implementing-google-workspace-admin-security

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026


$ npx skills install mukul975/Anthropic-Cybersecurity-Skills/implementing-google-workspace-admin-security
summary

Implements comprehensive Google Workspace security hardening including admin console configuration, phishing-resistant MFA enforcement, DLP policies, email authentication (SPF/DKIM/DMARC), OAuth app control, and external sharing restrictions. Activates for requests involving Google Workspace hardening, G Suite security configuration, or cloud office security administration.

skill.md
name: implementing-google-workspace-admin-security
description: 'Implements comprehensive Google Workspace security hardening including admin console configuration, phishing-resistant MFA enforcement, DLP policies, email authentication (SPF/DKIM/DMARC), OAuth app control, and external sharing restrictions. Activates for requests involving Google Workspace hardening, G Suite security configuration, or cloud office security administration.'
domain: cybersecurity
subdomain: identity-access-management
tags:
  - Google-Workspace
  - admin-security
  - MFA
  - DMARC
  - DLP
  - OAuth
  - cloud-security
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
  - PR.AA-01
  - PR.AA-02
  - PR.AA-05
  - PR.AA-06

Implementing Google Workspace Admin Security

When to Use

  • Deploying or hardening a Google Workspace environment for enterprise use
  • CIS benchmark compliance assessment for Google Workspace configuration
  • Protecting against business email compromise (BEC) and phishing attacks targeting Google accounts
  • Implementing Data Loss Prevention controls for Gmail and Google Drive
  • Restricting OAuth application access and third-party integrations
  • Configuring admin account security with Advanced Protection Program enrollment

Do not use for Microsoft 365 environments; Google Workspace has distinct admin console settings and API configurations that differ from Azure AD/Entra ID controls.

Prerequisites

  • Google Workspace Business Plus, Enterprise Standard, or Enterprise Plus license
  • Super Admin access to the Google Admin Console (admin.google.com)
  • DNS management access for SPF, DKIM, and DMARC record configuration
  • Google Cloud Identity or Cloud Identity Premium for advanced security features
  • FIDO2 security keys for super admin accounts (YubiKey 5 Series recommended)

Workflow

Step 1: Harden Super Admin Accounts

Secure the highest-privilege accounts in the Google Workspace tenant:

# Google Workspace Admin SDK - configure admin account security
# Using gam (Google Apps Manager) CLI tool

# List all super admin accounts for audit
gam print admins role "Super Admin" > super_admins.csv
echo "Review and minimize super admin count (recommended: 2-3 maximum)"

# Enforce Advanced Protection Program for super admins
# APP provides strongest account protections:
# - Requires FIDO2 security key for sign-in
# - Blocks third-party app access to Gmail and Drive
# - Enhanced account recovery verification
gam update user [email protected] \
    advanced_protection true

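# Create dedicated break-glass admin account
# Keep the generated password in a variable so it can be escrowed offline;
# generating it inline would discard it as soon as the account is created
BREAK_GLASS_PASSWORD="$(openssl rand -base64 32)"
gam create user [email protected] \
    firstname "Break" lastname "Glass Admin" \
    password "$BREAK_GLASS_PASSWORD" \
    changepassword true \
    org "/Emergency Accounts"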

# Assign super admin role to break-glass account
gam create admin [email protected] "Super Admin"

# Configure admin activity alerts
# Alert Center API - create alert for admin actions
cat > admin_alert_policy.json << 'EOF'
{
  "alertPolicies": [
    {
      "name": "Super Admin Sign-In Alert",
      "conditions": {
        "eventType": "login",
        "filterCriteria": "actor.adminRole=SUPER_ADMIN"
      },
      "notifications": {
        "email": ["[email protected]"],
        "webhook": "https://siem.corp.com/webhook/google-admin"
      }
    },
    {
      "name": "Admin Role Change Alert",
      "conditions": {
        "eventType": "admin_role_change"
      },
      "notifications": {
        "email": ["[email protected]"]
      }
    }
  ]
}
EOF

Step 2: Enforce Phishing-Resistant Multi-Factor Authentication

Configure MFA policies that eliminate phishable authentication factors:

# Enforce 2-Step Verification for all organizational units
# Using Admin SDK Directory API

# Enable 2SV enforcement for the entire organization
gam update org "/" settings \
    2sv_enforcement true \
    2sv_enrollment_grace_period 14 \
    2sv_new_user_enrollment_period 1

# Configure allowed 2SV methods - restrict to phishing-resistant only
# For high-security OUs: Security keys only
gam update org "/Executive" settings \
    2sv_allowed_methods "SECURITY_KEY_ONLY"

# For general staff: Security keys or phone prompts (no SMS/voice)
gam update org "/" settings \
    2sv_allowed_methods "SECURITY_KEY,PHONE_PROMPT" \
    2sv_disallowed_methods "SMS,VOICE_CALL,BACKUP_CODES"

# Bulk check 2SV enrollment status
gam print users \
    fields primaryEmail,isEnrolledIn2Sv,isEnforcedIn2Sv \
    query "isEnrolledIn2Sv=false" > users_without_2sv.csv

# Count users without 2SV (skip the CSV header row)
echo "Users without 2SV enrolled:"
tail -n +2 users_without_2sv.csv | wc -l

# Configure context-aware access policies
# Require 2SV + managed device for sensitive apps
cat > context_aware_policy.json << 'EOF'
{
  "accessLevels": [
    {
      "name": "Managed Device Required",
      "conditions": {
        "devicePolicy": {
          "requireScreenLock": true,
          "requireAdminApproval": true,
          "allowedEncryptionStatuses": ["ENCRYPTED"],
          "requireCorpOwned": false
        },
        "requiredAccessLevels": ["VERIFIED_2SV"]
      }
    }
  ],
  "applicationPolicies": [
    {
      "applications": ["Google Drive", "Gmail", "Admin Console"],
      "accessLevel": "Managed Device Required"
    }
  ]
}
EOF

Step 3: Configure Email Authentication and Anti-Phishing

Set up SPF, DKIM, DMARC and advanced phishing protections:

# Step 3a: Configure SPF record
# Add to DNS TXT record for corp.com
echo 'DNS TXT Record for SPF:'
echo 'corp.com TXT "v=spf1 include:_spf.google.com ~all"'
echo ''
echo 'After testing, change ~all to -all (hard fail) for enforcement'

# Step 3b: Generate and configure DKIM signing
# Generate 2048-bit DKIM key via Admin Console or API
gam create dkim domain corp.com selector google bitlength 2048

echo 'Add DKIM DNS TXT record:'
echo 'google._domainkey.corp.com TXT "v=DKIM1; k=rsa; p=<public_key_from_admin_console>"'

# Verify DKIM is working
gam info dkim domain corp.com

# Step 3c: Configure DMARC policy
echo 'DNS TXT Record for DMARC (start with monitoring):'
echo '_dmarc.corp.com TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; adkim=s; aspf=s"'
echo ''
echo 'After 30 days monitoring, escalate to quarantine then reject:'
echo '_dmarc.corp.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100; adkim=s; aspf=s"'

# Step 3d: Enable advanced phishing and malware protection
# Configure in Admin Console > Security > Email Safety
gam update settings email_safety \
    protect_against_domain_spoofing true \
    protect_against_employee_spoofing true \
    protect_against_inbound_spoofing true \
    protect_unauthenticated_email true \
    identify_spoofed_groups true \
    auto_move_suspicious_to_spam true

# Configure attachment security
gam update settings email_safety \
    protect_encrypted_attachments true \
    protect_anomalous_attachment_types true \
    protect_scripts_from_untrusted true \
    whitelist_sender_domains "" \
    apply_future_recommended_settings true
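
The staged rollout in Step 3 (SPF `~all` to `-all`, DMARC `p=none` to `p=reject`) can be checked mechanically from the published TXT strings. The following is an added example, not part of the original skill; the function names and the `rua` mailbox in the sample records are assumptions.

```python
# Added example (not from the skill): grade SPF/DMARC TXT records against Step 3's rollout.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings; an empty list means the record matches the enforced target."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    if "include:_spf.google.com" not in terms:
        findings.append("SPF: include:_spf.google.com missing, Google senders are not authorized")
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "~":
            findings.append("SPF: ~all is the testing stage, change to -all once reports are clean")
        elif qualifier != "-":
            findings.append("SPF: 'all' qualifier does not fail unlisted senders")
    return findings


def check_dmarc(record):
    """Return (stage, findings); stage is monitoring, quarantine, enforced or invalid."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return "invalid", ["DMARC: v=DMARC1 tag is missing"]
    policy = tags.get("p", "").lower()
    stages = {"none": "monitoring", "quarantine": "quarantine", "reject": "enforced"}
    if policy not in stages:
        return "invalid", ["DMARC: p= must be none, quarantine or reject"]
    findings = []
    if policy == "none":
        findings.append("DMARC: p=none only reports, spoofed mail is still delivered")
    elif tags.get("pct", "100") != "100":
        findings.append("DMARC: pct below 100 leaves part of failing mail unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, nothing to review before escalating")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"DMARC: {tag} is relaxed, this page uses strict alignment")
    return stages[policy], findings


# Constructed sample records modelled on Step 3; the rua mailbox is a placeholder.
SAMPLES = {
    "testing": ("v=spf1 include:_spf.google.com ~all",
                "v=DMARC1; p=none; rua=mailto:dmarc-reports@corp.com; pct=100; adkim=s; aspf=s"),
    "enforced": ("v=spf1 include:_spf.google.com -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc-reports@corp.com; pct=100; adkim=s; aspf=s"),
}

if __name__ == "__main__":
    for label, (spf, dmarc) in SAMPLES.items():
        stage, dmarc_findings = check_dmarc(dmarc)
        print(label, "->", stage)
        for finding in check_spf(spf) + dmarc_findings:
            print("   ", finding)
```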

Step 4: Implement Data Loss Prevention (DLP)

Configure DLP rules to prevent sensitive data exfiltration:

# Create DLP rules for Gmail and Drive
# Using Google Workspace DLP API

cat > dlp_rules.json << 'EOF'
{
  "dlpRules": [
    {
      "name": "PII Detection - SSN",
      "description": "Detect Social Security Numbers in outbound email and Drive sharing",
      "trigger": {
        "contentMatchers": [
          {
            "infoType": "US_SOCIAL_SECURITY_NUMBER",
            "likelihood": "LIKELY",
            "minMatchCount": 1
          }
        ],
        "scope": ["GMAIL_OUTBOUND", "DRIVE_EXTERNAL_SHARE"]
      },
      "action": {
        "blockAction": "QUARANTINE",
        "notifyAdmin": true,
        "notifyUser": true,
        "userMessage": "This message contains a Social Security Number and has been quarantined for review.",
        "auditLog": true
      }
    },
    {
      "name": "Credit Card Number Detection",
      "description": "Block credit card numbers in outbound communications",
      "trigger": {
        "contentMatchers": [
          {
            "infoType": "CREDIT_CARD_NUMBER",
            "likelihood": "LIKELY",
            "minMatchCount": 1
          }
        ],
        "scope": ["GMAIL_OUTBOUND", "DRIVE_EXTERNAL_SHARE", "CHAT"]
      },
      "action": {
        "blockAction": "BLOCK",
        "notifyAdmin": true,
        "notifyUser": true,
        "auditLog": true
      }
    },
    {
      "name": "Confidential Document Detection",
      "description": "Detect documents marked as Confidential or Internal Only",
      "trigger": {
        "contentMatchers": [
          {
            "customRegex": "(?i)(CONFIDENTIAL|INTERNAL ONLY|DO NOT DISTRIBUTE|RESTRICTED)",
            "minMatchCount": 2
          }
        ],
        "metadataMatchers": [
          {
            "driveLabels": ["Confidential", "Restricted"]
          }
        ],
        "scope": ["DRIVE_EXTERNAL_SHARE"]
      },
      "action": {
        "blockAction": "WARN",
        "requireJustification": true,
        "auditLog": true
      }
    }
  ]
}
EOF

echo "Apply DLP rules via Admin Console > Security > Data Protection"
echo "Or use the Google Workspace DLP API for programmatic deployment"
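
Before switching these rules to BLOCK or QUARANTINE, it helps to dry-run their trigger logic against sample content. This added example (not part of the original skill) models the three rules above with simplified stand-in detectors: the SSN and card patterns and the Luhn check are assumptions that approximate the `infoType` matchers, and the `metadataMatchers` clause is not modelled.

```python
import re

# Simplified stand-ins for the SSN and card detectors; Google's own infoType
# detectors are not reproduced here.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# customRegex copied from the page's "Confidential Document Detection" rule.
LABEL_RE = re.compile(r"(?i)(CONFIDENTIAL|INTERNAL ONLY|DO NOT DISTRIBUTE|RESTRICTED)")


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def count_ssn(text):
    return len(SSN_RE.findall(text))


def count_cards(text):
    candidates = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return sum(1 for digits in candidates if luhn_ok(digits))


def count_labels(text):
    return len(LABEL_RE.findall(text))


# Rule names, scopes, actions and minMatchCount values mirror dlp_rules.json above.
RULES = [
    {"name": "PII Detection - SSN", "action": "QUARANTINE", "min": 1,
     "scopes": {"GMAIL_OUTBOUND", "DRIVE_EXTERNAL_SHARE"}, "count": count_ssn},
    {"name": "Credit Card Number Detection", "action": "BLOCK", "min": 1,
     "scopes": {"GMAIL_OUTBOUND", "DRIVE_EXTERNAL_SHARE", "CHAT"}, "count": count_cards},
    {"name": "Confidential Document Detection", "action": "WARN", "min": 2,
     "scopes": {"DRIVE_EXTERNAL_SHARE"}, "count": count_labels},
]


def evaluate(text, scope):
    """Return (rule name, action) for every rule that would fire on this content."""
    return [(rule["name"], rule["action"]) for rule in RULES
            if scope in rule["scopes"] and rule["count"](text) >= rule["min"]]


if __name__ == "__main__":
    # Constructed test content; the card number is the standard Visa test value.
    cases = [
        ("Employee SSN 123-45-6789 attached", "GMAIL_OUTBOUND"),
        ("card 4111 1111 1111 1111", "CHAT"),
        ("order id 4111 1111 1111 1112", "CHAT"),
        ("CONFIDENTIAL draft", "DRIVE_EXTERNAL_SHARE"),
        ("Confidential - internal only", "DRIVE_EXTERNAL_SHARE"),
    ]
    for text, scope in cases:
        print(f"{scope:22} {text!r:40} -> {evaluate(text, scope)}")
```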

Step 5: Control OAuth Applications and Third-Party Access

Restrict which third-party applications can access organizational data:

# Configure OAuth app access control
# Admin Console > Security > API Controls > App Access Control

# Block all third-party apps by default, then allowlist approved ones
gam update org "/" settings \
    third_party_app_access "BLOCKED" \
    allow_users_to_install_apps false

# Allowlist approved applications
cat > approved_apps.json << 'EOF'
{
  "allowedApps": [
    {
      "appId": "slack-app-id",
      "name": "Slack",
      "scopes": ["gmail.readonly", "calendar.readonly"],
      "approvedBy": "security-team",
      "reviewDate": "2026-01-15"
    },
    {
      "appId": "zoom-app-id",
      "name": "Zoom",
      "scopes": ["calendar.events"],
      "approvedBy": "security-team",
      "reviewDate": "2026-01-15"
    },
    {
      "appId": "salesforce-app-id",
      "name": "Salesforce",
      "scopes": ["gmail.send", "contacts.readonly"],
      "approvedBy": "security-team",
      "reviewDate": "2026-01-15"
    }
  ]
}
EOF

# Audit current OAuth tokens granted by users
gam all users print tokens > oauth_tokens_audit.csv
echo "Review oauth_tokens_audit.csv for unauthorized third-party access"

# Revoke tokens for unapproved applications
gam all users deprovision tokens \
    clientid "unapproved-app-client-id"

# Configure API scopes restriction
# Limit which API scopes third-party apps can request
gam update org "/" settings \
    api_access_restricted true \
    allowed_api_scopes "gmail.readonly,calendar.readonly,drive.readonly"
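
Reviewing `oauth_tokens_audit.csv` by hand does not scale, so the token export can be compared against `approved_apps.json` to separate unapproved apps from approved apps holding more scopes than were signed off. This is an added example, not part of the original skill; the CSV column names (`user`, `clientId`, `displayText`, `scopes`), the baseline sign-in scopes and the sample rows are assumptions to adjust to your own export.

```python
import csv
import io
import json

SCOPE_PREFIX = "https://www.googleapis.com/auth/"
# Assumption: sign-in-only scopes are treated as baseline and not reported.
BASELINE = {"openid", "email", "profile", "userinfo.email", "userinfo.profile"}


def short_scope(scope):
    """Reduce a full scope URL to the short form used in approved_apps.json."""
    return scope[len(SCOPE_PREFIX):] if scope.startswith(SCOPE_PREFIX) else scope


def load_allowlist(approved_json):
    """Map each approved appId to its set of approved short scopes."""
    apps = json.loads(approved_json)["allowedApps"]
    return {app["appId"]: {short_scope(s) for s in app["scopes"]} for app in apps}


def audit_tokens(tokens_csv, approved_json):
    """Return (user, clientId, finding, scopes) for every grant outside the allowlist."""
    allowlist = load_allowlist(approved_json)
    findings = []
    for row in csv.DictReader(io.StringIO(tokens_csv)):
        granted = {short_scope(s) for s in row["scopes"].split()} - BASELINE
        client = row["clientId"]
        if client not in allowlist:
            findings.append((row["user"], client, "UNAPPROVED_APP", sorted(granted)))
            continue
        excess = granted - allowlist[client]
        if excess:
            findings.append((row["user"], client, "SCOPE_CREEP", sorted(excess)))
    return findings


def clients_to_revoke(findings):
    """Client IDs with no allowlist entry: the candidates for the token revocation step."""
    return sorted({client for _, client, kind, _ in findings if kind == "UNAPPROVED_APP"})


# Two entries in the layout of the page's approved_apps.json.
APPROVED = """{"allowedApps": [
  {"appId": "slack-app-id", "name": "Slack", "scopes": ["gmail.readonly", "calendar.readonly"]},
  {"appId": "zoom-app-id", "name": "Zoom", "scopes": ["calendar.events"]}
]}"""

# Constructed token export; column names are an assumption about the audit CSV header.
TOKENS = """user,clientId,displayText,scopes
alice@corp.com,slack-app-id,Slack,https://www.googleapis.com/auth/gmail.readonly https://www.googleapis.com/auth/calendar.readonly openid
bob@corp.com,zoom-app-id,Zoom,https://www.googleapis.com/auth/calendar.events https://www.googleapis.com/auth/drive
carol@corp.com,pdf-tool-client-id,PDF Converter,https://www.googleapis.com/auth/drive.readonly email
"""

if __name__ == "__main__":
    results = audit_tokens(TOKENS, APPROVED)
    for user, client, kind, scopes in results:
        print(f"{kind:15} {user:18} {client:20} {' '.join(scopes)}")
    print("revoke:", clients_to_revoke(results))
```

Scope creep on an approved app is a review item rather than an automatic revocation, which is why only unapproved client IDs are returned by `clients_to_revoke`.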

Step 6: Configure External Sharing and Drive Security

Lock down data sharing controls:

# Configure Google Drive sharing restrictions
gam update org "/" settings \
    drive_sharing_outside_domain "WHITELISTED_DOMAINS" \
    drive_sharing_whitelisted_domains "partner1.com,partner2.com" \
    drive_allow_file_requests false \
    drive_shared_drive_creation "ADMIN_ONLY" \
    drive_default_link_sharing "RESTRICTED"

# Configure sharing alerts
gam create alert \
    name "External Sharing Alert" \
    type "drive_external_share" \
    condition "shared_outside_domain=true AND file_type IN ('spreadsheet','document','presentation')" \
    action "notify_admin [email protected]"

# Audit current external shares
gam all users print filelist \
    fields id,name,owners,permissions \
    query "visibility='anyoneWithLink' or visibility='anyoneCanFind'" \
    > external_shares_audit.csv

echo "External shares requiring review:"
# Skip the CSV header row so the count reflects files only
tail -n +2 external_shares_audit.csv | wc -l

# Configure Google Groups security
gam update org "/" settings \
    groups_external_members false \
    groups_external_posting false \
    groups_creation "ADMIN_ONLY" \
    groups_allow_external_invitations false

Key Concepts

  • Advanced Protection Program (APP): Google's strongest account security requiring FIDO2 security keys, blocking third-party app access, and enhanced identity verification for account recovery
  • Context-Aware Access: Security policy framework that evaluates device posture, location, and user identity before granting access to Google Workspace applications
  • DMARC: Domain-based Message Authentication, Reporting and Conformance protocol that prevents email domain spoofing by validating SPF and DKIM alignment
  • DLP Rule: Data Loss Prevention policy that scans content in Gmail, Drive, and Chat for sensitive data patterns and triggers block, quarantine, or warn actions
  • OAuth App Allowlisting: Admin control restricting which third-party applications can access organizational data through Google OAuth API scopes
  • 2-Step Verification (2SV): Google's multi-factor authentication implementation supporting security keys, phone prompts, TOTP, and backup codes as second factors

Tools & Systems

  • Google Admin Console: Web-based administration portal for managing all Google Workspace security settings, users, and organizational units
  • GAM (Google Apps Manager): Open-source command-line tool for bulk Google Workspace administration and automation
  • Google Workspace Alert Center: Centralized dashboard for security alerts including suspicious login activity, DLP violations, and device compromise
  • Google BeyondCorp Enterprise: Zero-trust access solution integrated with Google Workspace for context-aware access policies

Common Scenarios

Scenario: Securing a Newly Acquired Google Workspace Tenant

Context: Post-acquisition security audit reveals the acquired company's Google Workspace has no MFA enforcement, open external sharing, no DLP policies, and multiple unauthorized OAuth applications accessing user data.

Approach:

  1. Immediately enforce 2SV for all super admin accounts using FIDO2 security keys
  2. Reduce super admin count to 3 (primary, secondary, break-glass)
  3. Deploy SPF, DKIM, and DMARC starting with monitoring mode (p=none)
  4. Enable all anti-phishing and anti-spoofing settings in Email Safety
  5. Audit and revoke all unauthorized OAuth application tokens
  6. Set third-party app access to blocked with allowlist of approved applications
  7. Restrict external Drive sharing to approved partner domains only
  8. Deploy DLP rules for PII, financial data, and confidential documents
  9. Enable context-aware access requiring managed devices for sensitive applications
  10. Configure security alerts and SIEM integration for ongoing monitoring

Pitfalls:

  • Enforcing MFA without an enrollment grace period locks users out of their accounts
  • Setting DMARC to reject before the monitoring period is complete causes legitimate email delivery failures
  • Blocking all OAuth apps without first identifying business-critical integrations disrupts workflows
  • Not auditing existing external shares before restricting sharing leaves already-shared data exposed

Output Format

GOOGLE WORKSPACE SECURITY ASSESSMENT REPORT
=============================================
Tenant:            corp.com
License:           Enterprise Plus
Total Users:       3,847
Organizational Units: 12

AUTHENTICATION SECURITY
2SV Enforced:           YES (all OUs)
2SV Enrollment:         3,712 / 3,847 (96.5%)
Security Keys Only:     Executive OU (47 users)
Advanced Protection:    3 super admin accounts
Super Admin Count:      3 (within recommended limit)

EMAIL AUTHENTICATION
SPF:                    CONFIGURED (hard fail: -all)
DKIM:                   CONFIGURED (2048-bit, selector: google)
DMARC:                  ENFORCED (p=reject, 100%)
Anti-Phishing:          ALL PROTECTIONS ENABLED
Anti-Spoofing:          ENABLED (domain + employee name)

DATA PROTECTION
DLP Rules Active:       7
  PII Detection:        SSN, Credit Card, Passport
  Content Labels:       Confidential, Restricted
  Custom Patterns:      3 organization-specific rules
DLP Violations (30d):   89 (67 blocked, 22 warned)

APPLICATION CONTROL
Third-Party App Policy: BLOCKED (allowlist mode)
Approved Apps:          12
Unauthorized Tokens:    0 (all revoked)
API Scope Restrictions: ENABLED

SHARING CONTROLS
External Sharing:       RESTRICTED (allowlisted domains only)
Public Link Sharing:    DISABLED
External Group Members: DISABLED
Shared Drive Creation:  ADMIN ONLY

How to use implementing-google-workspace-admin-security on Cursor

AI-first code editor with Composer

1. Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add implementing-google-workspace-admin-security

2. Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$ npx skills install mukul975/Anthropic-Cybersecurity-Skills/implementing-google-workspace-admin-security

The skills CLI fetches implementing-google-workspace-admin-security from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3. Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ● Cursor (selected)
│ • Cursor
│ • Windsurf

4. Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/implementing-google-workspace-admin-security

Reload or restart Cursor to activate implementing-google-workspace-admin-security. Access the skill through slash commands (e.g., /implementing-google-workspace-admin-security) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.


Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. Install skill using provided installation command
  2. Test with simple use case relevant to your work
  3. Evaluate output quality and relevance
  4. Iterate on prompts to improve results
  5. Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • Start with clear, specific prompts
  • Provide relevant context and constraints
  • Review and refine all outputs before using
  • Iterate to improve output quality
  • Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. Familiarize yourself with skill capabilities and limitations
  2. Start with low-risk, non-critical tasks
  3. Progress to more complex and valuable use cases
  4. Build expertise through regular use and experimentation


Ratings

4.4 · 42 reviews
  • Hiroshi Liu· Dec 24, 2024

    implementing-google-workspace-admin-security has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Kwame Rahman· Dec 20, 2024

    Solid pick for teams standardizing on skills: implementing-google-workspace-admin-security is focused, and the summary matches what you get after install.

  • Naina Diallo· Dec 20, 2024

    Registry listing for implementing-google-workspace-admin-security matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Dhruvi Jain· Dec 16, 2024

    Useful defaults in implementing-google-workspace-admin-security — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Neel Gonzalez· Dec 4, 2024

    implementing-google-workspace-admin-security fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Rahul Santra· Nov 15, 2024

    Registry listing for implementing-google-workspace-admin-security matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Soo Desai· Nov 15, 2024

    implementing-google-workspace-admin-security fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Kwame Zhang· Nov 11, 2024

    We added implementing-google-workspace-admin-security from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Oshnikdeep· Nov 7, 2024

    implementing-google-workspace-admin-security is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Ganesh Mohane· Oct 26, 2024

    Keeps context tight: implementing-google-workspace-admin-security is the kind of skill you can hand to a new teammate without a long onboarding doc.
