4 Replies Latest reply on Mar 12, 2013 12:21 PM by ctsean

    Conditionally allow YouTube uploads

    ctsean

      I am looking for assistance on a YouTube blocking issue.  I have implemented the YouTube application controls but need to expand upon the controls to meet our security policy.  I am trying to solve the following requirements:

       

      1. AD Group 1 is allowed to upload video and comment on user videos
      2. AD Group 2 is allowed to comment on user videos only
      3. Default for everyone else is read only

       

      I understand it will involve blocking POSTs to URL(s), but that is where my issue comes in.  What is the best way to identify video uploading URLs so I can differentiate controls from group 1 and group 2?  Is there a list of the possible YouTube upload sites and what would be the best way to maintain it?  Is there a better way to solve this problem?  I have identified “upload.youtube.com” and “https://www.youtube.com/my_videos_upload” so far. 

       

      Has anyone else already solved this problem?  Any insight would be greatly appreciated

       

      Thank you,
      -Sean

        • 1. Re: Conditionally allow YouTube uploads
          asabban

          Hello,

           

          I would try not to block the POSTs that are used for uploading videos. Instead I would block all POSTs and build some exceptions for required POSTs such as login and search. The good thing is, if the URLs change you will not accidentally allow the restricted group to fully use Youtube, but if something changes the worst thing that could happen is that they are blocked when trying to login or search.

           

          If the users are missing their rights they will call the help desk and the administrators will notice that changes may be required. If they find out that they can suddently access everything they will not tell anyone and you will never notice :-)

           

          Is AD Group 1 basically allowed to do everything?

          What does "read-only" mean? Technically logging in with your account and searching are also "write" operations. Should such common things be allowed?

           

          Best,

          Andre

          • 2. Re: Conditionally allow YouTube uploads
            ctsean

            Andre - Thank you for your feedback.

             

            I understand your recommendation as being a more secure way to implement the restriction.  Unfortunately it still has me maintaining login URLs and search URLs should they change. 

             

            Would it make sense to create a policy that limits POST by the size?  So AD group1 = unlimited size which would include uploads.  AD group2 = limited to the size of a comment post (500 characters).  The last group of read-only would be challenge if search is allowed (and I assume it would be).

             

            I did suggest limiting video uploads only to our company owned channels, but that idea was shot down.

             

            Regarding your rights question for "read-only", I believe search would be allowed, but login is unknown.  I will have to circle back around to my security area to see exactly what they want to allow.

             

            Thanks again,

            -Sean

            • 3. Re: Conditionally allow YouTube uploads
              asabban

              Hi Sean,

               

              you are right, maintaining the list of paths is the question here. We could be happy and Youtube will never change the paths, but no one can tell. If they want they could change it every day :-(

               

              Limiting the POSTs by size may be a good idea. You can limit them to just a few KB which should be suitable for logging in and/or searching.  I just did a quick try with the following rule:

               

              Auswahl_242.png

              (note that you need to wrap some rules around it to restrict this to Youtube :-))

               

              The result is that I can search and login (didn't try commenting...). When I upload the requests are blocked:

               

              Auswahl_241.png

               

              It needs some more tweaking, but maybe it is something you can start with.

               

              Best,

              Andre

              • 4. Re: Conditionally allow YouTube uploads
                ctsean

                Andre - Once again, thank you for the feedback. 

                 

                I have created a rule set that I am currently testing (see below).  This particular rule set is part of the application control/YouTube Application rule set.  I am using that to identify the YouTube traffic.  Once in that logic tree, I am just looking for POST entries and then applying conditions as appropriate. 

                 

                I am going to demo this for our security and business teams to solicit feedback, but I think I am on the right path.

                 

                Thanks again,

                -Sean

                 

                 

                 

                POST-Block-Policy.JPG