Redefining privileged account to be based on privileges in Common Controls 6.x (#588)

* Change Common Controls 7.1 to SHOULD and update Common Controls Policy Group 17 resource link (#558)

* Changed 7.1 to SHOULD and Fixed CC 17 Resource Link

* Updated Drift Rules

* Updated Date

* Change CommonControls 7.1 to SHOULD in rego

---------

Co-authored-by: Alden Hilton <[email protected]>

* Adding Gmail 10.2 MAY Policy as a note to 10.1 (#580)

* Update GWS Drift Monitoring Rules - Gmail.csv

* Update gmail.md

* added 10.2 as a note for 10.1

---------

Co-authored-by: mdueltgen <[email protected]>

* Updating Common Controls 1.2 to be at most 1 Week (#584)

* Changing language to at most 1 week

* at least 1 day, at most 1 week update

* fixes to implementation steps

* Update scubagoggles/baselines/commoncontrols.md

Co-authored-by: David Bui <[email protected]>

---------

Co-authored-by: jkaufman-mitre <[email protected]>
Co-authored-by: David Bui <[email protected]>

* first stab at adding in highly privileged account being defined by permission level.

* grammar

* fix

* draft for admin privilege accounts rewrite

* add back in initial commits from review

* solve the other merge conflicts

* Apply suggestions from code review/update admin wording to fit guidelines

Co-authored-by: David Bui <[email protected]>

---------

Co-authored-by: jkaufman-mitre <[email protected]>
Co-authored-by: Alden Hilton <[email protected]>
Co-authored-by: bnewlin-MITRE <[email protected]>
Co-authored-by: David Bui <[email protected]>
5 people authored Feb 12, 2025
1 parent 6fbb022 commit 9b036fe
Showing 2 changed files with 6 additions and 33 deletions.
@@ -1,5 +1,4 @@
PolicyId,Name,Data Source,Event (Is),Setting Name (Is),New Value (Is Not),Rule ID,Last Successful Test
<<<<<<< HEAD
GWS.COMMONCONTROLS.1.1v0.4,Phishing-Resistant MFA SHALL be required for all users.,Admin Log Event,Enforce 2-Step Verification,No Setting Name,true,rules/00gjdgxs3twm54g,JK 08-02-23 @ 06:51
GWS.COMMONCONTROLS.1.2v0.4,New user enrollment period SHALL be set to 1 week.,Admin Log Event,Change 2-Step Verification Enrollment Period Duration,No Setting Name,1 week,rules/00gjdgxs19shvvu,JK 08-02-23 @ 07:04
GWS.COMMONCONTROLS.1.3v0.4,Allow users to trust the device SHALL be disabled.,Admin Log Event,Change 2-Step Verification Frequency,No Setting Name,ENABLE_USERS_TO_TRUST_DEVICE,rules/00gjdgxs15t2155,JK 08-02-23 @ 07:10
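Review bot: the removed line is the `<<<<<<< HEAD` conflict marker, but the retained 1.2 row in this hunk's context (`GWS.COMMONCONTROLS.1.2v0.4,New user enrollment period SHALL be set to 1 week.`) still carries the pre-#584 wording, while the commit message says 1.2 was updated to "at least 1 day, at most 1 week" and the v0.3 row removed further down reads "at least 1 day or at most 1 week"; check that the conflict resolution did not discard the #584 change and align this row's text with the baseline before merging.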
@@ -15,7 +14,7 @@ GWS.COMMONCONTROLS.5.3v0.4,User password length SHOULD be at least 15 characters
GWS.COMMONCONTROLS.5.4v0.4,Password policy SHALL be enforced at next sign-in.,Admin Log Event,Change Application Setting,Password Management - Enforce password policy at next login,true,rules/00gjdgxs0p7tza1,JK 08-02-23 @ 09:00
GWS.COMMONCONTROLS.5.5v0.4,User passwords SHALL NOT be reused.,Admin Log Event,Change Application Setting,Password Management - Enable password reuse,false,rules/00gjdgxs0tbqklj,JK 08-02-23 @ 09:05
GWS.COMMONCONTROLS.5.6v0.4,User passwords SHALL NOT expire.,Admin Log Event,Change Application Setting,Password Management - Password reset frequency,0,rules/00gjdgxs1k1llys,JK 08-02-23 @ 09:09
GWS.COMMONCONTROLS.6.1v0.4,All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.6.1v0.4,All administrative accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.6.2v0.4,A minimum of two and maximum of four separate and distinct Super Admin users SHALL be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.7.1v0.4,Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced
GWS.COMMONCONTROLS.8.1v0.4,"Account self-recovery for Super Admins SHALL be disabled, forcing Super Admin users who have lost their login credentials to contact another Super Admin to recover their account.",Admin Log Event,Change Application Setting,AdminAccountRecoverySettingsProto Enable admin account recovery,false,rules/00gjdgxs2rlm6cr,JK 08-02-23 @ 09:16
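Review bot: the 7.1 row kept as context in this hunk still reads `Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.`, whereas the commit message (#558) changes Common Controls 7.1 to SHOULD and the removed v0.3 row has SHOULD, so it looks as if the HEAD side of the conflict overwrote the #558 change; please restore SHOULD here. The 6.1 rename to "All administrative accounts" does match the new policy wording in commoncontrols.md; a small check that compares each CSV policy name with the corresponding policy text in the markdown would stop the two files drifting apart again.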
@@ -24,32 +23,6 @@ GWS.COMMONCONTROLS.9.2v0.4,All sensitive user accounts SHOULD be enrolled into t
GWS.COMMONCONTROLS.10.1v0.4,Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.10.2v0.4,Agencies SHALL NOT allow users to consent to access to low-risk scopes.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.10.3v0.4,Agencies SHALL NOT trust unconfigured internal apps.,Admin Log Event,"Allow Google Sign-in only third party API access
=======
GWS.COMMONCONTROLS.1.1v0.3,Phishing-Resistant MFA SHALL be required for all users.,Admin Log Event,Enforce 2-Step Verification,No Setting Name,true,rules/00gjdgxs3twm54g,JK 08-02-23 @ 06:51
GWS.COMMONCONTROLS.1.2v0.3,Google 2SV new user enrollment period SHALL be set to at least 1 day or at most 1 week.,Admin Log Event,Change 2-Step Verification Enrollment Period Duration,No Setting Name,1 week,rules/00gjdgxs19shvvu,JK 08-02-23 @ 07:04
GWS.COMMONCONTROLS.1.3v0.3,Allow users to trust the device SHALL be disabled.,Admin Log Event,Change 2-Step Verification Frequency,No Setting Name,ENABLE_USERS_TO_TRUST_DEVICE,rules/00gjdgxs15t2155,JK 08-02-23 @ 07:10
GWS.COMMONCONTROLS.1.4v0.3,"If phishing-resistant MFA is not yet tenable, an MFA method from the following list SHALL be used in the interim.",Admin Log Event,Change Allowed 2-Step Verification Methods,No Setting Name,NO_TELEPHONY,rules/00gjdgxs3t3ug07,JK 08-02-23 @ 14:53
GWS.COMMONCONTROLS.2.1v0.3,Policies restricting access to GWS based on signals about enterprise devices SHOULD be implemented.,Admin Log Event,Context Aware Access Enablement,No Setting Name,ENABLED,rules/00gjdgxs1qrcqvm,JK 08-02-23 @ 07:49
GWS.COMMONCONTROLS.2.2v0.3,"Use of context-aware access for more granular controls, including using Advanced Mode (CEL), MAY be maximized and tailored if necessary.",N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.3.1v0.3,Post-SSO verification SHOULD be enabled for users signing in using the SSO profile for your organization.,Admin Log Event,Change Application Setting,SsoPolicyProto challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59
GWS.COMMONCONTROLS.3.2v0.3,Post-SSO verification SHOULD be enabled for users signing in using other SSO profiles.,Admin Log Event,Change Application Setting,SsoPolicyProto sso_profile_challenge_selection_behavior,PERFORM_CHALLENGE_SELECTION,rules/00gjdgxs0o76pk2,JK 08-02-23 @ 07:59
GWS.COMMONCONTROLS.4.1v0.3,Users SHALL be forced to re-authenticate after an established 12-hour GWS login session has expired.,Admin Log Event,Change Application Setting,Session management settings - Session length in seconds,43200,rules/00gjdgxs1j87x46,JK 08-02-23 @ 08:11
GWS.COMMONCONTROLS.5.1v0.3,User password strength SHALL be enforced.,Admin Log Event,Change Application Setting,Password Management - Enforce strong password,on,rules/00gjdgxs2rh5fry,JK 08-02-23 @ 08:21
GWS.COMMONCONTROLS.5.2v0.3,User password length SHALL be at least 12 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,12,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51
GWS.COMMONCONTROLS.5.3v0.3,User password length SHOULD be at least 15 characters.,Admin Log Event,Change Application Setting,Password Management - Minimum password length,15,rules/00gjdgxs0ogcs3x,JK 08-02-23 @ 08:51
GWS.COMMONCONTROLS.5.4v0.3,Password policy SHALL be enforced at next sign-in.,Admin Log Event,Change Application Setting,Password Management - Enforce password policy at next login,true,rules/00gjdgxs0p7tza1,JK 08-02-23 @ 09:00
GWS.COMMONCONTROLS.5.5v0.3,User passwords SHALL NOT be reused.,Admin Log Event,Change Application Setting,Password Management - Enable password reuse,false,rules/00gjdgxs0tbqklj,JK 08-02-23 @ 09:05
GWS.COMMONCONTROLS.5.6v0.3,User passwords SHALL NOT expire.,Admin Log Event,Change Application Setting,Password Management - Password reset frequency,0,rules/00gjdgxs1k1llys,JK 08-02-23 @ 09:09
GWS.COMMONCONTROLS.6.1v0.3,All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.6.2v0.3,A minimum of two and maximum of four separate and distinct Super Admin users SHALL be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.7.1v0.3,Account conflict management SHOULD be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced
GWS.COMMONCONTROLS.8.1v0.3,"Account self-recovery for Super Admins SHALL be disabled, forcing Super Admin users who have lost their login credentials to contact another Super Admin to recover their account.",Admin Log Event,Change Application Setting,AdminAccountRecoverySettingsProto Enable admin account recovery,false,rules/00gjdgxs2rlm6cr,JK 08-02-23 @ 09:16
GWS.COMMONCONTROLS.9.1v0.3,Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv5,JK 08-02-23 @ 09:20
GWS.COMMONCONTROLS.9.2v0.3,All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. This control enforces more secure protection of sensitive user accounts from targeted attacks. Sensitive user accounts include political appointees and other Senior Executive Service (SES) officials whose account compromise would pose a level of risk prohibitive to agency mission fulfillment.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv6,JK 08-02-23 @ 09:21
GWS.COMMONCONTROLS.10.1v0.3,Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.10.2v0.3,Agencies SHALL NOT allow users to consent to access to low-risk scopes.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.10.3v0.3,Agencies SHALL NOT trust unconfigured internal apps.,Admin Log Event,"Allow Google Sign-in only third party API access
>>>>>>> 44461f3 (Change Common Controls 7.1 to SHOULD and update Common Controls Policy Group 17 resource link (#558))
OR
All third party API access unblocked",No Setting Name,No Value,rules/00gjdgxs0xcbmu1,
GWS.COMMONCONTROLS.10.4v0.4(a),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,All third party API access unblocked,No Setting Name,No Value,rules/00gjdgxs0zd46an,JK 09-22-23 @ 14:15 (works only from Don't allow)
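Review bot: removing the `=======` and `>>>>>>> 44461f3 (...)` markers together with the whole v0.3 block leaves the 10.3 row's quoted multi-line field (`"Allow Google Sign-in only third party API access` / `OR` / `All third party API access unblocked"`) spanning the former conflict boundary, which is easy to get wrong by hand; run the resulting file through a CSV parser and confirm the row count (header plus one row per policy ID) and that no `<<<<<<<`, `=======` or `>>>>>>>` strings remain, since a leftover marker inside a quoted field would not stand out in a text diff.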
10 changes: 5 additions & 5 deletions scubagoggles/baselines/commoncontrols.md
@@ -14,7 +14,7 @@ This baseline is based on Google documentation and addresses the following:
- [Login Challenges](#3-login-challenges)
- [User Session Duration](#4-user-session-duration)
- [Secure Passwords](#5-secure-passwords)
- [Highly Privileged Accounts](#6-highly-privileged-accounts)
- [Privileged Accounts](#6-privileged-accounts)
- [Conflicting Account Management](#7-conflicting-account-management)
- [Catastrophic Recovery Options](#8-catastrophic-recovery-options-for-super-admins)
- [GWS Advanced Protection Program](#9-gws-advanced-protection-program)
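Review bot: the renamed link target `#6-privileged-accounts` matches the new `## 6. Privileged Accounts` heading changed later in this file, but only the table-of-contents entry is updated here, so confirm that nothing else in the baseline still links to the old `#6-highly-privileged-accounts` anchor (the 9.1 CSV row, for instance, still uses the phrase "Highly privileged accounts" and the section 9 text may cross-reference section 6 under its old name).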
@@ -516,11 +516,11 @@ To configure a strong password policy is configured, use the Google Workspace Ad
#### GWS.COMMONCONTROLS.5.6v0.4 Instructions
1. Under **Expiration**, select **Never Expires.**

## 6. Highly Privileged Accounts
## 6. Privileged Accounts

Highly privileged accounts represent significant risk to an agency if compromised or if insiders use them in an unauthorized way. Highly privileged accounts share the same risk factors related to the catastrophic impacts on GWS services, user community and agency data, if compromised. This section supports the definition of highly privileged accounts and the controls necessary to protect them.
Administrative or admin accounts are privileged accounts in Google Workspace that can manage settings, access sensitive data, and perform critical functions. The compromise of an admin account could have catastrophic impacts on the workspace organization. This section defines privileged accounts as both pre-built and custom admin accounts.

Pre-Built GWS Admin Roles considered highly privileged:
Some examples of these privileged accounts include the pre-built GWS Admin Roles:

- Super Admin: This role possesses critical control over the entire GWS structure. It has access to all features in the Admin Console and Admin API and can manage every aspect of agency GWS accounts.
- User Management Admin: This account has rights to add, remove, and delete normal users in addition to managing all user passwords, security settings, and other management tasks that make it potentially crucial if compromised.
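Review bot: the new intro paragraph states that privileged accounts are "both pre-built and custom admin accounts" but does not say which privileges make a custom role count as administrative, which is the criterion the commit title ("based on privileges") promises; suggest adding one sentence naming the privilege categories (for example the ability to manage users, passwords, security settings or the Admin API, as the list items already describe) so that a custom role can be assessed against policy 6.1. The rewrite also drops the old sentence on unauthorized insider use as a risk factor; if that is intentional it is worth stating in the PR.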
@@ -531,7 +531,7 @@ Pre-Built GWS Admin Roles considered highly privileged:
### Policies

#### GWS.COMMONCONTROLS.6.1v0.4
All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency's authoritative on-premises or federated identity system.
All administrative accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency's authoritative on-premises or federated identity system.

- _Rationale:_ Leveraging Google Account authentication with phishing resistant MFA for highly privileged accounts reduces the risks associated with a compromise of on-premises federation infrastructure. This makes it more challenging for an adversary to pivot from a compromised on-premises environment to the cloud with privileged access.
- _Last modified:_ January 2025
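Review bot: the policy text now says "All administrative accounts" but the `_Rationale:_` line directly below it, unchanged context in this hunk, still refers to "highly privileged accounts"; align the two terms so the definition introduced in section 6 is used consistently. The `_Last modified:_ January 2025` line is also unchanged even though the policy wording changes in this February 2025 commit, so consider bumping it.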

0 comments on commit 9b036fe