-
Notifications
You must be signed in to change notification settings - Fork 311
Data Loss Prevention
KasmVNC has added a lot of data loss prevention (DLP) features. These protections are intended to provide more control to administrators to keep users from using KasmVNC to exfiltrate data or bring in potentially malicious binaries.
The regions feature allows you to select a region of the screen to render to the user. Non-selected portions of the screen will be blacked out.
Select a region of the screen with x and y absolute coordinates.
-DLP_Region x1,y1,x2,y2
Use negative numbers to offset from boundary. For x1 and y1, this means 0 plus the provided number. In the below example that would be 10. For x2 and y2, that means the maximum x or y resolution minus the provided number. If the resolution was 1080x720 in the below example that would equate to an x2 of 1070 and y2 of 710. Therefore, the example below would be translated to 10,10,1070,710. Using offset coordinates has an advantage of scaling with screen size changes versus using absolute values.
-DLP_Region -10,-10,-10,-10
You can combine absolute values with offset values, such as the following exmaple.
-DLP_Region 50,10,-10,-10
Regions does support percent values, which are evaluated as a border that is a percent of the total width and height respectively. Regions does not support mixing percent values and absolute or offset values.
-DLP_Region 10%,10%,20%,20%
Use the following option to allow mouse button down events within the non-selected regions, by default they are blocked.
-DLP_RegionAllowClick
Use the following option to allow mouse button releases within a non-selected region, by default they are blocked until the cursor returns to the selected region.
-DLP_RegionAllowRelease
Limit clipboard bytes to send to clients in one transaction. Default 10,000, 0 disables the feature.
-DLP_ClipSendMax 10000
Enable/Disable clipboard from server to client. Default is 1, enabled.
-SendCutText 1
Limit clipboard bytes to receive from clients in one transaction. Default 10,000, 0 disables feature.
-DLP_ClipAcceptMax 10000
Enable/Disable clipboard from client to server. Default is 1, enabled.
-AcceptCutText 1
This many milliseconds must pass between clipboard actions. Default 1000.
-DLP_ClipDelay 1000
Reject keyboard presses over this many per second. Default 0 (disabled).
-DLP_KeyRateLimit 0
Log clipboard and keyboard actions. Info logs just clipboard direction and size, verbose logs keystrokes and clipboard content.
-DLP_Log (off|info|verbose)