Skip to content

The 78 Google Workspace security checks Black Cat runs

Black Cat SSPM evaluates 78 security policies against your Google Workspace configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

mediumAdmin With App Password

Disable less secure app access for Google Workspace admins and migrate to OAuth authentication

lowUser With App Password

Disable less secure app access organization-wide in Google Workspace

mediumOAuth App With Restricted Scopes

Revoke Google Workspace user-authorized OAuth apps with restricted or sensitive scopes

mediumDormant Users

Suspend or delete dormant Google Workspace accounts after verifying with HR

mediumNever Logged In Users

Remove Google Workspace accounts that have never been used after confirming with the manager

highOAuth App Critical Scopes

Block or limit Google Workspace OAuth apps that have been granted critical scopes

mediumOAuth App With Restricted Scopes Widely Authorized

Revoke admin-authorized Google Workspace OAuth apps with restricted scopes that are not business-critical

mediumOAuth App AI With Data Scopes

Block or limit Google Workspace AI apps that have been granted data access scopes

mediumSuper Admin Count Excessive

Reduce Google Workspace Super Admin count to 2-4 by demoting unnecessary admins to specific roles

highSuper Admin Redundancy Missing

Assign a second trusted user the Super Admin role in Google Workspace for redundancy

highSSO Not Configured

Configure SSO with a third-party IdP in Google Workspace for centralized authentication

highAccount Recovery Unrestricted

Restrict user-managed account recovery options in Google Workspace

highGmail App Passwords Active

Revoke application-specific passwords that bypass 2-Step Verification

highGmail Delegate Privileged

Remove mailbox delegation from privileged admin accounts

highGmail Stale Delegates

Remove mailbox delegates from suspended user accounts

highLess Secure Apps Allowed

Disable less secure app access to enforce modern authentication

mediumMarketplace Apps Unrestricted

Enable a Google Workspace Marketplace app allowlist

mediumWeak Session Control

Reduce the Google Workspace web session duration to at most 12 hours

configuration

highDomain Not Verified

Add the required DNS TXT or CNAME record to verify the Google Workspace domain

highDKIM Not Configured

Generate and publish a DKIM TXT record in DNS to authenticate outbound Gmail messages

lowGroup Spam Moderation Disabled

Enable spam message moderation for Google Workspace groups

lowGemini Not Licensed

Purchase or assign Google Workspace Gemini licenses to eligible users

mediumAutomatic Email Forwarding Enabled

Disable automatic email forwarding in Google Workspace Gmail compliance settings

mediumIMAP Access Enabled

Disable IMAP access in Google Workspace Gmail end user access settings

mediumPOP Access Enabled

Disable POP access in Google Workspace Gmail end user access settings

lowDrive Shared Drive Creation Unrestricted

Restrict Google Drive shared drive creation to admins only

mediumShared Drive No Admin Restrictions

Enable admin restrictions on the flagged Google Workspace shared drive

lowShared Drive Folder Sharing Unrestricted

Restrict folder sharing in the flagged Google Workspace shared drive to members only

mediumChat Webhooks Unrestricted

Require admin approval for Google Chat webhooks

lowGmail Confidential Mode Disabled

Enable Gmail confidential mode to protect sensitive email content

mediumGmail Send-As External Alias

Review Gmail send-as aliases using external addresses

mediumGmail Unverified Send-As Alias

Remove or verify unverified Gmail send-as aliases

lowMeet Recording Unrestricted

Restrict who can record Google Meet meetings

highWeak Password Policy

Increase the Google Workspace minimum password length to at least 12 characters

highSpoofing Protection Disabled

Enable Gmail spoofing and authentication protection

data sharing

criticalDrive External Sharing Enabled

Disable external sharing for Google Drive at the organization level

criticalDrive Link Sharing Anyone

Disable anyone-with-the-link sharing for Google Drive organization-wide

highDrive Sharing Outside Organization

Restrict Google Drive sharing to within the organization only

highDrive Publish to Web Allowed

Disable the option for users to publish Google Drive files to the web

mediumDrive External Shared Drives Allowed

Prevent external users from accessing organization shared drives in Google Drive

criticalDrive File Public Sharing

Remove public sharing from the flagged Google Drive file and contact the file owner

