Blocking and Detecting Shadow IT Cloud File Sharing Tools

Shadow IT behavior puts sensitive corporate and personal data at risk. Employees knowingly and unknowingly sync files to a number of diverse storage locations that reside outside of your network.

Detecting this activity is tricky, even on your own network. If you don’t have a DLP, SIEM or a strong NGFW, you could be in the dark as to what’s traveling outside your network.

In this article, you’ll learn how to detect and block Shadow IT cloud file sharing tools — at least two of the most popular ones. None of these tools are perfect and blocking all the 700+ cloud Shadow IT tools will be tough. However, at the end of this article we’ll discuss a tool that can make your life easier and can make detecting and blocking Shadow IT cloud providers a lot easier.

Detecting and Blocking Dropbox on Your Network

Dropbox is tricky. Its client syncs and shares files in the background, and most detection efforts see only the network connections — not the user or the files. Firewall, proxy and log records can sometimes point to individual machines, but that is slow because they typically record only an IP address, which IT then has to map back to a user before investigating.

Overall, Dropbox is a Shadow IT cloud tool that can prove tricky to block and prevent, but here are some quick tools.

Blocking Dropbox on HTTP or HTTPS

Dropbox traditionally uses HTTP (port 80) and HTTPS (port 443) to transmit data between the user’s machine and its servers. Since you obviously don’t want to block these ports, you need to block all of Dropbox’s IP addresses instead. Dropbox publishes the list of addresses it uses; consult it for the most up-to-date information, because the addresses change over time.

You can use your network firewall then to block connections to and from these addresses.

Detecting and Blocking via Proxy

Depending on the logging you have for your proxy server, how your proxy is set up and where it sits on your network, you can block a number of different threats, including Dropbox.

A cheap(er) option might be using Squid Proxy, which you can read about in this presentation or in this forum thread. Basically, Squid Proxy can show (through logs) and potentially prevent many Dropbox connections.

[Figure: Squid Proxy Dropbox. Credit to Jake Williams and SANS Institute]

For in-depth instructions, you can read more here from the help docs on Squid Proxy’s site.
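As an added example (not from the original article or from the Squid project), the following Python script does the detection step the article describes as slow when done by hand: it reads Squid access.log lines, picks out requests whose destination is dropbox.com or one of its subdomains, and groups them by client IP so a single machine can be identified. It assumes Squid’s default native log format; the watched-domain list contains only dropbox.com (the one domain the article names), and the sample log lines, hostnames and 192.0.2.x server addresses are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domains to watch: a hostname matches if it equals or is a subdomain of one
# of these. Only dropbox.com is taken from the article; extend as needed.
WATCHED_DOMAINS = ("dropbox.com",)

def destination_host(method, url):
    """Return the destination hostname from a Squid access.log request field."""
    if method == "CONNECT":                   # HTTPS tunnels are logged as host:port
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def is_watched(host):
    """True only for the domain itself or its subdomains (not 'notdropbox.com')."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def find_clients(log_lines):
    """Map client IP -> sorted list of watched hosts it contacted via the proxy."""
    hits = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:                   # blank or truncated line
            continue
        client, method, url = fields[2], fields[5], fields[6]
        host = destination_host(method, url)
        if is_watched(host):
            hits[client].add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}

# Constructed sample lines in Squid's native format; 192.0.2.x are placeholders.
# Lines 3 and 4 are decoys: "dropbox.com" in a URL path, and a look-alike domain.
SAMPLE_LOG = """\
1611234567.123    245 10.0.0.12 TCP_TUNNEL/200 3456 CONNECT client.dropbox.com:443 - HIER_DIRECT/192.0.2.10 -
1611234570.001     12 10.0.0.12 TCP_MISS/200 812 GET http://www.dropbox.com/ - HIER_DIRECT/192.0.2.11 text/html
1611234571.440     30 10.0.0.45 TCP_MISS/200 9120 GET http://example.com/notes/dropbox.com - HIER_DIRECT/192.0.2.20 text/html
1611234572.000    100 10.0.0.45 TCP_TUNNEL/200 2200 CONNECT notdropbox.com:443 - HIER_DIRECT/192.0.2.21 -
1611234575.500    410 10.0.0.77 TCP_TUNNEL/200 65000 CONNECT dl-web.dropbox.com:443 - HIER_DIRECT/192.0.2.12 -
"""

if __name__ == "__main__":
    for client, hosts in sorted(find_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {', '.join(hosts)}")
```

Feed the script your real access.log instead of SAMPLE_LOG to get a client-by-client list you can hand to whoever looks up the user behind each IP.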

DNS Blackhole or Null Route to Block Dropbox

If your DNS is set up the right way, you can create a blackhole — or Null Route — for Dropbox.com. Connections to and from these addresses would be dropped.

Executing this method could frustrate some users, though, because a DNS blackhole does not tell the sender that the connection was dropped. So if an existing Dropbox connection — or any other file sharing connection — is silently dropped, the end user may not discover why the file isn’t uploading.

Detecting Dropbox on Local Machines

Let’s start with a script on GitHub that has gained some notoriety: it pings all Active Directory users in an Organizational Unit and then scans for local installations of Dropbox. You can get the code here.

Henry_EZ had a solid answer on Spiceworks for removing local installations. Although this isn’t blocking per se, it’s worth looking into. You could do this manually on each machine or run it across your network, but users with proper local permissions might be a roadblock.


#Script to Remove Dropbox
#By: Enrique Sanchez

#Dropbox paths (each one is relative to a user's profile directory under $Dir)
$Dir = "C:\Users\"
$Drop = "\AppData\Roaming\Dropbox"
$DropM = "\AppData\Roaming\DropboxMaster"
$DropD = "\Dropbox"
$StartM = "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox"
$Short = "\Desktop\Dropbox.lnk"

#Kill related processes (Explorer is stopped too and restarted at the end)
taskkill /im dropbox.exe /f
taskkill /im explorer.exe /f

#Walk every profile folder under C:\Users and delete the Dropbox folders and shortcuts
Get-ChildItem -Name $Dir | ForEach-Object {
    Remove-Item -Recurse -Force "$Dir$_$DropD" -ErrorAction SilentlyContinue
    Remove-Item -Recurse -Force "$Dir$_$DropM" -ErrorAction SilentlyContinue
    Remove-Item -Recurse -Force "$Dir$_$Drop" -ErrorAction SilentlyContinue
    Remove-Item -Recurse -Force "$Dir$_$StartM" -ErrorAction SilentlyContinue
    Remove-Item -Recurse -Force "$Dir$_$Short" -ErrorAction SilentlyContinue
}

#Restart the Explorer shell
C:\Windows\explorer.exe

#End

You need this dedicated script because Dropbox is not typically listed in the Uninstall registry key where most installations are recorded.

On the whole, Dropbox is a tricky Shadow IT cloud tool to block and detect, but these can get you halfway there.

Looking To Fully Block and Detect Shadow IT Cloud Tools?

FileHub™ can help you thwart these attempts and understand usage behavior. Stop wasting time on workarounds and sleep easier at night knowing that FileHub™ is protecting your organization from Shadow IT.

Email us to learn more.

Blocking and Detecting Google Drive

Google Drive is a difficult Shadow IT cloud file sharing tool to detect and block as well. This is because you often don’t want to block every Google service. In addition, blocking IP addresses wouldn’t work because Google is set up to deliver across a massive variety of IP addresses to ensure quick connections.

There are a few options. Google puts out this list of hosts to block over HTTP and HTTPS. By plugging these into your firewall, you can thwart some of the connections. Note that hosts that are not active now may become active later, and that new hosts may appear at any time. Here’s the current list.

For the following hosts, [N] means any single decimal digit and * means any string not containing a period.

  • www.google.com:443/HTTPS
  • accounts.google.com:443/HTTPS
  • googledrive.com:443/HTTPS
  • drive.google.com:443/HTTPS
  • *.drive.google.com:443/HTTPS
  • docs.google.com:443/HTTPS
  • *.docs.google.com:443/HTTPS
  • *.c.docs.google.com:443/HTTPS
  • sheets.google.com:443/HTTPS
  • slides.google.com:443/HTTPS
  • talk.google.com:5222/XMPP (needed only for Google Drive for Mac/PC)
  • gg.google.com:443/HTTPS
  • script.google.com:443/HTTPS
  • ssl.google-analytics.com:443/HTTPS
  • video.google.com:443/HTTPS
  • s.ytimg.com:443/HTTPS
  • apis.google.com:443/HTTPS
  • *.googleapis.com:443/HTTPS
  • *.googleusercontent.com:443/HTTPS
  • *.gstatic.com:443/HTTPS
  • lh[N].google.com:443/HTTPS
  • [N].client-channel.google.com:443/HTTPS
  • clients[N].google.com:443/HTTPS

Again, make sure to routinely check the link above for the most recent list.
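As an added example, not from the article or from Google, the following Python turns the published host patterns above into matchers so you can check which hostnames seen in your proxy or DNS logs actually fall under the list before turning it into firewall or proxy rules. The sample hostnames are constructed, and the reading of * as at least one character with no period is my assumption.

```python
import re

# Host patterns copied from the list above, with port and protocol stripped.
# [N] stands for one decimal digit and * for a string with no period in it.
GOOGLE_DRIVE_HOSTS = [
    "www.google.com", "accounts.google.com", "googledrive.com",
    "drive.google.com", "*.drive.google.com", "docs.google.com",
    "*.docs.google.com", "*.c.docs.google.com", "sheets.google.com",
    "slides.google.com", "talk.google.com", "gg.google.com",
    "script.google.com", "ssl.google-analytics.com", "video.google.com",
    "s.ytimg.com", "apis.google.com", "*.googleapis.com",
    "*.googleusercontent.com", "*.gstatic.com", "lh[N].google.com",
    "[N].client-channel.google.com", "clients[N].google.com",
]

def pattern_to_regex(pattern):
    """Translate one published host pattern into an anchored regular expression."""
    parts = []
    for piece in re.split(r"(\[N\]|\*)", pattern):   # keep the wildcard tokens
        if piece == "[N]":
            parts.append(r"[0-9]")
        elif piece == "*":
            parts.append(r"[^.]+")   # assumption: at least one character, no dot
        else:
            parts.append(re.escape(piece))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

RULES = [(p, pattern_to_regex(p)) for p in GOOGLE_DRIVE_HOSTS]

def matching_pattern(hostname):
    """Return the list entry a hostname falls under, or None if it is unlisted."""
    hostname = hostname.strip().rstrip(".")          # tolerate a trailing dot
    for pattern, regex in RULES:
        if regex.match(hostname):
            return pattern
    return None

def classify(hostnames):
    """Split observed hostnames into those the list would block and the rest."""
    blocked, unlisted = {}, []
    for host in hostnames:
        pattern = matching_pattern(host)
        if pattern:
            blocked[host] = pattern
        else:
            unlisted.append(host)
    return blocked, unlisted

# Constructed sample of hostnames as they might appear in proxy or DNS logs.
SAMPLE_HOSTS = ["lh3.google.com", "Docs.Google.com", "storage.googleapis.com",
                "mail.google.com", "a.b.docs.google.com", "lh33.google.com"]
```

Note that mail.google.com is unlisted while www.google.com and accounts.google.com are on the list, so blocking every entry verbatim affects more than Drive; review the blocked side of the result before deploying it.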

Blocking and Detecting Shadow IT Cloud File Sharing Tools

Blocking Shadow IT cloud file sharing tools isn’t easy. In fact, the techniques above are not complete. A user could use a mobile device off the network, so you might need to take additional steps to truly protect your network. For instance, you might need to create a Group Policy (GPO) to shut off USB sharing, disable Bluetooth connections, or block emails with attachments from personal accounts.

Or, better yet, check out FileHub™. FileHub™’s patent pending technology is the best combination of a cloud access security broker (CASB) and DLP tool. With it, you’ll be able to identify and classify similar files in order to protect corporate information. Additionally, you’ll be able to integrate it with your existing security tools to understand where your data lives, who is sharing it on cloud services and block inappropriate actions. Use the button below if you’re interested in learning more!

Learn More About FileHub™

Get insight into answering the tough questions about how your employees use their files to help you investigate incidents or breaches, spot trends or help thwart employee data loss.

About the author

I'm the Marketing Manager for FileHub™. I love marketing and connecting IT and security professionals with tools that make their job easier and their company more secure.
