Overview Security policies in NeoSC enforce Zero Trust principles across your infrastructure. Policies control access requirements, network security, and session monitoring to ensure compliance and data protection.
Policy Model Each security policy contains rules and enablement status:
class Policy ( BaseModel ): id : str # Unique policy identifier name: str # Policy display name description: str # Policy description type : str # access, network, session rules: List[ str ] # List of policy rules enabled: bool = True # Policy activation status created_at: datetime # Policy creation timestamp
Policy Types NeoSC supports three categories of security policies:
Access Policies
Network Policies
Session Policies
Control authentication and authorization requirements. Examples:
Multi-Factor Authentication (MFA)
WebAuthn/FIDO2 enforcement
Password complexity rules
Session timeout settings
Define network security and connectivity rules. Examples:
Zero Trust networking
Encrypted tunnel requirements
IP whitelisting/blacklisting
VPN/NetBird requirements
Manage session behavior and monitoring. Examples:
Session recording
Idle timeout
Concurrent session limits
Activity logging
Default Policies NeoSC comes with three pre-configured security policies:
DEFAULT_POLICIES = [ { "id" : "pol-mfa-required" , "name" : "MFA Required" , "description" : "Enforce multi-factor authentication for all users" , "type" : "access" , "rules" : [ "Require MFA for login" , "WebAuthn preferred" , "TOTP as fallback" ], "enabled" : True }, { "id" : "pol-network-zero-trust" , "name" : "Zero Trust Network" , "description" : "All connections through encrypted NetBird tunnels" , "type" : "network" , "rules" : [ "No direct connections" , "WireGuard encryption" , "Identity verification" ], "enabled" : True }, { "id" : "pol-session-recording" , "name" : "Session Recording" , "description" : "Record all workspace sessions for audit" , "type" : "session" , "rules" : [ "Record screen activity" , "Log keystrokes for audit" , "30-day retention" ], "enabled" : True } ]
Listing Policies Retrieve all security policies:
curl -X GET "https://api.neosc.com/api/policies" \ -H "Authorization: Bearer YOUR_TOKEN"
Response Example [ { "id" : "pol-mfa-required" , "name" : "MFA Required" , "description" : "Enforce multi-factor authentication for all users" , "type" : "access" , "rules" : [ "Require MFA for login" , "WebAuthn preferred" , "TOTP as fallback" ], "enabled" : true , "created_at" : "2026-01-15T10:00:00Z" } ]
Toggling Policies Enable or disable a policy:
PATCH /api/policies/{policy_id}
const handleTogglePolicy = async ( policyId ) => { const response = await axios . patch ( ` ${ API } /policies/ ${ policyId } ` , {}, { headers: getAuthHeader () } ); toast . success ( response . data . message ); };
Toggling critical security policies like MFA or Zero Trust networking can impact system security. Ensure you understand the implications before disabling policies.
MFA Policy Overview The MFA Required policy enforces multi-factor authentication for all user logins.
Configuration { "id" : "pol-mfa-required" , "name" : "MFA Required" , "type" : "access" , "rules" : [ "Require MFA for login" , "WebAuthn preferred" , "TOTP as fallback" ], "enabled" : true }
Implementation MFA status is tracked per user:
class User ( BaseModel ): mfa_enabled: bool = True # MFA enforcement flag
Sessions inherit MFA verification:
class Session ( BaseModel ): mfa_verified: bool = True # MFA verification status
Effects When Enabled
Login Enforcement
Users must complete MFA during authentication
Session Verification
All sessions are marked with mfa_verified: true
UI Indicators
MFA badges appear in session and workspace views
Zero Trust Network Policy Overview Enforces all connections through encrypted NetBird WireGuard tunnels with no direct internet access to workspaces.
Configuration { "id" : "pol-network-zero-trust" , "name" : "Zero Trust Network" , "type" : "network" , "rules" : [ "No direct connections" , "WireGuard encryption" , "Identity verification" ], "enabled" : true }
NetBird Integration Workspaces require active NetBird connection:
{ "requires_netbird" : True , # NetBird VPN requirement flag }
Security Features
Encrypted Tunnels All traffic flows through WireGuard VPN tunnels
No Open Ports Workspaces have no publicly exposed ports
Identity Verification NetBird verifies device and user identity
Zero Trust Never trust, always verify approach
Workspace Launch Security return { "session_id" : session.id, "workspace" : workspace, "stream_url" : f "/viewer/ { session.id } " , "tunnel_status" : "encrypted" , "security" : { "encrypted_tunnel" : True , "identity_verified" : True , "mfa_enforced" : user.get( 'mfa_enabled' , True ), "session_recording" : True , "no_open_ports" : True } }
Session Recording Policy Overview Records all workspace activity for audit compliance and security monitoring.
