the data sent via that method is not data that you don't want leaked.
- Theoretically, you could do a blanket rule for the Personal Network Storage category, but that might not catch all the possibilities (see above re: Google Docs).
- You cannot use the original User-Defined.Coached* property as your determining factor for bypassing the standard policy blocks -- that would mean that if someone had been coached for anything, they would then bypass the standard policy blocks for everything.
- There is probably a more elegant way to do this.
Trying to revive this post.
I tried creating a rule for blocking only the upload as stated by btlyric. But I could still upload files after I set the rules.
I didn't include the coaching rule set since I just need to block the upload and no coaching is needed.
I did the exact rule under "Upload Block" of the above response.
Is there any rule that I should enable or check first? Say with the SSL Scanner?
I checked the rule trace, and it says there the upload block rule didn't meet my criteria.
The Command.Name of POST and PUT shows a "false" result.
I attached a set of rules that can be imported into 22.214.171.124-16052 and above.
Here's the basic rule set. It globally blocks POSTing to the specific categories except for certain users or groups you define. It does not have all the coaching stuff talked about above.
Rule Set: Read Only: Web (Disabled)
Applies to: Requests (not Responses, not Embedded Objects)
Criteria: Command.Name equals "POST"
Rules (all Enabled):
-- ReadOnly: Allowed Users or ReadOnly: Allowed Groups, criteria = Authentication.UserName is in list ReadOnly: Allowed Users OR Authentication.UserGroups at least one in list ReadOnly: Allowed Groups, action = Stop Rule Set -- Exception: users or groups that are allowed to POST
-- ReadOnly: Allowed Domains or ReadOnly: Allowed URLs, criteria = URL.Host.BelongsToDomains(ReadOnly: Allowed Domains) equals true OR URL matches in list ReadOnly: Allowed URLs, action = Stop Rule Set -- Exception: domains or URLs that are allowed to POST
-- ReadOnly: Categories, criteria = URL.Categories<URL Filter: Default> at least one in list ReadOnly: Categories, action = Block<Application Control>, events = Statistics.Counter.Increment("BlockedByApplControl",1)<Default> -- Categories that are not allowed to POST
-- ReadOnly: Applications, criteria = Application.Name is in list ReadOnly: Applications, action = Block<Application Control>, events = Statistics.Counter.Increment("BlockedByApplControl",1)<Default> -- Applications that are not allowed to POST
-- ReadOnly: Domains or ReadOnly: URLs, criteria = URL.Host.BelongsToDomains(ReadOnly: Domains) equals true OR URL matches in list ReadOnly: URLs, action = Block<Application Control> -- Domains that are not allowed to POST
List ReadOnly: Categories: 1. Blogs / Wiki, 2. Personal Network Storage
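As an added example (not code from this thread or from MWG itself), here is a small Python model of the rule logic in btlyric's Upload Block rule and in the Read Only: Web rule set above; the user, group and domain list contents are assumed, and fnmatch stands in for MWG's wildcard matching. It shows why the Stop Rule Set exceptions must sit above the block rules, and why a form-urlencoded body to a non-exception path still passes, which is the leak risk btlyric noted.

```python
"""Constructed model (not an MWG export) of btlyric's 'Upload Block' rule and the
posted 'Read Only: Web' set; list contents marked 'assumed' are made up."""
from dataclasses import dataclass
from fnmatch import fnmatch

# Lists quoted in btlyric's Upload Block rule (fnmatch stands in for MWG wildcards)
READ_ONLY_EXCEPTIONS = ["*login*", "*logon*", "*logout*", "*logoff*",
                        "*auth*", "*browse*", "*comments*", "*signup*"]
MEDIA_TYPES_NORMAL = {"application/x-empty", "application/x-www-form-urlencoded"}
# Lists named in the 'Read Only: Web' export (user/group/domain contents assumed)
ALLOWED_USERS, ALLOWED_GROUPS = {"svc_publisher"}, {"Marketing-Editors"}
ALLOWED_DOMAINS = {"intranet.example.com"}
READONLY_CATEGORIES = {"Blogs / Wiki", "Personal Network Storage"}
READONLY_DOMAINS = {"dropbox.com", "dd.tt"}

@dataclass
class Request:
    method: str
    host: str
    path: str = "/"
    media_type: str = "application/x-empty"
    user: str = ""
    groups: frozenset = frozenset()
    categories: frozenset = frozenset()

def belongs_to_domains(host, domains):
    # URL.Host.BelongsToDomains: exact match or a subdomain of a listed domain
    return any(host == d or host.endswith("." + d) for d in domains)

def upload_block(req):
    """True when the Upload Block rule fires: POST/PUT to a non-exception path
    with a body type outside the 'normal operations' list."""
    if req.method not in ("POST", "PUT"):
        return False
    if any(fnmatch(req.path, pat) for pat in READ_ONLY_EXCEPTIONS):
        return False
    return req.media_type not in MEDIA_TYPES_NORMAL

def read_only_web(req):
    """Top-down evaluation of the posted set; returns (decision, deciding rule).
    Stop Rule Set on an exception means the later block rules never run."""
    if req.method != "POST":                       # rule set criteria
        return "allow", "rule set not applicable"
    if req.user in ALLOWED_USERS or set(req.groups) & ALLOWED_GROUPS:
        return "allow", "Allowed Users or Groups (Stop Rule Set)"
    if belongs_to_domains(req.host, ALLOWED_DOMAINS):
        return "allow", "Allowed Domains or URLs (Stop Rule Set)"
    if set(req.categories) & READONLY_CATEGORIES:
        return "block", "ReadOnly: Categories"
    if belongs_to_domains(req.host, READONLY_DOMAINS):
        return "block", "ReadOnly: Domains or URLs"
    return "allow", "no rule matched"
```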