# Google Workspace Control Walkthroughs Step-by-step hardening guides for Google Workspace. Machine-readable renditions of the guide at https://faz.ms/gworkspace/ — one markdown file per control, plus `controls.json` with the full structured data. ## Tier 0 - [1 Enforce 2-Step Verification](control/enforce-2sv.md) - [2 Alert recipient hygiene + suspicious-login alerts](control/alert-recipient-hygiene.md) - [3 Government-backed attack alert routing](control/gov-attack-alert-routing.md) - [4 Email authentication (SPF/DKIM/DMARC)](control/email-authentication.md) - [5 Account inventory (incl. shared/service accounts)](control/account-inventory.md) - [6 Super-admin separation & minimal count](control/superadmin-separation.md) ## Tier 1 - [7 Phishing-resistant 2SV (FIDO2/passkeys only)](control/phishing-resistant-2sv.md) - [8 OAuth app access control / allowlisting](control/oauth-app-control.md) - [9 Marketplace install allowlist](control/marketplace-allowlist.md) - [10 Chrome managed-profile policy baseline](control/chrome-profile-baseline.md) - [11 Legacy public-share inventory & cleanup](control/public-share-cleanup.md) - [12 Web session-length control](control/web-session-length.md) - [13 Drive external-sharing restriction / trust rules](control/drive-external-sharing.md) - [14 Basic Context-Aware Access (IP/geo)](control/caa-basic.md) - [15 SSO/SAML to hardened IdP](control/sso-saml-idp.md) - [16 Calendar external-sharing lockdown](control/calendar-external-sharing.md) - [17 Google Chat external containment](control/chat-external-containment.md) - [18 Disable user auto-forwarding & mailbox delegation](control/disable-user-forwarding-delegation.md) - [19 Residual mail & service hygiene](control/residual-mail-hygiene.md) - [20 Break-glass admin + offline backup codes](control/breakglass-admin.md) ## Tier 2 - [21 Advanced Protection Program (high-risk users)](control/advanced-protection.md) - [22 Native multi-party approval](control/multi-party-approval.md) - [23 Gmail Security Sandbox + safety-toggle verification](control/gmail-sandbox-safety.md) - [24 Data regions (storage)](control/data-regions.md) - [25 Handling untrusted files at rendering distance](control/rendering-distance-handling.md) - [26 DLP rules (Drive/Gmail/Chat)](control/dlp-rules.md) - [27 Device-trust CAA via MDM](control/device-trust-caa.md) - [28 MTA-STS + TLS reporting](control/mta-sts.md) - [29 Shared-drive architecture](control/shared-drive-architecture.md) - [30 Vault retention & legal hold](control/vault-retention.md) - [31 Audit-log export to SIEM/BigQuery](control/audit-log-export.md) - [32 Groups for Business exposure lockdown](control/groups-exposure-lockdown.md) - [33 Disable POP/IMAP / app-specific passwords](control/disable-legacy-auth.md) ## Tier 3 - [34 Disable Google Takeout](control/disable-takeout.md) - [35 Witnessed ceremonies + tamper-evident custody](control/ceremonies-custody.md) - [36 Split-custody break-glass](control/split-custody-breakglass.md) - [37 Continuous OAuth re-authorization sweeps](control/oauth-sweeps.md) - [38 Cloud session control + admin re-auth](control/cloud-session-control.md) - [39 Directory minimization for targeted staff](control/directory-minimization.md) - [40 Scripted JIT admin elevation](control/jit-admin-elevation.md) - [41 Periodic access recertification](control/access-recertification.md) - [42 Color-coded data domains (labels + IRM)](control/color-coded-domains.md) - [43 Hardware-key break-glass super-admin](control/hardware-key-breakglass.md) - [44 Vault-account custody of crown jewels](control/vault-account-custody.md) - [45 Mandatory-absence review](control/mandatory-absence-review.md) - [46 Reading-room enclave (SCIF port, incl. data-copy minimization)](control/reading-room-enclave.md) - [47 Deny-by-default IP/geo gating](control/deny-by-default-geo.md) - [48 CSE self-hosted / HYOK KACLS](control/cse-hyok.md) - [49 Email gateway interception](control/email-gateway.md) - [50 Offline & desktop-sync data minimization](control/offline-sync-minimization.md) - [51 Privileged Access Workstation for admins](control/privileged-access-workstation.md) ## Tier 4 - [52 Alert-pipeline heartbeat](control/alert-pipeline-heartbeat.md) - [53 Honeytoken credential file](control/honeytoken-credential-file.md) - [54 Cloud Identity Free decoy accounts](control/decoy-accounts.md) - [55 Air-gapped recovery identity](control/air-gapped-recovery.md) - [56 Self-hosted canary corpus](control/canary-corpus.md) - [57 Canary tokens via commercial console](control/canary-commercial.md) - [58 WORM off-tenant log archive](control/worm-log-archive.md) - [59 Config-drift & persistence sentinel (incl. mail-routing watch)](control/config-drift-sentinel.md) - [60 Zero-standing-access delivery pattern](control/zero-standing-access.md) - [61 Audit-the-auditors alerting](control/audit-the-auditors.md) - [62 Config-as-code with reconciliation](control/config-as-code.md) - [63 Travel-mode accounts](control/travel-mode-accounts.md) - [64 AI-agent / prompt-injection canary](control/ai-agent-canary.md) - [65 Apps Script / add-on / AI-agent governance](control/appsscript-governance.md) - [66 Detection engineering on exported logs](control/detection-engineering.md) - [67 Purple-team / adversary emulation](control/purple-team.md) - [68 Multi-tenant compartmentalization](control/multi-tenant.md) - [69 CSE with Google-partner KACLS](control/cse-partner-kacls.md)