I would try not to block the POSTs that are used for uploading videos. Instead, I would block all POSTs and build some exceptions for required POSTs such as login and search. The good thing is, if the URLs change you will not accidentally allow the restricted group to fully use Youtube, but if something changes the worst thing that could happen is that they are blocked when trying to login or search.
If the users are missing their rights they will call the help desk and the administrators will notice that changes may be required. If they find out that they can suddenly access everything they will not tell anyone and you will never notice :-)
Is AD Group 1 basically allowed to do everything?
What does "read-only" mean? Technically logging in with your account and searching are also "write" operations. Should such common things be allowed?
Andre - Thank you for your feedback.
I understand your recommendation as being a more secure way to implement the restriction. Unfortunately it still has me maintaining login URLs and search URLs should they change.
Would it make sense to create a policy that limits POST by the size? So AD group1 = unlimited size, which would include uploads. AD group2 = limited to the size of a comment post (500 characters). The last group of read-only would be a challenge if search is allowed (and I assume it would be).
I did suggest limiting video uploads only to our company owned channels, but that idea was shot down.
Regarding your rights question for "read-only", I believe search would be allowed, but login is unknown. I will have to circle back around to my security area to see exactly what they want to allow.
You are right, maintaining the list of paths is the question here. We could be happy and Youtube will never change the paths, but no one can tell. If they want they could change it every day :-(
Limiting the POSTs by size may be a good idea. You can limit them to just a few KB, which should be suitable for logging in and/or searching. I just did a quick try with the following rule:
(note that you need to wrap some rules around it to restrict this to Youtube :-))
The result is that I can search and login (didn't try commenting...). When I upload, the requests are blocked:
It needs some more tweaking, but maybe it is something you can start with.
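As an added illustration (not the gateway rule from the post above, which is not reproduced here), the decision logic of such a size-based POST policy written out in Python, with the three AD groups from this thread; the group names, the 1 KB / 2 KB ceilings and the host match are assumptions. It also shows the fail-closed handling of a POST that carries no Content-Length, which a size rule cannot check up front.

```python
"""Decision logic for a size-based YouTube POST policy (added illustration).

Models the three groups discussed in the thread: Group1 may upload videos,
Group2 may send comment-sized bodies, Group3 is read-only apart from small
login/search POSTs. Ceilings and host names are assumptions, not a real rule.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

KB = 1024
YOUTUBE_DOMAIN = "youtube.com"  # constructed: the host suffix this policy applies to

# Largest POST body each group may send to YouTube; None means unlimited.
POST_CEILING = {
    "AD-Group1": None,    # full access, video uploads allowed
    "AD-Group2": 2 * KB,  # room for a ~500-character comment plus form fields
    "AD-Group3": 1 * KB,  # read-only: only small login/search POSTs get through
}


@dataclass
class Request:
    group: str
    method: str
    host: str
    content_length: Optional[int]  # None when the client sent no Content-Length


def is_youtube(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host == YOUTUBE_DOMAIN or host.endswith("." + YOUTUBE_DOMAIN)


def decide(req: Request) -> Tuple[str, str]:
    """Return ("allow" | "block", reason). Unknown groups and unsized POSTs fail closed."""
    if not is_youtube(req.host):
        return "allow", "not YouTube, outside this rule set"
    if req.method.upper() != "POST":
        return "allow", "read request"
    if req.group not in POST_CEILING:
        return "block", "unknown group, default deny"
    ceiling = POST_CEILING[req.group]
    if ceiling is None:
        return "allow", "group may upload"
    if req.content_length is None:
        # Chunked or missing Content-Length: the body size cannot be checked
        # before the upload starts, so a size-limited group is blocked.
        return "block", "POST without Content-Length cannot be size-checked"
    if req.content_length <= ceiling:
        return "allow", f"POST body {req.content_length} B within {ceiling} B ceiling"
    return "block", f"POST body {req.content_length} B exceeds {ceiling} B ceiling"
```

Whatever product you use, keep the size check nested inside the rule that already matched YouTube, as Andre notes, so it never touches POSTs to other sites.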
Andre - Once again, thank you for the feedback.
I have created a rule set that I am currently testing (see below). This particular rule set is part of the application control/YouTube Application rule set. I am using that to identify the YouTube traffic. Once in that logic tree, I am just looking for POST entries and then applying conditions as appropriate.
I am going to demo this for our security and business teams to solicit feedback, but I think I am on the right path.