criticalDrive File Publicly Indexed

Remove public indexing from the flagged Google Drive file so it is not discoverable by search engines

highDrive File Link Sharing Enabled

Restrict the flagged Google Drive file from anyone-with-the-link access

highDrive File Shared With Personal Email

Remove personal email address access from the flagged Google Drive file

highDrive File External Edit Access

Remove external edit access from the flagged Google Drive file

highDrive Shared Drive Has External Members

Remove external members from the flagged Google Drive shared drive

highDrive File Owner Is External

Transfer ownership of the flagged Google Drive file back to an internal organization user

mediumDrive File Shared With External Domain

Remove sharing with unapproved external domains from the flagged Google Drive file

mediumDrive File Stale External Sharing

Remove stale external sharing permissions from the flagged Google Drive file

mediumDrive File Excessive Permissions

Reduce permissions on the flagged Google Drive file to the minimum required

mediumDrive File External Commenter Access

Remove external commenter access from the flagged Google Drive file

mediumDrive File Broad Internal Sharing

Restrict the flagged Google Drive file from being accessible to the entire organization

lowDrive File Org-Wide Link Sharing

Change the flagged Google Drive file from organization-wide link sharing to restricted access

mediumDrive User Excessive External Sharing

Review and reduce excessive external sharing by the flagged Google Drive user

highShared Drive Allows External Users

Remove external user access from the flagged Google Workspace shared drive

mediumShared Drive Allows Non-Members

Restrict the flagged Google Workspace shared drive so only members can access it

lowShared Drive No Download Restriction

Enable download restrictions on the flagged Google Workspace shared drive for viewers and commenters

highShared Drive Has External Members

Remove external members from the flagged Google Workspace shared drive

mediumCalendar External Sharing Unrestricted

Limit Google Calendar external sharing to free/busy information only

mediumChat External Access Enabled

Disable external chat in Google Chat to prevent outside users from messaging members

highDLP Rules Not Configured

Configure data loss prevention (DLP) rules in Google Workspace

highGmail Filter Forwards Externally

Remove Gmail filter rules that forward mail to external addresses

highGmail Multiple Forwarding Destinations

Reduce Gmail forwarding destinations to limit data exfiltration risk

highGmail Suspicious Forwarding

Investigate and remove suspicious Gmail mail forwarding

encryption

lowS/MIME Not Configured

Enable S/MIME in Google Workspace Gmail and upload organization certificates

mfa

highAdmin Without 2-Step Verification

Enforce 2-Step Verification enrollment for all Google Workspace admin accounts

highAdmin 2-Step Verification Not Enforced

Set Google Workspace 2-Step Verification to Enforced for admin organizational units

highDelegated Admin Without 2-Step Verification

Require 2-Step Verification enrollment for all Google Workspace delegated admin accounts

highUser Without 2-Step Verification

Enforce 2-Step Verification enrollment for all Google Workspace users

highUser 2-Step Verification Not Enforced

Set Google Workspace 2-Step Verification to Enforced for the root organizational unit

sharing

mediumGroup Allows External Members

Restrict Google Workspace group membership to organization members only

highGroup Allows External Posting

Restrict Google Workspace group posting to organization members only

lowGroup Allows Open Join

Change Google Workspace group join policy to Invite Only or Approval Required

mediumGroup Public Conversations

Set Google Workspace group conversation visibility to Members Only

mediumGroup Domain-Wide Membership Visibility

Restrict Google Workspace group membership visibility to Members Only or Managers Only

mediumGroup Contact Owner Anyone

Restrict Google Workspace group contact-owner to group members only

mediumGroup Discoverable by Anyone

Restrict Google Workspace group discoverability to organization members only

mediumMail Delegation Enabled

Disable mail delegation in Google Workspace Gmail end user access settings

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial