Google Workspace Control Walkthroughs
Step-by-step hardening guides for Google Workspace.
Progress is saved locally in your browser — no information is ever sent to our server.
Tier 0 — do it today
| Control | Status | Est. time |
|---|---|---|
| 1 Enforce 2-Step Verification | 30 min | |
| 2 Alert recipient hygiene + suspicious-login alerts | 1 h | |
| 3 Government-backed attack alert routing | 15 min | |
| 4 Email authentication (SPF/DKIM/DMARC) | 1–2 h | |
| 5 Account inventory (incl. shared/service accounts) | 1–2 h | |
| 6 Super-admin separation & minimal count | 1 h |
1 Enforce 2-Step Verification
Prevent walkthrough 2 Alert recipient hygiene + suspicious-login alerts
Detect walkthrough 3 Government-backed attack alert routing
Detect walkthrough 4 Email authentication (SPF/DKIM/DMARC)
Prevent walkthrough 5 Account inventory (incl. shared/service accounts)
Assure runbook 6 Super-admin separation & minimal count
Prevent walkthrough
Prevent walkthrough 2 Alert recipient hygiene + suspicious-login alerts
Detect walkthrough 3 Government-backed attack alert routing
Detect walkthrough 4 Email authentication (SPF/DKIM/DMARC)
Prevent walkthrough 5 Account inventory (incl. shared/service accounts)
Assure runbook 6 Super-admin separation & minimal count
Prevent walkthrough
Tier 1 — the working baseline
7 Phishing-resistant 2SV (FIDO2/passkeys only)
Prevent walkthrough 8 OAuth app access control / allowlisting
Prevent walkthrough 9 Marketplace install allowlist
Prevent walkthrough 10 Chrome managed-profile policy baseline
Prevent walkthrough 11 Legacy public-share inventory & cleanup
Prevent runbook 12 Web session-length control
Prevent walkthrough 13 Drive external-sharing restriction / trust rules
Prevent walkthrough 14 Basic Context-Aware Access (IP/geo)
Prevent walkthrough 15 SSO/SAML to hardened IdP
Prevent walkthrough 16 Calendar external-sharing lockdown
Prevent walkthrough 17 Google Chat external containment
Prevent walkthrough 18 Disable user auto-forwarding & mailbox delegation
Prevent walkthrough 19 Residual mail & service hygiene
Assure walkthrough 20 Break-glass admin + offline backup codes draft
Recover runbook
Prevent walkthrough 8 OAuth app access control / allowlisting
Prevent walkthrough 9 Marketplace install allowlist
Prevent walkthrough 10 Chrome managed-profile policy baseline
Prevent walkthrough 11 Legacy public-share inventory & cleanup
Prevent runbook 12 Web session-length control
Prevent walkthrough 13 Drive external-sharing restriction / trust rules
Prevent walkthrough 14 Basic Context-Aware Access (IP/geo)
Prevent walkthrough 15 SSO/SAML to hardened IdP
Prevent walkthrough 16 Calendar external-sharing lockdown
Prevent walkthrough 17 Google Chat external containment
Prevent walkthrough 18 Disable user auto-forwarding & mailbox delegation
Prevent walkthrough 19 Residual mail & service hygiene
Assure walkthrough 20 Break-glass admin + offline backup codes draft
Recover runbook
Tier 2 — hardening
| Control | Status | Est. time |
|---|---|---|
| 21 Advanced Protection Program (high-risk users) | 1 h | |
| 22 Native multi-party approval | 30 min | |
| 23 Gmail Security Sandbox + safety-toggle verification | 30 min | |
| 24 Data regions (storage) | 15 min | |
| 25 Handling untrusted files at rendering distance | 4–8 h | |
| 26 DLP rules (Drive/Gmail/Chat) | 1–2 days | |
| 27 Device-trust CAA via MDM | 3+ days | |
| 28 MTA-STS + TLS reporting | 1–2 h | |
| 29 Shared-drive architecture | 4–8 h | |
| 30 Vault retention & legal hold | 2–4 h | |
| 31 Audit-log export to SIEM/BigQuery | 4–8 h | |
| 32 Groups for Business exposure lockdown | 30 min | |
| 33 Disable POP/IMAP / app-specific passwords draft | 30 min |
21 Advanced Protection Program (high-risk users)
Prevent walkthrough 22 Native multi-party approval
Prevent walkthrough 23 Gmail Security Sandbox + safety-toggle verification
Prevent walkthrough 24 Data regions (storage)
Prevent walkthrough 25 Handling untrusted files at rendering distance
Prevent process 26 DLP rules (Drive/Gmail/Chat)
Prevent walkthrough 27 Device-trust CAA via MDM
Prevent walkthrough 28 MTA-STS + TLS reporting
Prevent runbook 29 Shared-drive architecture
Prevent walkthrough 30 Vault retention & legal hold
Recover walkthrough 31 Audit-log export to SIEM/BigQuery
Detect walkthrough 32 Groups for Business exposure lockdown
Prevent walkthrough 33 Disable POP/IMAP / app-specific passwords draft
Prevent walkthrough
Prevent walkthrough 22 Native multi-party approval
Prevent walkthrough 23 Gmail Security Sandbox + safety-toggle verification
Prevent walkthrough 24 Data regions (storage)
Prevent walkthrough 25 Handling untrusted files at rendering distance
Prevent process 26 DLP rules (Drive/Gmail/Chat)
Prevent walkthrough 27 Device-trust CAA via MDM
Prevent walkthrough 28 MTA-STS + TLS reporting
Prevent runbook 29 Shared-drive architecture
Prevent walkthrough 30 Vault retention & legal hold
Recover walkthrough 31 Audit-log export to SIEM/BigQuery
Detect walkthrough 32 Groups for Business exposure lockdown
Prevent walkthrough 33 Disable POP/IMAP / app-specific passwords draft
Prevent walkthrough
Tier 3 — high-assurance
Everything in this tier is in draft status — shown only as a preliminary direction we're considering.