Configuration { "id" : "pol-session-recording" , "name" : "Session Recording" , "type" : "session" , "rules" : [ "Record screen activity" , "Log keystrokes for audit" , "30-day retention" ], "enabled" : true }
What Gets Recorded
Full screen recording of workspace sessions at 30 FPS
Command and keystroke audit trail (not passwords)
Connections, data transfers, and access patterns
User, workspace, duration, IP address, timestamps
Retention Policy Session recordings are retained for 30 days:
# Recordings older than 30 days are automatically deleted retention_days = 30 cutoff_date = datetime.now(timezone.utc) - timedelta( days = retention_days) await db.session_recordings.delete_many( { "created_at" : { "$lt" : cutoff_date}} )
Session recording data is encrypted at rest and in transit. Access is logged in audit trails.
Policy UI Implementation The frontend provides an intuitive interface for managing policies:
frontend/src/pages/PoliciesPage.jsx:80
< div className = "grid gap-6" > { policies . map (( policy ) => { const Icon = policyIcons [ policy . type ] || Shield ; const iconColor = policyColors [ policy . type ]; return ( < div className = "p-6 rounded-xl bg-card border" > < div className = "flex items-start justify-between" > < div className = "flex items-start gap-4" > < div className = "w-12 h-12 rounded-lg bg-muted/50" > < Icon className = { `w-6 h-6 ${ iconColor } ` } /> </ div > < div > < h3 className = "text-lg font-semibold" > { policy . name } </ h3 > < Badge variant = "outline" className = "capitalize text-xs" > { policy . type } </ Badge > < p className = "text-muted-foreground" > { policy . description } </ p > { /* Rules */ } < ul className = "space-y-1" > { policy . rules ?. map (( rule , index ) => ( < li key = { index } className = "flex items-center gap-2" > < span className = "w-1.5 h-1.5 rounded-full bg-primary" /> { rule } </ li > )) } </ ul > </ div > </ div > < div className = "flex items-center gap-3" > < span className = { policy . enabled ? 'text-green-400' : 'text-muted' } > { policy . enabled ? 'Enabled' : 'Disabled' } </ span > < Switch checked = { policy . enabled } onCheckedChange = { () => handleTogglePolicy ( policy . id ) } /> </ div > </ div > </ div > ); }) } </ div >
Audit Trail All policy changes are tracked in audit logs:
await create_audit_log( user[ 'id' ], user[ 'email' ], "toggle_policy" , f "policy: { policy_id } " , f "Policy { 'enabled' if new_status else 'disabled' } " )
Example Audit Events [ { "user_email" : "admin@neogenesys.com" , "action" : "toggle_policy" , "resource" : "policy:pol-mfa-required" , "details" : "Policy disabled" , "timestamp" : "2026-03-05T14:30:00Z" , "success" : true } ]
Creating Custom Policies (Future) Custom policy creation will be available for advanced users:
const newPolicy = { name: "Geo-Restriction Policy" , description: "Block access from specific countries" , type: "network" , rules: [ "Block IPs from sanctioned countries" , "Allow EU and US only" , "Log all blocked attempts" ], enabled: true }; await axios . post ( ` ${ API } /policies` , newPolicy , { headers: getAuthHeader () });
Custom policy creation is planned for future releases. Currently, only default policies can be toggled.
Policy Enforcement Flow Best Practices
Always enable MFA for production environments
Support multiple MFA methods (WebAuthn, TOTP)
Implement password complexity requirements
Set appropriate session timeout values
Enable Zero Trust networking for all environments
Require NetBird for internal resources
Implement IP allowlisting for admin access
Monitor and log all connection attempts
Enable session recording for compliance requirements
Configure appropriate retention periods
Encrypt recorded sessions at rest
Limit concurrent sessions per user
Review policies quarterly
Test policy changes in staging first
Document policy rationale and exceptions
Audit policy changes regularly
Compliance Considerations SOC 2
Session recording provides audit trail
MFA enforces access controls
Zero Trust networking ensures data protection
GDPR
Session recordings include personal data
30-day retention supports right to erasure
Audit logs track data access
ISO 27001
Policies enforce information security controls
Network segmentation via Zero Trust
Access control through MFA
Audit Logs Track policy changes and enforcement
Sessions Session recording and monitoring
Authentication MFA and SSO configuration
Organizations Organization-level policy management