implementing-google-workspace-admin-security
Implements comprehensive Google Workspace security hardening including admin console configuration, phishing-resistant MFA enforcement, DLP policies, email authentication (SPF/DKIM/DMARC), OAuth app control, and external sharing restrictions. Activates for requests involving Google Workspace hardening, G Suite security configuration, or cloud office security administration.
What this skill does
# Implementing Google Workspace Admin Security

## When to Use

- Deploying or hardening a Google Workspace environment for enterprise use
- CIS benchmark compliance assessment for Google Workspace configuration
- Protecting against business email compromise (BEC) and phishing attacks targeting Google accounts
- Implementing Data Loss Prevention controls for Gmail and Google Drive
- Restricting OAuth application access and third-party integrations
- Configuring admin account security with Advanced Protection Program enrollment

**Do not use** for Microsoft 365 environments; Google Workspace has distinct admin console settings and API configurations that differ from Azure AD/Entra ID controls.

## Prerequisites

- Google Workspace Business Plus, Enterprise Standard, or Enterprise Plus license
- Super Admin access to the Google Admin Console (admin.google.com)
- DNS management access for SPF, DKIM, and DMARC record configuration
- Google Cloud Identity or Cloud Identity Premium for advanced security features
- FIDO2 security keys for super admin accounts (YubiKey 5 Series recommended)

## Workflow

### Step 1: Harden Super Admin Accounts

Secure the highest-privilege accounts in the Google Workspace tenant:

```bash
# Google Workspace Admin SDK - configure admin account security
# Using gam (Google Apps Manager) CLI tool

# List all super admin accounts for audit
gam print admins role "Super Admin" > super_admins.csv
echo "Review and minimize super admin count (recommended: 2-3 maximum)"

# Enforce Advanced Protection Program for super admins
# APP provides the strongest account protections:
# - Requires FIDO2 security key for sign-in
# - Blocks third-party app access to Gmail and Drive
# - Enhanced account recovery verification
gam update user [email protected] \
  advanced_protection true

# Create dedicated break-glass admin account
# Keep the generated password: with changepassword true nobody can complete the
# first sign-in without it, so store it in the offline emergency vault
BREAK_GLASS_PASSWORD="$(openssl rand -base64 32)"
gam create user [email protected] \
  firstname "Break" lastname "Glass Admin" \
  password "$BREAK_GLASS_PASSWORD" \
  changepassword true \
  org "/Emergency Accounts"

# Assign super admin role to break-glass account
gam create admin [email protected] "Super Admin"

# Configure admin activity alerts
# Alert Center API - create alert for admin actions
cat > admin_alert_policy.json << 'EOF'
{
  "alertPolicies": [
    {
      "name": "Super Admin Sign-In Alert",
      "conditions": {
        "eventType": "login",
        "filterCriteria": "actor.adminRole=SUPER_ADMIN"
      },
      "notifications": {
        "email": ["[email protected]"],
        "webhook": "https://siem.corp.com/webhook/google-admin"
      }
    },
    {
      "name": "Admin Role Change Alert",
      "conditions": {
        "eventType": "admin_role_change"
      },
      "notifications": {
        "email": ["[email protected]"]
      }
    }
  ]
}
EOF
```

### Step 2: Enforce Phishing-Resistant Multi-Factor Authentication

Configure MFA policies that eliminate phishable authentication factors:

```bash
# Enforce 2-Step Verification for all organizational units
# Using Admin SDK Directory API

# Enable 2SV enforcement for the entire organization
gam update org "/" settings \
  2sv_enforcement true \
  2sv_enrollment_grace_period 14 \
  2sv_new_user_enrollment_period 1

# Configure allowed 2SV methods - remove the phishable factors
# For high-security OUs: Security keys only
gam update org "/Executive" settings \
  2sv_allowed_methods "SECURITY_KEY_ONLY"

# For general staff: Security keys or phone prompts (no SMS/voice)
gam update org "/" settings \
  2sv_allowed_methods "SECURITY_KEY,PHONE_PROMPT" \
  2sv_disallowed_methods "SMS,VOICE_CALL,BACKUP_CODES"

# Bulk check 2SV enrollment status
gam print users \
  fields primaryEmail,isEnrolledIn2Sv,isEnforcedIn2Sv \
  query "isEnrolledIn2Sv=false" > users_without_2sv.csv

# Count users without 2SV (skip the CSV header row)
echo "Users without 2SV enrolled:"
tail -n +2 users_without_2sv.csv | wc -l

# Configure context-aware access policies
# Require 2SV + managed device for sensitive apps
cat > context_aware_policy.json << 'EOF'
{
  "accessLevels": [
    {
      "name": "Managed Device Required",
      "conditions": {
        "devicePolicy": {
          "requireScreenLock": true,
          "requireAdminApproval": true,
          "allowedEncryptionStatuses": ["ENCRYPTED"],
          "requireCorpOwned": false
        },
        "requiredAccessLevels": ["VERIFIED_2SV"]
      }
    }
  ],
  "applicationPolicies": [
    {
      "applications": ["Google Drive", "Gmail", "Admin Console"],
      "accessLevel": "Managed Device Required"
    }
  ]
}
EOF
```

### Step 3: Configure Email Authentication and Anti-Phishing

Set up SPF, DKIM, DMARC and advanced phishing protections:

```bash
# Step 3a: Configure SPF record
# Add to DNS TXT record for corp.com
echo 'DNS TXT Record for SPF:'
echo 'corp.com TXT "v=spf1 include:_spf.google.com ~all"'
echo ''
echo 'After testing, change ~all to -all (hard fail) for enforcement'

# Step 3b: Generate and configure DKIM signing
# Generate 2048-bit DKIM key via Admin Console or API
gam create dkim domain corp.com selector google bitlength 2048
echo 'Add DKIM DNS TXT record:'
echo 'google._domainkey.corp.com TXT "v=DKIM1; k=rsa; p=<public_key_from_admin_console>"'

# Verify DKIM is working
gam info dkim domain corp.com

# Step 3c: Configure DMARC policy
echo 'DNS TXT Record for DMARC (start with monitoring):'
echo '_dmarc.corp.com TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; adkim=s; aspf=s"'
echo ''
echo 'After 30 days monitoring, escalate to quarantine then reject:'
echo '_dmarc.corp.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100; adkim=s; aspf=s"'

# Step 3d: Enable advanced phishing and malware protection
# Configure in Admin Console > Security > Email Safety
gam update settings email_safety \
  protect_against_domain_spoofing true \
  protect_against_employee_spoofing true \
  protect_against_inbound_spoofing true \
  protect_unauthenticated_email true \
  identify_spoofed_groups true \
  auto_move_suspicious_to_spam true

# Configure attachment security
gam update settings email_safety \
  protect_encrypted_attachments true \
  protect_anomalous_attachment_types true \
  protect_scripts_from_untrusted true \
  whitelist_sender_domains "" \
  apply_future_recommended_settings true
```
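To confirm the records from Step 3 actually reach the intended end state (hard-fail SPF, `p=reject` DMARC with strict alignment and reporting) before and after each escalation, the following added checker (example code, not part of the original skill) evaluates the record strings offline. It also flags the RFC 7208 ten-lookup limit, which silently breaks SPF when too many `include:` terms accumulate; the `rua` mailbox is a constructed placeholder.

```python
"""Checks for the SPF and DMARC records configured in Step 3 (added example, not part of
the original skill). Records are checked as strings so this runs offline; fetch live ones with
`dig +short TXT corp.com` and `dig +short TXT _dmarc.corp.com`. The rua mailbox is a placeholder."""

def _needs_lookup(term: str) -> bool:
    """True for SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation."""
    mech = term.lstrip("+-~?").lower()
    return mech.startswith(("include:", "exists:", "redirect=")) or mech.split(":")[0].split("/")[0] in ("a", "mx", "ptr")

def check_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means it meets the Step 3 target."""
    terms = record.split()
    if terms[:1] != ["v=spf1"]:
        return ["SPF: record does not start with v=spf1"]
    findings = []
    if "include:_spf.google.com" not in terms:
        findings.append("SPF: include:_spf.google.com missing, mail sent via Gmail fails SPF")
    if terms[-1] != "-all":
        findings.append(f"SPF: terminal qualifier is {terms[-1]}, switch to -all after testing")
    if sum(map(_needs_lookup, terms)) > 10:
        findings.append("SPF: more than 10 DNS lookups, receivers return permerror")
    return findings

def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    pairs = (p.partition("=") for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def check_dmarc(record: str) -> list:
    """Findings against the Step 3 end state: p=reject, pct=100, rua set, strict alignment."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    if tags.get("p") != "reject":
        findings.append(f"DMARC: p={tags.get('p')}, spoofed mail is not rejected until p=reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']}, the policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not collected")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"DMARC: {tag} is relaxed, Step 3 targets strict alignment ({tag}=s)")
    return findings

# Constructed records mirroring Step 3: the monitoring phase and the enforced end state.
MONITORING_SPF = "v=spf1 include:_spf.google.com ~all"
ENFORCED_SPF = "v=spf1 include:_spf.google.com -all"
MONITORING_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-rua@corp.com; pct=100; adkim=s; aspf=s"
ENFORCED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@corp.com; pct=100; adkim=s; aspf=s"
```

Run `check_spf` and `check_dmarc` on the live records after each DNS change; the monitoring-phase records produce exactly the one finding you expect (`~all`, `p=none`) and the enforced records produce none.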
### Step 4: Implement Data Loss Prevention (DLP)

Configure DLP rules to prevent sensitive data exfiltration:

```bash
# Create DLP rules for Gmail and Drive
# Using Google Workspace DLP API
cat > dlp_rules.json << 'EOF'
{
  "dlpRules": [
    {
      "name": "PII Detection - SSN",
      "description": "Detect Social Security Numbers in outbound email and Drive sharing",
      "trigger": {
        "contentMatchers": [
          {
            "infoType": "US_SOCIAL_SECURITY_NUMBER",
            "likelihood": "LIKELY",
            "minMatchCount": 1
          }
        ],
        "scope": ["GMAIL_OUTBOUND", "DRIVE_EXTERNAL_SHARE"]
      },
      "action": {
        "blockAction": "QUARANTINE",
        "notifyAdmin": true,
        "notifyUser": true,
        "userMessage": "This message contains a Social Security Number and has been quarantined for review.",
        "auditLog": true
      }
    },
    {
      "name": "Credit Card Number Detection",
      "description": "Block credit card numbers in outbound communications",
      "trigger": {
        "contentMatchers": [
          {
            "infoType": "CREDIT_CARD_NUMBER",
            "likelihood": "LIKELY",
            "minMatchCount": 1
          }
        ],
        "scope": ["GMAIL_OUTBOUND", "DRIVE_EXTERNAL_SHARE", "CHAT"]
      },
      "action": {
        "blockAction": "BLOCK",
        "notifyAdmin": true,
        "notifyUser": true,
        "auditLog": true
      }
    },
    {
      "name": "Confidential Document Detection",
      "description": "Detect documents marked as Confidential or Internal Onl
```
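The two complete rules above combine an infoType, a likelihood threshold, a match count, a scope and an action. The following added evaluator (example code, not the Google Workspace DLP engine or part of the original skill) reproduces that rule shape on constructed messages, with stand-in detectors that show why `LIKELY` matters: a regex alone hits every nine-digit pattern, while structural checks (SSA area/group/serial rules, the Luhn checksum for card numbers) discard the false positives.

```python
"""Evaluator for the Step 4 DLP rule shape (added example, not the Google Workspace DLP
engine). Two detectors stand in for the rule infoTypes: an SSN check that rejects
structurally invalid numbers and a card-number check that requires a Luhn-valid number,
which is what distinguishes a LIKELY match from a bare regex hit. Messages are constructed."""
import re

def _luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); every real card number passes, most typos and filler do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _ssn_ok(m) -> bool:
    """SSA structure rules: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = m.groups()
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

# infoType -> (pattern, validator); a match must pass the validator to count as LIKELY.
DETECTORS = {
    "US_SOCIAL_SECURITY_NUMBER": (re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"), _ssn_ok),
    "CREDIT_CARD_NUMBER": (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
                           lambda m: _luhn_ok(re.sub(r"\D", "", m.group(0)))),
}

# The two complete rules from dlp_rules.json, reduced to the fields the evaluator needs.
RULES = [
    {"name": "PII Detection - SSN", "infoType": "US_SOCIAL_SECURITY_NUMBER", "minMatchCount": 1,
     "scope": {"GMAIL_OUTBOUND", "DRIVE_EXTERNAL_SHARE"}, "blockAction": "QUARANTINE"},
    {"name": "Credit Card Number Detection", "infoType": "CREDIT_CARD_NUMBER", "minMatchCount": 1,
     "scope": {"GMAIL_OUTBOUND", "DRIVE_EXTERNAL_SHARE", "CHAT"}, "blockAction": "BLOCK"},
]

def likely_matches(info_type: str, text: str) -> list:
    """Matches for an infoType that pass its validator, i.e. count at likelihood LIKELY."""
    pattern, validate = DETECTORS[info_type]
    return [m.group(0) for m in pattern.finditer(text) if validate(m)]

def evaluate(text: str, scope: str) -> list:
    """Apply every rule whose scope covers this channel; returns (rule name, action) pairs that fire."""
    fired = []
    for rule in RULES:
        if scope in rule["scope"] and len(likely_matches(rule["infoType"], text)) >= rule["minMatchCount"]:
            fired.append((rule["name"], rule["blockAction"]))
    return fired

if __name__ == "__main__":
    # Constructed: a valid SSN fires QUARANTINE on outbound mail; area 000 is structurally invalid.
    print(evaluate("Payroll form for 123-45-6789", "GMAIL_OUTBOUND"), evaluate("Ticket 000-12-3456", "GMAIL_OUTBOUND"))
```

The card number used in the test is the standard Visa test value, so it passes Luhn without belonging to anyone; change its last digit and the rule no longer fires.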