Control: 3.1.3.5.1 (L2) Ensure POP and IMAP access is disabled for all users
Description
POP and IMAP may allow users to access Gmail using legacy or unapproved email clients that do not support modern authentication mechanisms, such as multifactor authentication.
Disabling POP and IMAP prevents use of legacy and unapproved email clients with weaker authentication mechanisms that would increase the risk of email account credential compromise.
Remediation
To configure this setting via the Google Workspace Admin Console:
- Log in to
https://admin.google.com
as an administrator. - Select
Apps
. - Select
Google Workspace
. - Select
Gmail
. - Under
End User Access
-POP and IMAP Access
. - Set
Enable IMAP access for all users
tounchecked
. - Set
Enable POP access for all users
tounchecked
. - Select
Save
.
Default Value
Enable IMAP access for all users
ischecked
Enable POP access for all users
ischecked
Usage
Run the control in your terminal:
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_5_1
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_5_1 --share
SQL
This control uses a named query:
with all_users as ( select primary_email as user_email from googledirectory_user),gmail_settings as ( select u.user_email, gs.pop, gs.imap from all_users u left join googleworkspace_gmail_settings gs on gs.user_email = u.user_email)select user_email as resource, case when (pop ->> 'accessWindow' = 'disabled' or pop ->> 'accessWindow' is null) and (imap ->> 'enabled' = 'false' or imap ->> 'enabled' is null) then 'ok' else 'alarm' end as status, case when (pop ->> 'accessWindow' = 'disabled' or pop ->> 'accessWindow' is null) and (imap ->> 'enabled' = 'false' or imap ->> 'enabled' is null) then 'POP and IMAP access disabled for user: ' || user_email || '.' when pop ->> 'accessWindow' != 'disabled' and pop ->> 'accessWindow' is not null then 'POP access enabled for user: ' || user_email || ' (access window: ' || (pop ->> 'accessWindow') || ').' when imap ->> 'enabled' = 'true' then 'IMAP access enabled for user: ' || user_email || '.' else 'POP or IMAP access may be enabled for user: ' || user_email || '.' end as reasonfrom gmail_settings;