Google Workspace - Table of Contents
Google Workspace - Overview
Access Google Workspace from the company-level module, Cloud Assessments.
Google Workspace Checks
The Google Workspace Admin Console Security Checklist aligns closely with the ConnectSecure checks shown in the dashboard view. In total, there are 21 checks:
# | Finding Name | Description |
---|---|---|
1 | Admin 2StepVerification Required | Enforce 2-Step Verification (Multi-Factor Authentication) for all users assigned administrative roles. These include roles such as: Help Desk Admin, Groups Admin, Super Admin, Services Admin, User Management Admin, Mobile Admin, Android Admin, Custom Admin Roles. |
2 | Conflicting Admin Roles | Super admins should sign in as needed to do specific tasks and then sign out. Leaving super admin accounts signed in can increase exposure to phishing attacks. |
3 | Ensure Access Checker is configured to limit file access | When a user shares a file via a Google product other than Docs or Drive (e.g. by pasting a link in Gmail), Google can check that the recipients have access. If not, when possible, Google will ask the user to pick how they want to share the file. |
4 | Ensure accessing groups from outside this organization is set to private | Choose whether people outside your organization can access your groups. Group owners can further restrict access as needed. |
5 | Ensure calendar web offline is disabled | Limit who is allowed offline calendar access. |
6 | Ensure creating groups is restricted | Control who is allowed to create Groups in your organization and if they can have external members. |
7 | Ensure default for permission to view conversations is restricted | By default, only allow group members to view group conversations. |
8 | Ensure external invitation warnings for Google Calendar are configured | Configure Google Calendar to warn users when inviting guests outside your domain. |
9 | Ensure external sharing options for primary calendars are configured | Control how much calendar information users in your organization can share externally. |
10 | Ensure external sharing options for secondary calendars are configured | Control how much calendar information users in your organization can share externally. |
11 | Ensure internal sharing options for primary calendars are configured | Control how much calendar information users in your organization can share internally. |
12 | Ensure internal sharing options for secondary calendars are configured | Control how much calendar information users in your organization can share internally. |
13 | Ensure manager access members cannot modify shared drive settings | Only administrators should be able to modify shared drive settings. |
14 | Ensure only users inside your organization can distribute content externally | You should control who is allowed to distribute organizational content to shared drives owned by another organization. |
15 | Ensure shared drive file access is restricted to members only | Shared drive file access should be restricted to that shared drive's members. |
16 | Ensure users are warned when they share a file outside their domain | Warn the user when they try to share a file and/or shared drive externally. |
17 | Ensure users can create new shared drives | All users should have the ability to create new shared drives. |
18 | Ensure users cannot publish files to the web or make them visible to the world as public or unlisted | You should control the publishing of documents to the web or make them visible to the world as public or unlisted. |
19 | Excessive Super Admins | Having more than one Super Admin account is needed primarily so that a single point of failure can be avoided, but having too many should be avoided. |
20 | Min Super Admins | Having more than one Super Admin account is needed primarily so that a single point of failure can be avoided. Also, for larger organizations, having multiple Super Admins can be useful for workload balancing purposes. |
21 | User 2StepVerification Required | Enforce 2-Step Verification (Multi-Factor Authentication) for all users. |
Google Workspace Setup
Log in to your Google Workspace account using an account with super admin permissions.
https://cloud.google.com
Tap on the Console option
Navigate to IAM & Admin and select Create a Project.
Create a new project. Enter a project name. By default, the Organization and Location should auto-populate. Your project name is your choice; you can use something like ConnectSecure.
Once the new project is created, navigate to API & Services > Library from the left navigation menus.
Use the search box and query for Google Workspace Events API and Admin SDK API. You will need to tap into each of these selections and tap the Enable button.
Repeat these steps for the Admin SDK API.
Next, we will create service accounts for the project. Tap on the left menu and choose IAM. If you do not see this option, you can search for it at the top, as shown below.
Near the top, tap on the + Create service account button.
Enter the service account details and click the Create and continue button. You only need to set up the name, which is a name of your choice. The service account ID will fill itself in based on your service account name.
Assign the Owner role to the project service account.
Tap on Continue.
The following section is optional; tap on Done.
Select the created Service Account and navigate to Keys, where you will need to Add Key.
Use the Add key > Create new key option menu.
Select JSON as the Key Type and click on Create.
This will download the credentials JSON. Keep a copy of the JSON. This is required in the ConnectSecure portal for the integration setup.
Once the credential.json is downloaded, go back to the Service Account, and you can see the OAuth2 Client ID; please copy this for the next steps.
Browse to admin.google.com
Navigate to Security > Access and Data Control > API Controls
Tap on Domain Wide Delegations.
Add New Client ID.
Copy/paste the OAuth2 Client ID from the steps above.
We must assign the five permission scopes below to this new Client ID. You can add them with a single copy/paste using the box below. The individual URLs are also available below.
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.directory.user.security
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.rolemanagement
Proceed to the ConnectSecure Portal to continue the setup
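The following added example (not ConnectSecure's or Google's own code) checks a downloaded service account key before it is uploaded, prints the Client ID and the comma-delimited scope string for the Domain Wide Delegation form, and flags which of the five scopes above are not read-only. The sample key and the names `delegation_summary` and `SAMPLE_KEY` are constructed for illustration.

```python
import json

# The five scopes this page assigns to the delegated client ID.
PAGE_SCOPES = [
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement",
]
REQUIRED_FIELDS = ("type", "client_id", "client_email", "private_key")


def delegation_summary(key_json_text, scopes=PAGE_SCOPES):
    """Validate a service account key and return values that are safe to log."""
    key = json.loads(key_json_text)
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"expected a service_account key, got {key['type']!r}")
    # Heuristic from Google's scope naming: no ".readonly" suffix means the
    # scope also permits changes, so those grants deserve review.
    write_capable = [s for s in scopes if not s.endswith(".readonly")]
    return {
        "client_id": key["client_id"],      # value for Add New Client ID
        "client_email": key["client_email"],
        "scope_box": ",".join(scopes),      # comma-delimited scope field
        "write_capable": write_capable,
    }                                       # private_key is never returned


# Constructed sample key: every value below is a placeholder, not a credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "connectsecure-example",
    "client_email": "scanner@connectsecure-example.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
})

if __name__ == "__main__":
    summary = delegation_summary(SAMPLE_KEY)
    print("Client ID:", summary["client_id"])
    print("Scopes   :", summary["scope_box"])
    for scope in summary["write_capable"]:
        print("write-capable:", scope)
```

Three of the five scopes are write-capable, so the downloaded JSON key should be stored and handled as an administrative credential for the domain.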
ConnectSecure Setup
Log in to the ConnectSecure portal and navigate to Global > Settings > Integrations > Google Workspace.
Credentials
Enter a name for the integration, use the super credential username, and upload the credentials.json downloaded from the Google Workspace account in the steps above.
Once the credentials are saved, finish the company mapping, then navigate to Company > Cloud Assessments > Google Workspace and click SYNC.
Google Workspace - Webscraper Installation
From the Google Workspace dashboard, tap on the Install button found on the header toolbar.
Select macOS or Windows to obtain the installation steps and commands.
Follow the instructions on the screen and run each of the commands one step at a time.
Here is a walk-through using Windows PowerShell.
After the 3 commands are executed, you should see the following.
Tap on Yes, Proceed to continue.
Provide the Google Workspace admin credentials.
Assessment should be active and running.
Tap the SYNC button on the main toolbar to initiate a new scan once you have completed the webscraper installation steps.
The dashboard data can be refreshed manually using the refresh button.
Upon successful installation and sync, you should see the total count of checks increase from the initial base of 5 to 21.
Webscraper Uninstallation
To remove the Google Webscraper, tap on the Install option from the toolbar.
Tap on the operating system first, then the Uninstall option.
Google Workspace - Action Toolbar Overview
Sync
Tap here to start the Google Workspace Assessment scan manually.
Activity
Tap to view the activity associated with the Google Workspace account; token access is logged when authorized by a third-party application or service.
Install
Tap here to begin the Google Webscraper installation; steps outlined above.
Jobs
Tap to view the Google Workspace-related jobs data.
Alerts
Tap to view the timeline style of System Events with filtering options.
Info
Tap to view the Getting Started info; see the link below for additional information.
https://cybercns.atlassian.net/wiki/x/MIDKfw
Need Support?
You can contact our support team by emailing support@connectsecure.com or visiting our Partner Portal, where you can create, view, and manage your tickets.
https://cybercns.freshdesk.com/en/support/login