Service

SCuBA Google Classroom

Secure Cloud Business Applications (SCuBA)

Description

Secure Cloud Business Applications Minimum Viable Secure Configuration Baselines

Version: 1.01

Publication: 12/2023


CISA Google Workspace Security Configuration Baseline for Google Classroom

Google Classroom is a service to streamline assignments, boost collaboration, and foster communication. It supports creating classes, creating and grading assignments, student collaboration, communication with teachers and students, and integration with other Google products.

Google Classroom is designed and intended for use by educational institutions. It is available with Google Workspace for Education and is included in all GWS for Education tiers, including Fundamentals, Standard, and Plus. CISA's Secure Configuration Baseline policies and guidance for Classroom are written for the Plus edition.

The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies' cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments. The SCuBA Secure Configuration Baselines (SCB) for Google Workspace (GWS) will help secure federal civilian executive branch (FCEB) information assets stored within GWS cloud environments through consistent, effective, modern, and manageable security configurations.

The CISA SCuBA SCBs for GWS help secure federal information assets stored within GWS cloud business application environments through consistent, effective, and manageable security configurations. CISA created baselines tailored to the federal government's threats and risk tolerance with the knowledge that every organization has different threat models and risk tolerance. Non-governmental organizations may also find value in applying these baselines to reduce risks.

The information in this document is being provided "as is" for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA.

This baseline is based on Google documentation available at Google Workspace Admin Help: Classroom and addresses the following:

  • Class Membership
  • Classroom API
  • Roster Import
  • Student Unenrollment
  • Class Creation

Settings can be assigned to certain users within Google Workspace through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes.

Assumptions

This document assumes the organization is using GWS Education Plus.

This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Key Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

 

Baseline Policies


1. Class Membership

This section covers who has the ability to join classes and what classes the users in your domain can join.

Policy

GWS.CLASSROOM.1.1v0.2

Who can join classes in your domain SHALL be set to Users in your domain only.


GWS.CLASSROOM.1.2v0.2

Which classes users in your domain can join SHALL be set to Classes in your domain only.

Resources

Prerequisites

  • None

Implementation

To configure the settings for Class Membership:

Policy Group 1 Common Implementation:
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Additional Google Service -> Classroom.
  3. Select Class Settings.
  4. Select About Class Membership.

GWS.CLASSROOM.1.1v0.2 Instructions
  1. For Who can join classes in your domain, select Users in your domain only.
  2. Select Save.

GWS.CLASSROOM.1.2v0.2 Instructions
  1. For Which classes users in your domain can join, select Classes in your domain only.
  2. Select Save.

 

2. Classroom API

This section covers policies related to the Google Classroom API.

Policy

GWS.CLASSROOM.2.1v0.2

Users SHALL NOT be able to authorize apps to access their Google Classroom data.

Resources

Prerequisites

  • None

Implementation

To configure the settings for Classroom API:

GWS.CLASSROOM.2.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Additional Google Service -> Classroom.
  3. Select Data Access.
  4. Uncheck Users can authorize apps to access their Google Classroom data.
  5. Select Save.

 

3. Roster Import

This section covers policies related to importing rosters from Clever.

Policy

GWS.CLASSROOM.3.1v0.2

Roster import with Clever SHOULD be turned off.

  • Rationale: If your organization does not use Clever, allowing roster imports could provide a path for unauthorized data to enter your organization's environment. If your organization does use Clever, then roster imports may be enabled.
  • Last modified: September 28, 2023
  • MITRE ATT&CK TTP Mapping

Resources

Prerequisites

  • None

Implementation

To configure the settings for Roster Import:

GWS.CLASSROOM.3.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Additional Google Service -> Classroom.
  3. Select Roster Import.
  4. Select OFF.
  5. Select Save.

 

4. Student Unenrollment

This section covers policies related to unenrolling a student from a class.

Policy

GWS.CLASSROOM.4.1v0.2

Only teachers SHALL be allowed to unenroll students from classes.

  • Rationale: Allowing students to unenroll themselves creates the opportunity for data loss or other inconsistencies, especially for K-12 classrooms. Restricting this ability to teachers mitigates this risk.
  • Last modified: September 28, 2023
  • MITRE ATT&CK TTP Mapping

Resources

Prerequisites

  • None

Implementation

To configure the settings for Student Unenrollment:

GWS.CLASSROOM.4.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Additional Google Service -> Classroom.
  3. Select Student unenrollment.
  4. Select Teachers Only.
  5. Select Save.

 

5. Class Creation

The first time users sign in to Classroom, they self-identify as either a student or teacher. Users who identify as teachers will be marked as a pending teacher until an administrator verifies them. Google Classroom allows administrators to restrict class creation to only verified teachers.

Policy

GWS.CLASSROOM.5.1v0.2

Class creation SHALL be restricted to verified teachers only.

Resources

Prerequisites

  • None

Implementation

To configure the settings for Class Creation:

GWS.CLASSROOM.5.1v0.2 Instructions
  1. Sign in to the Google Admin Console.
  2. Select Apps -> Additional Google Service -> Classroom.
  3. Select General Settings.
  4. Select Teacher permissions.
  5. Select Verified teachers only for Who can create classes?
  6. Select Save.
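
The five policy groups above can be checked together once the settings have been recorded per organizational unit. The following is an added example, not part of the CISA baseline or of any Google tool: a Python audit over a constructed settings snapshot in which child organizational units inherit whatever they do not override. The snapshot layout, key names, and values are hypothetical labels for the Admin Console options named in this document, not a Google export format.

```python
# Added example: audit a constructed per-OU settings snapshot against the
# Classroom baseline. Key names and values are hypothetical labels for the
# Admin Console options named on this page, not a real Google export format.

# policy id -> (hypothetical setting key, required value, RFC 2119 level)
BASELINE = {
    "GWS.CLASSROOM.1.1v0.2": ("who_can_join_classes", "USERS_IN_DOMAIN_ONLY", "SHALL"),
    "GWS.CLASSROOM.1.2v0.2": ("which_classes_can_join", "CLASSES_IN_DOMAIN_ONLY", "SHALL"),
    "GWS.CLASSROOM.2.1v0.2": ("users_can_authorize_apps", False, "SHALL"),
    "GWS.CLASSROOM.3.1v0.2": ("clever_roster_import", False, "SHOULD"),
    "GWS.CLASSROOM.4.1v0.2": ("who_can_unenroll", "TEACHERS_ONLY", "SHALL"),
    "GWS.CLASSROOM.5.1v0.2": ("who_can_create_classes", "VERIFIED_TEACHERS_ONLY", "SHALL"),
}

def effective_settings(snapshot, ou_path):
    """Merge settings from the root OU down to ou_path; nearest override wins."""
    merged = dict(snapshot.get("/", {}))
    prefix = ""
    for part in [p for p in ou_path.split("/") if p]:
        prefix += "/" + part
        merged.update(snapshot.get(prefix, {}))
    return merged

def audit(snapshot, uses_clever=False):
    """Return sorted (ou, policy_id, level, actual) findings for every OU."""
    findings = []
    for ou in snapshot:
        settings = effective_settings(snapshot, ou)
        for policy_id, (key, required, level) in BASELINE.items():
            actual = settings.get(key)  # a missing key counts as a finding
            if actual == required:
                continue
            # Policy 3.1 rationale: roster import may stay on if Clever is used.
            if policy_id == "GWS.CLASSROOM.3.1v0.2" and uses_clever:
                continue
            findings.append((ou, policy_id, level, actual))
    return sorted(findings, key=lambda f: (f[0], f[1]))

# Constructed sample: a compliant root OU and two child OUs with overrides.
SAMPLE = {
    "/": {key: required for key, required, _ in BASELINE.values()},
    "/Students": {"who_can_unenroll": "STUDENTS_AND_TEACHERS"},
    "/Staff/Pilot": {"users_can_authorize_apps": True, "clever_roster_import": True},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

SHALL findings are baseline violations; the SHOULD finding for GWS.CLASSROOM.3.1v0.2 is suppressed when uses_clever is set, matching the rationale given for that policy.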