Google Workspace

Modified on Tue, Jul 29 at 9:11 AM

You can find this module at the Company level only. (Premium Edition Only)

Setting up Google Workspace scanning requires configuration in the Google Workspace Console, the Admin portal, and the ConnectSecure integration.


Google Workspace - Table of Contents


Watch The Video.png

Visit our YouTube Channel for more video content: https://www.youtube.com/@connectsecure


Google Workspace - Overview

Access the Google Workspace from the company-level module, Cloud Assessments.

image-20250320-131147.png

Google Workspace Checks

image-20250616-120535.png

The Google Workspace Admin Console Security Checklist closely aligns to the ConnectSecure checks you will get from the dashboard view. In total, there are 21 checks that include the following:

#

Finding Name

Description

1

Admin 2StepVerification Required

Enforce 2-Step Verification (Multi-Factor Authentication) for all users assigned administrative roles. These include roles such as: Help Desk Admin, Groups Admin, Super Admin, Services Admin, User Management Admin, Mobile Admin, Android Admin, Custom Admin Roles.

2

Conflicting Admin Roles

Super admins should sign in as needed to do specific tasks and then sign out. Leaving super admin accounts sign-in can increase exposure to phishing attacks.

3

Ensure Access Checker is configured to limit file access

When a user shares a file via a Google product other than Docs or Drive (e.g. by pasting a link in Gmail), Google can check that the recipients have access. If not, when possible, Google will ask the user to pick how they want to share the file.

4

Ensure accessing groups from outside this organization is set to private

Choose whether people outside your organization can access your groups. Group owners can further restrict access as needed.

5

Ensure calendar web offline is disabled

Limit who is allowed offline calendar access.

6

Ensure creating groups is restricted

Control who is allowed to create Groups in your organization and if they can have external members.

7

Ensure default for permission to view conversations is restricted

By default, only allow group members to view group conversations.

8

Ensure external invitation warnings for Google Calendar are configured

Configure Google Calendar to warn users when inviting guest outside your domain.

9

Ensure external sharing options for primary calendars are configured

Control how much calendar information users in your organization can share externally.

10

Ensure external sharing options for secondary calendars are configured

Control how much calendar information users in your organization can share externally.

11

Ensure internal sharing options for primary calendars are configured

Control how much calendar information users in your organization can share internally.

12

Ensure internal sharing options for secondary calendars are configured

Control how much calendar information users in your organization can share internally.

13

Ensure manager access members cannot modify shared drive settings

Only administrators should be able to modify shared drive settings.

14

Ensure only users inside your organization can distribute content externally

You should control who is allowed to distribute organizational content to shared drives owned by another organization.

15

Ensure shared drive file access is restricted to members only

Shared drive file access should be restricted to that shared drive's members.

16

Ensure users are warned when they share a file outside their domain

Warn the user when they try to share a file and/or shared drive externally.

17

Ensure users can create new shared drives

All users should have the ability to create new shared drives.

18

Ensure users cannot publish files to the web or make them visible to the world as public or unlisted

You should control the publishing of documents to the web or make them visible to the world as public or unlisted.

19

Excessive Super Admins

Having more than one Super Admin account is needed primarily so that a single point of failure can be avoided, but having too many should be avoided.

20

Min Super Admins

Having more than one Super Admin account is needed primarily so that a single point of failure can be avoided. Also, for larger organizations, having multiple Super Admins can be useful for workload balancing purposes.

21

User 2StepVerification Required

Enforce 2-Step Verification (Multi-Factor Authentication) for all users.


Google Workspace Setup

  • Log in to your Google Workspace account using an account with super admin permissions.

    • https://cloud.google.com

  • Tap on the Console option

image-20250415-141740.png
  • Navigate to IAM & Admin and select Create a Project.

image-20250320-131745.png
  • Create a new project. Enter a project name. By default, the Organization and Location should auto-populate. Your project name is your choice; you can use something like ConnectSecure.

image-20250415-142031.png
  • Once the new project is created, navigate to API & Services > Library from the left navigation menus.

image-20250415-142352.pngimage-20250415-142330.png
  • Use the search box and query for Google Workspace Events API and Admin SDK API. You will need to tap into each of these selections and tap the Enable button.

image-20250415-142640.pngimage-20250415-142706.pngimage-20250415-142731.png
  • Repeat these steps for the Admin SDK API

image-20250415-142836.png
  • Next, we will create service accounts for the project. Tap on the left menu and choose IAM. If you do not see this option, you can search for it at the top, as shown below.

image-20250415-143832.pngimage-20250415-143904.png
  • Near the top, top on the + Create service account button.

image-20250415-143955.png
  • Enter the service account details and click the Create and continue button. You only need to set up the name, which is a name of your choice. The service account ID will fill itself in based on your service account name.

image-20250415-144207.png
  • Assign the Owner role to the project service account.

