diff --git a/handbook/security.md b/handbook/security.md index f29d06759c..cb7239818b 100644 --- a/handbook/security.md +++ b/handbook/security.md @@ -523,7 +523,7 @@ Google's name for Two-Factor Authentication (2FA) or Multi-Factor Authentication | SMS/Phone-based 2FA | Puts trust in the phone number itself, which attackers can hijack by [social engineering phone companies](https://www.vice.com/en/topic/sim-hijacking). | | Time-based one-time password (TOTP - Google Authenticator type 6 digit codes) | Phishable as long as the attacker uses it within its short lifetime by intercepting the login form. | | App-based push notifications | Harder to phish than TOTP, but by sending a lot of prompts to a phone, a user might accidentally accept a nefarious notification. | -| Hardware security keys | [Most secure](https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/), but requires extra hardware or a recent smartphone. Configure this as soon as you receive your Fleet YubiKeys | +| Hardware security keys | [Most secure](https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/) but requires extra hardware or a recent smartphone. Configure this as soon as you receive your Fleet YubiKeys | **2-Step Verification in Google Workspace** 
@@ -533,18 +533,18 @@ We apply the following settings to *Security/2-Step Verification* to all users a | ------------------------------------------ | -------------------------------------------------- | | Allow users to turn on 2-Step Verification | On | | Enforcement | On | -| New user enrollment period | 1 week | +| New user enrollment period | 1-week | | Frequency: Allow user to trust the device | Off | | Methods | Any except verification codes via text, phone call | **Hardware security keys** -We strongly recommend the use of hardware security keys. +We strongly recommend using hardware security keys. Fleet configures privileged user accounts with a policy that enforces the use of hardware security keys. This prevents credential theft better than other methods of 2FA/2-SV. See [hardware security -keys](https://fleetdm.com/handbook/security#hardware-security-keys) for information about the model we use, why and how to set -them up, . +keys](https://fleetdm.com/handbook/security#hardware-security-keys) for information about the model we use, why, and how to set +them up. #### Passwords 
@@ -588,9 +588,9 @@ We apply the following settings to *Security/Less Secure Apps* to all users as t | Control user access to apps that use less secure sign-in technology and make accounts more vulnerable. | Disable access to less secure apps (Recommended) | #### API Access -Google Workspace makes it easy for users to add tools to their workflows, while having these tools authenticate to their Google applications and data via OAuth. We mark all Google services as *restricted* but do allow the use of OAuth for simple authentication and the use of less dangerous privileges on Gmail and Drive. We then approve applications that require more privileges on a case-by-case basis. +Google Workspace makes it easy for users to add tools to their workflows while having these tools authenticate to their Google applications and data via OAuth. We mark all Google services as *restricted* but do allow the use of OAuth for simple authentication and the use of less dangerous privileges on Gmail and Drive. We then approve applications that require more privileges on a case-by-case basis. -This level of security allows users to authenticate to web applications with their Google account. This exposes little information beyond what they would provide in a form to create an account and it protects confidential data while keeping everything managed. +This level of security allows users to authenticate to web applications with their Google accounts. This exposes little information beyond what they would provide in a form to create an account, and it protects confidential data while keeping everything managed. >To get an application added to Fleet's Google Workspace security configuration, create an issue assigned to the security team in [this repository](https://github.com/fleetdm/confidential/issues). 
@@ -610,17 +610,17 @@ We have also created the following custom alerts. | Alert On | Created on | Purpose | Notification | | ------------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- | -| Out of domain email forwarding | Login audit log, filtered on event | Attackers in control of an email account often configure forwarding as a way to establish persistence. | Alert Center + Email | -| 2-step Verification disable | Login audit log, filtered on event | Though we enforce 2-SV, if we accidentally allowed removing it, we want to know as soon as someone does so. | Alert Center + Email | -| 2-step Verification Scratch Codes Generated | Admin audit log, filtered on event | Scratch codes can be used to bypass 2-SV. An attacker with elevated privileges could leverage this to log in as a user. | Alert Center + Email | -| Change Allowed 2-step Verification Methods | Admin audit log, filtered on event | We want to detect accidental or malicious downgrades of 2-SV configuration. | Alert Center + Email | -| Change 2-Step Verification Start Date | Admin audit log, filtered on event | We want to detect accidental or malicious "downgrades" of 2-SV configuration. | Alert Center + Email | -| Alert Deletion | Admin audit log, filtered on event | For alerts to be a reliable control, we need to alert on alerts being disabled or changed. | Alert Center + Email | -| Alert Criteria Change | Admin audit log, filtered on event | For alerts to be a reliable control, we need to alert on alerts being disabled or changed. | Alert Center + Email | -| Alert Receivers Change | Admin audit log, filtered on event | For alerts to be a reliable control, we need to alert on alerts being disabled or changed. 
| Alert Center + Email | -| Dangerous download warning | Chrome audit log, filtered on event | As we roll out more Chrome security features, we want to track the things getting blocked so we can evaluate the usefulness of the feature and potential false positives. | Alert Center | -| Malware transfer | Chrome audit log, filtered on event | As we roll out more Chrome security features, we want to track the things getting blocked so we can evaluate the usefulness of the feature and potential false positives. | Alert Center | -| Password reuse | Chrome audit log, filtered on event | As we roll out more Chrome security features, we want to track the things getting blocked so we can evaluate the usefulness of the feature and potential false positives | Alert Center | +| Out of domain email forwarding | Login audit log, filtered by event | Attackers in control of an email account often configure forwarding to establish persistence. | Alert Center + Email | +| 2-step Verification disable | Login audit log, filtered by event | Though we enforce 2-SV, if we accidentally allow removing it, we want to know as soon as someone does so. | Alert Center + Email | +| 2-step Verification Scratch Codes Generated | Admin audit log, filtered by event | Scratch codes can be used to bypass 2-SV. An attacker with elevated privileges could leverage this to log in as a user. | Alert Center + Email | +| Change Allowed 2-step Verification Methods | Admin audit log, filtered by event | We want to detect accidental or malicious downgrades of 2-SV configuration. | Alert Center + Email | +| Change 2-Step Verification Start Date | Admin audit log, filtered by event | We want to detect accidental or malicious "downgrades" of 2-SV configuration. | Alert Center + Email | +| Alert Deletion | Admin audit log, filtered by event | For alerts to be a reliable control, we need to alert on alerts being disabled or changed. 
| Alert Center + Email | +| Alert Criteria Change | Admin audit log, filtered by event | For alerts to be a reliable control, we need to alert on alerts being disabled or changed. | Alert Center + Email | +| Alert Receivers Change | Admin audit log, filtered by event | For alerts to be a reliable control, we need to alert on alerts being disabled or changed. | Alert Center + Email | +| Dangerous download warning | Chrome audit log, filtered by event | As we roll out more Chrome security features we want to track the things getting blocked to evaluate the usefulness of the feature and potential false positives. | Alert Center | +| Malware transfer | Chrome audit log, filtered by event | As we roll out more Chrome security features we want to track the things getting blocked to evaluate the usefulness of the feature and potential false positives. | Alert Center | +| Password reuse | Chrome audit log, filtered by event | As we roll out more Chrome security features we want to track the things getting blocked to evaluate the usefulness of the feature and potential false positives | Alert Center | ### Gmail 
@@ -632,11 +632,11 @@ We authenticate email with [DKIM](https://support.google.com/a/answer/174124?pro The DKIM configuration under *Apps/Google Workspace/Settings for Gmail/Authenticate Email* simply consists of generating the key, publishing it to DNS, then enabling the feature 48 hours later. -[DMARC](https://support.google.com/a/answer/2466580) is configured separately, at the DNS level, once DKIM is enforced. +[DMARC](https://support.google.com/a/answer/2466580) is configured separately at the DNS level once DKIM is enforced. #### Email security -Google Workspace includes multiple options in *Apps/Google Workspace/Settings for Gmail/Safety* that relate to how inbound email is handled. +Google Workspace includes multiple options in *Apps/Google Workspace/Settings for Gmail/Safety* related to how inbound email is handled. As email is one of the main vectors used by attackers, we ensure we protect it as much as possible. Attachments are frequently used to send malware. We apply the following settings to block common tactics. 
@@ -652,10 +652,10 @@ As email is one of the main vectors used by attackers, we ensure we protect it a | Links and external images | Scan linked images | On | | | | Links and external images | Show warning prompt for any click on links to untrusted domains | On | | | | Links and external images | Apply future recommended settings automatically | On | | | -| Spoofing and authentication | Protect against domain spoofing based on similar domain names | On | Keep email in inbox and show warning | | -| Spoofing and authentication | Protect against spoofing of employee names | On | Keep email in inbox and show warning | | +| Spoofing and authentication | Protect against domain spoofing based on similar domain names | On | Keep email in the inbox and show warning | | +| Spoofing and authentication | Protect against spoofing of employee names | On | Keep email in the inbox and show warning | | | Spoofing and authentication | Protect against inbound emails spoofing your domain | On | Quarantine | | -| Spoofing and authentication | Protect against any unauthenticated emails | On | Keep email in inbox and show warning | | +| Spoofing and authentication | Protect against any unauthenticated emails | On | Keep email in the inbox and show warning | | | Spoofing and authentication | Protect your Groups from inbound emails spoofing your domain | On | Quarantine | | | Spoofing and authentication | Apply future recommended settings automatically | On | | | | Manage quarantines | Notify periodically when messages are quarantine | On | | | 
@@ -669,7 +669,7 @@ We recommend using the Gmail web interface on computers and the Gmail app on mob | Category | Setting name | Value | Note | | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | POP and IMAP access | Enable IMAP access for all users | Restrict which mail clients users can use (OAuth mail clients only) | | -| | Clients | (450232826690-0rm6bs9d2fps9tifvk2oodh3tasd7vl7.apps.googleusercontent.com, 946018238758-bi6ni53dfoddlgn97pk3b8i7nphige40.apps.googleusercontent.com, 406964657835-aq8lmia8j95dhl1a2bvharmfk3t1hgqj.apps.googleusercontent.com) | Those are the iOS, macOS built-in clients as well as Thunderbird. We plan to eventually only allow iOS, to limit the data cached on Macs and PCs. | +| | Clients | (450232826690-0rm6bs9d2fps9tifvk2oodh3tasd7vl7.apps.googleusercontent.com, 946018238758-bi6ni53dfoddlgn97pk3b8i7nphige40.apps.googleusercontent.com, 406964657835-aq8lmia8j95dhl1a2bvharmfk3t1hgqj.apps.googleusercontent.com) | Those are the iOS, macOS built-in clients as well as Thunderbird. We plan to eventually only allow iOS,\ to limit the data cached on Macs and PCs. 
| | | Enable POP access for all users | Disabled | | | Google Workspace Sync | Enable Google Workspace Sync for Microsoft Outlook for my users | Disabled | | | Automatic forwarding | Allow users to automatically forward incoming email to another address | Enabled | We will eventually disable this in favor of custom routing rules for domains where we want to allow forwarding. There is no mechanism for allow-listing destination domains, so we rely on alerts when new forwarding rules are added. | @@ -692,7 +692,7 @@ We use Google Drive and related applications for internal and external collabora | Sharing options | Access Checker | Recipients only, or Fleet Device Management | | | Sharing options | Distributing content outside of Fleet Device Management | Only users in Fleet Device Management | This prevents external contributors from sharing to other external contributors | | Link sharing default | When users in Fleet Device Management create items, the default link sharing access will be: | Off | We want the owners of new files to make a conscious decision around sharing, and to be secure by default | -| Security update for files | Security update | Apply security update to all impacted files | | +| Security update for files | Security update | Apply security update to all affected files | | | Security update for files | Allow users to remove/apply the security update for files they own or manage | Enabled | We have very few files impacted by [updates to link sharing](https://support.google.com/a/answer/10685032?amp;visit_id=637807141073031168-526258799&rd=1&product_name=UnuFlow&p=update_drives&visit_id=637807141073031168-526258799&rd=2&src=supportwidget0). For some files meant to be public, we want users to be able to revert to the old URL that is more easily guessed. | #### Features and applications
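Review bot: In the `@@ -523,7 +523,7 @@` hunk, the "Hardware security keys" row is now the only row in the 2FA comparison table whose description does not end with a period ("...as soon as you receive your Fleet YubiKeys"); since this line is already being touched for punctuation, add the terminal period so the row matches the three above it.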
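Review bot: In the `@@ -533,18 +533,18 @@` hunk, changing `| New user enrollment period | 1 week |` to `1-week` introduces an error rather than fixing one: the hyphen belongs only in a compound modifier ("a 1-week period"), and here the value stands alone as a duration, so revert that cell to `1 week`. The rest of the hunk is good, in particular removing the dangling ", ." at the end of the "See hardware security keys" sentence.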
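Review bot: In the `@@ -588,9 +588,9 @@` hunk, the rewritten sentence still says OAuth is allowed for "simple authentication and the use of less dangerous privileges on Gmail and Drive" without saying which privileges those are; since the paragraph is the policy a reader will use to judge whether their tool needs a case-by-case approval, consider naming the scope categories that are auto-allowed (for example read-only versus write) or linking to where that list lives.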
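Review bot: In the `@@ -610,17 +610,17 @@` hunk, the three Chrome rows drop the comma after the introductory clause ("As we roll out more Chrome security features we want to track..."), which is a regression; keep "features, we want". The "Password reuse" row is still the only one missing a terminal period, the "2-step" / "2-Step" capitalization differs across the four 2-SV rows, and the three identical Purpose texts (Alert Deletion / Criteria Change / Receivers Change) could be shortened to one phrasing such as "Alerts are only a reliable control if changes to them are themselves alerted on."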
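Review bot: In the `@@ -632,11 +632,11 @@` hunk, the DMARC sentence is now grammatical but still leaves out the one detail a reader needs: which policy (`p=none`, `p=quarantine` or `p=reject`) is published and whether it is applied gradually. Since this section otherwise records exact settings, add the policy value next to "is configured separately at the DNS level once DKIM is enforced."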
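Review bot: In the `@@ -652,10 +652,10 @@` hunk, the three "Keep email in inbox and show warning" cells look like the literal option labels from the Gmail Safety settings page, in which case rewording them to "Keep email in the inbox and show warning" makes the table stop matching what the admin sees and searches for; if that is the console's wording, leave the Value cells verbatim. The unchanged context line `| Manage quarantines | Notify periodically when messages are quarantine |` has a real typo ("quarantined") that this pass should pick up.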
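Review bot: In the `@@ -669,7 +669,7 @@` hunk, the rewritten Clients row introduces a stray backslash ("only allow iOS,\ to limit the data cached"), which will render as a literal `\` in the Note cell; remove it, keeping the comma ("only allow iOS, to limit the data cached on Macs and PCs.").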
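Review bot: In the `@@ -692,7 +692,7 @@` hunk, "impacted" is changed to "affected" in the "Security update" row, but the unchanged row directly below still reads "We have very few files impacted by [updates to link sharing]"; pick one word and apply it to both rows so the two adjacent "Security update for files" entries read consistently.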