Just for grins, say I'm getting beaten on for blocking cloud storage like Dropbox and Skydrive. (I am.) We are concerned about data leakage, but so many partners including other agencies are sending my users links to files.
I was wondering if anybody has implemented rules that permit read-only access to personal network storage sites, but block uploading of files. I think this could resolve about 90% of the griping I hear. I'm not really enjoying having a shouting match with an executive over what I assume he thinks is my power trip, rather than trying to reduce risk...
Well, it certainly can be done. It's just a matter of if you want that to be your policy. It's more of a policy decision than a technological one.
Take a look at this video on box.com to see some of the things you can do with MWG.
Part 2 of the demo shows some things about making sites read-only.
Yes. Have done pretty much exactly what you're asking about.
Using Dropbox as example...
The client tries to go to the Dropbox site to download a file and is presented with a coaching page that includes the corporate acceptable use policy, a reiteration that data on the target service may be stored in multiple countries, a statement that file upload and/or creation is prohibited, and how frequently the coaching page will reappear.
The page also states that if the client selects the "I Accept" button on the coaching page, they are confirming their acceptance of the specific terms that have been highlighted plus the corporate acceptable use policy. Once they select "I Accept", they will be redirected to the page originally requested.
There are multiple ways to implement this technically, but my solution looks something like this:
Web Content Filter
-- Coaching, criteria = Always
-- Dropbox Download, criteria = URL.Host.BelongsToDomains (Dropbox) equals true and URL.Categories<Default> contains Personal Network Storage. Dropbox domains are defined as dropbox.com and dd.tt.
-- Coaching Redirect (Dropbox Download), criteria = Quota.Coaching.IsActivationRequest.Strict<Dropbox Download> equals true, action = Redirect
-- Coaching AUP (Dropbox Download), criteria = Quota.Coaching.SessionExceeded<Dropbox Download> equals true, action = Block <AUP Dropbox Download> -- this file contains my display text and the activation of coaching via: <input class="button" type="button" id="activatebutton" value="I accept." onClick="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.coaching.js.activatesession"/>$">
-- Upload Block (Dropbox Download), criteria = (Command.Name equals "POST" OR Command.Name equals "PUT") AND (URL.Path does not match in list Read-Only Exceptions AND Media.Type.EnsuredTypes none in list Media Types for Normal Operations), action = Block<Block Upload>. Read-Only Exceptions includes several wildcard expressions: *login*, *logon*, *logout*, *logoff*, *auth*, *browse*, *comments*, *signup*. Media Types for Normal Operations includes: application/x-empty and application/x-www-form-urlencoded
-- Coaching Check (Dropbox Download), criteria = Quota.Coaching.SessionExceeded<Dropbox Download> equals false, action = Stop Rule Set, events = set User-Defined.CoachedDownloadDropbox = true
The rule set above handles the coaching portion and the upload block.
-- Exceptions (at same level as Coaching), criteria = Always
-- Dropbox Download Exception, criteria = URL.Host.BelongsToDomains (Dropbox) equals true AND User-Defined.CoachedDownloadDropbox equals true, action = Stop Rule Set, Events = Set User-Defined CategoryException = true
The rule set above takes criteria from the original request and sets a new user defined property.
-- Standard Policy, criteria = User-Defined.CategoryException equals false
...normal category block rules based on which categories you are blocking
The rule set above is skipped if the user defined property of CategoryException is true.
CAVEATS and NOTES:
- It's relatively easy to implement this on Dropbox, but there are other sites classified as Personal Network Storage that require much more tweaking of the upload blocking -- Google Docs, for example.
- This rule set does not absolutely guarantee that you won't leak data. By the nature of how things work, you have to permit x-www-form-urlencoded so that logins to sites will succeed, so there's some risk there, in that it is not easily verifiable that the data sent via that method is not data that you don't want leaked.
- Theoretically, you could do a blanket rule for the Personal Network Storage category, but that might not catch all the possibilities (see above re: Google Docs).
- You cannot use the original User-Defined.Coached* property as your determining factor for bypassing the standard policy blocks -- that would mean that if someone had been coached for anything, they would then bypass the standard policy blocks for everything.
- There is probably a more elegant way to do this.
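The "Upload Block" criteria above, written out as a plain Python function so the Read-Only Exceptions and Media Types lists can be tested offline. This is an added example, not btlyric's rules or the MWG engine; the Request type and the sample traffic are constructed for illustration, and the last sample shows the x-www-form-urlencoded caveat from the notes.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Lists from the post: URL.Path wildcards and media types that are
# expected during normal site operation (login, browsing, ...).
READ_ONLY_EXCEPTIONS = ["*login*", "*logon*", "*logout*", "*logoff*",
                        "*auth*", "*browse*", "*comments*", "*signup*"]
MEDIA_TYPES_NORMAL_OPS = {"application/x-empty",
                          "application/x-www-form-urlencoded"}
UPLOAD_METHODS = {"POST", "PUT"}


@dataclass(frozen=True)
class Request:
    method: str      # Command.Name
    path: str        # URL.Path
    media_type: str  # Media.Type.EnsuredTypes, simplified to a single type


def blocks_upload(req: Request) -> bool:
    """True when the Upload Block criteria match (request is blocked):
    (POST or PUT) AND path not in Read-Only Exceptions
    AND media type none in Media Types for Normal Operations."""
    if req.method.upper() not in UPLOAD_METHODS:
        return False
    if any(fnmatch(req.path.lower(), pat) for pat in READ_ONLY_EXCEPTIONS):
        return False
    if req.media_type.lower() in MEDIA_TYPES_NORMAL_OPS:
        return False
    return True


def evaluate(requests):
    """Return (method, path, verdict) for each request."""
    return [(r.method, r.path, "BLOCK" if blocks_upload(r) else "ALLOW")
            for r in requests]


# Constructed sample traffic, not captured from a real session.
SAMPLES = [
    Request("GET", "/s/abc123/report.pdf", "application/pdf"),
    Request("POST", "/login", "application/x-www-form-urlencoded"),
    Request("POST", "/upload", "multipart/form-data"),
    Request("PUT", "/files/secret.docx", "application/octet-stream"),
    # The caveat from the post: a form-urlencoded body passes on any path.
    Request("POST", "/api/notes", "application/x-www-form-urlencoded"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLES):
        print(*row)
```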
Trying to revive this post.
I tried creating a rule for blocking only the upload as stated by btlyric. But I could still upload files after I set the rules.
I didn't include the coaching ruleset since I just need to block the upload and no coaching is needed.
I did the exact rule under "Upload Block" of the above response.
Is there any rule that I should enable or check first? Say with the SSL Scanner?
I checked the rule trace, and it says there the upload block rule didn't meet my criteria.
The Command.Name of POST and PUT shows a "false" result.
Can you possibly include the XML ruleset for this? I've tried to replicate it and can't seem to get it working. Any assistance is appreciated. This is a *brilliant* idea.
I attached a set of rules that can be imported into 220.127.116.11-16052 and above.
Here's the basic rule set. It globally blocks POSTing to the specific categories except for certain users or groups you define. It does not have all the coaching stuff talked about above.
1. Blogs / Wiki
2. Personal Network Storage
Message was edited by: eelsasser on 1/9/14 7:51:03 PM EST
If there is significant interest, I will try to find the time to dump my ruleset and clean it up for public consumption.
Yes please also... This is an issue we are encountering within our Organisation. It would be a massive assist to see your Ruleset Output.
This looks great. My work is blocking SlideShare.net -- because it allows registered users to upload documents. I just want people to see the presentations. Could this Read Only Rule allow anyone to see a website, but prevent them from uploading documents?