← All controls

32 Groups for Business exposure lockdown

A Google group is both a mailing list and an access principal: whatever a group can reach, every member of it can reach. This control sets the org-wide posture to Private — archives not readable outside the organisation, no external members, no inbound external mail by default — restricts group creation to admins, and audits existing groups for the two dangerous states: anyone-on-the-web access, and external members on a group that grants Drive or shared-drive access.

Caveats

Setup steps

  1. open ↗ Apps › Google Workspace › Groups for Business › Sharing settings

    'Accessing groups from outside this organization' = Private; 'Group owners can allow external members' = Off; 'Group owners can allow incoming email from outside the organization' = Off (leave On only if named support aliases need per-group external mail)

    Set organization-wide policies for using groups ↗

  2. Apps › Google Workspace › Groups for Business › Sharing settings
    Creating groups
    Only organization admins can create groups
    Default for permission to view conversations
    All group members

    Set organization-wide policies for using groups ↗

  3. open ↗
    Admin console screen — Directory > Groups (per-group access settings audit)

    https://admin.google.com/ac/groups · captured 2026-07-15

    Directory › Groups
    Per group: Who can join
    Only invited users
    Who can view conversations
    Group members
    Who can post
    Group members

    Update group details ↗

  4. Groups used for access control
    admin-managed membership only

Ongoing maintenance

How to verify

  1. Fetch a group archive logged out — it must refuse.

    curl -s -o /dev/null -w "%{http_code}" "https://groups.google.com/a/<domain>/g/<group>" # expect 302/403, not 200

v0.0.3Prevent policy #4 · #15 ↗