Benchmark: 3.1.3.5 End User Access
Overview
The CIS Google Workspace Community does not have any specific security recommendations with regard to Google Meet, due to its usage being very organizationally specific.
That being said, there are some items that Admins should consider when deploying Google Meet:
- Who should be allowed to create meetings?
  - Example: In an education environment, possibly configure that only Teachers are allowed to create a meeting and Students can only attend.
- Who can join a meeting?
  - Example: In an education environment, possibly Teachers can attend any meeting (internally or externally created) and Students can only attend internally created meetings.
Settings you may want to review are:
1. Log in to https://admin.google.com as an administrator.
2. Select Google Workspace.
3. Select Apps.
4. Select Google Meet.
5. Select Meet video settings.
   - Select Recording - Let people record their meetings.
   - Select Stream - Let people stream their meetings.
6. Select Meet safety settings.
   - Select Domain - Who can join meetings created by your organization
   - Select Access - Which meetings users in the organization can join
   - Select Joining - How users join a meeting (quick access)
   - Select Chat - Who can send in-call chat messages
   - Select Present - Who can share their screens in calls
   - Select Host management - Default host management
NOTE: Configuring this properly will likely require creating different Organizational Units (OUs) to segment users and allow different configuration settings to be applied to each group. An informative video on this topic can be found here.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-googleworkspace-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3.1.3.5 End User Access.
Run this benchmark in your terminal:
powerpipe benchmark run googleworkspace_compliance.benchmark.cis_v120_3_1_3_5
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run googleworkspace_compliance.benchmark.cis_v120_3_1_3_5 --share
Controls
- 3.1.3.5.1 (L2) Ensure POP and IMAP access is disabled for all users
- 3.1.3.5.2 (L1) Ensure automatic forwarding options are disabled