Section 2.3 Security, User adoption

  1. What happens when you enable SSL in the Security > basic settings
    Forces HTTPS, so that session traffic between the user's browser and the Google Apps services is encrypted.
  2. When does SSL work best for the user?
    When they are using an unsecured network such as public wifi, coffee shop, etc.
  3. Can you specify the password strength for your users?
  4. Can users be forced not to use dictionary words?
    No.  They can use dictionary words.
  5. Does google monitor passwords?
    Yes.  It checks to make sure they aren't ones that are being frequently exploited like 'password.'
  6. Is two-step verification mandatory?
    No it isn't.  You can however make it mandatory.
  7. Can two step verification be forced on one sub-organization?
  8. Can my organization use our own authentication system to provide user access to Google Apps?
    Yes.  Google supports this through single sign-on (SSO).
  9. What is the google required minimum characters for passwords?
    Minimum 8 characters.
  10. How are passwords for Google apps users accounts generated?
    Google uses a mixed pattern of symbols, upper and lower case letters, and numbers. The length of the password will be the greater of the required minimum (8), or the minimum password length you've set for your domain.
  11. An administrator/end-user deleted a number of email messages, how can I recover them?
    Once an administrator or end-user has deleted any data in Google Apps, we delete it according to your Customer Agreement and our Privacy Policy.

    Data is irretrievable once an administrator deletes a user account. See the Help Center for best practices for deleting users.
  12. What does Google use to prevent phishing scams?
    To help prevent phishing, Google participates in the Domain-based Message Authentication, Reporting & Conformance (DMARC) program, which lets domain owners tell email providers how to handle unauthenticated messages from their domain. Google Apps customers can implement DMARC by creating a DMARC record within their administrator settings and implementing an SPF record and DKIM keys on all outbound mail streams.
  13. How does google respond to users sending spam?
    If Google identifies a Google Apps email user who is spamming, we reserve the right to immediately suspend the user.
  14. How does google respond to a domain sending spam?
    If the spam is domain-wide, we reserve the right to suspend the entire account and deny administrator access to all the Google Apps services.
  15. What is federated login?
    You can login to a 3rd party service without sharing your credentials.
  16. Can federated login be controlled from the Apps panel?
    Yes, from the Apps panel.
  17. What is an API?
    A defined interface (a set of rules and calls) that dictates how one application talks to another.

    e.g., Gmail --> API --> Outlook
  18. Is API access enabled by default?
    Yes.  API access is on by default, and it must be enabled for other services (e.g. third-party apps) to talk to Google Apps.
  19. Is it necessary to enable API's from the Google market place?
    Some apps do require APIs to be enabled.
  20. What is OAuth?
    Open standard authorization protocol.
  21. How is OAuth used?
    It lets a third party access a user's data, with the user's consent, without the third party ever obtaining the user's credentials.
  22. Which version of OAuth is recommended?
    OAuth version 2
  23. Can the admin authorize access user data for the entire domain?
  24. How does the admin authorize access user data for the entire domain?
    By installing an extension for the entire domain.
  25. Can an admin revoke authorized access given to a third party by a user?
    yes.  In the user's security tab.
  26. How do you obtain security info on the domain?
    Reports > Security
  27. Where can you obtain information on which users have external apps and are sharing files externally?
    Reports > Security
  28. What is the plan of action for a compromised account?
    The administrator security checklist
  29. When do we follow the administrator security checklist?
    When the user cannot verify that the suspicious activity was them.
  30. What do we do if a user account has been compromised?
    • Suspend the account
    • Reset the user's sign-in cookies (Users > select the user > Account settings)
    • Give the user the Gmail security checklist
  31. Can admins who forgot their credentials recover them?
    Yes.  At the login page click on need help.
  32. When are email and phone number account recovery methods not available to admins?
    When the domain has three or more super admins, or more than 500 users.
  33. What happens if a super admin cannot reset your super admin credentials?
    Google requires domain verification to prove you have administrator access for your domain
  34. To require users to sign in to Google Apps using their LDAP credentials, what should you enable in your domain?

    A. Application Specific Passwords

    B. Secure Socket Layout

    C. Single Sign On

    D. 2-Factor authorization
  35. On a public computer, one of your users signed in to a corporate Gmail account and may not have signed out. How do you ensure the user's profile is secure?

    A. View the user’s profile to see if the user is still signed in, and if so, sign out the user.

    B. Reset the user’s sign-in cookies and require the user to change the password at next sign in.

    C. Use the Activity Report to see if any suspicious sign-in attempts have been made using the user’s profile.

    D. Suspend the user’s profile and reset the password to a system-generated password
  36. In the Google Apps Admin console, how do you view which third-party applications have access to a specific user’s data?

    A. In the security section of the user's profile, view the services the user has authorized for access.

    B. In the security section of the user's profile, view the user's application-specific passwords.

    C. In the domain’s security settings, view the API access settings.

    D. In the domain’s security settings, view the Basic settings.
  37. What is two-step verification?
    2-Step Verification adds an extra layer of security to your users' Google Apps accounts by requiring them to enter a verification code in addition to their username and password when signing in to their account.
  38. Google best practice suggests who should have 2-Step verification enabled?
    2-Step Verification should always be enabled and enforced for all Super Administrator, VIP, sensitive access accounts, and all user accounts.
  39. How is the code in two-step verification sent to the user or used by the user?
    This verification can be in the form of codes which only the user can obtain via their own mobile phone, or via an encrypted signature contained on a security key.
  40. When do you use Google Authenticator?
    When the user has enabled 2-Step Verification and chooses the app as the way to obtain verification codes.
  41. If the service is turned on but not forced across the domain, how does a user enable it?
    The user must go to My Account  > Sign-in & security > Password & sign-in method
  42. Is Google authenticator the only way a user can use 2 step authentication?
    No.  A user can receive the verification code on their mobile phone in several ways: the Google Authenticator app, a text message, or a phone call.
  43. How often do trusted computers require a verification code?
    Trusted computers only ask for verification codes once every 30 days.
  44. If you lose your phone is it possible to still access your account?
    Yes, if the machine is a trusted one.
  45. Does the Google Apps SLA apply if I am using Google Authenticator?
  46. Does the Google Apps SLA apply if I am using the Sprint network?
    No.  The Google Apps SLA (Service Level Agreement) does not apply to any services that are used in connection with 2-step verification, if the verification process relies on third-party voice or data providers to deliver the verification code
  47. Can you use more than one method at a time for two step verification?
    Only one method is used per sign-in, although several methods can be set up (for example, more than one phone number).
  48. When are you prompted to select for google to trust the two step verification for a computer?
    When you are logging in to the computer for the first time you are asked to trust this computer
  49. What is the one caveat about using codes sent to a user?
    They are time based and expire
  50. What happens if you accidentally enable a device for trust for 30 days?
    You can unregister it.  However, you will unregister ALL of the devices except the computer you are using.
  51. Can you use authenticator on one phone for more than one account?
  52. Can 2 step verification be used for devices using a a SAML single sign on service?  (SSO)
  53. What can you if you want to use 2 step verification but are using SSO?
    You can get a third party SSO solution that has 2 step verification
  54. What are the differences between regular codes and back up codes for two step verification?
    Backup codes are eight characters long; regular codes are six.
  55. Backup codes can be used how many times?
    Just one time.
  56. If you have used some backup codes and then generate new back up codes what happens to the first set of codes?
    They are no longer valid.  Use the second set.
  57. How does a user with no access to their backup verification codes get a code?
    They call an admin, who can give them one from the Security tab of the user's entry in the Users section.
  58. Can you have more than one phone number as the contact in your two-step verification?
    Yes.  You can setup more than one.
  59. Can an admin turn on two step verification for a user?
    No.  The user has to opt in.  An admin can enforce it for the domain, but cannot enroll an individual user.
  60. Can an admin turn off 2 step verification?
    Yes.  But cannot turn it on.
  61. What happens with mail clients who don't have native two-step verification built in?
    You have to generate an application-specific password (ASP) and use it in place of your normal password in that app.
  62. What happens if you no longer need to use an app that is using app verification?
    You can revoke the app in your account.
  63. Can you revoke an ASP for a user from the console?
    Yes.  From the user security tab.
  64. what has to happen before you enforce two step verification?
    Everyone in the org must be enrolled prior to the enforcement or they will be locked out of Google apps.
  65. For Google Apps to send a code to a user’s mobile device to verify their identity when signing in, what feature must be set up by the user?

    A. 2-Step Verification

    B. SSL

    C. Single Sign On (SSO)

    D. Mobile Device Management
  66. What do application-specific passwords do?

    A. Allow users to have different passwords depending on how they sign in.

    B. Act as a substitute for a verification code for applications that don’t support 2-step verification.

    C. Enable third-party applications to connect to Google using a manufacturer-supplied password.
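Worked example for cards 7 to 10 (password policy). This is an added illustration, not Google's code: a checker that enforces the effective minimum length, max(8, domain minimum), rejects a constructed sample of frequently exploited passwords (standing in for whatever list Google actually checks), and deliberately lets ordinary dictionary words through, beside a generator that produces the mixed upper/lower/digit/symbol passwords card 10 describes from a CSPRNG.

```python
import secrets
import string
from typing import List

GOOGLE_MINIMUM = 8  # minimum length stated on card 9

# Constructed, illustrative sample of frequently exploited passwords; it stands in
# for whatever list Google checks against and is not Google's list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "welcome1"}

SYMBOLS = "!@#$%^&*-_=+?"
CLASSES = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS]


def check_password(password: str, domain_minimum: int = GOOGLE_MINIMUM) -> List[str]:
    """Return the policy violations for a candidate password (empty list = accepted).

    Enforces the effective minimum length, max(8, domain minimum), and rejects
    frequently exploited passwords. Deliberately does NOT reject ordinary
    dictionary words, matching the behaviour described on card 4.
    """
    problems = []
    required = max(GOOGLE_MINIMUM, domain_minimum)
    if len(password) < required:
        problems.append(f"shorter than {required} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("frequently exploited password")
    return problems


def generate_password(domain_minimum: int = GOOGLE_MINIMUM) -> str:
    """Generate a system password of length max(8, domain minimum) with at least one
    upper-case letter, lower-case letter, digit and symbol, drawn from a CSPRNG."""
    length = max(GOOGLE_MINIMUM, domain_minimum)
    chars = [secrets.choice(cls) for cls in CLASSES]          # one of each class
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                      # don't leak class order
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    for candidate in ("password", "short1", "sunflower", generate_password(12)):
        print(f"{candidate!r}: {check_password(candidate, 10) or 'accepted'}")
```

Note that "sunflower" passes: it is a dictionary word but not on the exploited list and is longer than the minimum, which is exactly the gap card 4 describes; the only way to close it is 2-Step Verification (cards 6 and 38).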
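Worked example for card 12 (DMARC). Added here as an illustration, not Google's implementation: constructed SPF, DKIM and DMARC TXT records for a hypothetical example.com, a parser for the DMARC record, and the decision a receiving provider makes for a message once SPF and DKIM have been evaluated. Alignment follows the DMARC tags adkim/aspf (relaxed by default, strict with "s"); the organizational-domain lookup is simplified to the last two labels, where real receivers consult the public suffix list.

```python
from typing import Dict, Optional

# Constructed sample records for a hypothetical domain; not real DNS data.
SPF_RECORD = "v=spf1 include:_spf.google.com ~all"             # TXT at example.com
DKIM_SELECTOR = "google._domainkey.example.com"                # TXT holding the DKIM public key
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")        # TXT at _dmarc.example.com


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a _dmarc TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def _org_domain(domain: str) -> str:
    # Simplification: the last two labels are the organizational domain.
    # Real receivers use the public suffix list (e.g. example.co.uk needs three).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Is the domain that passed SPF/DKIM aligned with the RFC5322.From domain?"""
    if auth_domain is None:           # that mechanism did not pass at all
        return False
    if mode == "s":                   # strict: exact match
        return from_domain.lower() == auth_domain.lower()
    return _org_domain(from_domain) == _org_domain(auth_domain)   # relaxed


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """What the receiver does with the message: 'pass' if either SPF or DKIM
    passed with an aligned domain, otherwise the owner's policy (p=, or sp= for
    a subdomain of the organizational domain)."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = _org_domain(from_domain) != from_domain.lower()
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


if __name__ == "__main__":
    # Message from example.com relayed by mail.example.com (SPF passed for it), no DKIM.
    print(dmarc_disposition(DMARC_RECORD, "example.com", "mail.example.com", None))
    # Spoofed message: neither SPF nor DKIM passed for an aligned domain.
    print(dmarc_disposition(DMARC_RECORD, "example.com", None, None))
```

The practitioner's check is the last case: with p=reject, a spoofed message that fails both mechanisms is refused, but only if SPF and DKIM are set up on every outbound stream, otherwise legitimate mail fails the same way.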
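Worked example for cards 20 to 22 (OAuth 2). This is an added illustration written for the page, not Google's client library: the third-party side of the OAuth 2 authorization-code flow, building the request to Google's authorization endpoint for only the scopes it needs and validating the redirect back with a per-session state value so a forged callback is rejected. The client ID and redirect URI are hypothetical placeholders.

```python
import hmac
import secrets
from typing import Dict, List
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint; the client values below are
# hypothetical placeholders, not real credentials.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "123456789012-example.apps.googleusercontent.com"
REDIRECT_URI = "https://app.example.com/oauth2/callback"


def query_params(url: str) -> Dict[str, str]:
    """Flatten the query string of a URL into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def start_authorization(scopes: List[str], session: Dict[str, str]) -> str:
    """Build the URL the user's browser is sent to. Only the requested scopes are
    asked for, and a random `state` bound to the user's session lets the callback
    reject redirects this session never started (CSRF)."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "access_type": "offline",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(callback_url: str, session: Dict[str, str]) -> str:
    """Validate the redirect back to REDIRECT_URI and return the authorization code.

    The code is later exchanged server-side (with the client secret) for an
    access token limited to the granted scopes; the user's Google password is
    never seen by the third party, which is the point of card 21."""
    params = query_params(callback_url)
    expected = session.pop("oauth_state", None)      # single use
    received = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: redirect was not started by this session")
    if "error" in params:
        raise ValueError(f"authorization refused: {params['error']}")
    if not params.get("code"):
        raise ValueError("no authorization code in callback")
    return params["code"]


if __name__ == "__main__":
    session: Dict[str, str] = {}
    url = start_authorization(["https://www.googleapis.com/auth/gmail.readonly"], session)
    print("send user to:", url)
    # Constructed callback as Google would redirect it after the user consents.
    callback = f"{REDIRECT_URI}?state={session['oauth_state']}&code=4%2FdemoCode"
    print("authorization code:", handle_callback(callback, session))
```

The access token that results is what an admin revokes on the user's Security tab (card 25); revoking it does not touch the user's password, because the app never had it.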
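Worked example for cards 39 to 43, 49 and 54 to 56 (verification codes and backup codes). Added as an illustration, not Google's code: the RFC 6238 time-based code that the Google Authenticator app computes (6 digits, a new code every 30 seconds, so an old code expires), with a verifier that tolerates one step of clock skew, and a store of static 8-digit backup codes where each code is usable once and regenerating the set invalidates the old one. The shared secret in the demo is the RFC 6238 test-vector key, not a real account secret.

```python
import hashlib
import hmac
import secrets
import string
import struct
import time
from typing import FrozenSet, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is the
    scheme behind the 6-digit codes the Google Authenticator app shows."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock skew);
    anything older has expired, which is the caveat on card 49."""
    now = int(time.time()) if at is None else at
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d, len(code)), code)
               for d in range(-window, window + 1))


class BackupCodes:
    """Static 8-digit one-time codes (cards 54 to 56): each is usable once, and
    regenerating the set invalidates every code from the previous set."""

    def __init__(self, count: int = 10) -> None:
        self._codes: set = set()
        self.regenerate(count)

    def regenerate(self, count: int = 10) -> None:
        codes: set = set()
        while len(codes) < count:          # loop guarantees exactly `count` distinct codes
            codes.add("".join(secrets.choice(string.digits) for _ in range(8)))
        self._codes = codes                # old set is dropped, so old codes are invalid

    def remaining(self) -> FrozenSet[str]:
        return frozenset(self._codes)

    def redeem(self, code: str) -> bool:
        """Consume a code; returns False if it is unknown or already used."""
        if code in self._codes:
            self._codes.discard(code)
            return True
        return False


if __name__ == "__main__":
    # Constructed shared secret (the RFC 6238 test-vector key), not a real account secret.
    secret = b"12345678901234567890"
    print("current code:", totp(secret))
    codes = BackupCodes()
    first = next(iter(codes.remaining()))
    print("backup code redeemed:", codes.redeem(first), "again:", codes.redeem(first))
```

A trusted computer (card 43) simply skips this check for 30 days after one successful verification; it does not change how the code itself works.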