Access Scope of Delegated Auditors

Education, business and enterprise domains usually have a few G Suite super admin roles within their organization. For security reasons, they may want to delegate responsibilities to other users so that those users have super-admin-like privileges within GAT+ or GAT Shield without holding a G Suite super admin role. This is why it's critical for them to have a feature called Delegated Auditors, which lets them distribute responsibilities to normal users while limiting the number of users who have access to the G Suite Admin Console.

A Delegated Auditor has scopes very similar to those of a super admin within GAT+.

They have full access to all of the Auditing areas.

In the Auditing areas, they can use all of the features of GAT Unlock, with Security Officer approval of course.

  • They can modify permissions/download files/view file content.
  • They can download emails, view emails and remove emails from users’ Gmail accounts.
  • They can set up email delegation to give one user direct delegation into another user’s Gmail account.

In Drive Audit they can’t use the Remove Permissions functionality yet. We will let you know when this feature is available to them as well.

Currently, Delegated Auditors do not have access to the Configuration areas unless they are a Security Officer, in which case they will see only the SO section.

Future Improvements: In the coming weeks, we will be releasing features that give Super Admins more control over the scopes of delegated auditors. Super Admins will have the option to switch on certain areas of the Configuration section, at the super admin’s own discretion.

Alert of Disabled 2 Factor Authentication

Go to the Alarm area in GAT+.

select 'alarms'

You can enable the option ‘Alert on 2FA disabled’. This alarm is fired whenever a user or an Admin disables an account’s 2FA mechanism when it had been working. For organizations that depend on high levels of security, this is a vital alarm to alert Admins to dangers.

see alarm details and edit them as needed.

You can also get alerted when 2FA codes are used by users.

Audit Google Hangouts Chat with GAT Shield

With GAT Shield you can monitor who your users are chatting to on Google Hangouts Chat. You can gather information about how long the conversation lasts and see the chat participants. The chat content itself is not shown for security reasons.

Select 'chats'

You can quickly analyze whether your users are chatting with external domains. To do this, click on the funnel icon at the top right of your screen. This button is called Apply custom filter; it allows you to apply specific search criteria.

select apply in the 'chat filters' tab

Once this is applied all external chats will appear in the search result.

GAT Shield does not track the contents of conversations. However, if these conversations are on record (that is, the participants have not enabled the ‘History Off’ feature), the contents are recorded under email audit and can be seen by following the Security Officer approval process for viewing email contents in GAT+.

Prevent MP3 files and other file types from being downloaded

Using the real-time alert rules within GAT Shield an admin can set up a rule to prevent certain file types from being downloaded to a user’s device.

To set up a download rule, go to the Configuration section of GAT Shield and enter the Alert Rules section.

select "alert rules"

Click on the Add a rule button, and select File download.

Once the menu appears, do the following:

  • Give the rule a meaningful name. In my case, the rule will prevent mp3 and mp4 files from being downloaded.
  • Make sure to enable ‘Active’ so that the rule will be active once the rule setup is complete.
  • I entered mp3;mp4, using a semicolon to separate the two file types. A semicolon is not necessary if only one file type is being covered.

Tick the boxes next to "active" and "cancel/delete download"

  • You also have the option to block files based on their size: anything equal to or above the value you have entered. For example, I can enter 20 MB. That means any mp3 or mp4 equal to or greater than 20 MB will be blocked from being downloaded, while smaller ones won’t.
  • Enable Cancel/delete download, because we want this rule to block and prevent downloads. If it is left unchecked, the rule will only notify you and not take any action.
  • Site exclusions are useful if you have some educational sites where downloading mp3 or mp4 files is allowed.

indicate which users will be covered by this rule.

  • Now we need to indicate which users will be covered by this rule. I have used the OU option, selected the root user OU / and also included sub org units. This means my entire domain is covered by this rule (or, more precisely, the users who have Shield deployed on their accounts). You can indicate a sub OU like /Students and enable the option to cover its sub-OUs if you wish.
  • You can also take actions like shutting the webpage down or showing a custom warning message to the students.
  • The last 3 options allow you to report the file name, capture the screen the user was on and take a picture of the user using the webcam of the device (if Shield Companion app is deployed as well).

All alerts will be sent to you via email and you can also find them in the Shield Alerts section.

Shield alerts tab

Delegate one email account to another indefinitely with GAT+

With GAT+ Super Admins and Delegated Auditors can give a user access into another user’s Gmail account indefinitely.

By default Admins could delegate for any number of hours and GAT+ would automatically remove the delegation when the time was up (saves Admins having to remember to go back and remove it). Now, by using 0 hours, Admins have the option to delegate permanently.

Launch GAT+ and enter the User Audit section.

select 'users'

Click on the Email Info tab. Search for the user whose Gmail account will be delegated to someone else, click on the drop-down menu and select ‘Add e-mail delegation’.

When the menu appears, enter the user who will gain access. Leave the number of hours as 0.

select 'confirm'

A request will be sent to your security officer for approval. Once approved, the delegation will be set.

The delegated account appears in the accounts drop-down list in the user’s own Gmail account. This can take several minutes and may require a refresh. The user accessing the delegated account will have to log out and log back in again for the delegated account to appear.

In addition, if the delegated user reads any unopened email in the audit account, this email will be marked as ‘read’.

How to Use GAT to Detect a Sharing Policy Violation

Using GAT to detect a sharing policy violation

 

This example is for a user, but you can also check for sharing violations on a file, or file type, a folder, a group (all the users in the group – ‘Local User/Group’), an organization, a file id and anyone sharing in or to a particular external target such as a user or a domain.

 

Security Lesson Part 1

 

In the Drive Audit, click the Long Search button and enter the email of the local user against whom you wish to set a policy watch. (For a group of users, add the group name to the ‘Local User/Group’ field.)

long search

Note: The Owned checkbox will return the documents that user owns only. If left unchecked it will return files that user can edit, read or owns.

Click on refresh to see whether the search is complete. If the search is done, click on the green checkbox to apply the filter.

 

Now, let’s modify this feature slightly when the results have been displayed. Click on the ‘Apply custom filter’ button.

When the Drive Files filter appears, add these additional search parameters to your existing Long Search.

  • Updated after or equal today’s date dd/mm/yyyy hh:mm
  • Sharing Flags contains Shared out

 

Note: You should also give it a meaningful name, for example, files shared out of UserX on a daily basis.

Once you have added these additional search parameters, click on Scheduled. Once Scheduled is selected, you will see additional options. You should make the scheduled report run on a daily basis: ‘Every day – after midnight’.

You can also choose who should receive this report which contains data on files shared out by user X each day.

 

Click on Apply & Schedule.

 

Now navigate to Scheduled reports on the configuration side menu.

You can modify your existing scheduled jobs from here.

If you want to create an action with this policy, you can click on Jobs Action Edit; this is the icon next to the pen icon.

 

After setting up this scheduled report, you will receive an email with a spreadsheet of all of the files shared out of User X each day.

 

Security Lesson Part 2

 

Although you have created a policy in Security Lesson Part 1 to show you the files a user has shared out on a daily basis, there may be another vulnerability: files shared in may be used to leak sensitive data. A user on your domain can copy and paste data into a shared-in document without your awareness. That is why we recommend creating a scheduled report that shows you the files shared in to an individual user, entire group, specific OU structure or folder.

 

In this example we will take a look at files shared into a specific user.

In Drive audit, click on the ‘Apply custom filter’ button.

In the Drive Files filter popup apply the following search parameters.

  • Sharing Flags contains Shared in
  • Flags doesn’t contain Team Drive
  • Editors contains (exact match) UserX’s email address

We will apply the filter instead of scheduling this information. If you wish to schedule this report, add another search parameter:

  • Updated After or equal dd/mm/yyyy hh:mm

 

Then click on the Scheduled checkbox. Select how often you want the report to run.

 

Once the results appear in the Drive result table, you can use the functionalities of GAT Unlock to examine the file contents. For more information about viewing file contents silently, read the post “View File Contents: How to silently copy or view files”.

 

Of course, we have made this easy for Admins  – for this type of report for the entire domain, just go to ‘One Click Reports’, select ‘Docs shared in or out changed in the last 24 hour’.
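
The two filters from Security Lesson Parts 1 and 2, modeled over plain file records, as an added example that is not GAT's own code. The record fields (`owner`, `permissions`, `teamDrive`, `modifiedTime`), the domain `example.edu` and all sample files are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

LOCAL_DOMAIN = "example.edu"   # assumption: the domain being audited
USER_X = "userx@example.edu"   # assumption: the watched local user

def _domain(email):
    return email.rsplit("@", 1)[-1].lower()

def is_external(perm):
    """True if a permission reaches outside LOCAL_DOMAIN."""
    if perm["type"] == "anyone":
        return True
    if perm["type"] == "domain":
        return perm["domain"].lower() != LOCAL_DOMAIN
    return _domain(perm["emailAddress"]) != LOCAL_DOMAIN

def shared_out(f, user):
    """Part 1: owned by `user` and visible to someone outside the domain."""
    return f["owner"] == user and any(is_external(p) for p in f["permissions"])

def shared_in_editable(f, user):
    """Part 2: externally owned, not a Team Drive file, and `user` can edit it."""
    if _domain(f["owner"]) == LOCAL_DOMAIN or f.get("teamDrive"):
        return False
    return any(p.get("emailAddress") == user and p["role"] == "writer"
               for p in f["permissions"])

def daily_report(files, user, now):
    """Apply 'Updated after or equal' (last 24 hours), then split into both lists."""
    since = now - timedelta(days=1)
    recent = [f for f in files if datetime.fromisoformat(f["modifiedTime"]) >= since]
    return {"shared_out": [f["name"] for f in recent if shared_out(f, user)],
            "shared_in": [f["name"] for f in recent if shared_in_editable(f, user)]}

# Constructed sample records (not real audit data).
NOW = datetime(2024, 5, 2, 0, 5, tzinfo=timezone.utc)
FILES = [
    {"name": "grades.xlsx", "owner": USER_X, "modifiedTime": "2024-05-01T14:00:00+00:00",
     "permissions": [{"type": "user", "role": "reader", "emailAddress": "someone@outside.example"}]},
    {"name": "lesson-plan.doc", "owner": USER_X, "modifiedTime": "2024-05-01T09:00:00+00:00",
     "permissions": [{"type": "domain", "role": "reader", "domain": "example.edu"}]},
    {"name": "old-export.csv", "owner": USER_X, "modifiedTime": "2024-03-01T09:00:00+00:00",
     "permissions": [{"type": "anyone", "role": "reader"}]},
    {"name": "partner-notes.doc", "owner": "pat@partner.example", "modifiedTime": "2024-05-01T20:00:00+00:00",
     "permissions": [{"type": "user", "role": "writer", "emailAddress": USER_X}]},
    {"name": "partner-brochure.pdf", "owner": "pat@partner.example", "modifiedTime": "2024-05-01T21:00:00+00:00",
     "permissions": [{"type": "user", "role": "reader", "emailAddress": USER_X}]},
]
print(daily_report(FILES, USER_X, NOW))
```

Only the shared-in file on which User X holds edit rights is reported, because a read-only shared-in file cannot receive pasted data.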

 

GAT Shield’s Recursive User OU Search

GAT Shield now has recursive user OU search in the Shield browsing summary and URL access rules settings. This is a much-requested feature.
recursive user ou search

[New Feature] Automatically Block and Approve URL Sets with GAT Shield

Automatically block certain URLs during specific times of the day. For example, block Facebook between the hours of 9 AM and 6 PM Monday through Friday. This feature is very flexible. It allows you to curate a list of URLs that automatically become blocked at certain times. You can also choose to block all sites apart from ones in an ‘approved’ list.

time restriction url access control

See Who Violated Your Domain’s Usage Rules with GAT Shield

In the Shield Alerts section of GAT Shield, you can view all the instances where your users have violated any Alert Rules.

You can see the video instead of reading the post.

 

To know how to create an Alert Rule you can watch our video covering the topic.

In the Alerts Explorer, you can view a list of all the times a rule was violated.

You can see data such as the rule name, the rule type, page info if it was a URL visit, how long ago the rule was violated, the user who violated the rule and whether the status of the alert is still open or has been acknowledged by an Admin.

See when rules were violated

Clicking the check mark will change the status indicator to a green Acknowledged status.

This is so you can let other Administrators on your domain know the alert was investigated.

By clicking the eye Icon you can get all the details of that alert, as well as the admin who acknowledged it.

Device information such as the rule violator’s Shield UUID, OS, IP details and location information is also available in this area.

Track Your Users’ Online Activities with GAT Shield

Using GAT Shield you can track your user’s browser activity throughout the day.

Below is a short tutorial explaining the feature. You can watch it instead of reading this post.

 

You can view what sites they spend most of their time on as well as their active time spent there.

To start off, we’re going to go to the User Activity section of GAT Shield.

Here we can see the timeline of any user.

Sites are ordered by the total duration of time spent. This will help you quickly spot where the bulk of a user’s time is spent.

At the top left of this section, you can select the User you wish to view.

To the right, you can select the date you wish to investigate.

And in the top right you can choose to either view the data by Active time spent or view their activity in a 24-hour window.

user activity report in GAT Shield

The total Chrome browser activity shows you a summary of the user’s total active time spent using their browser. Each colour represents a website; hovering over a colour will reveal its URL.

See the sites visited while hovering over the report

Under this window, you can search for any specific website to see if your user is spending any of their time on that site. For example, you can see if your users are spending too much time on youtube.com.

To the right, you can select the number of displayed sites.

See the amount of displayed sites in GAT Shield

Below you can view your users’ activity for every site they have visited. You can also see what percentage of the user’s day is spent on that site.

View a user's activity for every site they have visited