Execution Control | Risk Engine | Updated Dec 23, 2025

Block Unauthorized VPN Software

Use Workshop Risk Engine to flag any software with VPN entitlements for admin review, blocking unauthorized tunnels that enable data exfiltration.

Idea

A common request from customers is the ability to block VPN and remote access software in order to prevent data exfiltration and enforce compliance. This software can allow users to create a backdoor into your network and bypass authorization policies. Malware and malicious actors often install this software as an easy way to maintain a foothold in a compromised network.

Blocking VPNs might seem daunting since new "free" VPN apps appear all the time. If you're already using lockdown mode and approval workflows in Workshop, the Risk Engine lets you create dynamic rules that flag software based on code signature properties, including entitlements. By setting up a blockable rule in Workshop, you can make sure that VPN software will never get approved without admin review.

Solutions

Risk Engine: Flag VPN Software for Review
Create a blockable rule to flag VPN software based on entitlements
Entitlements
Action
Custom Message

MITRE ATT&CK

Tags

vpn, data-exfiltration, compliance

Deployment Notes

This rule uses Workshop's Risk Engine to automatically flag any software with VPN-related entitlements for admin review. When users try to run VPN software, they'll be prompted to request approval, and admins can review before allowing.

This works even for brand new VPN apps that appear after you've deployed the rule, since it's based on code signature entitlements rather than specific app identifiers.

Make sure you're using Workshop's lockdown mode and approval workflows for this to be effective.

False Positive Guidance

Legitimate VPN software used by your organization will be flagged:

  • Corporate VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect, etc.)
  • Personal VPN apps (NordVPN, ExpressVPN, etc.)

Create allowlist rules for approved corporate VPN clients. Personal VPN usage should be reviewed based on your organization's security policy.
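To preview which binaries would be flagged before writing allowlist rules, the following added example (not Workshop rule syntax and not code from this page) checks an entitlements plist, such as the one `codesign -d --entitlements :- <path>` dumps, for VPN-related entitlements. It assumes that "VPN entitlements" means Apple's NetworkExtension tunnel and proxy provider types and the Personal VPN entitlement; the app names and plists are constructed samples.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Assumption: these Apple entitlements are what "VPN entitlements" covers here.
NETWORK_EXTENSION = "com.apple.developer.networking.networkextension"
PERSONAL_VPN = "com.apple.developer.networking.vpn.api"
TUNNEL_PROVIDERS = {"packet-tunnel-provider", "app-proxy-provider"}
SYSEXT_SUFFIX = "-systemextension"  # suffix used by Developer ID system extensions


def _strings(value):
    """Entitlement values may be a single string or an array of strings."""
    items = value if isinstance(value, list) else [value]
    return [v for v in items if isinstance(v, str)]


def vpn_entitlements(plist_bytes):
    """Return sorted 'key=value' hits for VPN-related entitlements in a plist."""
    try:
        ents = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return []  # missing or unparsable entitlements: nothing to match on
    if not isinstance(ents, dict):
        return []
    hits = set()
    for value in _strings(ents.get(NETWORK_EXTENSION)):
        if value.removesuffix(SYSEXT_SUFFIX) in TUNNEL_PROVIDERS:
            hits.add(f"{NETWORK_EXTENSION}={value}")
    if "allow-vpn" in _strings(ents.get(PERSONAL_VPN)):
        hits.add(f"{PERSONAL_VPN}=allow-vpn")
    return sorted(hits)


# Constructed sample entitlements for hypothetical apps (not real products).
SAMPLES = {
    "ExampleTunnel.app": plistlib.dumps({
        NETWORK_EXTENSION: ["packet-tunnel-provider-systemextension"],
        "com.apple.security.app-sandbox": True}),
    "ExamplePersonalVPN.app": plistlib.dumps({PERSONAL_VPN: ["allow-vpn"]}),
    "ExampleFilter.app": plistlib.dumps({NETWORK_EXTENSION: ["content-filter-provider"]}),
    "ExampleEditor.app": plistlib.dumps({"com.apple.security.app-sandbox": True}),
    "Unsigned.app": b"",
}


def preview(samples):
    """Map each app that would need review to the entitlements that matched."""
    return {name: hits for name, data in samples.items()
            if (hits := vpn_entitlements(data))}
```

The content-filter sample is deliberately left unflagged in this sketch; widen `TUNNEL_PROVIDERS` if your policy treats other NetworkExtension provider types as remote-access software.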

Resources