To audit if [email protected] has shared any sensitive documents outside the organization, use

the Security Investigation Tool in the Google Admin console. This tool allows administrators to

investigate and take action on security issues within the organization.

Open Security Investigation Tool:

Go to the Google Admin console.

Navigate to Security > Investigation tool.

Set Conditions in Drive Log Events:

In the Investigation Tool, select the data source as "Drive Log Events".

Add the following conditions:

Visibility Is External: This filters the events to show only documents that have been shared externally.

Actor Is [email protected]: This specifies that the actions performed by the [email protected]

should be displayed.

Run the Investigation:

Click on “Search” to run the investigation with the specified conditions.

Review the results to identify any documents that have been shared externally by the user.

Remediate:

For any documents that were shared inappropriately, you can take corrective actions such as

changing permissions or removing external sharing.

Reference:

Security Investigation Tool

Audit Drive log events

To enable others to help manage the admin quarantine while maintaining security, give the users

Services > Gmail > Access Admin Quarantine admin privileges. This specific privilege allows

designated users to view and manage the admin quarantine without granting excessive

administrative rights.

Go to the Admin console.

Navigate to Account > Admin roles.

Select the role that you want to assign to users or create a new role.

Assign the "Services > Gmail > Access Admin Quarantine" privilege to the role.

Add the users to this role.

Reference:

Google Workspace Admin Help: Admin quarantine

Testing on Different Device or Incognito Window:

This helps determine if the issue is related to the user's current device, browser, or cached data.

Incognito mode runs a clean session without extensions or cached data, which can help identify if

browser settings or cache are causing the issue.

Steps to Test:

Ask the user to sign in to Gmail on a different device (e.g., another computer or mobile phone).

Alternatively, instruct the user to open a new incognito or private browsing window in their browser

and sign in to Gmail.

Observe if the problem persists in these different environments.

Reference

Google Workspace Admin Help: Troubleshoot Gmail Issues

Access Admin Console: Log in to the Google Admin console.

Navigate to Admin Roles: Go to Admin roles under Account settings.

Create Custom Role: Click on 'Create new role' and name it appropriately.

Assign Vault Privileges: Select the privileges related to Google Vault, including managing matters,

holds, searches, and exports.

Assign Role to User: Assign this custom role to the designated administrator who will handle the

security investigations.

Verify Access: Ensure that the new administrator has the necessary access to Google Vault to monitor

and manage ongoing security investigations.

Reference:

Google Workspace Admin Help - Create Custom Admin Roles

Google Workspace Admin Help - Google Vault Privileges

To fulfill the request from the head of marketing, you need to:

Create an isolated Organizational Unit (OU) for the consultants who need restricted contact access.

This helps in managing and applying specific policies to the consultants without affecting other users.

Create a group that includes the contacts the consultant is allowed to view. This group will contain

the marketing team members' contact details, ensuring that the consultant has access only to these

specific contacts.

Reference:

Google Workspace Admin Help - Manage user access to contacts

Google Workspace Admin Help - Create and manage groups

Create a Matter: Access Google Vault and create a new matter for the lawsuit. Matters are used to

manage legal holds and searches.

Create a Hold: Within the matter, create a new hold.

Set the Hold Scope: Set the hold scope to Gmail, since the requirement is to discover and hold

emails.

Specify Accounts: Set the usernames to [email protected] and [email protected].

This ensures that all emails for these specific users are held.

Set Search Terms: Use the search terms “secret project 123” to hold any emails that reference this

specific term. This is a broad search that captures any email mentioning "Secret Project 123."

Save the Hold: Save the hold to ensure that it captures all relevant emails for the specified users and

the search term.

Reference

Google Support: Create or update a hold

Secure Transport Compliance:

TLS (Transport Layer Security) ensures that emails are encrypted during transit between sending and

receiving email servers.

Setting up secure transport compliance ensures that emails sent to or received from a particular

domain use TLS.

Steps to Enforce TLS:

Navigate to the Google Admin console.

Go to Apps > Google Workspace > Gmail > Advanced settings.

In the "Compliance" section, select "Secure transport (TLS) compliance".

Click "Add setting" and configure the following:

Select the appropriate organizational unit.

Specify the receiving domain(s) for which TLS should be enforced.

Choose to enforce TLS for incoming, outgoing, or both types of messages.

Save the changes and apply them.

Reference

Google Workspace Admin Help: Set Up TLS Compliance

Open Developer Tools:

In Chrome, click the three dots menu (More).

Select "More Tools" > "Developer Tools".

Replicate the Error:

Go to the "Network" tab in Developer Tools.

Reload the Gmail page to replicate the 500 error.

Export HAR:

After the error is replicated, right-click on the network log.

Select "Save all as HAR with content".

Save the HAR file, which contains detailed logs of the network activity.

This file can then be provided to Google support for further analysis.

Reference

Google Workspace Admin Help: Troubleshooting Network Issues

Access the Admin Console: Log into your Google Workspace Admin Console.

Navigate to Security Settings: Go to the Security section in the Admin Console.

Password Recovery: Enable the option for non-admin password recovery. This feature allows users to

reset their own passwords using their recovery email address or phone number without needing to

contact the helpdesk.

Configure Recovery Options: Ensure users have their recovery options set up (recovery email and

phone number) so they can use this feature effectively.

Inform Users: Notify users about this new self-service password recovery option and provide

instructions on how to use it.

Reference

Google Support: Set up self-service password recovery

To ensure that the Context-Aware Access policy is working correctly, perform the following checks:

Confirm Google Workspace License:

Verify that the user has a Google Workspace Enterprise Plus license. Context-Aware Access is a

feature available only to Enterprise Plus customers.

In the Admin console, navigate to Billing > Subscriptions and confirm the license type assigned to the

user.

Check Endpoint Verification:

Ensure that Endpoint Verification is installed and active on users’ desktops.

Go to the Admin console, navigate to Devices > Endpoint Verification.

Check the list of devices to confirm that Endpoint Verification is installed and reporting the status of

users' devices.

Additional Steps:

Ensure that policies are correctly configured and applied to the relevant Organizational Units (OUs).

Verify that the Context-Aware Access policies are correctly set up in Security > Context-Aware Access.

By confirming the correct license and ensuring Endpoint Verification is installed, you can

troubleshoot and resolve issues related to Context-Aware Access policy enforcement.

Reference:

Set up Context-Aware Access

Endpoint Verification overview