Web Security - Managing Policies

This article explains how to set up and maintain policies for Mimecast Web Security, and is intended for use by Administrators.

Introduction to Mimecast Web Security Policies

Mimecast Web Security policies define the rules applied to user activity in your organization's environment, at the server level or front line layer of the web. A multi-layer security approach can be taken, where you have the flexibility to:
      • Define specific domains that should be blocked or allowed.
      • Define the site categories that should be blocked from user access.
      • Select whether a policy applies to everyone in your organization, or to a specific user or group.
      • Select whether a policy applies to a specific location.

If you have previously configured a policy covering a target, creating another policy for the same target could render both policies ineffective. See Policy Precedence and Specificity for full details.

Policy Types

This article will guide you through the process of creating the following policy types:

      • Advanced Security: Allows you to configure advanced options (e.g. SafeSearch, Web Proxies).
      • Application Control: Allows you to control the use of cloud applications.
      • Block or Allow List: Allows you to specify whether to block or allow access to one or more domain / URLs. This policy type overrides all other web security policies.

        A Block or Allow List policy takes precedence over any TTP managed URL. For example, if <domain>.com is in your managed URL list, but blocked in a policy, access to the domain is blocked. If your Block or Allow List contains URLs, you must have an Advanced Security policy with the Web Proxy option enabled for those targets.

      • Category Filtering: Allows you to block domains / URLs based on their category (e.g. security, adult, etc.). You can block or allow all domains in a category group, or choose to block individual categories in a group.
      • Log Settings: Allows you to comply with regional specific data and privacy regulations by managing what web security information is logged.
      • Targeted Threat Protection: Allows you to utilize the managed URLs and advanced similarity checks in the URL Protection product. This policy type is only visible if the URL Protection package is enabled for your account. See Configuring URL Protection for more information.

        If your managed URLs list contains both URLs and domains and you wish to filter both, you must have an Advanced Security policy with the Web Proxy option enabled for those targets.

Reviewing your Default Category Policy

A default category policy is created on your account, but it should be reviewed to ensure it meets your requirements.
You can do this by using the following steps:

  1. Log into the Mimecast Administration Console.
  2. Navigate to Web Security | Policies.
  3. Click on the "..."  icon to the right of the Default Category Policy.
  4. Select the Edit menu item.
  5. Review the following sections:

    Click on each section in the left hand navigation panel to progress to each one.

      • Security Categories: We recommend you block all Security Categories.
      • Content Categories: Click on the triangle to the left of a category to expand its contents.

        Web-based email is blocked by default in the "Productivity" category. Uncheck this if your users are allowed access to web-based email.

      • Applies To.
  6. Click on the Save & Close button.

Configuring a Block or Allow List Policy

Note that this policy type takes precedence over all other Mimecast Web Security policies, e.g. any TTP managed URL.
If <domain>.com is in your managed URL list, but blocked in a policy, access to the domain is blocked.

To configure a Block or Allow List policy, you can block or allow access to:

      • Individual domains / URLs by manually entering them.
      • Multiple domains / URLs by importing a CSV file.

If your policy contains URLs, you must have an Advanced Security policy with the "Web Proxy" option enabled for those targets.

Manually creating a new Block or Allow List Policy

You can create a new policy, by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Web Security | Policies.
  3. Click on the Create New Policy button.
  4. In the Set the policy details screen, enter the required details for your policy:
      • In the Name field, enter a name for your policy.
      • Select the Type of Block or Allow List.
  5. Click on the Next button.
  6. In the Add blocked and allowed domains and URLs screen, add items as required:
      • To Block a domain or URL:
        • Select the Block radio button.
        • Enter the domain or URL you wish to block, e.g. company.com.
        • Click on the Block button.
        • Repeat the process to add any further domains or URLs to be blocked.
      • To Allow a domain or URL:
        • Select the Allow radio button.
        • Enter the domain or URL you wish to allow, e.g. company.com. See Block or Allow List Syntax and Examples for further details.
        • Click on the Allow button.
        • Repeat the process to add any further domains or URLs to be allowed.
  7. Click on the Next button.
  8. In the Select who this policy applies to screen, select who the policy applies to:
      • Everyone: The policy applies to all users in your organization.
      • Locations, Groups and Users: Select specific Locations, Groups and users in your organization, to apply the policy to.

        You can add multiple locations, users, and groups to a single policy.

      • Devices and Device Groups: Select specific Devices and Device Groups in your organization, to apply the policy to.

        You can add multiple Devices or Device Groups. To enforce device-based policy over user-level policy, enable the Enforce Device Policy option.

  9. Click on the Next button.
  10. In the Review and create the policy screen, check that all details are correct. You can click on Previous to step back, review and amend, as required.
  11. Click on Create Policy.

Amending a Policy

You can amend the details or status of a policy, by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Web Security | Policies.
  3. There are several ways of selecting a policy for amendment:
      • Click on it directly, to bring up the Policy Details slide-out, which allows you to:
        • Edit the policy (follow sub-steps under b. below, to complete the editing process).
        • Duplicate the policy, which allows you to create a copy of the policy, amend it, and Save & Close as required.
        • Delete the policy (you'll be prompted to confirm deletion).
        • Toggle the status of the policy between Enabled and Disabled (you'll be prompted to confirm this change of state).
      • Click on the ellipsis "..." next to the policy, which allows you to:
        • Edit the policy Name.
        • Toggle the status of the policy between Enabled and Disabled (you'll be prompted to confirm this change of state).
        • Amend further policy details as required.
        • Amend who the policy applies to.
      • You can then Save & Close to save the changes.

        Clicking on the ellipsis "..." next to a policy also gives you the options to Disable, Duplicate, or Delete it.

You can amend any policy type by following the above steps. Note that what can be amended will vary according to policy type, e.g. for Block or Allow List policies, you're able to:

      • Add blocked and allowed domains and URLs
      • Remove blocked and allowed domains and URLs, by clicking on the Delete icon next to them.

Blocking / Allowing Multiple Domains / URLs

You can block or allow access to multiple domains / URLs by downloading a file template, adding the required entries, and importing it:

A maximum of 5000 entries can be uploaded in the CSV file.

Create the new policy as per Manually creating a new Block or Allow List Policy, but with the following differences:

  1. In the Add blocked and allowed domains and URLs screen:
      • Click on the upload a CSV File link.
      • Click on the Download button. The CSV file is downloaded to your browser’s download location.
      • Delete the first line of the template and enter:
      • Save the CSV file.
      • Click on the Upload button.
      • Click on the Import button.

Complete the creation process by selecting who it applies to, reviewing your details, then clicking on Create Policy.


Configuring Exceptions and Top Level Domains

You can allow or block top-level domains (TLDs) in a Block or Allow List policy. This offers you granular control, to allow or block a sub-domain under the same TLD. For example, you can block the TLD "cn" by adding it to the block list but allow the subdomain "thepaper.cn", and vice versa.

TLDs are accepted without punctuation (i.e. you don't need to include a period "." symbol before the TLD).

If there are applications that all users should have access to (e.g. Dropbox, Slack), we recommend adding the domains to your exceptions list, as this overrides all other policies. See the Managing Exceptions page.
 

Configuring an Application Control Policy

You can block access to web applications by configuring an Application Control policy.

Create the new Application Control policy as per Manually creating a new Block or Allow List Policy, but with the following differences:

  1. In the Set the policy details screen, select the Type of Application Control.
  2. Click on the Next button.
  3. Select the required Web Applications from the list:
      • Click the Block button to block an application.
      • Click the Clear Action button to remove the block or allow status for the application.

Use the Search field, to search for web applications.

To block access to all web based email applications, apart from one (e.g. Google Gmail):

  • Filter the applications list using the Web-Based Email Application Category.
  • Select all filtered applications except Google Gmail.
  • Click the Block button.

Complete the creation process by selecting who it applies to, reviewing your details, then clicking on Create Policy.

Configuring a Category Filtering Policy

You can block domains / URLs based on their category (e.g. security, adult, etc.). You can then block or allow all domains in a category group, or choose to block individual categories in a group.

If a category isn't blocked, further block rules may still apply from other policies.

If you want to block access to all web based email applications, apart from one (e.g. Google Gmail) we recommend creating an Application Control policy.

Create the new Category Filtering policy as per Manually creating a new Block or Allow List Policy, but with the following differences:

  1. In the Set the policy details screen, select the Type of Category Filtering.
  2. Click on the Next button.
  3. In the Select categories to block screen, choose the required option:
      • Select None to select no Security Categories.
      • Select All to select all Security Categories.
      • Select Custom, then select the required Security Categories values from the list supplied.

        You can search for a category by entering text in the Search field. This finds a category matching the search string even if the category group is expanded. For example, a search for Pers whilst inside the Content Category group finds both the Dating & Personals and Personal Sites categories.

      • Click on the Next button.

Select the Content Categories to block.

All category filters are displayed in groups of similar domain types. Each category group allows you to select one of the following options:

  • None: Allows users to access all domains in a category group.
  • All: Blocks users from access to all domains in a category group.
  • Custom: Allows you to allow or block user access to individual categories in a category group. Selecting this option expands the category group, allowing you to select the categories to be blocked.

See Policy Categories for a full list of the categories and subcategories, complete with a description.

Complete the creation process by selecting who it applies to, reviewing your details, then clicking on Create Policy.
 

Configuring a Targeted Threat Protection Policy

You can utilize the managed URLs and advanced similarity checks in the URL Protection product in Mimecast Web Security by configuring a policy. This policy type is only visible if the URL Protection package is enabled for your account. If your managed URLs list contains URLs and domains and you wish to filter both, you must have an Advanced Security policy with the Web Proxy option enabled for those targets.

See the Configuring URL Protection Definitions and URL Protection Policy Configuration pages for more information on Managed URLs.

Create the new Targeted Threat Protection policy as per Manually creating a new Block or Allow List Policy, but with the following differences:

  1. In the Set the policy details screen, select the Type of Targeted Threat Protection.
  2. Click on the Next button.
  3. In the Managed URLs screen, enable this option, if required.

    Click on the Managed URLs link to view your managed URLs and domains.

  4. Click on the Next button.
  5. In the Advanced Similarity Checks screen, enable this option if required, to detect the use of special characters that look like other characters in the domain. This checks DNS requests against Mimecast's managed domain lists and your custom-monitored internal and external domains.
  6. Click the Custom Monitored External Domains link to view your custom external domain list. For further information, see the Custom Monitored External Domains page.
  7. Select from one of the following Action options:
      • Block: Blocks the user from accessing the link and displays a block page.
      • Warn: Displays a warning page to the user, allowing them to access the link.

Complete the creation process by selecting who it applies to, reviewing your details, then clicking on Create Policy.
 

Configuring an Advanced Security Policy

The Advanced Security policy type allows you to configure advanced options, e.g. SafeSearch, Newly Observed Domains and Web Proxy.

Create the new Advanced Security policy as per Manually creating a new Block or Allow List Policy, but with the following differences:

  1. In the Set the policy details screen, select the Type of Advanced Security.
  2. Click on the Next button.
  3. In the Turn SafeSearch on by site screen, you can toggle the Google, Bing and YouTube fields, to enabled or disabled.

    When SafeSearch is enabled, it helps block explicit images, videos, and websites from search results. While SafeSearch isn't 100% accurate, it can help your organization avoid explicit and inappropriate search results on users' phones, tablets, and computers.

  4. Click on the Next button.
  5. In the Newly Observed Domains screen, you can toggle the "Block newly observed domains, which have a higher risk of malicious content." field to enabled or disabled. This blocks newly observed domains that might be malicious.
  6. Click on the Next button.
  7. In the Configure Web Proxy screen, you can toggle the Web Proxy field to enabled or disabled. Proxying suspicious sites allows SSL inspection, URL categorization, and antivirus scanning.
      • If Web Proxy is enabled, you can then toggle the Antivirus Scanning field to enable or disable anti-virus scanning. If enabled, proxied traffic is scanned for malware.
      • If Antivirus Scanning is also enabled, you can then:
        • Toggle the Browser Isolation field to enabled or disabled. This opens suspicious sites in an isolated environment. By configuring a Browser Isolation policy, you can control what end users can do in it. See Configuring Browser Isolation Policies for full details.

          This option is only available if your Mimecast account has the Browser Isolation add on enabled on it. You can configure how your users interact with these sites in Services | Browser Isolation.

        • Use the Unscannable Content field, to select to Block or Allow files which cannot be scanned due to encryption or corruption.
        • Use the Proxy Extensions section, to:
          • Select None.
          • Select All.
          • Select Custom values from the list supplied (Dropbox, Facebook, LinkedIn, Twitter, Yahoo! Mail, Egnyte, GMail and GDrive, ShareFile and We Transfer). See Supported Web Proxy Services and Support Modes for full details. 

            When any of these services are selected, we'll proxy any domains known to Mimecast that are associated with them.

            Complete the creation process by selecting who it applies to, reviewing your details, then clicking on Create Policy.

Supported Web Proxy Services and Support Modes

This section describes the supported modes for the extended web proxy functionality:

Application | Web Application | Windows Desktop App | Mac Desktop App | iOS Mobile App | iOS Browser
Dropbox
Facebook
ShareFile
YahooMail
LinkedIn
Twitter
GMail
GoogleDrive
WeTransfer
Egnyte

Dropbox URLs are not supported, e.g. dropbox.com/url.

Requests from mobile applications are exempted from extended proxy, but requests from mobile browsers are proxied. See Mimecast Security Agent for iOS.

Configuring a Log Settings Policy

Configuring a Log Settings policy allows you to comply with regional specific data and privacy regulations, by managing what web security information is logged.

Create the new Log Settings policy as per Manually creating a new Block or Allow List Policy, but with the following differences:

  1. In the Set the policy details screen, select the Type of Log Settings.
  2. Click on the Next button.
  3. In the Select your log settings screen, select one of the following options:
      • Log All Activity: All user activities are logged. This is the default setting if there is no Log Settings policy.
      • Log No Activity: No user activity is logged.
      • Log Security Events Only: Only attempts to visit infected sites are logged. Activity and security logs display all security events.

Complete the creation process by selecting who it applies to, reviewing your details, then clicking on Create Policy.

Block Page Settings

You can customize a Block Page for when your end users contact their administrators regarding blocked access.
They will see the reason for the block, followed by helpful security tips and engaging, memorable visuals.
You can specify the informational tips displayed to the end user based on the type of the block.

You can customize Block Page Settings, by using the following steps:

  1. Log on to the Mimecast Administration Console. 
  2. Navigate to Web Security | Policies.
  3. Click on the Block Page Settings button.
  4. In the Block Page Settings screen, you can:
      • Toggle the state of the Customize button:
        • If Disabled, Mimecast default settings are applied to block pages.
        • If Enabled, this allows you to enter your required custom Title and Footer text.
        • Enabling this option makes the Web Security Tips button appear.
      • Toggle the state of the Web Security Tips button:
        • If Disabled, Mimecast default tips are applied to block pages.
        • If Enabled, this allows you to enter your required custom Footer text.
        • Enabling this option hides the Title field.
  5. Click on Save and Close.

The Footer field allows you to enter up to 1000 characters of text (e.g. email addresses, domain name, IT Support telephone numbers).

Email addresses and domain names (e.g., a link to your corporate acceptable use policy) automatically render a link.

To further customize this page, you can incorporate your company branding. For instance, you can include your company logo, company colors, and a disclaimer. For further assistance on branding, see the Stationery Branding page.

Mimecast diagnostics and domain/URLs cannot be customized, as diagnostic information will differ based on the reason for the block.

Further Information About Using Policies

This section gives more information, including some example policies and how multiple policies interact with each other.

Block or Allow List Policy Syntax and Examples

When using Block or Allow List policies, a URL takes precedence over a domain as it is more specific.

If your Block or Allow List contains URLs, you must have an Advanced Security policy with the Web Proxy option enabled for those targets.

Domain / URL Syntax

When you're adding a domain / URL to a Block or Allow List policy, consider the following syntax rules:

Rule | Entered Domain / URL | Accepted Domain / URL
Wildcard characters are not accepted and are treated as normal alphanumeric characters. | http://www.domain.co* | The domain is not accepted and must be corrected.
"http://", "https://", and FTP prefixes are stripped from the URL. | http://www.domain.com | www.domain.com
 | https://www.domain.com/ | www.domain.com
 | https://subdomain.domain.com | subdomain.domain.com
Ports are stripped from the URL. | http://subdomain.domain.user:8080/path/ | subdomain.domain.user/path
Fragments are stripped from the URL. | www.domain.com/#anchor | www.domain.com
 | https://example.com/index.html#foo | example.com/index.html
Query parameters are accepted. | http://subdomain.com/abccd?z=1&text=yes | subdomain.com/abccd?z=1&text=yes

The * character is not accepted as part of a domain. It is accepted as part of a URL, but not as a wildcard character.

Domain / URL Examples

The following examples outline the domains / URLs that will be blocked or allowed if the Block or Allow List policy is set to the specified value.

URL Paths

URL used: http://domain.com/abc/

URL | Allowed / Blocked | Comments
http://domain.com/abc | Yes | This is an exact match.
http://domain.com/abc/text | Yes | Sub-paths are covered by a higher level path.
https://domain.com/abc | Yes | This is an exact match as the scheme is ignored.
http://domain.com/abc?q=searchtext | Yes | Any parameters specified are covered by a higher level path.
http://domain.com/abc&key=value | Yes |
http://domain.com/abc?q=searchtext | Yes |
http://www.domain.com/abc/ | Yes | A wildcard is implicit for a sub-domain.
http://otherdomain.com/abc/ | No | The top level domain is different.
https://domain.com/ABC/text | No | The path is case sensitive.
http://domain.com | No | The path is shorter / longer than the specified URL.
http://domain.com/ab | No |
http://domain.com/abcdef | No |

Query Parameters

URL used: https://domain.com/abccd?z=1&text=yes

URL | Allowed / Blocked | Comments
http://domain.com/abc-cd?z=1&text=yes | Yes | This is an exact match.
http://domain.com/abc-cd?text=yes&z=1 | Yes | The parameter order is ignored.
http://domain.com/abc-cd?text=YES&z=1 | No | Parameters are case sensitive.
https://domain.com/abc-cd?z=1&text=yes&id=1234 | Yes | Additional query parameters are ignored.
http://domain.com/abc? | No | The path is shorter / longer than the specified URL.
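The syntax and matching tables above can be modelled offline to pre-check a list before it is entered or imported. The following is an added example, not Mimecast code: the function names are hypothetical, the handling of "&" and lower-casing of hosts are assumptions chosen to reproduce the table rows, and the ranking in decide() goes beyond the tables by assuming that a URL entry outranks a domain entry and a longer domain outranks a TLD.

```python
import re
from collections import namedtuple

Parsed = namedtuple("Parsed", "host path params text")


def parse(value):
    """Normalize an entered or requested domain / URL; return None if rejected."""
    # "http://", "https://" and FTP prefixes are stripped.
    text = re.sub(r"^(?:https?|ftp)://", "", value.strip(), flags=re.I)
    text = text.split("#", 1)[0]  # fragments are stripped
    host, rest = re.match(r"([^/?]*)(.*)", text, re.S).groups()
    # Ports are stripped; lower-casing the host is an assumption of this model.
    host = host.split(":", 1)[0].lower()
    if not host or "*" in host:  # '*' is not accepted as part of a domain
        return None
    # Assumption: the first '?' or '&' ends the path, which reproduces the
    # table row where /abc&key=value is covered by an entry for /abc.
    cut = re.search(r"[?&]", rest)
    raw_path, tail = (rest[:cut.start()], rest[cut.start():]) if cut else (rest, "")
    path = raw_path.rstrip("/")  # trailing slash is dropped, as in the table
    params = frozenset(p for p in tail[1:].split("&") if p)
    return Parsed(host, path, params, host + path + (tail if params else ""))


def normalize(value):
    """Accepted form of an entry as shown in the syntax table, or None."""
    parsed = parse(value)
    return parsed.text if parsed else None


def matches(entry, url):
    """True if a requested URL is covered by a Block or Allow List entry."""
    e, u = parse(entry), parse(url)
    if e is None or u is None:
        return False
    # Sub-domains are covered implicitly, but only on a label boundary, so
    # otherdomain.com is not covered by domain.com. A bare TLD such as "cn"
    # covers every host ending in ".cn".
    host_ok = u.host == e.host or u.host.endswith("." + e.host)
    # Paths are case sensitive; sub-paths are covered, longer names are not.
    path_ok = u.path == e.path or u.path.startswith(e.path + "/")
    # Every entry parameter must be present with the same case; order and
    # additional parameters are ignored.
    return host_ok and path_ok and e.params <= u.params


def decide(rules, url):
    """Return the action of the most specific matching (action, entry) rule."""
    best = None
    for action, entry in rules:
        if not matches(entry, url):
            continue
        e = parse(entry)
        # Assumed ranking: URL entry first, then number of host labels,
        # then path length, then number of parameters.
        rank = (bool(e.path or e.params), e.host.count("."), len(e.path), len(e.params))
        if best is None or rank > best[0]:
            best = (rank, action)
    return best[1] if best else None


# Constructed rule sets taken from the examples on this page.
TLD_RULES = [("block", "cn"), ("allow", "thepaper.cn")]
URL_RULES = [("allow", "domain.com"), ("block", "http://domain.com/abc/")]
```

Running the table rows through matches() before an import shows which requests an entry will cover, including the implicit sub-domain match.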

Managing Domains 

This section lists additional domains of well-known applications that you can Allow or Block. Use the table below to add domains to your:

      • Allow or block list in a domain filtering policy. This provides more granular control over the sites users or groups can access. See Amending a Policy.
      • Exceptions List. This applies to everyone in the organization and overrides any existing policies. See Managing Exceptions.
Service | Domain
Adobe | Refer to the Adobe Creative Cloud Network Endpoints page on the Adobe support site for an updated list of network endpoints. Alternatively:

  1. Click here to download a Zip file we've provided containing a list of Adobe's domains.
  2. Extract the .ZIP file.
  3. Amend the .CSV file as required.
  4. Upload the .CSV file to your URL Filtering policy.
Atlassian Services | atlassian.com, atlassian.io, atlassian.net, atl-paas.net, bitbucket.org, braintreegateway.com, cdnjs.cloudflare.com, hipchat.com, jira.com, trello-attachments.s3.amazonaws.com, trello-avatars.s3.amazonaws.com, trello-backgrounds.s3.amazonaws.com, trello.com, trello-emoji.s3.amazonaws.com, trello-logos.s3.amazonaws.com, trello.services, trellostatus.com, trello-stickers.s3.amazonaws.com
Facebook | facebook.com, fbcdn.net, fbsbx.com
Google Drive | Refer to the Drive Firewall and Proxy Settings page of the Google Workspace administrator's help.
Hulu Streaming Service | www.hulu.com, a248.e.akamai.net, a.huluad.com, assets.hulu.com, assets.huluim.com, assetshuluimcom-a.akamaihd.net, bartender2.hulu.com, fa.hulu.com, huluqa.com, ib1.huluim.com, ib2.huluim.com, ib3.huluim.com, ib4.huluim.com, ib.hulu.com, ib.huluim.com, ibhuluimcom-a.akamaihd.net, mozart.hulu.com, p.hulu.com, player.huluqa.com, play.hulu.com, pt.hulu.com, secure.hulu.com, secure.huluim.com, secure.huluqa.com, s.hulu.com, s.huluqa.com, assets.huluqa.com, smoke.hulu.com, ss-e-darwin.hulu.com, static.huluim.com, t2.hulu.com, t2.huluqa.com, t2.qa.hulu.com, tempo-fallback.hulu.com, tempo-fallback.huluqa.com, tempo.hulu.com, tempo.huluqa.com, mozart.huluqa.com, t.hulu.com, urlcheck.hulu.com, vortex.hulu.com, www.huluqa.com
Instagram | cdninstagram.com, instagram.com
iTunes | albert.apple.com, appstore.com, ax.init.itunes.apple.com, ax.itunes.apple.com, gs.apple.com, itunes.apple.com, mzstatic.com, phobos.apple.com, s.mzstatic.com
LinkedIn | linkedin.com, edge.quantserve.com, secure-us.imrworldwide.com, b.scorecardresearch.com, pixel.quantserve.com, licdn.com
MalwareBytes AntiVirus | cdn.mwbsys.com
McAfee AV Updates | download.nai.com, ftp.nai.com, update.nai.com
OneDrive for Business

Refer to the Microsoft 365 URLs and IP Address Ranges (One Drive for Business) or Required URLs and Ports for OneDrive (OneDrive for Personal) page on the Microsoft 365 support site for an updated network endpoints list. Alternatively:

  1. Click on one of the following links to download a Zip file we've provided containing a list of One Drive's domains.
  2. Extract the .ZIP file.
  3. Amend the .CSV file as required.
  4. Upload the .CSV file to your URL Filtering policy.
OneDrive for Personal
Netflix | btstatic.com, netflix.com, nflxext.com, nflximg.com, nflximg.net, nflxso.net, nflxvideo.net
Slack | slack.com, slack-core.com, slack-edge.com, slack-files.com, slack-imgs.com, slack-msgs.com, slack-redir.net
Sophos AV Updates | d1.sophosupd.com, d1.sophosupd.net, d2.sophosupd.com, d2.sophosupd.net, d3.sophosupd.com, d3.sophosupd.net, dci.sophosupd.com, dci.sophosupd.net
Spotify | apresolve.spotify.com, ap.spotify.com, cdn.betrad.com, d2c87l0yth4zbw.cloudfront.net, embed.spotify.com, gslb.spotify.com, l.betrad.com, play.spotify.com, play.spotify.edgekey.net, spapps.co, spapps.spotify.edgekey.net
Symantec AV Updates | liveupdate.symantec.com, liveupdate.symantecliveupdate.com, update.symantec.com
Telegram | telegram.me, telegram.org, t.me
Twitter | api.twitter.com, dev.twitter.com, pic.twitter.com, platform.twitter.com, search.twitter.com, wimg0-a.akamaihd.net, twimg.com, upload.twitter.com, userstream.twitter.com
WhatsApp | whatsapp.com, whatsapp.net
Zoom | zoom.us
 

Policy Precedence and Specificity

As you create your Mimecast Web Security policies, it is important to understand how their settings affect your desired result. Failure to do so could render them ineffective (e.g. if you've previously configured two policies for the same target).

Policy Precedence

When a user attempts to access a domain or URL, the Web Security policies are applied in the following order:

  1. Block/Allow: A check is made to see if the domain / URL is explicitly blocked or allowed as part of a Block or Allow List policy, and the appropriate action is applied.
  2. Managed URLs: If there is no Block or Allow List policy with the explicit domain / URL, a check is made for a Targeted Threat Protection policy with:
      • The Managed URLs option is enabled.
      • Where the domain / URL is defined as a managed URL in Targeted Threat Protection - URL Protect.
  3. Newly Observed Domain: If there is no Targeted Threat Protection policy with the "Managed URL" option enabled, a check is made for an Advanced Security policy with:
      • The Newly Observed Domains Block option is enabled.
      • Where the domain / URL is exhibiting behavior associated with malicious activity (e.g. command and control).
  4. Application Control Policy: A check is made to verify if the domain accessed is associated with any of the applications currently being blocked using the App Control Policy, and the appropriate action is applied.
  5. Category Filtering: If there is no Application Control policy with blocked applications, a check is made to see if the domain / URL is part of a Category Filtering policy. If it is, access is blocked.
  6. Similarity Check: If there is no category filtering policy, a check is made for a Targeted Threat Protection policy with:
      • The Advanced Similarity Checks option is enabled.
      • Where the domain / URL employs some homoglyph or homograph impersonation.
  7. Anti-Virus: Finally, if a domain / URL doesn't trigger any other web security policy, anti-virus checks are made to ensure the link isn't suspicious and doesn't contain malicious content.

Policy Specificity

The more specific a policy, the higher its priority. For example, a policy that targets a:

  1. User takes precedence over those that target a Group of users.
  2. Group takes precedence over those that target a Location.
  3. Location takes precedence over those that target Everyone.

If you have multiple Mimecast Web Security policies of the same type (e.g. Category Filtering), they are applied to web requests based on their specificity. You must avoid configuring two policies of the same type with the same specificity, as this can cause issues with which policy is applied. Take the following example:

[Image: policy specificity]

The above shows Category Filtering policies, set to apply to "Everyone". Even if the policies are configured to allow or block different categories, the order in which they are applied is not absolute. As a result, one policy may be applied before the other and vice versa.

In the example below, one of the two policies has been changed to apply only to a group of users (IT Team). With this configuration, there can be no confusion as to which policy is applied first.

[Image: policy specificity]
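The specificity rule can be checked against a policy inventory before changes go live. This is an added example, not part of the Mimecast product or its API: the dictionary fields and the BEFORE / AFTER inventories are constructed to mirror the two Category Filtering configurations described above, and the function names are hypothetical.

```python
from collections import defaultdict

# Higher number = more specific target, per the Policy Specificity list.
SPECIFICITY = {"everyone": 0, "location": 1, "group": 2, "user": 3}

CF = "Category Filtering"
# Constructed inventories; field names are hypothetical, not an export format.
BEFORE = [
    {"name": "Category A", "type": CF, "scope": "everyone", "target": None, "enabled": True},
    {"name": "Category B", "type": CF, "scope": "everyone", "target": None, "enabled": True},
]
AFTER = [
    {"name": "Category A", "type": CF, "scope": "everyone", "target": None, "enabled": True},
    {"name": "Category B", "type": CF, "scope": "group", "target": "IT Team", "enabled": True},
]


def find_conflicts(policies):
    """Group enabled policies that share type and target; 2+ names is a conflict."""
    buckets = defaultdict(list)
    for p in policies:
        if p["enabled"]:
            buckets[(p["type"], p["scope"], p["target"])].append(p["name"])
    return {key: sorted(names) for key, names in buckets.items() if len(names) > 1}


def applies_to(policy, user, groups, location):
    """True if the policy's target covers this user's context."""
    scope, target = policy["scope"], policy["target"]
    return (
        scope == "everyone"
        or (scope == "user" and target == user)
        or (scope == "group" and target in groups)
        or (scope == "location" and target == location)
    )


def effective(policies, policy_type, user, groups=(), location=None):
    """Names of the most specific applicable policies of one type.

    One name means the outcome is deterministic. Several names mean the
    policies tie on specificity and the order of application is not fixed,
    which also happens when a user belongs to two groups that each have a
    policy of the same type.
    """
    candidates = [
        p for p in policies
        if p["enabled"] and p["type"] == policy_type
        and applies_to(p, user, groups, location)
    ]
    if not candidates:
        return []
    top = max(SPECIFICITY[p["scope"]] for p in candidates)
    return sorted(p["name"] for p in candidates if SPECIFICITY[p["scope"]] == top)
```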

Policy Categories

This section lists the categories used by a category filtering policy.

Security Category Group

Category | Description
Anonymizers | Sites that attempt to make activity untraceable (e.g. proxy servers that act as an intermediary and privacy shield between a client computer and the internet). Example: https://2ip.io/anonim/
Attacker Controlled Infrastructure | Sites that prevent communication with malicious networks (botnet infrastructure) and block communication between botnet controllers and any bots on your network.
Botnets | Sites that are landing pages for botnets or are infected by botnets.
Compromised | Sites that are infected with viruses or distribute viruses.
Hacking | Sites with resources for the illegal or questionable use of computer hardware/software. Sites that describe how to gain unauthorized access to systems and distribute copyrighted material that has been cracked to bypass licensing. Example: http://mirror-h.org
Malware | Sites that may contain malware or promote the distribution of malware. A virus may infect these sites.
Phishing & Fraud | Sites used in phishing attacks.
Potentially Malicious | Sites that attempt to install malware onto a device.
Spam Sites | Sites that typically are contained in spam messages and are associated with mischievous or unsolicited efforts.

Adult Category Group

Category | Description
Alcohol & Tobacco | Sites that are manufacturers/distributors of tobacco products or that promote their use. Also, sites that are restaurants/bars that primarily serve alcoholic drinks or that promote the use of alcohol. Examples: http://rooseveltdenver.com or http://marlboro.com
Hate & Intolerance | Sites promoting aggressive, degrading, or abusive opinions about any section of the population that could be identified by race, religion, gender, age, nationality, physical disability, economic situation, sexual preferences, or any other lifestyle choice. Example: http://kkk.com
Nudity | Sites that provide full frontal and semi-nude images/videos (typically in artistic form) that might allow the download or sale of such materials. Example: http://www.roystuart.net
Pornography / Sexually Explicit | Sites containing sexually explicit content in an image-based or textual form. Any other form of adult / sexually oriented material is also listed here. Example: http://xhamster.com
Sex Education | Sites that discuss sex and sexuality in an informative and non-voyeuristic way. Topics include education about human reproduction and contraception, advice on preventing infection from sexual diseases such as HIV, and advice to the LGBT communities on sexual health matters. Example: http://tradesexualhealth.com
Tasteless | Sites that aren't pornographic or violent but are oriented towards content unsuitable for children or that an employer would be uncomfortable with their staff accessing. Example: http://specialfriedrice.net
Violence | Sites that display or promote content related to violence against humans or animals, as well as those that advocate any means of harming oneself, such as self-mutilation or euthanasia. Example: http://peacefulpillhandbook.com
Weapons | Sites that sell weapons/ammunition or advocate the use of weapons. Sites of weapons manufacturers. Example: http://smith-wesson.com

Bandwidth Intensive Category Group

Category | Description
Advertisements & Pop-Ups | Sites that advertise. Example: http://pubmatic.com
Download Sites | Sites whose primary function is to allow users to download media content, except computer programs and mobile apps. This includes computer wallpaper, icons, fonts, etc. Example: http://zedge.net/wallpapers/
Image Sharing | Sites that facilitate the sharing of or searching for photos. This can include social aspects of clubs or other organizations to share information (e.g. schedules and forums). This category can also include image-hosting sites. Example: http://flickr.com
Peer-to-Peer | Sites that facilitate file sharing using P2P software. This includes, but is not restricted to, sites that host P2P software or allow users to search for files that can be downloaded using P2P software. Example: http://utorrent.com
Streaming Media & Downloads | Sites whose primary function is to allow users to watch streaming media. Example: http://youtube.com
Content Delivery Networks | Sites including CDN (Content Delivery Networks) or hosts/servers that provide back-end services or functions for sites that make the internet or network function (e.g. DNS, gateways, APIs). Example: http://cloudflare.com
File Sharing | Sites that facilitate file sharing using P2P software. This includes, but is not restricted to, sites that host P2P software or allow users to search for files that can be downloaded using P2P software. Example: http://utorrent.com

Legal Risk Category Group

Category | Description
Illegal | Sites containing instructions, recipes, or advice on creating illegal items (e.g. explosives) or selling them. Sites that instruct, advise about or promote illegal acts. Example: http://fakepassport.info
Illegal Drug | Sites that sell illegal/controlled substances, promote substance abuse, or sell related paraphernalia. Example: http://www.drug-testing-detox.com

Business Category Group

Category | Description
Business | Sites of businesses and commercial organizations that don't fit into any other category. This includes groups that represent, report, or provide commentary specifically targeting business and commercial. Example: http://accenture.com
Computers & Technology | Sites related to computer hardware and software. This category includes sales, news and current industry trends, and professional bodies. Example: http://microsoft.com
Finance | Sites that cover aspects of personal/corporate finance, provide price comparisons between financial products, or report or comment on financial matters. Example: http://bankofamerica.com
Hosting | Sites that provide hosting services for websites. Example: http://hostgator.com
Reference | Sites that provide online encyclopedias, dictionaries, thesauruses, atlases, and other information resources. Example: http://wikipedia.org
Cryptocurrency | Sites that enable, distribute, trade, mine, or promote cryptocurrencies. Example: https://www.bitcoin.com
Search Engine & Portals | Sites that are search engine caches. Example: http://webcache.googleusercontent.com

Social Media Category Group

Category | Description
Chat | Sites that are web-based chat rooms. Example: http://lingr.com
Dating & Personals | Sites that contain matchmaking/personal listings or discuss romance and interpersonal relationships, whether or not partnership is the resultant goal. Example: http://match.com
Instant Messaging | Sites that offer services for downloading instant message software and other related information, as well as client-based instant messaging. Example: http://aim.com
Personal Sites | Sites that host personal pages (e.g. blogs) created by an individual to contain content of a personal nature rather than a company, organization, or institution. Example: http://www.blogger.com
Social Networking | Social networking sites (SNS) focus on personal and professional services unless defined in another category. Example: http://www.swarmapp.com

Productivity Category Group

Category | Description
Advice | Sites that offer advice and training to make employees more productive. This includes time management, distraction elimination, mailbox management, etc. Example: https://www.kanbanchi.com/
Arts | Sites that promote or provide information about the arts. These can include art galleries, art instruction, art information, theater, symphonies, orchestras, operas, etc. Example: http://aspenartmuseum.org
Auctions | Sites that offer online auction sites or services to aid buying or selling via online auctions/auction sniping. This category includes traditional auction companies and/or sites promoting traditional auctions. Example: http://webidz.com
Restaurants & Dining | Sites relating to restaurants (eat-in and takeaway) and pubs/bars. Recipes, cuisine, farms, and other food-related sites are also listed in this category. Example: http://goodfoodgourmet.com
Education | Sites for colleges, universities, primary/secondary schools, online educational resources (e.g., exam syllabuses, example questions), and support organizations (e.g., admissions bodies, research councils). Example: http://newlosangeles.org
Entertainment | Sites providing information about entertainers and famous people. Example: http://celebritynetworth.com
Fashion & Beauty | Sites related to the fashion and beauty industry, including pages with models, clothing, and the discussion of current fashion trends. Example: http://fashionspot.com
Forums & Newsgroups | Sites offering access to Usenet newsgroups or similar services or any other discussion forum that doesn't sit well in another category. Example: http://4chan.org
Gambling | Sites offering online / offline gambling or that promote gambling skills and practice. Example: http://irpoker.com
Games | Sites relating to video, computer, online games, or support gaming through hosting online services, cheat information, general advice, etc. Example: http://piratesarena.net
Government | Sites of all central/local government websites, as well as related bodies and agencies. Example: http://gov.ph
Health & Medicine | Sites offering over-the-counter/prescription drugs, common medicines, natural products, and prescription medications. Example: http://rxlist.com
Job Search | Sites that are employment agencies, recruitment consultancies, headhunters, contractors, or agencies assisting anyone seeking employment. This includes those that allow job vacancies to be posted, offer career advice, describe how to get through interviews or prepare a resume. It also includes human resource services, outsourcing, training, and technology related to human resources. Example: http://indeed.com
Kids Sites | Sites that are safe for or are of interest to children (e.g. games, educational portals, and multimedia sites). Example: http://pbskids.org
Law | Sites for law firms, attorneys, legal resources, materials, and news. This category does not include government websites or legal information that governments provide. Example: http://law.com
Leisure & Recreation | Sites covering all activities or interests, other than sport, that someone might pursue for their pleasure and not as a primary occupation. This includes clubs and groups that pursue or meet specific interests. Example: http://knittinghelp.com
Marijuana | Sites offering information, discussion, and/or resale of marijuana and associated products and/or services. Example: http://www.marijuana.com
Military | Sites belonging to official military organizations or containing information relevant to their activities. Example: http://sealswcc.com
News | Sites that report/deliver news of interest to the public (e.g. online news sites, printed / online newspapers, current affairs sites not exclusively focused on entertainer news/gossip). Example: http://bbc.com Sites focused on specific industry news (e.g. finance, travel, health, etc.) are listed in those specific categories. Sites providing news, information, and/or gossip about celebrities and entertainers are listed in the Entertainment category.
Non-profits & NGOs | Sites that are, or provide services for, charities, non-profit organizations, foundations, trusts, fundraising events for nonprofit and philanthropic organizations, and seeking donations. Example: http://madd.org
Politics | Sites that provide political information. Example: http://politifact.com
Real Estate | Sites oriented to the selling, letting, and building of private/commercial property. Example: http://rent.com
Religion | Sites that relate to religion, except for the traditional religions. Example: http://religioustolerance.org
Shopping | Sites that allow the purchase of various products. Example: http://amazon.com
Sports | Sites for professional sports or sports, whether media-related or fan-related, except those related to gambling. Example: http://espn.com
Transportation | Sites providing public transit services and/or information about those services. Example: http://rtddenver.com
Travel | Sites related to travel agents, travel advice, timetable information, or car hire. Example: http://tripadvisor.com
Web Based Email | Sites offering web-based email services. Example: http://gmail.com

Other Category Group

Category | Description
Cults | Sites used by groups with the same religious beliefs or ideas that others view as strange or disturbing. Example: http://www.heavensgate.com
General | Sites containing information provided by webmasters to promote their opinions on a subject or topic.
Parked Domains | Placeholders for sites that have not been created yet or parked domains.
Translators | Sites that translate a web page from one language to another or transform the text in a web page. Example: http://translate.google.com
Unknown | Sites that are not known to fall into any other category.

Device Groups

You can create and manage Device Groups that can be used as targets in all Mimecast Web Security policies.
For more information about Protected Devices, see Protected Devices.

Creating a Device Group 

You can create a Device Group by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Web Security | Protected Devices.
  3. Click on the Device Group tab.
  4. Click on the Create Group button.
  5. Complete the Details as follows:
     Field / Option | Description
     Name | Enter a name for the group.
     Description | Enter an optional description.
  6. Click on the Next button.
  7. Select the required Device from the list.
     You can search for a device by entering text in the Search field.
  8. Click on the Next button.
  9. To ensure all details are correct, review the Summary displayed.
  10. Click on the Create Group button.
  11. The new group is displayed.

Managing Device Groups 

You can manage your groups from the Device Group tab under Protected Devices.

You can edit a Device Group by using the following steps:

  1. Log on to the Mimecast Administration Console
  2. Navigate to Web Security | Protected Devices
  3. Click on "..." / More next to the Device Group that requires editing. 
  4. Select Edit
  5. Update the Device Group as required.
  6. Click on the Save and Close button.

You can delete a Device Group by using the following steps:

  1. Log on to the Mimecast Administration Console
  2. Navigate to Web Security | Protected Devices
  3. Click on "..." / More next to the Device Group to be deleted. 
  4. Select Delete. 
  5. A confirmation box appears.
  6. Click on the Delete button.

Only empty Device Groups and those not associated with a policy can be deleted.
