Data/AuditChecks/AuthenticationChecks.json
|
{ "categoryId": "auth", "categoryName": "Authentication & Access Controls", "categoryDescription": "Checks related to user authentication, MFA, passwords, and session controls", "checks": [ { "id": "AUTH-001", "name": "2SV Enforcement", "description": "Two-step verification (2SV/MFA) should be enforced for all users to prevent account takeover via stolen credentials", "severity": "Critical", "zeroTrustPillar": "Identity", "zeroTrustWeight": 3, "subcategory": "Multi-Factor Authentication", "recommendedValue": "Enforced for all organizational units", "remediationUrl": "https://admin.google.com/ac/security/2sv", "remediationSteps": "Admin Console > Security > Authentication > 2-step verification > Set Enforcement to 'On'", "referenceUrl": "https://knowledge.workspace.google.com/admin/security/protect-your-business-with-2-step-verification?hl=en", "referenceTitle": "Google: Protect your business with 2-Step Verification", "affectedLabel": "Active users without 2SV enforced", "compliance": { "nistSp80053": [ "IA-2(1)", "IA-2(2)" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "1.1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-002", "name": "2SV Enrollment Rate", "description": "All active users should have 2SV enrolled. Low enrollment rates leave accounts vulnerable to credential-based attacks", "severity": "High", "zeroTrustPillar": "Identity", "zeroTrustWeight": 2, "subcategory": "Multi-Factor Authentication", "recommendedValue": "95% or higher enrollment among active users", "remediationUrl": "https://admin.google.com/ac/reporting/report/user/security", "remediationSteps": "Admin Console > Reporting > User Reports > Security > Review users without 2SV. Set enrollment deadline via Security > 2-Step Verification", "referenceUrl": "https://knowledge.workspace.google.com/admin/security/deploy-2-step-verification?hl=en", "referenceTitle": "Google: Deploy 2-Step Verification", "affectedLabel": "Active users not enrolled in 2SV", "compliance": { "nistSp80053": [ "IA-2(1)" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "1.2" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-003", "name": "2SV Method Strength", "description": "Security keys should be the primary 2SV method. SMS and voice-based 2SV are vulnerable to SIM-swapping and interception attacks", "severity": "Medium", "zeroTrustPillar": "Identity", "zeroTrustWeight": 3, "subcategory": "Multi-Factor Authentication", "recommendedValue": "Security keys enforced as primary method", "remediationUrl": "https://admin.google.com/ac/security/2sv", "remediationSteps": "Admin Console > Security > Authentication > 2-step verification > Set allowed methods to 'Security key only'", "referenceUrl": "https://www.vectra.ai/blog/the-hidden-risks-of-sms-based-multi-factor-authentication", "referenceTitle": "Why SMS-based MFA is vulnerable (SIM-swap & interception)", "compliance": { "nistSp80053": [ "IA-2(1)", "IA-2(12)" ], "mitreAttack": [ "T1111", "T1078.004" ], "cisBenchmark": [ "1.3" ], "scuba": [ "GWS.COMMONCONTROLS.1.1v1", "GWS.COMMONCONTROLS.1.3v1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-004", "name": "Password Minimum Length", "description": "Password minimum length should be at least 12 characters to resist brute-force and dictionary attacks", "severity": "High", "zeroTrustPillar": "Identity", "zeroTrustWeight": 2, "subcategory": "Password Policy", "recommendedValue": "Minimum 12 characters", "remediationUrl": "https://admin.google.com/ac/security/passwordmanagement", "remediationSteps": "Admin Console > Security > Authentication > Password management > Set minimum length to 12 or higher", "referenceUrl": "https://www.strongdm.com/blog/nist-password-guidelines", "referenceTitle": "NIST password guidelines: why length resists brute force", "compliance": { "nistSp80053": [ "IA-5(1)" ], "mitreAttack": [ "T1110.001", "T1110.003" ], "cisBenchmark": [ "1.4" ], "scuba": [ "GWS.COMMONCONTROLS.5.1v1", "GWS.COMMONCONTROLS.5.2v1", "GWS.COMMONCONTROLS.5.3v1", "GWS.COMMONCONTROLS.5.4v1", "GWS.COMMONCONTROLS.5.5v1", "GWS.COMMONCONTROLS.5.6v1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-005", "name": "Password Reuse Restriction", "description": "Users should not be able to reuse recent passwords, preventing credential cycling attacks", "severity": "Medium", "zeroTrustPillar": "Identity", "zeroTrustWeight": 3, "subcategory": "Password Policy", "recommendedValue": "Password reuse not allowed", "remediationUrl": "https://admin.google.com/ac/security/passwordmanagement", "remediationSteps": "Admin Console > Security > Authentication > Password management > Enable 'Enforce password policy at next sign-in' and restrict reuse", "referenceUrl": "https://knowledge.workspace.google.com/admin/users/enforce-and-monitor-password-requirements-for-users", "referenceTitle": "Google: Enforce and monitor password requirements", "compliance": { "nistSp80053": [ "IA-5(1)" ], "mitreAttack": [ "T1110.004" ], "cisBenchmark": [ "1.5" ], "scuba": [ "GWS.COMMONCONTROLS.5.1v1", "GWS.COMMONCONTROLS.5.2v1", "GWS.COMMONCONTROLS.5.3v1", "GWS.COMMONCONTROLS.5.4v1", "GWS.COMMONCONTROLS.5.5v1", "GWS.COMMONCONTROLS.5.6v1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-006", "name": "Session Duration", "description": "Web session duration should be limited to reduce the window for session hijacking and unauthorized access from shared devices", "severity": "Medium", "zeroTrustPillar": "Identity", "zeroTrustWeight": 1, "subcategory": "Session Management", "recommendedValue": "Session duration of 12 hours or less", "remediationUrl": "https://admin.google.com/ac/security/session", "remediationSteps": "Admin Console > Security > Google Session Control > Set web session duration", "referenceUrl": "https://knowledge.workspace.google.com/admin/security/set-session-length-for-google-services", "referenceTitle": "Google: Set session length for Google services", "compliance": { "nistSp80053": [ "AC-12", "SC-23" ], "mitreAttack": [ "T1550.004" ], "cisBenchmark": [ "1.6" ], "scuba": [ "GWS.COMMONCONTROLS.4.1v1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-007", "name": "SSO Configuration", "description": "If SSO is configured, it should use secure protocols and trusted identity providers", "severity": "Medium", "zeroTrustPillar": "Identity", "zeroTrustWeight": 1, "subcategory": "Single Sign-On", "recommendedValue": "SAML SSO properly configured with trusted IdP", "remediationUrl": "https://admin.google.com/ac/security/ssoprofile", "remediationSteps": "Admin Console > Security > Authentication > SSO with third-party IdP > Verify configuration", "referenceUrl": "https://knowledge.workspace.google.com/admin/apps/best-practices-for-third-party-idp-and-google-workspace-configuration", "referenceTitle": "Google: Best practices for third-party IdP configuration", "compliance": { "nistSp80053": [ "IA-2(6)", "IA-8" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "1.7" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-008", "name": "Less Secure Apps Access", "description": "Less secure apps (apps that don't support modern authentication) should be blocked to prevent credential exposure", "severity": "High", "zeroTrustPillar": "Identity", "zeroTrustWeight": 3, "subcategory": "App Access", "recommendedValue": "Disabled for all users", "remediationUrl": "https://admin.google.com/ac/security/lsa", "remediationSteps": "Admin Console > Security > Authentication > Less secure apps > Set to 'Disable access to less secure apps'", "referenceUrl": "https://knowledge.workspace.google.com/admin/sync/transition-from-less-secure-apps-to-oauth", "referenceTitle": "Google: Transition from less secure apps to OAuth", "compliance": { "nistSp80053": [ "IA-5(2)" ], "mitreAttack": [ "T1078.004", "T1110" ], "cisBenchmark": [ "1.8" ], "scuba": [ "GWS.COMMONCONTROLS.10.5v1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-009", "name": "App Passwords Policy", "description": "App-specific passwords bypass 2SV and should be controlled. If allowed, they should require 2SV enrollment first", "severity": "Medium", "zeroTrustPillar": "Identity", "zeroTrustWeight": 3, "subcategory": "App Access", "recommendedValue": "App passwords restricted or disabled", "remediationUrl": "https://admin.google.com/ac/security/2sv", "remediationSteps": "Admin Console > Security > Authentication > 2-step verification > Review app password settings", "referenceUrl": "https://support.google.com/a/answer/9176599", "referenceTitle": "Google: How 2-Step Verification works with legacy apps", "compliance": { "nistSp80053": [ "IA-5(1)" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "1.9" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-010", "name": "Recovery Options Configuration", "description": "User self-service recovery should be configured appropriately. Super admins should not have personal recovery options to prevent social engineering", "severity": "High", "zeroTrustPillar": "Identity", "zeroTrustWeight": 3, "subcategory": "Account Recovery", "recommendedValue": "Super admins: no personal recovery. Regular users: recovery options allowed with admin override", "remediationUrl": "https://admin.google.com/ac/security/accountrecovery", "remediationSteps": "Admin Console > Security > Authentication > Account recovery > Disable personal recovery for super admin OU", "referenceUrl": "https://support.google.com/a/answer/9436964", "referenceTitle": "Google: Allow super administrators to recover their password", "affectedLabel": "Super admins with personal recovery options", "compliance": { "nistSp80053": [ "IA-5(1)", "AC-2(4)" ], "mitreAttack": [ "T1078.004", "T1098" ], "cisBenchmark": [ "1.10" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-011", "name": "Login Challenge Settings", "description": "Login challenges should be enabled to provide additional verification when suspicious login attempts are detected", "severity": "Medium", "zeroTrustPillar": "Identity", "zeroTrustWeight": 1, "subcategory": "Login Security", "recommendedValue": "Login challenges enabled with employee ID or other verification", "remediationUrl": "https://admin.google.com/ac/security/loginchallenges", "remediationSteps": "Admin Console > Security > Authentication > Login challenges > Enable", "referenceUrl": "https://support.google.com/a/answer/6002699", "referenceTitle": "Google: Protect accounts with security challenges", "compliance": { "nistSp80053": [ "IA-2(13)" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "1.11" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-012", "name": "Super Admin 2SV Enrollment", "description": "All super admin accounts must have 2SV enrolled. Super admins have unrestricted access to all settings and data", "severity": "Critical", "zeroTrustPillar": "Identity", "zeroTrustWeight": 3, "subcategory": "Multi-Factor Authentication", "recommendedValue": "100% of super admins enrolled in 2SV", "remediationUrl": "https://admin.google.com/ac/reporting/report/user/security", "remediationSteps": "Admin Console > Reporting > User Reports > Security > Filter by admin status > Ensure all super admins have 2SV enrolled", "referenceUrl": "https://support.google.com/a/answer/16271818", "referenceTitle": "Google: About 2SV enforcement for admins", "affectedLabel": "Super admins without 2SV enrolled", "compliance": { "nistSp80053": [ "IA-2(1)", "IA-2(11)" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "1.12" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-013", "name": "Stale Super Admin Accounts", "description": "Super admin accounts that have not logged in recently may be orphaned and at risk of compromise. All super admin accounts should be actively managed", "severity": "High", "zeroTrustPillar": "Identity", "zeroTrustWeight": 2, "subcategory": "Account Hygiene", "recommendedValue": "No super admin accounts inactive for more than 90 days", "remediationUrl": "https://admin.google.com/ac/users", "remediationSteps": "Admin Console > Directory > Users > Filter by admin role > Review and remove or suspend inactive super admin accounts", "referenceUrl": "https://cloud.google.com/resource-manager/docs/super-admin-best-practices", "referenceTitle": "Google Cloud: Super administrator account best practices", "affectedLabel": "Stale super admin accounts", "compliance": { "nistSp80053": [ "AC-2(3)", "AC-2(4)" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "1.13" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-014", "name": "2SV Enrollment Allowed", "description": "Users must be allowed to enroll in two-step verification. Disabling 2SV enrollment blocks MFA adoption and leaves accounts protected by passwords alone", "severity": "Medium", "zeroTrustPillar": "Identity", "zeroTrustWeight": 3, "subcategory": "Multi-Factor Authentication", "recommendedValue": "2SV enrollment allowed in all organizational units", "remediationUrl": "https://admin.google.com/ac/security/2sv", "remediationSteps": "Security > Authentication > 2-step verification > Set 'Allow users to turn on 2-Step Verification' to On for all organizational units", "referenceUrl": "https://support.google.com/a/answer/9176657", "referenceTitle": "Google: Turn on 2-Step Verification", "compliance": { "nistSp80053": [ "IA-2(1)" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "1.2" ], "scuba": [ "GWS.COMMONCONTROLS.1.1v1", "GWS.COMMONCONTROLS.1.2v1", "GWS.COMMONCONTROLS.1.3v1", "GWS.COMMONCONTROLS.1.4v1", "GWS.COMMONCONTROLS.1.5v1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-015", "name": "2SV Enrollment Grace Period", "description": "The grace period before newly added users must enroll in 2SV should be short. A long grace period leaves accounts unprotected by MFA for an extended window after creation", "severity": "Low", "zeroTrustPillar": "Identity", "zeroTrustWeight": 2, "subcategory": "Multi-Factor Authentication", "recommendedValue": "Grace period of 7 days (168 hours) or less", "remediationUrl": "https://admin.google.com/ac/security/2sv", "remediationSteps": "Security > Authentication > 2-step verification > Set the new-user enrollment grace period to 7 days or less", "referenceUrl": "https://support.google.com/a/answer/9176657", "referenceTitle": "Google: Set a 2-Step Verification enrollment period", "compliance": { "nistSp80053": [ "IA-2(1)" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "1.2" ], "scuba": [ "GWS.COMMONCONTROLS.1.4v1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-016", "name": "Advanced Protection Self-Enrollment", "description": "Allowing self-enrollment in the Advanced Protection Program lets high-risk users adopt the strongest available account protections without admin intervention", "severity": "Low", "zeroTrustPillar": "Identity", "zeroTrustWeight": 1, "subcategory": "Account Security", "recommendedValue": "Advanced Protection self-enrollment allowed in all organizational units", "remediationUrl": "https://admin.google.com/ac/security/advanced-protection", "remediationSteps": "Security > Authentication > Advanced Protection Program > Allow users to self-enroll in Advanced Protection", "referenceUrl": "https://support.google.com/a/answer/9378686", "referenceTitle": "Google: Protect users with the Advanced Protection Program", "compliance": { "nistSp80053": [ "IA-2(1)" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "1.14" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-017", "name": "Super Admin Account Self-Recovery", "description": "Self-service account recovery for super admins is an account-takeover path via social engineering and should be turned off. Super admins should be recovered only by another administrator", "severity": "High", "zeroTrustPillar": "Identity", "zeroTrustWeight": 3, "subcategory": "Account Security", "recommendedValue": "Super admin self-recovery disabled in all organizational units", "remediationUrl": "https://admin.google.com/ac/security/accountrecovery", "remediationSteps": "Security > Authentication > Account recovery > Turn off 'Allow super admins to recover their account' for all organizational units", "referenceUrl": "https://support.google.com/a/answer/9436964", "referenceTitle": "Google: Allow super administrators to recover their password", "compliance": { "nistSp80053": [ "IA-4", "AC-6(5)" ], "mitreAttack": [ "T1078.004", "T1098" ], "cisBenchmark": [ "1.15" ], "scuba": [ "GWS.COMMONCONTROLS.8.1v1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "AUTH-018", "name": "Account self-recovery disabled for users and non-super admins (GWS.COMMONCONTROLS.8.2)", "description": "SCuBA GWS.COMMONCONTROLS.8.2 requires that account self-recovery be disabled for users and non-super-admin accounts. Self-service recovery is an account-takeover vector: an attacker who controls a recovery channel can seize the account without the help desk. This check reads the security.user_account_recovery Cloud Identity policy and flags any organizational unit where self-recovery is enabled.", "severity": "Medium", "zeroTrustPillar": "Identity", "zeroTrustWeight": 2, "subcategory": "Account Security", "recommendedValue": "Account self-recovery disabled (enableAccountRecovery = false) for users and non-super admins in all organizational units.", "remediationSteps": "In the Google Admin console, under Security > Account recovery, disable self-recovery for users (and non-super admins), so account recovery is handled through an administrator or help-desk process rather than a user-controlled channel.", "compliance": { "scuba": [ "GWS.COMMONCONTROLS.8.2v1" ], "nistSp80053": [ "IA-5", "AC-2" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null, "verdictPaths": [ "clean", "known-bad", "not-assessed" ] } ] } |