How to Manage Publicly Shared Files with GAT

You may find that on your domain a large number of the User’s Google Docs are public. There is a possibility that not all of these public shares were intentional. Learn how to easily manage publically shared files.

With GAT, an Admin can remove Public access in two different ways. The Admin can select the ‘Everyone’, ‘Everyone with Link’ or ‘Published’ flag from the drive audit table and clicking on this flag, select the remove link options available. Method 1.

However, that may also revoke access to documents made public intentionally. Therefore to address the problem we should a) alert users to their current situation and b) implement a plan of on-going monitoring and alerting and scheduled removal if necessary. Method 2.

 

Background

Google Docs can be made public in three different ways, understanding the difference is important in assessing the risk.

Public Documents that are shared ‘Public’ are fully available to everyone on the internet. They are also searched by Google Search engines and can turn up in Search engine results.

Public with Link Documents made ‘Public with link’ are available to all those who have a copy of the link. They are not however available for indexing by search engines. The link can be passed on anonymously.

Published ‘Published’ documents are created when a specific version of the document is ‘Published to the web’ via the ‘File’ option in a Google document. This creates a link to the version of the document at the point of publishing. This link can be embedded in a web paged or passed in an email. It is searchable by search engines. Subsequent changes to the document may not change the ‘Published’ version.

 

Method 1 – Direct Action

This allows the Admin to directly remove the public access from an individual file or all files on his or her G Suite domain Drive. It can be done in 4 easy steps in the Drive Audit.

1, Select the type of public files you wish to target, Full public view, Public with link or Published. After this one-click filter returns the files, 2, select the ‘Out’ filter, meaning you want only files shared out. (Your domain does not own files shared in, so you can not change their access rights.) Next, 3, click on flag showing how the files are shared with everyone, (Everyone, Everyone with Link or Published). Finally, 4, remove the share for that file or for all files that match that condition. See the screenshot below.

this is how you remove the share for that file or for all files that match that condition

Method 2 – Alerting users to the current situation

In this case, we set up a policy to identify all public files and notify the user of the exposure and show them how to revoke access if required. We treat each exposure case as a separate reporting policy because the risk message and the remediation steps are slightly different in each case. 

Alerting Users to files with ‘Public’ access

Go to the ‘Drive’ Audit. From the ‘Documents in the Domain’ table select those that are ‘Open to full public view’. This will return all the files open to full public view in the results table below. This result will also include some files that are shared in. To remove these we simply click on the ‘X’ beside ‘In’ (on the line above the results table). See the screenshot below.

Select docs that are ‘Open to full public view’. They are marked in red.

This filtering process has created a search chip called ‘Docs not shared in Public not deleted’, (the ‘not deleted’ simply refers to the fact that we are excluding all deleted files from this search. This is not the same as ‘Trash’, Trashed files are included as they are live. (GAT is the only tool to track ‘Deleted’ files)).

Next, select the ‘Schedule/Save’ button.

select the ‘Schedule/Save’ button

Set up a policy as outlined in the screenshot above and run ‘Just Once’ by clicking update. It will take some time to run.

Here is a copy of the text to save you time.

The following list of documents is open to full public view.

This means they may be searched and indexed by Google search engines and anyone can look at the contents.

Is this what you intended?

If not, you may want to consider removing public access to the Google Doc.

Alerting Users to files with ‘Public with link’ access

This is very similar to the case for ‘Public’, all that changes is the message and the initial steps.

Go to the ‘Drive’ Audit. From the ‘Documents in the Domain’ table select those that are ‘Public with link’. This will return all the files open to full public view in the results table below. This result will also include some files that are shared in. To remove these, we simply click on the ‘X’ beside ‘In’ (on the line above the results table). See the screenshot below.

Repeat the scheduled steps as above but with the following message.

The following list of documents is open to public view via the link to the document.

This means the link may be passed to anyone anonymously and the third party can view the document contents.

