Groups for Business

Secure Cloud Business Applications Minimum Viable Secure Configuration Baselines

Groups for Business is a Google Workspace collaboration tool that supports storage, access, and sharing of files, document management, and email. Groups for Business allows administrators to control and manage collaboration efforts among groups within their organizations. This Secure Configuration Baseline (SCB) provides specific policies to strengthen Groups security.

The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies' cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments. The SCuBA Secure Configuration Baselines (SCB) for Google Workspace (GWS) will help secure federal civilian executive branch (FCEB) information assets stored within GWS cloud environments through consistent, effective, modern, and manageable security configurations.

The CISA SCuBA SCBs for GWS help secure federal information assets stored within GWS cloud business application environments through consistent, effective, and manageable security configurations. CISA created baselines tailored to the federal government's threats and risk tolerance with the knowledge that every organization has different threat models and risk tolerance. Non-governmental organizations may also find value in applying these baselines to reduce risks.

The information in this document is being provided "as is" for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA.

This baseline is based on Google documentation available at Google Workspace Admin Help: Set up and manage Groups for Business and addresses the following:

• External Group Access
• Adding External Members
• Allowing Posting by External Members
• Group Creation
• Default Permissions for Viewing Conversations
• Ability to Hide Groups from the Directory
• New Groups

Settings can be assigned to certain users within Google Workspace through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes.

This document assumes the organization is using GWS Enterprise Plus.

This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

This control determines whether users outside of an agency's organization can view, search for, or post to groups internal to an agency.

Note: Even with this setting configured, group owners can still explicitly add external POCs to a group (Adding External Members), or explicitly allow posting to a group by an external POC who has not been added to said group (Allowing Posting by External Members).

GWS.GROUPS.1.1v0.2

Group access from outside the organization SHALL be disabled unless explicitly granted by the group owner.

• Rationale: Groups may contain private or sensitive information. Restricting group access reduces the risk of data loss.
• Last modified: July 10, 2023
• MITRE ATT&CK TTP Mapping
  • T1530: Data from Cloud Storage

• Google Workspace Admin Help: Set organization-wide policies for using groups
• CIS Google Workspace Foundations Benchmark

• None

GWS.GROUPS.1.1v0.2 Instructions

To configure the settings for Sharing options:

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Groups for Business.
3. Select Sharing settings -> Sharing options.
4. Select Accessing groups from outside this organization -> Private.
5. Select Save.

This section covers whether or not the owner of the group has the ability to add external members to the group.

• Google Workspace Admin Help: Set organization-wide policies for using groups

• None

GWS.GROUPS.2.1v0.2 Instructions

To configure the settings for Sharing options:

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Groups for Business.
3. Select Sharing settings -> Sharing options.
4. Uncheck the Group owners can allow external members checkbox.
5. Select Save.

This section covers whether or not an owner of a group has the ability to allow an external non-member to post to the group.

• Google Workspace Admin Help: Set organization-wide policies for using groups

• None

GWS.GROUPS.3.1v0.2 Instructions

To configure the settings for Sharing options:

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Groups for Business.
3. Select Sharing settings -> Sharing options.
4. Uncheck the Group owners can allow incoming mail from outside the organization checkbox.
5. Select Save.

This section covers who has the ability to create a new group within the organization.

GWS.GROUPS.4.1v0.2

Group creation SHOULD be restricted to admins within the organization unless necessary for agency mission fulfillment.

• Rationale: Many settings for Google Workspace products can be set at the Group level. Allowing unrestricted group creation complicates setting management and opens channels of unmanaged communication.
• Last modified: July 10, 2023
• MITRE ATT&CK TTP Mapping
  • T1530: Data from Cloud Storage
  • T1069: Permission Groups Discovery
    • T1069:003: Permission Groups Discovery: Cloud Groups

• Google Workspace Admin Help: Set organization-wide policies for using groups
• CIS Google Workspace Foundations Benchmark

• None

GWS.GROUPS.4.1v0.2 Instructions

To configure the settings for Sharing options:

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Groups for Business.
3. Select Sharing settings -> Sharing options.
4. Select Creating groups -> Only organization admins can create groups.
5. Select Save.

This section covers the default permissions assigned to the viewing of conversations within a group.

GWS.GROUPS.5.1v0.2

The default permission to view conversations SHOULD be set to All Group Members.

• Rationale: Groups may contain private or sensitive information not appropriate for the entire Google Workspace organization. Restricting access to group members reduces the risk of data loss.
• Last modified: July 10, 2023
• Note: This setting can be changed by group owners and group managers.
• MITRE ATT&CK TTP Mapping
  • T1530: Data from Cloud Storage
  • T1048: Exfiltration Over Alternative Protocol
    • T1048:001: Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    • T1048:002: Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

• Google Workspace Admin Help: Set organization-wide policies for using groups
• CIS Google Workspace Foundations Benchmark

• None

GWS.GROUPS.5.1v0.2 Instructions

To configure the settings for Sharing options:

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Groups for Business.
3. Select Sharing settings -> Sharing options.
4. Select Default for permission to view conversations -> All group members.
5. Select Save.

This section covers whether or not the owner of a group can hide the group from the directory.

GWS.GROUPS.6.1v0.2

The Ability for Groups to be Hidden from the Directory SHALL be disabled.

• Rationale: Hidden groups are not visible, even to admins, in the list of groups found at groups.google.com, though they are still visible on the directory page on admin.google.com. As such, allowing for hidden groups increases the risk of groups being created without admin oversight.
• Last modified: July 10, 2023
• MITRE ATT&CK TTP Mapping
  • T1530: Data from Cloud Storage
  • T1048: Exfiltration Over Alternative Protocol
    • T1048:001: Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    • T1048:002: Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

• Google Workspace Admin Help: Set organization-wide policies for using groups

• None

GWS.GROUPS.6.1v0.2 Instructions

To configure the settings for Sharing options:

1. Sign in to the Google Admin Console.
2. Select Apps -> Google Workspace -> Groups for Business.
3. Select Sharing settings -> Sharing options.
4. Uncheck the Group owners can hide groups from the directory checkbox.
5. Ensure that the hide newly created groups from the directory checkbox is not selected.
6. Select Save.

This section covers the access type setting for new groups that are created.

GWS.GROUPS.7.1v0.2

New Groups SHOULD be created with an Access type of Restricted unless necessary for agency mission fulfillment.

• Rationale: Groups may contain private or sensitive information not appropriate for the entire Google Workspace organization. Restricting access to group members reduces the risk of data loss.
• Last modified: July 10, 2023
• MITRE ATT&CK TTP Mapping
  • T1530: Data from Cloud Storage
  • T1069: Permission Groups Discovery
    • T1069:003: Permission Groups Discovery: Cloud Groups

• Google Workspace Admin Help: Create a group in your organization

• This control only applies to agencies with Google Groups for Business enabled.

GWS.GROUPS.7.1v0.2 Instructions

To configure Access type for a Google Group:

1. Sign in to the Google Admin Console.
2. Select Directory -> Groups.
3. Select Create group.
4. Fill in the details for the new group and click Next.
5. In the Access type section, select the Restricted radio button.
6. If the group needs to receive messages from non-members, select the appropriate checkboxes in the Who can post row.
7. Select Next.
8. Select Create Group.