Control: 4.1.1.1 (L1) Ensure 2-Step Verification (Multi-Factor Authentication) is enforced for all users in administrative roles
Description
Enforce 2-Step Verification (Multi-Factor Authentication) for all users assigned administrative roles. These include roles such as:
- Help Desk Admin
- Groups Admin
- Super Admin
- Services Admin
- User Management Admin
- Mobile Admin
- Android Admin
- Custom Admin Roles.
Add an extra layer of security to users' accounts by asking them to verify their identity after they enter a username and password. 2-Step Verification (multi-factor authentication) requires an individual to present a minimum of two separate forms of authentication before access is granted, which provides additional assurance that the individual attempting to gain access is who they claim to be. With 2-Step Verification enforced, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
Remediation
To verify this setting via the Google Workspace Admin Console:
- Log in to https://admin.google.com as an administrator.
- Go to Security and click on 2-Step Verification.
- Select the appropriate group with ALL ADMIN ROLES (create this group if needed).
- Under Authentication, set Allow users to turn on 2-Step Verification to checked.
- Set Enforcement to On.
- Set New user enrollment period to 2 weeks.
- Under Frequency, set Allow user to trust device to unchecked.
- Under Methods, set Any except verification codes via text, phone call to selected.
- Select Save.
Default Value
- Allow users to turn on 2-Step Verification is checked
- Enforcement is Off
- New user enrollment period is None
- Frequency - Allow user to trust device is checked
- Methods is Any
Usage
Run the control in your terminal:
powerpipe control run googleworkspace_compliance.control.cis_v120_4_1_1_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_4_1_1_1 --share
SQL
This control uses a named query:
with admin_users as (
  select
    u.primary_email,
    u.is_admin,
    u.is_delegated_admin,
    u.is_enrolled_in_2sv,
    u.is_enforced_in_2sv,
    r.role_name,
    r.is_super_admin_role
  from
    googledirectory_user u
    left join googledirectory_role_assignment ra on u.id = ra.assigned_to
    left join googledirectory_role r on ra.role_id = r.role_id
  where
    u.is_admin = true
    or u.is_delegated_admin = true
)
select
  primary_email as resource,
  case
    when is_enrolled_in_2sv = false then 'alarm'
    when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then 'info'
    else 'ok'
  end as status,
  case
    when is_enrolled_in_2sv = false then format('Admin user %s is not enrolled in 2-Step Verification (role: %s).', primary_email, coalesce(role_name, 'Admin'))
    when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then format('Admin user %s has 2FA enrolled but not enforced (role: %s).', primary_email, coalesce(role_name, 'Admin'))
    else format('Admin user %s has 2-Step Verification properly configured (role: %s).', primary_email, coalesce(role_name, 'Admin'))
  end as reason
from
  admin_users
order by
  is_super_admin_role desc,
  is_enrolled_in_2sv asc,
  primary_email;
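To see how the control's status logic behaves, including the left-join case of a delegated admin with no role assignment row (reported under the role name "Admin"), here is an added, stand-alone Python example that runs the same query shape against constructed sample rows in an in-memory SQLite database. It is not part of the Powerpipe mod: the table layouts are a hand-built subset of the Steampipe googledirectory_* columns the query uses, the sample users and role names are constructed, and the Postgres format() reason column is left out.

```python
import sqlite3

# Constructed subset of the googledirectory_* tables referenced by the control.
SCHEMA = """
create table googledirectory_user(id, primary_email, is_admin, is_delegated_admin,
                                  is_enrolled_in_2sv, is_enforced_in_2sv);
create table googledirectory_role_assignment(assigned_to, role_id);
create table googledirectory_role(role_id, role_name, is_super_admin_role);
"""

# Constructed sample rows: (id, email, is_admin, is_delegated_admin, enrolled, enforced)
USERS = [
    ("u1", "alice@example.com", True, False, True, True),    # expected: ok
    ("u2", "bob@example.com", True, False, True, False),     # expected: info
    ("u3", "carol@example.com", False, True, False, False),  # expected: alarm
    ("u4", "dave@example.com", False, False, False, False),  # not an admin: excluded
]
ROLES = [("r1", "Super Admin", True), ("r2", "Help Desk Admin", False)]
ASSIGNMENTS = [("u1", "r1"), ("u2", "r2")]  # carol has no role assignment row

# Same CTE, join and status CASE as the control; reason column omitted (no format()).
CONTROL_SQL = """
with admin_users as (
  select u.primary_email, u.is_enrolled_in_2sv, u.is_enforced_in_2sv,
         r.role_name, r.is_super_admin_role
  from googledirectory_user u
  left join googledirectory_role_assignment ra on u.id = ra.assigned_to
  left join googledirectory_role r on ra.role_id = r.role_id
  where u.is_admin = true or u.is_delegated_admin = true)
select primary_email,
  case when is_enrolled_in_2sv = false then 'alarm'
       when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then 'info'
       else 'ok' end as status,
  coalesce(role_name, 'Admin') as role_name
from admin_users
order by is_super_admin_role desc, is_enrolled_in_2sv asc, primary_email;
"""


def evaluate_control(users=USERS, roles=ROLES, assignments=ASSIGNMENTS):
    """Load the sample rows and return [(email, status, role_name)] in control order."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("insert into googledirectory_user values (?,?,?,?,?,?)", users)
    con.executemany("insert into googledirectory_role values (?,?,?)", roles)
    con.executemany("insert into googledirectory_role_assignment values (?,?)", assignments)
    return con.execute(CONTROL_SQL).fetchall()


if __name__ == "__main__":
    for email, status, role in evaluate_control():
        print(f"{status:5} {email} ({role})")
```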