Essential 8 - Restrict Web Access for Admin Accounts

  • 8 August 2023
  • 4 replies


Good Afternoon folks


We're pretty new to Netskope, so please excuse me if this is the wrong place for this question or if it's a particularly basic question, and we're going through the Essential 8 security process at the moment. To that end, we're looking to prevent Admin accounts from being able to access the internet when logged into machines with Netskope installed.


Is this something that Netskope is capable of? I'm assuming it's a policy that we can roll out to a created group of users?


Thanks very much


Best answer by Siva 8 August 2023, 16:59



Hi @PearsonJ, welcome. I'm new to Netskope too.


One method that comes to mind to achieve your desired result is to use a real-time web policy with block for the admin user group on NSClient traffic. [Choose all predefined categories for destination]






Yes, if there's a user group created for the admins in your IDP which is integrated with Netskope, you would be able to create a realtime policy that includes the said group, and block access to all the web categories. 


Thanks very much, I'll test that out now.

Looking at the order of operations in our tenancy, should this be sitting right at the top? It's only going to be blocking web traffic for a few accounts, and I don't want them picking up Allow permissions as they work their way down the order before getting to the policy.


Hi @PearsonJ, the following should provide some guidance:


  • Rules are processed from the top-down in the Real-time Protection policies list.
  • When traffic matches rule conditions, the action (Allow/Block) applies without further processing through the rule base. All policies are terminal except for DLP policies set as Alert and Continue.
  • Place any rules applied to individuals or small groups near the top of the list.
  • Place exceptions at the top for block policies.
  • Netskope allows the activity by default if it doesn’t match a policy. [Except for NPA]


Reference - Best Practices for Real-time Protection Policies
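
The ordering concern raised in this thread can be checked offline before touching the tenant. The following is an added example, not Netskope code or anything posted by the thread participants: a simplified Python model of top-down, first-match evaluation with default allow and non-terminal "Alert and Continue" rules. All rule names, group names and categories are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard for "all groups" / "all categories" (assumption of this model)

@dataclass(frozen=True)
class Rule:
    name: str
    group: str      # user group the rule applies to, or ANY
    category: str   # destination web category, or ANY
    action: str     # "allow", "block", or "alert_continue" (non-terminal)

def evaluate(rules, user_groups, category):
    """Walk the list top-down; the first terminal match decides the outcome."""
    alerts = []
    for r in rules:
        if r.group not in (ANY, *user_groups) or r.category not in (ANY, category):
            continue
        if r.action == "alert_continue":   # DLP-style alert: record, keep going
            alerts.append(r.name)
            continue
        return r.action, r.name, alerts
    return "allow", None, alerts           # nothing matched: default allow

def leaks(rules, user_groups, categories):
    """Categories the user can still reach, mapped to the rule that allowed each."""
    reachable = {}
    for c in categories:
        action, rule_name, _ = evaluate(rules, user_groups, c)
        if action == "allow":
            reachable[c] = rule_name
    return reachable

# Constructed sample data, not taken from any real tenant.
CATEGORIES = ["News", "Webmail", "Cloud Storage"]
DLP = Rule("dlp-alert-uploads", ANY, "Cloud Storage", "alert_continue")
ALLOW_MAIL = Rule("allow-webmail-staff", "all-staff", "Webmail", "allow")
BLOCK_ADMIN = Rule("block-admin-web", "admins", ANY, "block")

MISORDERED = [DLP, ALLOW_MAIL, BLOCK_ADMIN]   # admin block sits below a broad allow
CORRECTED = [BLOCK_ADMIN, DLP, ALLOW_MAIL]    # small-group block moved to the top

if __name__ == "__main__":
    admin = {"all-staff", "admins"}           # admin accounts are usually staff too
    print("misordered:", leaks(MISORDERED, admin, CATEGORIES))
    print("corrected: ", leaks(CORRECTED, admin, CATEGORIES))
```

In the misordered list the admin account still reaches Webmail through the earlier staff-wide allow, which is the situation the question about placing the block at the top is trying to avoid.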