Is this what you intended?

If it not, you can remove public access by following the steps outlined in this post.

Alerting Users to files with ‘Published’ access

Again this is very similar to the case for ‘Public’, instead of selecting ‘Public’ we select ‘Published’.

Go to the ‘Drive’ Audit. From the ‘Documents in the Domain’ table select those that are ‘Published’. This will return all the files open to full public view in the results table below. This result will also include some files that are shared in. To remove these we simply click on the ‘X’ beside ‘In’ (on the line above the results table). See the screenshot below.

Repeat the scheduled steps as above but with the following message.

 

The following list of documents has at least one version in their history open to public view via a ‘Published’ link.

This means the link may be passed to anyone anonymously and the third party can view the document contents. The contents of the published version may also be searched by search engines.

Is this what you intended?

If it not, you can remove public access with GAT.

 

Addressing Future Vulnerabilities

Having looked at and alerted users to the historical situation the Admin should now look to staying on top of the situation.

Again the assumption is the users are allowed to publish and make files public. GAT can, of course, remove public or published links, but in the example following the use case is that the Admin will be alerted, the user alerted, and a link given to let a user make his own choice.

For the Public and Public with link cases.

In the ‘Scheduler’ remove the three ‘just once’ rules you have created. We are now going to create a time-based policy that will run daily.

 

In the Drive audit, follow the following steps… (we are going to treat ‘Public’ and ‘Public with link as the same in this use case)

  1. Select files that are public and visible in the domain
  2. Exclude those shared in
  3. Select files that are ‘Changed’
  4. Select today’s date as the ‘From’ date (no need for an end date)

  1. Select the tab ‘Recent Filters’
  2. Choose the last two searches you did (the steps 1 to 4)
  3. Using the ‘And’ operator, complete the new search
  4. You will now see you have a new combined ‘search chip’
  5. Press ‘Schedule/Save’ to turn this search into a Policy

In the scheduler create the following rule (see screenshot below).

  1. Select the ‘Policy’ option (same as Audit but only reports when they is a match to the search criteria.
  2. PDF is a good report format for this report if you are sharing with non-IT staff (but CSV works too)
  3. Run every 24 hours
  4. Select the option to notify local ‘Owners’ of the files you want to highlight
  5. Add the message of the type in the example

When ready, hit ‘Update’ to enable the rule.

GAT will run this every day after midnight and will automatically update the ‘From’ date. This way rule covers a 24 hour period.

The suggested text is below. You may cut and paste into GAT.

The following list of documents is open to public view via the link to the document.

This means the link may be passed to anyone anonymously and the third party can view the document contents.

Is this what you intended?

If it not, you can remove public access by following the steps outlined in the link http://goo.gl/kJC2Yc

 

For the Published cases

In the Drive audit, follow the following steps (using the step detail in the example above)…

  1. From the ‘Documents in the Domain’ table select those that are ‘Published’
  2. Next, select ‘From’ today’s date and click on ‘Search Documents’
  3. Now pick the ‘Recent Filters’ tab in the drive audit. We are going to combine the last two filters
  4. Select your last two searches and combine into a new one with ‘And’ and ‘Show’
  5. That search may not return any results (meaning there were no files published from your domain today), but we are going to go ahead and schedule it anyway

By making this a policy GAT will run it every day and only notify you as Admin or the user when a document in breach of policy is found. The text and the ‘fix it’ guide are the same as in the Published case above…

The following list of documents has at least one version in their history open to public view via a ‘Published’ link.

This means the link may be passed to anyone anonymously and the third party can view the document contents. The contents of the published version may also be searched by search engines.

Is this what you intended?

If it not, you can remove public access by following the steps outlined in the link http://goo.gl/HDVAS9

With both of these rules running the Domain will be able to stay on top of accidental public sharing of documents.

 

Tip:

You may find this post about removing public and published permissions helpful.

Comments

comments