Skip to content

Data Loss Prevention

mmcclaskey edited this page Oct 28, 2021 · 4 revisions

Data Loss Prevention

KasmVNC has added a lot of data loss prevention (DLP) features. These protections are intended to provide more control to administrators to keep users from using KasmVNC to exfiltrate data or bring in potentially malicious binaries.

Regions

The regions feature allows you to select a region of the screen to render to the user. Non-selected portions of the screen will be blacked out.

Absolute Coordinates

Select a region of the screen with x and y absolute coordinates.

-DLP_Region x1,y1,x2,y2

Offset Coordinates

Use negative numbers to offset from boundary. For x1 and y1, this means 0 plus the provided number. In the below example that would be 10. For x2 and y2, that means the maximum x or y resolution minus the provided number. If the resolution was 1080x720 in the below example that would equate to an x2 of 1070 and y2 of 710. Therefore, the example below would be translated to 10,10,1070,710. Using offset coordinates has an advantage of scaling with screen size changes versus using absolute values.

-DLP_Region -10,-10,-10,-10

You can combine absolute values with offset values, such as the following exmaple.

-DLP_Region 50,10,-10,-10

Percentages

Regions does support percent values, which are evaluated as a border that is a percent of the total width and height respectively. Regions does not support mixing percent values and absolute or offset values.

-DLP_Region 10%,10%,20%,20%

Allow Clicking in Unselected Regions

Use the following option to allow mouse button down events within the non-selected regions, by default they are blocked.

-DLP_RegionAllowClick

Allow Click Releases in Unselected Regions

Use the following option to allow mouse button releases within a non-selected region, by default they are blocked until the cursor returns to the selected region.

-DLP_RegionAllowRelease

Clipboard Protections

Server to Client Clipboard

Limit clipboard bytes to send to clients in one transaction. Default 10,000, 0 disables the feature.

-DLP_ClipSendMax 10000

Enable/Disable clipboard from server to client. Default is 1, enabled.

-SendCutText 1

Client to Server Clipboard

Limit clipboard bytes to receive from clients in one transaction. Default 10,000, 0 disables feature.

-DLP_ClipAcceptMax 10000

Enable/Disable clipboard from client to server. Default is 1, enabled.

-AcceptCutText 1

Clipboard Operation Delay

This many milliseconds must pass between clipboard actions. Default 1000.

-DLP_ClipDelay 1000

Keyboard Protections

Keyboard Rate Limit

Reject keyboard presses over this many per second. Default 0 (disabled).

-DLP_KeyRateLimit 0

DLP Logging

Log clipboard and keyboard actions. Info logs just clipboard direction and size, verbose logs keystrokes and clipboard content.

-DLP_Log (off|info|verbose)