
Order of Policies Regarding Blocking Access to Filesharing Web Sites

JFGeorge
Level 1

Hello,

As part of our data loss prevention directive, my boss has decreed that he wants to prevent our users from using web-based file sharing sites like Dropbox, Google Drive, etc. He also wants to prevent the use of their proprietary apps/APIs, for example, the Dropbox app. However, he also wants me to create exceptions for those offices/users who have a legitimate business need to use those sites. I need some guidance from people who might have faced a similar assignment.

 

I know that policy precedence and policy order is critical to achieving this. The problems I have are when one user is blocked from Dropbox, but allowed for Google Drive while another user has the opposite (i.e. Dropbox allowed & Google Drive blocked). How would you accomplish this? Something like this?

 

1-Allow Google Drive (applies to specific AD groups or user accounts)

2-Allow Dropbox (applies to specific AD groups or user accounts)

3-Block Access to Dropbox, Google Drive, etc. (applies to everyone)

4-Default policy.

 

If Bob is allowed access to both sites, will he actually only be allowed to access Google Drive (since it is first) while he will be blocked access to Dropbox (and the 5-6 other sites I specify)? So, evaluation of the top policy asks "Does this policy apply to Bob? If yes, grant Google Drive access and STOP FURTHER POLICY EVALUATIONS." In my understanding, that means that Bob will never be blocked from any file sharing site as policy 3 is never evaluated for him. Am I correct in this belief?

 

How would you accomplish this? Can this be accomplished?

 

 

1 Reply

Jon Marshall
Hall of Fame

 

Not sure what you are implementing this on but what you have should work fine because the rules are evaluated in order and only after a match rule would it stop being evaluated. 

 

So as long as your AD groups have the correct users in them and some users might be in both groups it should be fine. 

 

Jon
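Added example, not part of either post and not any vendor's code: the thread does not name the product, so this sketch evaluates the four-policy order from the question under two assumed first-match models, one where a policy matches on user and destination together, and one where the first policy matching the user's identity is selected and only its own site list is consulted. Group names, site names, test users and the "default"/"unlisted" outcomes are constructed for illustration.

```python
# Platform-neutral model of ordered policy evaluation (illustrative assumption).
POLICIES = [
    # (name, groups it applies to or None for everyone,
    #  sites it covers or None for any site, action)
    ("1-Allow Google Drive", {"gdrive-users"}, {"drive.google.com"}, "allow"),
    ("2-Allow Dropbox", {"dropbox-users"}, {"dropbox.com"}, "allow"),
    ("3-Block filesharing", None, {"drive.google.com", "dropbox.com"}, "block"),
    ("4-Default policy", None, None, "default"),
]

def applies_to_user(groups, user_groups):
    return groups is None or bool(groups & user_groups)

def covers_site(sites, site):
    return sites is None or site in sites

def rule_match(user_groups, site):
    """Model A: a policy matches only if user AND destination both match."""
    for name, groups, sites, action in POLICIES:
        if applies_to_user(groups, user_groups) and covers_site(sites, site):
            return name, action
    return None, "no-match"

def identity_match(user_groups, site):
    """Model B: the first policy whose user scope matches is selected,
    and only that policy's site list is consulted."""
    for name, groups, sites, action in POLICIES:
        if applies_to_user(groups, user_groups):
            return name, action if covers_site(sites, site) else "unlisted"
    return None, "no-match"

def audit(users, sites, evaluate):
    """Effective decision for every user/site pair, for review before rollout."""
    return {(u, s): evaluate(g, s) for u, g in users.items() for s in sites}

USERS = {  # constructed test accounts
    "bob": {"gdrive-users", "dropbox-users"},
    "alice": {"gdrive-users"},
    "carol": set(),
}
SITES = ["drive.google.com", "dropbox.com", "example.org"]

if __name__ == "__main__":
    for model in (rule_match, identity_match):
        print(model.__name__)
        for key, decision in audit(USERS, SITES, model).items():
            print("  ", key, "->", decision)
```

Under model A, Bob reaches both sites and policy 3 still blocks everyone else; under model B, Bob's Dropbox request never reaches policy 2 or 3, so the result depends on what policy 1 does with sites it does not list. Testing one account from each group combination on the real device shows which model it follows.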