34 Disable Google Takeout
Prevent walkthrough 35 Witnessed ceremonies + tamper-evident custody
Assure process 36 Split-custody break-glass
Prevent process 37 Continuous OAuth re-authorization sweeps
Detect runbook 38 Cloud session control + admin re-auth
Prevent walkthrough 39 Directory minimization for targeted staff
Prevent walkthrough 40 Scripted JIT admin elevation
Prevent runbook 41 Periodic access recertification
Assure runbook 42 Color-coded data domains (labels + IRM)
Prevent walkthrough 43 Hardware-key break-glass super-admin
Prevent process 44 Vault-account custody of crown jewels
Prevent process 45 Mandatory-absence review
Detect process 46 Reading-room enclave (SCIF port, incl. data-copy minimization)
Prevent walkthrough 47 Deny-by-default IP/geo gating
Prevent walkthrough 48 CSE self-hosted / HYOK KACLS
Prevent walkthrough 49 Email gateway interception
Prevent runbook 50 Offline & desktop-sync data minimization
Prevent walkthrough 51 Privileged Access Workstation for admins
Prevent process
Prevent walkthrough 35 Witnessed ceremonies + tamper-evident custody
Assure process 36 Split-custody break-glass
Prevent process 37 Continuous OAuth re-authorization sweeps
Detect runbook 38 Cloud session control + admin re-auth
Prevent walkthrough 39 Directory minimization for targeted staff
Prevent walkthrough 40 Scripted JIT admin elevation
Prevent runbook 41 Periodic access recertification
Assure runbook 42 Color-coded data domains (labels + IRM)
Prevent walkthrough 43 Hardware-key break-glass super-admin
Prevent process 44 Vault-account custody of crown jewels
Prevent process 45 Mandatory-absence review
Detect process 46 Reading-room enclave (SCIF port, incl. data-copy minimization)
Prevent walkthrough 47 Deny-by-default IP/geo gating
Prevent walkthrough 48 CSE self-hosted / HYOK KACLS
Prevent walkthrough 49 Email gateway interception
Prevent runbook 50 Offline & desktop-sync data minimization
Prevent walkthrough 51 Privileged Access Workstation for admins
Prevent process
Tier 4 — the deep end
Everything in this tier is in draft status — shown only as a preliminary direction we're considering.
52 Alert-pipeline heartbeat
Assure runbook 53 Honeytoken credential file
Detect runbook 54 Cloud Identity Free decoy accounts
Detect runbook 55 Air-gapped recovery identity
Recover process 56 Self-hosted canary corpus
Detect runbook 57 Canary tokens via commercial console
Detect runbook 58 WORM off-tenant log archive
Assure runbook 59 Config-drift & persistence sentinel (incl. mail-routing watch)
Detect runbook 60 Zero-standing-access delivery pattern
Meta process 61 Audit-the-auditors alerting
Detect walkthrough 62 Config-as-code with reconciliation
Prevent runbook 63 Travel-mode accounts
Prevent runbook 64 AI-agent / prompt-injection canary
Detect runbook 65 Apps Script / add-on / AI-agent governance
Prevent walkthrough 66 Detection engineering on exported logs
Detect runbook 67 Purple-team / adversary emulation
Assure process 68 Multi-tenant compartmentalization
Prevent process 69 CSE with Google-partner KACLS
Prevent walkthrough
Assure runbook 53 Honeytoken credential file
Detect runbook 54 Cloud Identity Free decoy accounts
Detect runbook 55 Air-gapped recovery identity
Recover process 56 Self-hosted canary corpus
Detect runbook 57 Canary tokens via commercial console
Detect runbook 58 WORM off-tenant log archive
Assure runbook 59 Config-drift & persistence sentinel (incl. mail-routing watch)
Detect runbook 60 Zero-standing-access delivery pattern
Meta process 61 Audit-the-auditors alerting
Detect walkthrough 62 Config-as-code with reconciliation
Prevent runbook 63 Travel-mode accounts
Prevent runbook 64 AI-agent / prompt-injection canary
Detect runbook 65 Apps Script / add-on / AI-agent governance
Prevent walkthrough 66 Detection engineering on exported logs
Detect runbook 67 Purple-team / adversary emulation
Assure process 68 Multi-tenant compartmentalization
Prevent process 69 CSE with Google-partner KACLS
Prevent walkthrough