# 32 Groups for Business exposure lockdown

> v0.0.3 · role: Prevent · [policy: #4 · #15](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

A Google group is both a mailing list and an access principal: whatever a group can reach, every member of it can reach. This control sets the org-wide posture to Private — archives not readable outside the organisation, no external members, no inbound external mail by default — restricts group creation to admins, and audits existing groups for the two dangerous states: anyone-on-the-web access, and external members on a group that grants Drive or shared-drive access.

Documentation: [Options for limiting group access & activity](https://knowledge.workspace.google.com/admin/groups/options-for-limiting-group-access-and-activity)

## Caveats

- The org-wide screen sets defaults and ceilings, not the state of the groups you already have — enumerate them (GAM `print groups settings`) and remediate, or the tenant setting looks fixed while the groups are not.
- A group with open membership that is also an ACL on a shared drive is a public share with extra steps — see №11 and №29.
- Turning off the org-wide 'Group owners can allow incoming email from outside the organization' checkbox removes owners' ability to allow external mail per group — enumerate legitimate inbound aliases (support@, press@) first, and if any need external mail, leave the checkbox On and restrict it per group instead.
- Multi-party approval can hold this change hostage — if №22 covers Groups for Business, a change here does not take effect until a second admin approves it, so expect a pending-approval banner rather than an applied setting.

## Setup steps

1. Set the org-wide sharing posture to Private so group archives are not readable outside the organization. — `Apps › Google Workspace › Groups for Business › Sharing settings`

   'Accessing groups from outside this organization' = Private; 'Group owners can allow external members' = Off; 'Group owners can allow incoming email from outside the organization' = Off (leave On only if named support aliases need per-group external mail)

   docs: [Set organization-wide policies for using groups](https://knowledge.workspace.google.com/admin/groups/set-organization-wide-policies-for-using-groups)

2. Constrain who may create groups and what default access a new group gets, so a user cannot mint a world-readable list. — `Apps › Google Workspace › Groups for Business › Sharing settings`

   - **Creating groups** = Only organization admins can create groups
   - **Default for permission to view conversations** = All group members

   docs: [Set organization-wide policies for using groups](https://knowledge.workspace.google.com/admin/groups/set-organization-wide-policies-for-using-groups)

3. Audit existing groups for the two dangerous states: 'Anyone on the web can post/view' and external members on a group that grants Drive/shared-drive access. — `Directory › Groups`

   - **Per group: Who can join** = Only invited users
   - **Who can view conversations** = Group members
   - **Who can post** = Group members

   docs: [Update group details](https://knowledge.workspace.google.com/admin/groups/update-group-details)

4. Remember that a group is an access principal: any group used to grant shared-drive or Drive access inherits its membership rules. An externally-joinable group is a self-service permission grant.

   - **Groups used for access control** = admin-managed membership only

## Ongoing maintenance

- **[automatable: script]** Monthly: check newly created groups against the exposure baseline.

## How to verify

1. Fetch a group archive logged out — it must refuse.

   ```
   curl -s -o /dev/null -w "%{http_code}" "https://groups.google.com/a/<domain>/g/<group>" # expect 302/403, not 200
   ```

## Settings screens

- Apps > Google Workspace > Groups for Business > Sharing settings
  - console: https://admin.google.com/ac/managedsettings/864450622151
  - screenshot: ../screenshots/admin.google.com/ac/managedsettings/864450622151.png
- Directory > Groups (per-group access settings audit)
  - console: https://admin.google.com/ac/groups
  - screenshot: ../screenshots/admin.google.com/ac/groups.png
