Remove Everyone as an Editor

Removing Everyone as an Editor (where ‘Everyone’ means the whole world).

Many users are not used to the concept of external sharing, and sometimes they share a file with ‘Everyone’ with edit privileges.

Using the G Suite Admin Console, finding the files which have ‘Everyone’ as an editor is an impossible task; with GAT+ this is made easy.

 

Note: Sometimes there may be a legitimate reason to have ‘Everyone’ as a viewer, but there are very few circumstances where a company document should have everyone in the world as an editor!

 

Launch GAT+ and enter Drive Audit. Click on the familiar custom filters button.

When the menu appears, select the following search parameters:

  • Editors contains (exact match) everyone
  • Sharing Flags contains Shared in

Now I can see all of the files which have everyone as editors! So I will now remove these permissions. Click on the File Operations button and select ‘Remove permissions’.

In the menu that appears select the following configurations:

Enter the key term everyone in the field “Remove Only the following External Shares”, and notify the owners who were affected.
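To confirm independently that nothing is still editable by the whole world after the bulk removal, the following added example (not part of GAT+ or of the original article) checks file metadata in the shape returned by the Google Drive API v3, where a share with the whole world appears as a permission of type anyone and an editor as role writer. The sample records and function names are constructed for illustration.

```python
from collections import defaultdict

# Roles a permission of type "anyone" can carry, strongest first.
ANYONE_ROLES = ["writer", "commenter", "reader"]

# Constructed sample in the shape of Drive API v3 files.list output requested
# with fields "files(name,owners(emailAddress),permissions(type,role))".
FILES = [
    {"name": "Price list",
     "owners": [{"emailAddress": "anna@generalaudittool.com"}],
     "permissions": [{"type": "user", "role": "owner"},
                     {"type": "anyone", "role": "writer"}]},
    {"name": "Brochure",
     "owners": [{"emailAddress": "anna@generalaudittool.com"}],
     "permissions": [{"type": "user", "role": "owner"},
                     {"type": "anyone", "role": "reader"}]},
    {"name": "Roadmap",
     "owners": [{"emailAddress": "bob@generalaudittool.com"}],
     "permissions": [{"type": "user", "role": "owner"},
                     {"type": "user", "role": "writer"},
                     {"type": "anyone", "role": "writer"}]},
    {"name": "Budget",
     "owners": [{"emailAddress": "bob@generalaudittool.com"}],
     "permissions": [{"type": "user", "role": "owner"},
                     {"type": "domain", "role": "writer"}]},
]


def public_role(file_meta):
    """Return the strongest role granted to type 'anyone', or None."""
    roles = {p.get("role") for p in file_meta.get("permissions", [])
             if p.get("type") == "anyone"}
    for role in ANYONE_ROLES:
        if role in roles:
            return role
    return None


def world_editable_by_owner(files):
    """Map each owner's email to the names of their files anyone can edit."""
    report = defaultdict(list)
    for file_meta in files:
        if public_role(file_meta) == "writer":
            for owner in file_meta.get("owners", []):
                report[owner["emailAddress"]].append(file_meta["name"])
    return dict(report)
```

An empty result from world_editable_by_owner after the GAT+ job has run means no world-editable file remains in the checked set; files that are public for viewing only are left out of it, in line with the note above.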

How to Create a Report About Devices Not Synced Within the Last 30 days

This report will show us which mobile devices are no longer synced with our domain.

The report will produce a list of mobile devices which have not synced in over 30 days.

On the GAT Home page, select “Mobile Devices”  

On the top right-hand side of the screen, click on the familiar ‘Apply custom filter’ button.

Select “Last sync” before or equal 1st day of the last month.

Schedule the report to run monthly.

The example above shows us a report for all devices that last synced more than a month ago.

GAT+ will automatically change the date on the next scan next month, and every report will give you data for the previous month.

Ways for GAT to Search for Two or More Users at Once

Examples of the different types of searches GAT can perform. Learn to get more out of GAT.

The Regular Expression Method

 

Using Drive method

Note in this last example, you are searching for the more generic match of all docs in the accounts of the ‘Users’ in the group rather than the docs owned by ‘Owners’ (this wider search includes public documents which the ‘Users’ in the group may have viewed).

Detailed Audit of External Shares

In this post, we will discuss how you can handle and audit external files shared into your domain. You will quickly be able to analyze which external users are sharing in the largest number of files.

On the GAT+ homepage, click on Drive, then select the External Users tab. This will provide a list of all external users.

To identify the files shared in by these external users, review the column Owns (not ours).

The External Users auditing section also shows in detail all the external users that have access to documents on your domain. Some of these docs may be owned by your domain, some not, but they are all opened by or shared explicitly with your users.

The report produces 6 columns, all sortable. The external view lists all the external users and is sorted by the number of documents you have in common but may be sorted by any other column also.  

  • In particular, Can edit (our docs only) is an important sort, to see who the big external collaborators are for documents owned by local users on your domain.
  • Can view (our docs only) indicates files external users can view which are owned by your local users on your domain.
  • Can Edit (any doc) and Can view (any doc): these values may include files which are not owned solely by your domain; they may be owned by other external domains.

Clicking on any blue number links to the files reflected in that category. This allows the admin to export the detailed metadata about these files.

 

Remove External Users as Editors or Readers

In the External Users tab, the columns Can Edit (any doc) and Can view (any doc) can be used to quickly remove a particular external share. Click on the values; this will take you to those files.

Next to the email address of the external user will be a drop-down menu. Click on it, and choose to remove the external user as either an Editor or a Reader.

  • Remove this permission: removes the external user from just that document.
  • Remove userX@externaldomain.com as Reader/Editor from files in the current filter: removes the external user from all files within the current filter.

Create Delegated Auditors within GAT+

Overview

This feature is ideal where Admins want to delegate the audit function to local managers or regional security personnel. GAT+ allows anyone to audit any range of users based on the model of Google Groups, Google Classrooms, and Org Units. It does not require passing on Google Admin authority. Selected auditors can be an individual user, group or Org Unit. This allows you to have multiple auditors for a specified scope.

 

This process is documented in this YouTube video.

 

To enable audit delegation, go to GAT+ and, on the side menu, enter the section called Delegated Auditors.

Click on ‘Add new auditor’.

Now, set up the delegated auditors and give them a scope.

In the above example, I selected just one auditor, Anna, and gave her scope over the Sales team.

Note: Once the delegation is completed, delegated auditors who launch GAT+ will be able to run reports and audits similar to a super admin, but only for the scope they’ve been given.

You can verify the scope the auditor has by logging into GAT+ as them; you will see exactly what the auditor sees.

 

Identify External members within your Google Groups

Vulnerabilities are introduced when a Google Group contains one or more external members. If these members are no longer in communication with your organization, or they are ex-partners, you should audit such groups and investigate whether these members should still be present.

 

Follow these instructions to identify, audit and take action on external members.

Go to Groups Audit, Group members Tab (top menu bar selection) then click on the apply custom filter button.

When the menu option appears, apply the following search rule: Member doesn’t contain domain email. For example, Member doesn’t contain generalaudittool.com.

External members are displayed adjacent to the group email address.

Export the data to a Google Spreadsheet.
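A cross-check you can run on the exported sheet, as an added example that is not part of GAT+ or of the original article: it classifies each member by exact domain rather than by substring, and lists external addresses that merely contain the domain text, which a "doesn't contain" rule would not report. The (group, member) row layout, the sample addresses and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: the domains your organisation owns. generalaudittool.com is the
# example domain used on this page; add secondary or alias domains here.
INTERNAL_DOMAINS = {"generalaudittool.com"}

# Constructed sample rows in an assumed (group email, member email) layout.
EXPORTED_ROWS = [
    ("sales@generalaudittool.com", "anna@generalaudittool.com"),
    ("sales@generalaudittool.com", "Bob@GeneralAuditTool.com"),
    ("sales@generalaudittool.com", "partner@example.org"),
    ("sales@generalaudittool.com", "generalaudittool.com.billing@example.net"),
    ("project-x@generalaudittool.com", "carol@generalaudittool.com.example.net"),
    ("project-x@generalaudittool.com", "dave@eu.generalaudittool.com"),
]


def member_domain(email):
    """Return the lower-cased domain part (the text after the last '@')."""
    return email.strip().rpartition("@")[2].lower()


def is_internal(email, allow_subdomains=False):
    """True only when the address's domain is one of ours (exact match)."""
    domain = member_domain(email)
    if domain in INTERNAL_DOMAINS:
        return True
    return allow_subdomains and any(
        domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def external_members(rows, allow_subdomains=False):
    """Group external member addresses by the group that contains them."""
    found = defaultdict(list)
    for group, member in rows:
        if not is_internal(member, allow_subdomains):
            found[group].append(member)
    return dict(found)


def hidden_by_substring_filter(rows):
    """External members whose address still contains an internal domain string."""
    return [member for _, member in rows
            if not is_internal(member)
            and any(d in member.lower() for d in INTERNAL_DOMAINS)]
```

Subdomains are treated as external unless allow_subdomains is set, so decide explicitly whether addresses such as the eu. one in the sample belong to your organisation.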

Find and delete old inactive documents in Google Drive

How to search for all files that have not been viewed since, for example, 01 July 2015.

To find the files across your domain that have not been viewed since 1 July 2015, select Drive audit – Apply custom filter – Updated before or equal to July 1, 2015.

This will display only the files across your domain that were last updated before July 2015.

How to delete all files that are shown in the search across all users.

You would need to take ownership of the files using GAT+. To do this you would need to use GAT Unlock. You can request to become the owner of those files by sending the request to your security officer. Once you become the owner you can delete the files. The files will be accessible on your Google Drive.

Here is a link you can follow for the GAT Unlock feature if you need it.

Apply a Search Filter in Google Drive Audit

Searching for files of a user/editor/reader etc

In GAT’s Google Drive audit, we provide an array of search parameters to filter by, making it the most useful feature in this section. You can quickly find files and take action on them, or export this data for archiving purposes.

Click on the funnel icon, also known as the ‘Apply custom filter’ button.

In the menu which appears, the default type is set to Simple Filter.

Select the Owner parameter, equal to UserX’s email address. If you do not wish to enter the entire email address, change equal to contains (case insensitive).

 

Other Search parameters are as follows:

  • Organizer – This is related to Team Drive roles; the Organizer role allows users to permanently remove content and modify the Team Drive name and membership.
  • User – This search parameter returns files which can be edited, read or are owned by UserX
  • Editors – This search parameter will return files which can be edited by UserX
  • Readers – This search parameter will return files which can be viewed or read by UserX

Long Search

If you wish to find files owned by or related to (editors, readers, organizers) a Google Group or a user OU structure, use the Long Search.

For example, if I want to find all of the files owned by members of Sales Group (sales@generalaudittool.com) I can enter the following info into the fields provided.

Note: If the option Owned is not checked, the search will return files which the members of Sales Group can own, edit, or read. All 3 states will be covered.

 

Once you request the search, it will take a few seconds to complete. The load speed depends on a number of factors, mainly the number of files which need to be indexed. Click on the reload button to update the UI and to see if the search is completed.

If the search is complete, select it and apply it.

Once the search is applied you will see all of the files owned by the group you have selected in the Drive result table.

 

Remember you can build on top of this search. For example, if I now wanted to narrow down my search for PDF files owned by Sales Group, I can click on the ‘Apply custom filter’ button.

Then I can add a new rule for Mimetype equals application/pdf.

Of course, you can also apply other search operators to make the search even more narrow and specific.

 

Note: Do not remove the Long Search ID which is shown; this is a reference to the long search you carried out in the previous steps.

 

Measuring user engagement over the last 90 days

We can measure user engagement over the last 90 days (by counting Google Docs created in that time frame).

 

In Drive audit, click on the ‘Apply custom filter’ button.

In the Drive Files filters popup, click on ‘Add group’, and in this group select the following search parameters.

  • Type equal Document
  • Type equal Word

Note: This group is OR’d.

Outside of the group add an additional rule.

  • Created After or equal dd/mm/yyyy (look back 3 months)

And then apply the filter.

 

When the results appear in the Drive result table, click on the ‘Export data’ button and select ‘Export to Google Sheet’.

A message will appear when the export is ready.

The spreadsheet will contain a lot more columns of data.

How to Use GAT to Detect a Sharing Policy Violation

Using GAT to detect a sharing policy violation

 

This example is for a user, but you can also check for sharing violations on a file, or file type, a folder, a group (all the users in the group – ‘Local User/Group’), an organization, a file id and anyone sharing in or to a particular external target such as a user or a domain.

 

Security Lesson Part 1

 

In Drive Audit, click the Long Search button and enter the email of the local user for whom you wish to set up a policy watch. (For a group of users, add the group name to the ‘Local User/Group’ field.)

Note: With the Owned checkbox checked, the search returns only the documents that the user owns. If left unchecked, it returns files that the user can edit, can read or owns.

Click on the refresh button to see if the search is complete. If the search is done, click on the Green checkbox to apply the filter.

 

Now, once the results have been displayed, let’s modify this search slightly. Click on the ‘Apply custom filter’ button.

When the Drive Files filter appears, add these additional search parameters on your existing Long Search.

  • Updated after or equal today’s date dd/mm/yyyy hh:mm
  • Sharing Flags contains Shared out

 

Note: You should also give it a meaningful name, for example, files shared out of UserX on a daily basis.

Once you have added these additional search parameters, click on Scheduled. Once Scheduled is selected, you will see additional options. You should make the scheduled report run on a daily basis: ‘Every day – after midnight’.

You can also choose who should receive this report which contains data on files shared out by user X each day.

 

Click on Apply & Schedule.

 

Now navigate to Scheduled reports on the configuration side menu.

You can modify your existing scheduled jobs from here.

If you want to create an action with this policy, click on Jobs Action Edit; this is the icon next to the pen icon.

With this scheduled report set up, you will receive an email with a spreadsheet of all of the files shared out by User X each day.

 

Security Lesson Part 2

 

Although you have created a policy in Security Lesson Part 1 to show you the files a user has shared out on a daily basis, there may be another vulnerability: files shared in may be used to leak sensitive data. A user on your domain can copy and paste data into a shared-in document without your awareness. That is why we recommend creating a scheduled report which can show you the files shared in to an individual user, entire group, specific OU structure or folder.

 

In this example we will take a look at files shared into a specific user.

In Drive audit, click on the ‘Apply custom filter’ button.

In the Drive Files filter popup apply the following search parameters.

  • Sharing Flags contains Shared in
  • Flags doesn’t contain Team Drive
  • Editors contains (exact match) UserX’s email address

We will apply the filter instead of scheduling this information. If you wish to schedule this report, add another search parameter:

  • Updated After or equal dd/mm/yyyy hh:mm

 

And click on the Scheduled checkbox. Select how often you want the report to run.

 

Once the results appear in the Drive result table, you can use the functionalities of GAT Unlock to examine the file contents. For more information about viewing file contents silently, read this post: “View File Contents: How to silently copy or view files”.

 

Of course, we have made this easy for Admins: for this type of report for the entire domain, just go to ‘One Click Reports’ and select ‘Docs shared in or out changed in the last 24 hour’.