This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask the community

Essential 8 - Restrict Web Access for Admin Accounts

Go to solution
PearsonJ
New Contributor

‎08-07-2023 07:06 PM - edited ‎08-07-2023 07:07 PM

Good Afternoon folks

 

We're pretty new to Netskope, so please excuse me if this is the wrong place for this question or if it's a particularly basic question, and we're going through the Eseential 8 security process at the moment. To that end, we're looking to prevent Admin accounts from being able to access the internet when logged into machines with Netskope installed.

 

Is this something that Netskope is capable of? I'm assuming it's a policy that we can roll out to a created group of users?

 

Thanks very much

Labels:
0 Likes
2 Solutions
Go to solution
Siva
Contributor

‎08-08-2023 07:59 AM

Hi @PearsonJ , welcome. I'm new to netskope too.

 

One method that comes to mind to achieve your desired result is to use real-time web policy with block for admin user group on NSClient traffic. [Choose all predefined categories for destination]

 

Siva_0-1691506676400.png

 

View solution in original post

Go to solution
Siva
Contributor
In response to PearsonJ

‎08-09-2023 07:17 AM

Hi @PearsonJ  the following should provide some guidance

 

  • Rules are processed from the top-down in the Real-time Protection policies list.
  • When traffic matches rule conditions, the action (Allow/Block) applies without further processing through the rule base. All policies are terminal except for DLP policies set as Alert and Continue.
  • Place any rules applied to individuals or small groups near the top of the list.
  • Place exceptions at the top for block policies.
  • Netskope allows the activity by default if it doesn’t match a policy. [Expect for NPA]

 

Reference - Best Practices for Real-time Protection Policies 

 

 
 

View solution in original post

4 Replies 4
Go to solution
Siva
Contributor

‎08-08-2023 07:59 AM

Hi @PearsonJ , welcome. I'm new to netskope too.

 

One method that comes to mind to achieve your desired result is to use real-time web policy with block for admin user group on NSClient traffic. [Choose all predefined categories for destination]

 

Siva_0-1691506676400.png

 

Go to solution
PearsonJ
New Contributor
In response to Siva

‎08-08-2023 10:51 PM

Thanks very much, I'll test that out now.

Looking at the order of operations in our tenancy, should this be sitting right at the top? It's only going to be blocking web traffic for a few accounts, and I don't want them picking up Allow permissions as they work their way down the order before getting to the policy.

0 Likes
Go to solution
Siva
Contributor
In response to PearsonJ

‎08-09-2023 07:17 AM

Hi @PearsonJ  the following should provide some guidance

 

  • Rules are processed from the top-down in the Real-time Protection policies list.
  • When traffic matches rule conditions, the action (Allow/Block) applies without further processing through the rule base. All policies are terminal except for DLP policies set as Alert and Continue.
  • Place any rules applied to individuals or small groups near the top of the list.
  • Place exceptions at the top for block policies.
  • Netskope allows the activity by default if it doesn’t match a policy. [Expect for NPA]

 

Reference - Best Practices for Real-time Protection Policies 

 

 
 
Go to solution
madhurasridhar
Netskope
Netskope

‎08-08-2023 12:10 PM

Hi, 

 

Yes, if there's a user group created for the admins in your IDP which is integrated with Netskope, you would be able to create a realtime policy that includes the said group, and block access to all the web categories. 

0 Likes
Subscribe

In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below

Sign In