Appearance
NoMachine
Validate NoMachine client behavior for NX protocol egress, file transfer features, clipboard, and device redirection under the Secure Sandbox.
Objectives
- Enforce proxy+pinned roots and deny-by-default egress for NX connections where applicable.
- Deny or constrain file transfer features and device redirections.
- Verify clipboard boundaries.
Preconditions
- Windows target with Turbo Launcher and Secure Sandbox.
- NoMachine client installed (generic version).
- Networking deny-by-default posture.
Controls Under Test
runtime.networking.egressDefaultAction, proxy enforcement and pinned roots, UDP off when required.runtime.dataMotion.rules[]withchannel: "clipboard".- Device policies for printers/audio if applicable.
Test Scenarios
| ID | Canonical ID | Scenario | Procedure | Expected Outcome |
|---|---|---|---|---|
| SCEN-REMOTE-NOMACHINE-01 | NET-EGRESS-01 | NX egress allowlist | Connect to an allowlisted server; attempt to connect to non-allowlisted host. | Allowed only to allowlisted; denied otherwise. |
| SCEN-REMOTE-NOMACHINE-02 | DM-DRAG-01 | File transfer feature | Attempt client file transfer (if exposed as drag/drop-style). | Denied per policy; audit shows dataMotion dragDrop deny. |
| SCEN-REMOTE-NOMACHINE-03 | DM-CLIP-01 | Clipboard outbound | Copy in session; paste on host. | Denied/processed per policy. |
| SCEN-REMOTE-NOMACHINE-04 | DM-DEVICE-01 | Device redirect | Redirect printer/audio if supported. | Denied unless explicitly allowed. |
Evidence Requirements
networkevents (protocol, action, outcome),dataMotionfor clipboard,devicefor redirects.
Troubleshooting
- Verify server address patterns and allowlists; ensure pinning roots match server certificates when applicable.
Known Limitations & Negative Space
- Feature set varies by NoMachine versions; validate against the version deployed in your org.
