Educause Security Discussion mailing list archives

Re: Google Workspace for Education domain shared files


From: Brian Amstutz <brian.amstutz () ASBURYSEMINARY EDU>
Date: Fri, 3 Sep 2021 14:27:50 -0400

Thanks Mike! This is helpful!
Brian


On Fri, Sep 3, 2021 at 11:57 AM Mike Beane <beanem () husson edu> wrote:

I wrote the various chunks of this last October as discovery notes and
posted to another list group at the time.  We use GAM primarily here and
were able to start identifying high risk users first, and then dealing with
the outcomes.  As Kevin mentioned, this can get intensive and we're only
just under 20k users.  I took some time to take a look through items vs
taking a nuke-it-from-orbit approach, which was tedious, but led to
understandings\discoveries such as having someone who had shared a Folder
out, resulting in downstream issues, etc.

~ Mike

---------



Search Bar

I noticed that if you want to look at high value targets sooner than later
(or lack GAM), you can use this in Drive's search bar

source:domain AND owner:<Google name | Google name () yourinstitute edu>

Google Admin audit report

https://admin.google.com/ac/reporting/audit/drive?new=true&pli=1

With GAM (I use GAM-ADV-XTD3)

gam all users show filelist query "visibility='domainCanFind'" todrive

Frank Barton did some testing and came up with an alternative gam search:

gam all users show filelist todrive fullquery "visibility!='limited'"

This will take a while… Valid values for visibility are anyoneCanFind,
anyoneWithLink, domainCanFind, domainWithLink, and limited.

Later Thoughts (and steps)

I've been thinking about this as it pertains to Anyone vs (Shared with)
Domain. I opted to not look at the entire scope of "visibility!='limited'"
and below is what I did in regards to source:domain specifically for this
phase. There are other .py scripts at the repository I mention that will
assist in looking at Anyone or other variations.



   - Assumes you have GAM or GAM-ADV-XTD3 and python available
   - Grab Ross Scroggs's python script (he maintains GAM-ADV-XTD3, a
     rewrite/extension of Jay Lee's GAM)
      - https://github.com/taers232c/GAM-Scripts/blob/master/GetSharedWithDomainDriveACLs.py
   - Edit the .py script
      - If you're multi-domain, add your domain of interest (we have one, I
        put it in there anyway).
      - If you're interested in the files that are appearing due to a
        source:domain search, then change the following variable from 'All' to
        'True'.  See 'allowFileDiscovery' from the Google API definition below all
        the steps text.
         - DESIRED_ALLOWFILEDISCOVERY = 'True'
   - Using GAM, run the example command in the script header to get the
     file permissions.  I used gam for this (the example command is below)
      - gam all users print filelist id title permissions owners > filelistperms.csv
      - Note: I only care about our Fac\Staff Google OUs right now, so I
        targeted that OU.  This cuts out the students and while we are a small
        institution, I left this to run when I left last night and I came into work
        this morning to a 6GB .csv file with only 1700+ accounts (it's about total
        files in the end, but again, we're small and 6GB was impressive to me
        having never done this).  Another approach with overhead spread out might
        be to list the targeted users and then pipe them through something like
        gam user $username print filelist id title permissions owners > filelistperms-$username.csv
      - gam ou "FacultyStaff OU" print filelist id title permissions owners > filelistperms.csv
   - After you get an output file, run the python script against it
      - C:\GAM>python GetSharedWithDomainDriveACLs.py filelistperms.csv deleteperms.csv
   - Review the delete permissions csv file.  If AllowFileDiscovery is True
     in the last column, you *should* be able to view these files in Google
     Drive if you are authenticated.  If you can, most likely everyone else in
     your domain can as well.
   - I took the first column, moved it to another tab and ran remove
     duplicates so I have a good idea of who we may need to discuss this with.
   - Finally, the script includes how to remove the setting, however take
     some time to think about the ramifications of bulk clearing these without
     investigation as there are legitimate reasons to have shared things out
     this way.
      - The first action may be to flip the ALLOWFILEDISCOVERY to FALSE on
        things that can be easily identified as "that shouldn't be shared like
        that" to get them off the search list without breaking functionality.
      - The first discussion may be simply to ask the users to enter source:domain
        AND owner:me into the search and see if anything scary immediately
        jumps out in a "why am I sharing that out to everyone?!?!" way, then work
        from there.
      - Be aware that while Shared Drives are where (imo) groups should be
        working from these days, the act of migrating "personal" files\folders to a
        Shared Drive will reset the permission set (this could be both good AND
        bad).  Note (9/3/21) - this item may be coming to an end with the
        recent announcement:
        https://workspaceupdates.googleblog.com/2021/09/new-beta-experience-for-admins-to-move-folders-to-shared-drives.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+GoogleAppsUpdates+%28Google+Workspace+Updates+Blog%29

Definition



allowFileDiscovery

boolean

Whether the permission allows the file to be discovered through search.
This is only applicable for permissions of type domain or anyone.





Hope this helps someone out and as always, YMMV.


Finally (I hope)



If you get the accounts in a Google Sheet with the duplicates removed, try
this (where A2 has the first address) and drag it to the bottom of the
column.  Then open the link to review.



=HYPERLINK(CONCATENATE("https://drive.google.com/drive/search?q=source:domain owner:",A2))





*Mike Beane*
Director, IT Infrastructure
*Ph: *207-941-7613
*Husson University*
1 College Circle
Bangor ME 04401
*He/Him/His*
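As an added illustration of the filtering step in Mike's procedure above (this is neither Mike's code nor the GAM-Scripts GetSharedWithDomainDriveACLs.py script), the following Python reads a filelist CSV in the flattened permissions.N.field layout that GAM's filelist output uses (the column names and the sample rows are constructed here, and the function names are my own), pulls out the domain/anyone permissions that a source:domain search would surface because allowFileDiscovery is True, and builds the deduplicated owner list for follow-up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the flattened "permissions.N.field" layout that GAM's
# "print filelist id title permissions owners" output uses (column names assumed).
SAMPLE_CSV = """Owner,id,title,permissions.0.type,permissions.0.role,permissions.0.allowFileDiscovery,permissions.0.domain,permissions.1.type,permissions.1.role,permissions.1.allowFileDiscovery,permissions.1.domain
alice@example.edu,f001,Budget 2021.xlsx,domain,reader,True,example.edu,user,owner,,
alice@example.edu,f002,Syllabus.docx,domain,reader,False,example.edu,user,owner,,
bob@example.edu,f003,Notes.gdoc,user,owner,,,anyone,reader,True,
carol@example.edu,f004,Private.pdf,user,owner,,,user,writer,,
"""


def find_exposed_permissions(csv_text, domain=None, discoverable_only=True):
    """Return (owner, file id, title, permission index, type) for every
    domain/anyone permission. With discoverable_only, keep only the ones a
    source:domain (or anyone) search can surface, i.e. allowFileDiscovery True.
    Passing domain restricts domain-type permissions to that domain (multi-domain)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        n = 0
        # Walk the permissions.0.*, permissions.1.*, ... column groups.
        while f"permissions.{n}.type" in row:
            ptype = row[f"permissions.{n}.type"]
            pdomain = row.get(f"permissions.{n}.domain", "")
            discoverable = row.get(f"permissions.{n}.allowFileDiscovery", "") == "True"
            if ptype in ("domain", "anyone"):
                domain_ok = ptype == "anyone" or domain is None or pdomain == domain
                if domain_ok and (discoverable or not discoverable_only):
                    hits.append((row["Owner"], row["id"], row["title"], n, ptype))
            n += 1
    return hits


def owners_to_contact(hits):
    """Deduplicated owners with a count of exposed files each (the
    'remove duplicates' step done in code rather than in a spreadsheet)."""
    counts = defaultdict(int)
    for owner, *_ in hits:
        counts[owner] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in find_exposed_permissions(SAMPLE_CSV):
        print(hit)
    print(owners_to_contact(find_exposed_permissions(SAMPLE_CSV)))
```

Run it against a real filelistperms.csv by replacing SAMPLE_CSV with the file contents; the domain-shared-but-not-searchable rows (allowFileDiscovery False) only appear with discoverable_only=False.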







On Fri, Sep 3, 2021 at 11:04 AM Brian Amstutz <
brian.amstutz () asburyseminary edu> wrote:

Questions for anyone that uses Google Workspace for Education

   1. Do you know if there is a setting that *prevents* a user from
   sharing a Google Workspace file with the entire domain or with anyone on
   the internet?
      - I found the Link Sharing setting but that just controls the
      Default, but does not prevent it
   2. Have you found a way to identify all of the domain shared
   (source:domain search) files AND un-share them from the domain?

Thanks,

Brian
--
Brian Amstutz
Director of Administrative Technology
Library, Information, and Technology Services
Asbury Theological Seminary
859-858-2321

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community


