From cybersecurity-skills
Implements Google Workspace admin security hardening: super admin protection, phishing-resistant MFA, DLP policies, SPF/DKIM/DMARC, OAuth app controls, external sharing limits.
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills
This skill uses the workspace's default tool permissions.
- Deploying or hardening a Google Workspace environment for enterprise use
Do not use for Microsoft 365 environments; Google Workspace has distinct admin console settings and API configurations that differ from Azure AD/Entra ID controls.
Secure the highest-privilege accounts in the Google Workspace tenant:
# Google Workspace admin account security
# Using the GAM (Google Apps Manager) CLI where a GAM command exists; settings
# that only exist in the Admin Console are given by their console path.
# List all super admin accounts for audit
gam print admins role "Super Admin" > super_admins.csv
echo "Review and minimize super admin count (recommended: 2-3 maximum)"
# Advanced Protection Program (APP) for super admins.
# APP provides the strongest account protections:
# - Requires a FIDO security key or passkey for sign-in
# - Blocks most third-party app access to Gmail and Drive
# - Stricter identity verification for account recovery
# Enrollment is done by the user at g.co/advancedprotection; there is no
# Admin SDK or GAM command that enrolls a user. The admin side is to allow
# enrollment for the admin OU (Admin Console > Security > Authentication >
# Advanced Protection Program), back it with a security-key-only 2SV policy
# on that OU, and then verify that every super admin has enrolled.
# Create a dedicated break-glass super admin account. Generate the password
# first and store it in an offline vault, then pass it to gam; do not force
# a password change on first sign-in, or the vaulted credential is useless
# in an emergency.
BREAKGLASS_PW="$(openssl rand -base64 32)"
gam create user breakglass-admin@corp.com \
  firstname "Break" lastname "Glass Admin" \
  password "$BREAKGLASS_PW" \
  changepassword false \
  org "/Emergency Accounts"
# Exclude the /Emergency Accounts OU from SSO so the account still works if
# the IdP is down, and enroll it with a security key kept with the vaulted
# password.
# Assign super admin role to break-glass account (customer-wide scope)
gam create admin breakglass-admin@corp.com "Super Admin" customer
# Configure admin activity alerts
# Alerts on admin activity are created as rules (Admin Console > Rules, with
# conditions on the admin audit log) and surface in the Alert center. The
# Alert Center API reads and acknowledges alerts; it does not create rules.
# The JSON below is a design note describing the two rules to create, not
# an API payload.
cat > admin_alert_policy.json << 'EOF'
{
  "alertPolicies": [
    {
      "name": "Super Admin Sign-In Alert",
      "conditions": {
        "eventType": "login",
        "filterCriteria": "actor.adminRole=SUPER_ADMIN"
      },
      "notifications": {
        "email": ["security-team@corp.com"],
        "webhook": "https://siem.corp.com/webhook/google-admin"
      }
    },
    {
      "name": "Admin Role Change Alert",
      "conditions": {
        "eventType": "admin_role_change"
      },
      "notifications": {
        "email": ["security-team@corp.com"]
      }
    }
  ]
}
EOF
Configure MFA policies that eliminate phishable authentication factors:
# Enforce 2-Step Verification for all organizational units
# 2SV policy is an Admin Console setting with no Admin SDK or GAM command:
# Admin Console > Security > Authentication > 2-Step Verification, chosen
# per organizational unit. Settings to apply:
#   Allow users to turn on 2-Step Verification: on
#   Enforcement: On (not "Off" or "On from <date>" once rollout is done)
#   New user enrollment period: as short as onboarding allows; every day
#     of grace is a window in which the account is password-only
#   Frequency: do not let users trust devices indefinitely on admin OUs
# Configure allowed 2SV methods - restrict to phishing-resistant only
# For high-security OUs (/Executive, the admin OU): "Only security key"
# For general staff: "Any except verification codes via text, phone call"
# Google prompt and TOTP codes are still phishable (real-time relay, push
# fatigue); only security keys and passkeys bind the credential to the
# origin. Backup codes remain available unless the OU is security-key-only.
# Bulk check 2SV enrollment status (Directory API user query; GAM syntax)
gam print users query "isEnrolledIn2Sv=false" \
  fields primaryEmail,isEnrolledIn2Sv,isEnforcedIn2Sv > users_without_2sv.csv
# Count users without 2SV (subtract the CSV header line)
echo "Users without 2SV enrolled:"
echo $(( $(wc -l < users_without_2sv.csv) - 1 ))
# Configure Context-Aware Access policies
# Access levels (device posture, IP range, user identity) are defined under
# Admin Console > Security > Access and data control > Context-Aware Access
# (or with the Access Context Manager API) and then assigned per app.
# The JSON below is a design note for the policy to build, not an API
# payload. requireCorpOwned=false lets any personal device with a screen
# lock and encryption through; set it to true for the Admin Console.
cat > context_aware_policy.json << 'EOF'
{
  "accessLevels": [
    {
      "name": "Managed Device Required",
      "conditions": {
        "devicePolicy": {
          "requireScreenLock": true,
          "requireAdminApproval": true,
          "allowedEncryptionStatuses": ["ENCRYPTED"],
          "requireCorpOwned": false
        },
        "requiredAccessLevels": ["VERIFIED_2SV"]
      }
    }
  ],
  "applicationPolicies": [
    {
      "applications": ["Google Drive", "Gmail", "Admin Console"],
      "accessLevel": "Managed Device Required"
    }
  ]
}
EOF
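The super admin audit and the 2SV enrollment export above both produce CSV files that someone still has to read. The following is an added example, not part of the skill or of GAM, that joins the two checks: it loads a user export and reports the super admin count against the recommended ceiling, users not enrolled in 2SV, users in OUs where 2SV is not enforced, and the overlap that matters most (super admins without 2SV). The sample CSV is constructed; its columns are Directory API user fields (isAdmin is the super admin flag) and the True/False string form GAM prints for booleans is assumed.

```python
import csv
import io

# Constructed sample of a GAM user export with the fields
# primaryEmail,isAdmin,isEnrolledIn2Sv,isEnforcedIn2Sv (not a real tenant).
USERS_CSV = """primaryEmail,isAdmin,isEnrolledIn2Sv,isEnforcedIn2Sv
alice@corp.com,True,True,True
bob@corp.com,True,False,True
carol@corp.com,False,True,True
dave@corp.com,False,False,False
breakglass-admin@corp.com,True,True,True
erin@corp.com,True,True,True
"""

MAX_SUPER_ADMINS = 3  # the recommended ceiling from the step above


def parse_gam_csv(text):
    """Load a GAM CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_true(value):
    """GAM prints Directory API booleans as the strings True/False (assumed)."""
    return str(value).strip().lower() == "true"


def mfa_posture(rows, max_super_admins=MAX_SUPER_ADMINS):
    """Summarise super admin count and 2SV gaps; returns lists plus findings."""
    super_admins = [r["primaryEmail"] for r in rows if is_true(r["isAdmin"])]
    not_enrolled = [r["primaryEmail"] for r in rows if not is_true(r["isEnrolledIn2Sv"])]
    not_enforced = [r["primaryEmail"] for r in rows if not is_true(r["isEnforcedIn2Sv"])]
    admins_without_2sv = [u for u in super_admins if u in not_enrolled]

    findings = []
    if len(super_admins) > max_super_admins:
        findings.append(f"{len(super_admins)} super admins exceeds the recommended maximum of {max_super_admins}")
    for user in admins_without_2sv:
        findings.append(f"super admin {user} is not enrolled in 2SV")
    for user in not_enforced:
        findings.append(f"{user} is in an OU where 2SV is not enforced")
    return {
        "super_admins": super_admins,
        "not_enrolled": not_enrolled,
        "not_enforced": not_enforced,
        "admins_without_2sv": admins_without_2sv,
        "findings": findings,
    }


if __name__ == "__main__":
    report = mfa_posture(parse_gam_csv(USERS_CSV))
    print(f"super admins: {len(report['super_admins'])}")
    print(f"users without 2SV: {len(report['not_enrolled'])}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run it against the real exports by replacing USERS_CSV with the contents of a `gam print users fields primaryEmail,isAdmin,isEnrolledIn2Sv,isEnforcedIn2Sv` run; the isEnforcedIn2Sv column is the one that catches OUs left out of enforcement after a reorganisation.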
Set up SPF, DKIM, DMARC and advanced phishing protections:
# Step 3a: Configure SPF record
# Add to DNS TXT record for corp.com
echo 'DNS TXT Record for SPF:'
echo 'corp.com TXT "v=spf1 include:_spf.google.com ~all"'
echo ''
echo 'After testing, change ~all to -all (hard fail) for enforcement'
# Every other service that sends as corp.com (ticketing, marketing, payroll)
# must be added as an include before moving to -all, and the record must
# stay within 10 DNS-lookup terms (RFC 7208) or it evaluates to permerror.
# Step 3b: Generate and configure DKIM signing
# DKIM keys are generated in the Admin Console (no GAM or Admin SDK command):
# Admin Console > Apps > Google Workspace > Gmail > Authenticate email,
# select the domain, Generate new record, key length 2048 bits.
# The default selector is "google".
echo 'Add DKIM DNS TXT record:'
echo 'google._domainkey.corp.com TXT "v=DKIM1; k=rsa; p=<public_key_from_admin_console>"'
echo 'Then click "Start authentication" on the same console page.'
# Verify the published DKIM record (DNS propagation can take up to 48 hours)
dig +short TXT google._domainkey.corp.com
# Step 3c: Configure DMARC policy
echo 'DNS TXT Record for DMARC (start with monitoring):'
echo '_dmarc.corp.com TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@corp.com; ruf=mailto:dmarc-forensics@corp.com; pct=100; adkim=s; aspf=s"'
echo ''
echo 'Review the rua aggregate reports, then escalate p=none -> quarantine -> reject:'
echo '_dmarc.corp.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@corp.com; pct=100; adkim=s; aspf=s"'
# Caveats: few receivers send ruf (forensic) reports, so do not depend on
# them; pct<100 can ramp quarantine/reject gradually; strict alignment
# (adkim=s, aspf=s) fails mail from subdomains and from third parties that
# do not sign with corp.com, so confirm every sender in the aggregate
# reports first; add sp= if subdomains need a different policy.
# Step 3d: Enable advanced phishing and malware protection
# These are per-OU Admin Console settings (Admin Console > Apps > Google
# Workspace > Gmail > Safety); there is no GAM command. Enable:
#   Spoofing and authentication:
#     protect against domain spoofing based on similar domain names
#     protect against spoofing of employee names
#     protect against inbound emails spoofing your domain
#     protect against any unauthenticated emails
#     protect your Groups from inbound emails spoofing your domain
#   Attachments:
#     protect against encrypted attachments from untrusted senders
#     protect against attachments with scripts from untrusted senders
#     protect against anomalous attachment types in emails
#   Links and external images:
#     identify links behind shortened URLs, scan linked images,
#     show warning prompt for any click on links to untrusted domains
#   Apply future recommended settings automatically
# Choose "Move email to spam" or "Quarantine" rather than "Keep email in
# inbox and show warning": a banner still delivers the phish. Leave the
# approved-senders bypass list empty unless each entry is documented.
Configure DLP rules to prevent sensitive data exfiltration:
# Create DLP rules for Gmail and Drive
# Workspace DLP rules are created under Admin Console > Security > Access
# and data control > Data protection, using the predefined detectors
# (US Social Security number, credit card number with checksum validation)
# plus custom regex and Drive label conditions. The JSON below is a design
# note to transcribe into that console, not a payload for an API.
cat > dlp_rules.json << 'EOF'
{
  "dlpRules": [
    {
      "name": "PII Detection - SSN",
      "description": "Detect Social Security Numbers in outbound email and Drive sharing",
      "trigger": {
        "contentMatchers": [
          {
            "infoType": "US_SOCIAL_SECURITY_NUMBER",
            "likelihood": "LIKELY",
            "minMatchCount": 1
          }
        ],
        "scope": ["GMAIL_OUTBOUND", "DRIVE_EXTERNAL_SHARE"]
      },
      "action": {
        "blockAction": "QUARANTINE",
        "notifyAdmin": true,
        "notifyUser": true,
        "userMessage": "This message contains a Social Security Number and has been quarantined for review.",
        "auditLog": true
      }
    },
    {
      "name": "Credit Card Number Detection",
      "description": "Block credit card numbers in outbound communications",
      "trigger": {
        "contentMatchers": [
          {
            "infoType": "CREDIT_CARD_NUMBER",
            "likelihood": "LIKELY",
            "minMatchCount": 1
          }
        ],
        "scope": ["GMAIL_OUTBOUND", "DRIVE_EXTERNAL_SHARE", "CHAT"]
      },
      "action": {
        "blockAction": "BLOCK",
        "notifyAdmin": true,
        "notifyUser": true,
        "auditLog": true
      }
    },
    {
      "name": "Confidential Document Detection",
      "description": "Detect documents marked as Confidential or Internal Only",
      "trigger": {
        "contentMatchers": [
          {
            "customRegex": "(?i)(CONFIDENTIAL|INTERNAL ONLY|DO NOT DISTRIBUTE|RESTRICTED)",
            "minMatchCount": 2
          }
        ],
        "metadataMatchers": [
          {
            "driveLabels": ["Confidential", "Restricted"]
          }
        ],
        "scope": ["DRIVE_EXTERNAL_SHARE"]
      },
      "action": {
        "blockAction": "WARN",
        "requireJustification": true,
        "auditLog": true
      }
    }
  ]
}
EOF
echo "Apply DLP rules via Admin Console > Security > Access and data control > Data protection"
echo "Start each rule in audit-only mode and review the incident log before switching to warn, quarantine or block"
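The three rules above differ in how much they trust a pattern match: the SSN and card rules are set to "LIKELY" and fire on one hit, the marker rule needs two hits and only warns. The following is an added example (not the skill's code and not how Workspace DLP is implemented internally) that reproduces that behaviour on a constructed message body: an SSN regex with the area/group/serial validity rules, a card detector that accepts a candidate only if it passes the Luhn checksum, the marker regex with its minMatchCount of 2, and a decision function that lets the most restrictive action win when several rules fire. The SAMPLE text and all regexes are constructed for this example.

```python
import re

# Detector definitions approximating the three rules above. The real
# Workspace detectors are built in; these constructed regexes show why a
# validity check (not just a digit pattern) keeps false positives down.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
MARKER_RE = re.compile(r"(?i)(CONFIDENTIAL|INTERNAL ONLY|DO NOT DISTRIBUTE|RESTRICTED)")
ACTION_ORDER = ["ALLOW", "WARN", "QUARANTINE", "BLOCK"]  # least to most restrictive

# Constructed sample message body
SAMPLE = (
    "CONFIDENTIAL - DO NOT DISTRIBUTE\n"
    "Employee SSN 123-45-6789 (test id 000-12-3456 is not a valid SSN).\n"
    "Card on file 4111 1111 1111 1111; mistyped copy 4111 1111 1111 1112.\n"
)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text):
    """SSN-shaped strings whose area, group and serial parts are valid."""
    return SSN_RE.findall(text)


def find_cards(text):
    """Split card-number candidates into Luhn-valid hits and rejected lookalikes."""
    valid, rejected = [], []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        (valid if luhn_ok(digits) else rejected).append(digits)
    return valid, rejected


def scan(text):
    """Evaluate the three rules; returns {rule name: {'action', 'matches'}}."""
    results = {}
    ssns = find_ssns(text)
    if ssns:
        results["PII Detection - SSN"] = {"action": "QUARANTINE", "matches": ssns}
    cards, _rejected = find_cards(text)
    if cards:
        results["Credit Card Number Detection"] = {"action": "BLOCK", "matches": cards}
    markers = MARKER_RE.findall(text)
    if len(markers) >= 2:  # minMatchCount 2 from the rule definition
        results["Confidential Document Detection"] = {"action": "WARN", "matches": markers}
    return results


def decide(results):
    """When several rules fire, the most restrictive action wins."""
    actions = [r["action"] for r in results.values()] or ["ALLOW"]
    return max(actions, key=ACTION_ORDER.index)


if __name__ == "__main__":
    hits = scan(SAMPLE)
    for rule, detail in hits.items():
        print(f"{rule}: {detail['action']} {detail['matches']}")
    print("final action:", decide(hits))
```

The mistyped card number in SAMPLE is the point of the Luhn check: it looks exactly like a card number to a regex, and a rule that blocks on the pattern alone would block every message containing an order number or a tracking code of the same shape.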
Restrict which third-party applications can access organizational data:
# Configure OAuth app access control
# Admin Console > Security > Access and data control > API controls >
# Manage Third-Party App Access. There is no GAM command for this policy.
# Set "Unconfigured third-party apps" to Blocked so that any app not
# explicitly configured as Trusted (or Limited) cannot request access to
# user data, then add each approved app as Trusted by its OAuth client ID.
# Allowlist approved applications (design note for the review record; the
# appId must be the app's OAuth client ID as shown in the console)
cat > approved_apps.json << 'EOF'
{
  "allowedApps": [
    {
      "appId": "slack-app-id",
      "name": "Slack",
      "scopes": ["gmail.readonly", "calendar.readonly"],
      "approvedBy": "security-team",
      "reviewDate": "2026-01-15"
    },
    {
      "appId": "zoom-app-id",
      "name": "Zoom",
      "scopes": ["calendar.events"],
      "approvedBy": "security-team",
      "reviewDate": "2026-01-15"
    },
    {
      "appId": "salesforce-app-id",
      "name": "Salesforce",
      "scopes": ["gmail.send", "contacts.readonly"],
      "approvedBy": "security-team",
      "reviewDate": "2026-01-15"
    }
  ]
}
EOF
# Audit current OAuth tokens granted by users (GAM syntax)
gam all users print tokens > oauth_tokens_audit.csv
echo "Review oauth_tokens_audit.csv for unauthorized third-party access"
# Revoke tokens for an unapproved application, by OAuth client ID
gam all users delete token clientid "unapproved-app-client-id"
# Revocation alone does not stop a user re-consenting; the app must also be
# blocked in API controls, or the token reappears at the next sign-in.
# Restrict which Google services third-party apps can reach at all:
# API controls > "Restricted Google services" marks services (Gmail, Drive,
# Calendar, ...) as restricted so that only Trusted apps may request their
# scopes; the scopes an approved app may use are reviewed per app when it
# is added as Trusted, since OAuth scopes are granted at consent time.
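The token export above has to be compared against approved_apps.json before anything is revoked, and the comparison needs to catch two different failures: an app nobody approved, and an approved app that a user granted more scopes than the review covered (an app approved for gmail.readonly showing up with the full https://mail.google.com/ scope). The following is an added example, not part of the skill, that does that comparison on a constructed token export and emits the revocation command for each finding. Assumptions: the CSV column layout (user, clientId, displayText, scopes) and space-separated scopes are simplified for the example, as real `gam all users print tokens` output carries more columns; the emitted `gam user <user> delete token clientid <id>` form is GAM's per-user token deletion as this editor understands it, so confirm it against your GAM version's help before running the output.

```python
import csv
import io

# Constructed sample of a `gam all users print tokens` export. The column
# layout and space-separated scopes are assumptions for this example.
TOKENS_CSV = """user,clientId,displayText,scopes
alice@corp.com,slack-client-id,Slack,https://www.googleapis.com/auth/gmail.readonly https://www.googleapis.com/auth/calendar.readonly
bob@corp.com,slack-client-id,Slack,https://mail.google.com/ https://www.googleapis.com/auth/calendar.readonly
carol@corp.com,pdfmagic-client-id,PDF Magic Converter,https://www.googleapis.com/auth/drive
dave@corp.com,zoom-client-id,Zoom,https://www.googleapis.com/auth/calendar.events
"""

# Approved apps and the exact scopes the security team reviewed (mirrors
# approved_apps.json above, with full scope URIs; client IDs are placeholders)
APPROVED = {
    "slack-client-id": {"https://www.googleapis.com/auth/gmail.readonly",
                        "https://www.googleapis.com/auth/calendar.readonly"},
    "zoom-client-id": {"https://www.googleapis.com/auth/calendar.events"},
    "salesforce-client-id": {"https://www.googleapis.com/auth/gmail.send",
                             "https://www.googleapis.com/auth/contacts.readonly"},
}
# Scopes that hand over a whole mailbox or Drive; always worth a second look
HIGH_RISK = {"https://mail.google.com/", "https://www.googleapis.com/auth/gmail.modify",
             "https://www.googleapis.com/auth/drive"}


def load_tokens(text):
    """Load the token export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_tokens(rows, approved=APPROVED):
    """Flag tokens for unapproved apps or scopes beyond the reviewed set."""
    findings = []
    for row in rows:
        client_id = row["clientId"]
        scopes = set(row["scopes"].split())
        if client_id not in approved:
            reason = "client not allowlisted"
        elif not scopes <= approved[client_id]:
            reason = "scopes exceed approval: " + " ".join(sorted(scopes - approved[client_id]))
        else:
            continue  # approved app with approved scopes
        findings.append({
            "user": row["user"], "clientId": client_id, "app": row["displayText"],
            "reason": reason, "high_risk": bool(scopes & HIGH_RISK),
        })
    return findings


def revoke_commands(findings):
    """Per-user token deletion in GAM form (assumed command shape, see lead-in)."""
    return [f"gam user {f['user']} delete token clientid {f['clientId']}" for f in findings]


if __name__ == "__main__":
    found = audit_tokens(load_tokens(TOKENS_CSV))
    for f in found:
        flag = " [HIGH RISK]" if f["high_risk"] else ""
        print(f"{f['user']} {f['app']} ({f['clientId']}): {f['reason']}{flag}")
    print("\n".join(revoke_commands(found)))
```

Checking scopes as a subset of the approved set, rather than checking the client ID alone, is what catches the Slack grant for bob: the app is allowlisted, but the consent screen he accepted asked for the full-mailbox scope.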
Lock down data sharing controls:
# Configure Google Drive sharing restrictions
# Admin Console > Apps > Google Workspace > Drive and Docs > Sharing
# settings, applied per OU; no GAM command sets these. Configure:
#   Sharing outside of corp.com: Allowlisted domains
#     (the allowed domains list: partner1.com, partner2.com)
#   Warn when files owned by users are shared outside the domain: on
#   Allow users to receive files from users outside the domain: off
#   Shared drive creation: prevent users from creating shared drives
#   Link sharing default: Restricted (only people explicitly added)
#   Access Checker: Recipients only
# Configure sharing alerts: create a rule under Admin Console > Rules with
# a Drive log condition (visibility changed to external or anyone with the
# link) and the security team as recipients. There is no "gam create
# alert" command.
# Audit current external shares: files shared to anyone with the link or
# findable by anyone (Drive API query terms). This runs per user, so on a
# large tenant expect it to take hours; it also misses files shared
# directly to individual external accounts, which only show up in the
# permissions field.
gam all users print filelist \
  fields id,name,owners,permissions \
  query "visibility='anyoneWithLink' or visibility='anyoneCanFind'" \
  > external_shares_audit.csv
echo "External shares requiring review (excluding the CSV header):"
echo $(( $(wc -l < external_shares_audit.csv) - 1 ))
# Configure Google Groups security
# Admin Console > Apps > Google Workspace > Groups for Business > Sharing
# settings; there is no org-level GAM command (per-group settings are
# changed with "gam update group <group> ..."). Configure:
#   Accessing groups from outside this organization: Private
#   Group owners can allow external members: off
#   Group owners can allow incoming email from outside the organization: off
#   Creating groups: only organization admins
#   Default for permission to view conversations: group members only
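The filelist query above only finds link-shared files; files shared directly to an outside address are the other half of the audit and need the permissions field inspected. The following is an added example (not the skill's code) that classifies Drive files by their most permissive permission, using the Drive API v3 permission shape (type user/group/domain/anyone, emailAddress or domain, allowFileDiscovery) and the allowlisted partner domains from the sharing settings above. The FILES list is constructed to look like `files.list` output with permissions requested; it is not real tenant data.

```python
CORP_DOMAIN = "corp.com"
ALLOWED_DOMAINS = {"partner1.com", "partner2.com"}  # the allowlisted sharing domains above

# Constructed Drive API v3 file resources (id, name, permissions) in the
# shape files.list returns; not data from a real tenant.
FILES = [
    {"id": "f1", "name": "Q3 forecast", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@corp.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Board deck", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@corp.com"},
        {"type": "user", "role": "writer", "emailAddress": "contact@partner1.com"},
        {"type": "user", "role": "reader", "emailAddress": "someone@gmail.com"}]},
    {"id": "f3", "name": "Press release", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "carol@corp.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "f4", "name": "Team notes", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dave@corp.com"},
        {"type": "domain", "role": "reader", "domain": "corp.com"}]},
]

# Exposure levels from least to most exposed
EXPOSURE = ["INTERNAL", "EXTERNAL_ALLOWLISTED", "EXTERNAL_UNAPPROVED", "ANYONE_WITH_LINK", "PUBLIC"]


def classify_permission(perm):
    """Map one Drive permission to an exposure level."""
    kind = perm.get("type")
    if kind == "anyone":
        return "PUBLIC" if perm.get("allowFileDiscovery") else "ANYONE_WITH_LINK"
    if kind == "domain":
        domain = perm.get("domain", "").lower()
    elif kind in ("user", "group"):
        domain = perm.get("emailAddress", "").rpartition("@")[2].lower()
    else:
        return "EXTERNAL_UNAPPROVED"  # unknown permission type: fail closed
    if domain == CORP_DOMAIN:
        return "INTERNAL"
    if domain in ALLOWED_DOMAINS:
        return "EXTERNAL_ALLOWLISTED"
    return "EXTERNAL_UNAPPROVED"


def file_exposure(file):
    """A file is as exposed as its most permissive permission."""
    return max((classify_permission(p) for p in file["permissions"]),
               key=EXPOSURE.index, default="INTERNAL")


def needs_review(files):
    """Files shared beyond the corporate domain and its allowlisted partners."""
    return [
        {"id": f["id"], "name": f["name"], "exposure": file_exposure(f)}
        for f in files
        if EXPOSURE.index(file_exposure(f)) > EXPOSURE.index("EXTERNAL_ALLOWLISTED")
    ]


if __name__ == "__main__":
    for item in needs_review(FILES):
        print(f"{item['exposure']:<20} {item['id']} {item['name']}")
```

Ranking by the single worst permission is deliberate: a board deck shared with an approved partner and with one personal Gmail address is an unapproved external share, whatever the rest of its ACL looks like.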
| Term | Definition |
|---|---|
| Advanced Protection Program (APP) | Google's strongest account security: requires a FIDO security key or passkey for sign-in, blocks most third-party app access to Gmail and Drive, and applies stricter identity verification for account recovery; enrollment is done by the user, not by the admin |
| Context-Aware Access | Security policy framework that evaluates device posture, location, and user identity before granting access to Google Workspace applications |
| DMARC | Domain-based Message Authentication, Reporting and Conformance protocol that prevents email domain spoofing by validating SPF and DKIM alignment |
| DLP Rule | Data Loss Prevention policy that scans content in Gmail, Drive, and Chat for sensitive data patterns and triggers block, quarantine, or warn actions |
| OAuth App Allowlisting | Admin control restricting which third-party applications can access organizational data through Google OAuth API scopes |
| 2-Step Verification (2SV) | Google's multi-factor authentication implementation supporting security keys, Google prompts, TOTP codes, SMS/voice codes, and backup codes as second factors; only security keys (FIDO2/passkeys) are phishing-resistant |
Context: Post-acquisition security audit reveals the acquired company's Google Workspace has no MFA enforcement, open external sharing, no DLP policies, and multiple unauthorized OAuth applications accessing user data.
Approach:
Pitfalls:
GOOGLE WORKSPACE SECURITY ASSESSMENT REPORT
=============================================
Tenant: corp.com
License: Enterprise Plus
Total Users: 3,847
Organizational Units: 12
AUTHENTICATION SECURITY
2SV Enforced: YES (all OUs)
2SV Enrollment: 3,712 / 3,847 (96.5%)
Security Keys Only: Executive OU (47 users)
Advanced Protection: 3 super admin accounts
Super Admin Count: 3 (within recommended limit)
EMAIL AUTHENTICATION
SPF: CONFIGURED (hard fail: -all)
DKIM: CONFIGURED (2048-bit, selector: google)
DMARC: ENFORCED (p=reject, 100%)
Anti-Phishing: ALL PROTECTIONS ENABLED
Anti-Spoofing: ENABLED (domain + employee name)
DATA PROTECTION
DLP Rules Active: 7
PII Detection: SSN, Credit Card, Passport
Content Labels: Confidential, Restricted
Custom Patterns: 3 organization-specific rules
DLP Violations (30d): 89 (67 blocked, 22 warned)
APPLICATION CONTROL
Third-Party App Policy: BLOCKED (allowlist mode)
Approved Apps: 12
Unauthorized Tokens: 0 (all revoked)
API Scope Restrictions: ENABLED
SHARING CONTROLS
External Sharing: RESTRICTED (allowlisted domains only)
Public Link Sharing: DISABLED
External Group Members: DISABLED
Shared Drive Creation: ADMIN ONLY