Skip to content

NoMachine

Validate NoMachine client behavior for NX protocol egress, file transfer features, clipboard, and device redirection under the Secure Sandbox.

Objectives

  • Enforce proxy+pinned roots and deny-by-default egress for NX connections where applicable.
  • Deny or constrain file transfer features and device redirections.
  • Verify clipboard boundaries.

Preconditions

  • Windows target with Turbo Launcher and Secure Sandbox.
  • NoMachine client installed (generic version).
  • Networking deny-by-default posture.

Controls Under Test

  • runtime.networking.egressDefaultAction, proxy enforcement and pinned roots, UDP off when required.
  • runtime.dataMotion.rules[] with channel: "clipboard".
  • Device policies for printers/audio if applicable.

Test Scenarios

IDCanonical IDScenarioProcedureExpected Outcome
SCEN-REMOTE-NOMACHINE-01NET-EGRESS-01NX egress allowlistConnect to an allowlisted server; attempt to connect to non-allowlisted host.Allowed only to allowlisted; denied otherwise.
SCEN-REMOTE-NOMACHINE-02DM-DRAG-01File transfer featureAttempt client file transfer (if exposed as drag/drop-style).Denied per policy; audit shows dataMotion dragDrop deny.
SCEN-REMOTE-NOMACHINE-03DM-CLIP-01Clipboard outboundCopy in session; paste on host.Denied/processed per policy.
SCEN-REMOTE-NOMACHINE-04DM-DEVICE-01Device redirectRedirect printer/audio if supported.Denied unless explicitly allowed.

Evidence Requirements

  • network events (protocol, action, outcome), dataMotion for clipboard, device for redirects.

Troubleshooting

  • Verify server address patterns and allowlists; ensure pinning roots match server certificates when applicable.

Known Limitations & Negative Space

  • Feature set varies by NoMachine versions; validate against the version deployed in your org.