Educause Security Discussion mailing list archives
Re: Google Workspace for Education domain shared files
From: Brian Amstutz <brian.amstutz () ASBURYSEMINARY EDU>
Date: Fri, 3 Sep 2021 14:27:50 -0400
Thanks Mike! This is helpful!

Brian

On Fri, Sep 3, 2021 at 11:57 AM Mike Beane <beanem () husson edu> wrote:

I wrote the various chunks of this last October as discovery notes and posted to another list group at the time. We use GAM primarily here and were able to start identifying high risk users first, and then dealing with the outcomes. As Kevin mentioned, this can get intensive and we're only just under 20k users. I took some time to take a look through items vs taking a nuking-it-from-orbit approach, which was tedious, but led to understandings\discoveries such as having someone who had shared a Folder out, resulting in downstream issues, etc.

~ Mike

---------

Search Bar

I noticed that if you want to look at high value targets sooner than later (or lack GAM), you can use this in Drive's search bar:

    source:domain AND owner:<Google name | Google name () yourinstitute edu>

Google Admin audit report:
https://admin.google.com/ac/reporting/audit/drive?new=true&pli=1

With GAM (I use GAM-ADV-XTD3):

    gam all users show filelist query "visibility='domainCanFind'" todrive

Frank Barton did some testing and came up with an alternative gam search:

    gam all users show filelist todrive fullquery "visibility!='limited'"

This will take a while... Valid values for visibility are anyoneCanFind, anyoneWithLink, domainCanFind, domainWithLink, and limited.

Later Thoughts (and steps)

I've been thinking about this as it pertains to Anyone vs (Shared with) Domain. I opted to not look at the entire scope of "visibility!='limited'" and below is what I did in regards to source:domain specifically for this phase. There are other .py scripts at the repository I mention that will assist in looking at Anyone or other variations.

- Assumes you have GAM or GAM-ADV-XTD3 and python available.
- Grab Ross Scroggs' python script (he maintains GAM-ADV-XTD3, a rewrite/extension of Jay Lee's GAM):
  https://github.com/taers232c/GAM-Scripts/blob/master/GetSharedWithDomainDriveACLs.py
- Edit the .py script:
  - If you're multi-domain, add your domain of interest (we have one, I put it in there anyway).
  - If you're interested in the files that are appearing due to a source:domain search, then change the following variable from 'All' to 'True'. See 'allowFileDiscovery' from the Google API definition below all the steps text.
        DESIRED_ALLOWFILEDISCOVERY = 'True'
- Using GAM, run the example command in the script header to get the file permissions. I used gam for this (the example command is below):
        gam all users print filelist id title permissions owners > filelistperms.csv
- Note: I only care about our Fac\Staff Google OUs right now, so I targeted that OU. This cuts out the students and while we are a small institution, I left this to run when I left last night and I came into work this morning to a 6GB .csv file with only 1700+ accounts (it's about total files in the end, but again, we're small and 6GB was impressive to me having never done this). Another approach with overhead spread out might be to list the targeted users and then pipe them through something like:
        gam user $username print filelist id title permissions owners > filelistperms-$username.csv
  What I ran:
        gam ou "FacultyStaff OU" print filelist id title permissions owners > filelistperms.csv
- After you get an output file, run the python script against it:
        C:\GAM>python GetSharedWithDomainDriveACLs.py filelistperms.csv deleteperms.csv
- Review the delete permissions csv file. If AllowFileDiscovery is True in the last column, you *should* be able to view these files in Google Drive if you are authenticated. If you can, most likely everyone else in your domain can as well.
- I took the first column, moved it to another tab and ran remove duplicates so I have a good idea of who we may need to discuss this with.
- Finally, the script includes how to remove the setting; however, take some time to think about the ramifications of bulk clearing these without investigation, as there are legitimate reasons to have shared things out this way.
  - The first action may be to flip the ALLOWFILEDISCOVERY to FALSE on things that can be easily identified as "that shouldn't be shared like that" to get them off the search list without breaking functionality.
  - The first discussion may be simply to ask the users to enter the source:domain AND owner:me into the search and see if anything scary immediately jumps out in a "why am I sharing that out to everyone?!?!" way, then work from there.
  - Be aware that while Shared Drives are where (imo) groups should be working from these days, the act of migrating "personal" files\folders to a Shared Drive will reset the permission set (this could be both good AND bad). Note (9/3/21): this item may be coming to an end with the recent announcement:
    https://workspaceupdates.googleblog.com/2021/09/new-beta-experience-for-admins-to-move-folders-to-shared-drives.html

Definition

allowFileDiscovery (boolean): Whether the permission allows the file to be discovered through search. This is only applicable for permissions of type domain or anyone.

Hope this helps someone out and as always, YMMV.

Finally (I hope)

If you get the accounts in a Google Sheet with the duplicates removed, try this (where A2 has the first address) and drag it to the bottom of the column. Then open the link to review.

    =HYPERLINK(CONCATENATE("https://drive.google.com/drive/search?q=source:domain owner:",A2))

Mike Beane
Director, IT Infrastructure
Ph: 207-941-7613
Husson University
1 College Circle Bangor ME 04401
He/Him/His

On Fri, Sep 3, 2021 at 11:04 AM Brian Amstutz <brian.amstutz () asburyseminary edu> wrote:

Questions for anyone that uses Google Workspace for Education:

1. Do you know if there is a setting that *prevents* a user from sharing a Google Workspace file with the entire domain or with anyone on the internet?
   - I found the Link Sharing setting, but that just controls the Default; it does not prevent it.
2. Have you found a way to identify all of the domain shared (source:domain search) files AND un-share them from the domain?

Thanks,
Brian

--
Brian Amstutz
Director of Administrative Technology
Library, Information, and Technology Services
Asbury Theological Seminary
859-858-2321

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
**********
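The review step in Mike's notes (run GAM's filelist export through a script, keep only the domain/anyone permissions whose allowFileDiscovery is True, then de-duplicate the owners and open a source:domain search per owner) can be reproduced in a few dozen lines. The block below is an added example for this thread; it is not Mike's notes and not Ross Scroggs' GetSharedWithDomainDriveACLs.py. It assumes the GAM CSV uses the flattened `permissions.N.<field>` column layout with an `Owner` column (check the header line of your own filelistperms.csv before relying on that), and the sample CSV, file ids, permission ids and example.edu domain are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict
from urllib.parse import quote

# Constructed sample of a GAM "print filelist id title permissions owners" export.
# Column layout (permissions.N.<field>) is an assumption; verify against your header.
SAMPLE_CSV = """Owner,id,title,permissions.0.type,permissions.0.role,permissions.0.domain,permissions.0.allowFileDiscovery,permissions.0.id,permissions.1.type,permissions.1.role,permissions.1.domain,permissions.1.allowFileDiscovery,permissions.1.id
alice@example.edu,file001,Budget FY22.xlsx,user,owner,,,perm-owner-1,domain,reader,example.edu,True,perm-dom-1
alice@example.edu,file002,Syllabus.docx,user,owner,,,perm-owner-2,domain,reader,example.edu,False,perm-dom-2
bob@example.edu,file003,Student roster.csv,user,owner,,,perm-owner-3,anyone,reader,,True,perm-any-1
carol@example.edu,file004,Notes.txt,user,owner,,,perm-owner-4,,,,,
"""

PERM_COL = re.compile(r"^permissions\.(\d+)\.(\w+)$")


def explode_permissions(row):
    """Rebuild the per-permission dicts from the flattened permissions.N.<field> columns."""
    perms = defaultdict(dict)
    for col, val in row.items():
        m = PERM_COL.match(col or "")
        if m and val not in (None, ""):
            perms[int(m.group(1))][m.group(2)] = val
    return [perms[i] for i in sorted(perms)]


def find_discoverable(csv_text, domain, include_anyone=True):
    """Return the permissions that make a file findable via source:domain (or by anyone).

    Only type=domain (for our own domain) and type=anyone permissions can carry
    allowFileDiscovery; GAM writes the boolean as the string "True"/"False".
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        owner = row.get("Owner") or row.get("owners.0.emailAddress", "")
        for p in explode_permissions(row):
            ptype = p.get("type")
            if ptype not in ("domain", "anyone"):
                continue
            if ptype == "domain" and p.get("domain", "").lower() != domain.lower():
                continue  # a different domain's share, out of scope here
            if ptype == "anyone" and not include_anyone:
                continue
            if p.get("allowFileDiscovery", "False") != "True":
                continue  # link-only share: not surfaced by search
            findings.append({
                "owner": owner,
                "file_id": row.get("id", ""),
                "title": row.get("title", ""),
                "permission_id": p.get("id", ""),
                "type": ptype,
                "role": p.get("role", ""),
            })
    return findings


def owners_to_review(findings):
    """De-duplicated owner list with a count of discoverable files each, for the follow-up discussion."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["owner"]] += 1
    return dict(sorted(counts.items()))


def drive_search_url(owner):
    """Same link the HYPERLINK() formula in the post builds, for an authenticated reviewer to open."""
    return "https://drive.google.com/drive/search?q=" + quote(f"source:domain owner:{owner}", safe=":@")


def review_csv(findings):
    """Write the findings in a deleteperms-style CSV for manual review before any ACL changes."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["owner", "file_id", "title", "permission_id", "type", "role"])
    w.writeheader()
    w.writerows(findings)
    return out.getvalue()


if __name__ == "__main__":
    hits = find_discoverable(SAMPLE_CSV, "example.edu")
    print(review_csv(hits))
    for who, n in owners_to_review(hits).items():
        print(f"{who}: {n} discoverable file(s) -> {drive_search_url(who)}")
```

Run it against a real export by reading filelistperms.csv instead of SAMPLE_CSV and passing your own domain. It deliberately stops at producing the review CSV and the per-owner search links; removal of the permission stays a separate, reviewed step, as the post recommends.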
Current thread:
- Google Workspace for Education domain shared files Brian Amstutz (Sep 03)
- Re: [External] [SECURITY] Google Workspace for Education domain shared files Kevin Wilcox (Sep 03)
- Re: [External] [SECURITY] Google Workspace for Education domain shared files Brian Amstutz (Sep 03)
- Re: [External] [SECURITY] Google Workspace for Education domain shared files Kevin Wilcox (Sep 03)
- Re: [External] [SECURITY] Google Workspace for Education domain shared files Rich Graves (Sep 03)
- Re: [External] [SECURITY] Google Workspace for Education domain shared files Brian Amstutz (Sep 03)
- Re: [External] [SECURITY] Google Workspace for Education domain shared files Kevin Wilcox (Sep 03)
- Re: Google Workspace for Education domain shared files Mike Beane (Sep 03)
- Re: Google Workspace for Education domain shared files Brian Amstutz (Sep 03)