The Principal Name in this step is NOT the principal name of the service account that the partner creates, but instead the principal name of the Super Admin that created the service account. 

image-20250415-144340.png
  • Tap on Continue.

image-20250415-144409.png
  • The following section is optional; tap on Done.

image-20250415-144517.png
  • Select the created Service Account and navigate to Keys, where you will need to Add Key.

image-20250415-144616.pngimage-20250415-144705.png
  • Use the Add key > Create new key option menu.

image-20250415-144754.png
  • Select JSON as the Key Type and click on Create.

  • This will download the credentials JSON. Keep a copy of the JSON. This is required in the ConnectSecure portal for the integration setup.

image-20250320-133100.png
  • Once the credential.json is downloaded, go back to the Service Account, and you can see the OAuth2 Client ID; please copy this for the next steps.

image-20250415-145001.png
  • Browse to admin.google.com

  • Navigate to Security > Access and Data Control > API Controls

  • Tap on Domain Wide Delegations.

image-20250415-145212.png
  • Add New Client ID.

image-20250415-145246.png
  • Copy/paste the OAuth2 Client ID from the steps above.

image-20250415-145449.png
  • We must assign the five permissions scopes below to this new Client ID. You can add them with a single copy/paste using the box below. The individual URLs are also available below.

https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.directory.user.security, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.rolemanagement

https://www.googleapis.com/auth/admin.reports.audit.readonly

https://www.googleapis.com/auth/admin.directory.user.security

https://www.googleapis.com/auth/admin.directory.user.readonly

https://www.googleapis.com/auth/admin.directory.user

https://www.googleapis.com/auth/admin.directory.rolemanagement

image-20250320-133515.png

(blue star) Proceed to the ConnectSecure Portal to continue the setup


ConnectSecure Setup

Log in to the ConnectSecure portal and navigate to Global > Settings > Integrations > Google Workspace.

image-20250320-133807.png

Credentials

  • Enter a name to the integration, use the super credential username, and upload the credentials.json downloaded from the Google Workspace account from the steps above.

image-20250320-133917.png
  • Once the credentials are saved, please finish the company mapping, navigate to Company > Cloud Assessments > Google Workspace, and click SYNC.

image-20250613-123216.png

Google Workspace - Webscraper Installation

From the Google Workspace dashboard, tap on the Install button found on the header toolbar.

image-20250613-123353.png

Select macOS or Windows to obtain the installation steps and commands.

image-20250613-123502.png

macOS uses Terminal

Windows uses PowerShell

Follow the instructions on the screen and run each of the commands one step at a time.

Here is a walk-through using Windows PowerShell.

After the 3 commands are executed, you should see the following.

image-20250613-124450.pngimage-20250613-124523.png

Tap on Yes, Proceed to continue.

image-20250613-124538.png

Provide the Google Workspace admin credentials.

image-20250613-124602.png

Assessment should be active and running.

image-20250613-124644.png

If your Google Account has MFA enabled, please use the preferred method and resync if the automated login attempts fail.

Tap the SYNC button on the main toolbar to initiate a new scan once you have completed the webscraper installation steps.

image-20250711-122925.png

The dashboard data can be refreshed manually using the refresh button.

image-20250711-123029.png

Upon successful installation and sync, you should see the total count of checks increase from the initial base of 5 to 21.

image-20250711-123109.png


Webscraper Uninstallation

To remove the Google Webscraper, tap on the Install option from the toolbar.

image-20250711-124454.png

Tap on the operating system first, then the Uninstall option.

image-20250711-124552.png

WIP RYAN


Google Workspace - Action Toolbar Overview

image-20250613-124725.png

Sync

Tap here to start the Google Workspace Assessment scan manually.

Activity

Tap to view the activity associated with the Google Workspace account; token access is logged when authorized by a third-party application or service.

image-20250613-124941.png

Install

Tap here to begin the Google Webscraper installation; steps outlined above.

Jobs

Tap to view the Google Workspace-related jobs data.

image-20250318-141827.png

Alerts

Tap to view the timeline style of System Events with filtering options.

image-20240426-160844.png

Info

Tap to view the Getting Started info; see the link below for additional information.

https://cybercns.atlassian.net/wiki/x/MIDKfw


Need Support?

You can contact our support team by emailing support@connectsecure.com or visiting our Partner Portal, where you can create, view, and manage your tickets.

https://cybercns.freshdesk.com/en/support/login

image-20240206-144508.png

Attachments (76)

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article