Blocking file uploads to all sites, unless safelisted

Copper Contributor

We're trying to verify if we can block file uploads through the browser to all sites, unless these sites are part of an approved list or the user has an exception. We currently have a similar solution through a different vendor, but wanted to see if Defender for Endpoint is an alternative.

So, if someone creates a new site, this site would not be allowed to be uploaded to unless the domain is added to an approved list. The alternative would be to block if the file has a specific label. 

 

Thanks, 

29 Replies
Did you ever manage to solve this? Looking for the same thing myself.

Hi @DanSec 

 

Since you're wanting to set a "safe list" which will block uploads to anything not on this list, you'll likely want to leverage the service domains feature under Endpoint DLP settings in the Microsoft Purview portal.

 

You can set the service domains to be an "Allow" list to achieve this and will need an Endpoint DLP policy configure once you've set the list. The policy itself can have your specific user exclusions set (Endpoint DLP is still identity based).

 

While DLP is typically based on sensitive information, you can set the policy to block uploads based on file types and/or file extensions. As you mentioned, you can also scope it to block based on a specific sensitivity label applied to the file.

@miller34mike, I tried creating a custom DLP policy under https://compliance.microsoft.com.  Scoped it to devices and MCAS, yet I can't see any action that allows me to block the upload to the web page. What  am I doing wrong? Screenshot 2023-06-06 at 19.27.47.pngScreenshot 2023-06-06 at 19.28.58.png

Hi @The737 

 

This is due to selecting both Devices and MDCA. When you scope to multiple locations, you only get the options that are available in both locations.

 

To set and Endpoint policy to block service domain uploads you will need to set the policy to Devices only and then within the rule, you will see service domain uploads.

 

To see this option, select actions > Audit or restrict activities on devices and it will be the first checkbox that you can select.

 

miller34mike_0-1686069546373.png

 

 

MDCA from a DLP perspective would not help you in this scenario. 

 

To set your allowed list of service domains, which means everything else gets blocked, go to compliance.microsoft.com > Data loss prevention > Endpoint DLP settings and find the drop-down for Browser and domain restrictions to sensitive data. Make sure the drop-down for block/allow is set to allow and then set your appropriate sites.

 

miller34mike_1-1686069806732.png

 

 

miller34mike_2-1686069821854.png

 

 

Thanks, that seems to have worked. Created the policy, giving it some time to see if it has the desired behaviour and I'll come back to update the thread.

Hi @The737 

 

Great! I look forward to hearing the results of the policy testing!

Evaluate Defender for Cloud Apps, formerly MCAS.
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/block-access-to-unsanctioned...
Session policy as well as sanctioned/unsanctioned apps comes to mind. Also DLP auto labeling auto encrypt all files to a basic internal label. Users would have to authenticate with their AAD credentials to verify yes/no they have access to permissions on file for encryption.

@miller34mike, it's a no-go unfortunately. Screenshot 2023-06-07 at 10.09.56.pngScreenshot 2023-06-07 at 10.11.06.pngScreenshot 2023-06-07 at 10.10.35.png

@WilliamLeininger , thanks for this. I wouldn't want to classify/label documents. The endpoint should catch that the user is uploading files to a blocked website and prevent the action. 

@The737 

 

Just to confirm, are you performing your testing on a Microsoft Purview Onboarded device and using an Azure AD Identity with an E5 license to log in to the machine?

@miller34mike, yScreenshot 2023-06-07 at 20.37.51.pnges. Full E5 licensed tenant, device enrolled in Intune and onboarded in MDE as per the device inventory (screenshot below).

@The737 

 

Perfect! The final check to perform is under settings within the compliance portal at the link below, confirm that device onboarding has been enabled and that the same device from MDE shows up under Purview (it may take up-to an hour to complete the onboarding). Enabling Device onboarding within the compliance portal will automatically ingest all MDE-onboarded devices into purview, which is the final step to make sure that Endpoint DLP policies can be pushed to the device.

 

miller34mike_0-1686159867208.png

 

@miller34mike, thanks for this. Checked and they are there.Screenshot 2023-06-07 at 20.47.16.png

@The737 

 

Sorry, here is the link to the compliance settings page

 

Settings - Microsoft Purview

 

Also just to note, onboarding these devices to Purview itself has no impact. The impact occurs when an Endpoint DLP policy is assigned to an identity that logs into an onboarded device.

@The737 

 

What conditions did you set on the policy?

@miller34mike, only the file extensions are set.Screenshot 2023-06-07 at 20.55.19.png

@The737 

 

do you see the cloud upload activities within Activity Explorer?

 

also, I do usually recommend including the “.” In the extension, like .docx

 

on the onboarded devices page, you should be able to select a device and see what policies are active on it. Can you confirm this policy appears for the test device?

@miller34mike , nope, the upload isn't even visible in the Activity Explorer. In terms of the extensions, I entered them with the "." yet it got removed.
Interesting thing though... if I go on the onboarded devices page and look at the overview of the machine, the MDE Enrolment status is N/A. This gives me something to dig into....

 

Screenshot 2023-06-07 at 21.35.17.png

@The737 

 

I'm going to duplicate your policy and blocked domains to see what my test results in.

 

The MDE status is because you're managing it with Intune versus using Microsoft Defender for Endpoint Security Configuration Management.