# resources:courses:gws_c3

Revision: resources:courses:gws_c3 [2025/01/23 15:29] – jackiez → resources:courses:gws_c3 [2025/01/23 18:06] (current version) – jackiez
## SSO overview
## Exercise 1
To implement SSO with SAML, you need to confirm the SSO URL and Entity ID with the third-party service provider.
App>
Download the metadata
URL of the detailed setup guide: [[https://
Fill in the full domain name, select Email as the ID format, and continue.
After finishing, it only works once you follow the setup guide URL step by step. Since the company uses HenngeOne, the GWS-side steps can be skipped.
## Exercise 2
A certificate has to be uploaded here; this requires OpenSSL, and it only works in the Chrome browser, not in others.
No certificate was available, so this exercise was skipped.
## Secure LDAP
Managing SaaS and traditional applications together requires an LDAP service; besides Microsoft AD, there is Google's Secure LDAP.
Steps:
* Create LDAP client in the Admin console
* Configure your LDAP client to connect to the secure LDAP service
## Exercise 3
Set the highest permission level
References:
[[https://
[[https://
This is similar to joining a machine to an AD domain.
## Quiz 2
- Users authenticate against a local directory to gain access to Google Workspace services
- **It reduces maintenance as directory information is consolidated into one directory**
- **It allows you to connect your LDAP-based applications and services to Google Workspace**
- **Users authenticate against the Google Workspace directory to gain access to LDAP compliant applications and services**

- Change Password URL
- **Google Certificate**
- **Entity ID URL**
- **SSO URL**

- Password reuse policy
- Password recovery
- **Require password change**
- Password monitoring

- **Apps > Web and mobile apps > Add App > Search for apps. Then search for Asana from the list of predefined applications**
- Security > Set up single sign-on (SSO) for SAML applications and provide the necessary information
- Apps > Web and mobile apps > plus sign (+) > SETUP MY OWN CUSTOM APP from the Enable SSO for SAML Application window
- Apps > Settings > Third-party integrations. Then search for Asana.

## App security
- Control access from the Admin SDK API
- Block access to a specific service
- Create a trusted application list
- Explore the GWS Marketplace
## Exercise 1
(screenshots only)
## Exercise 2
Many third-party apps connect to GWS; as an administrator you need to control this.
Finally click FINISH, then restrict it
2. When a user tries to install a disabled app, they will receive an error message
Reference link: [[https://
## Exercise 3
Install GA4
View the result
Then configure it so that users can only install allowlisted apps
Then add allowlisted apps; the exercise asks to add Google Apps Script,
Sign in with one of the user accounts instead and check the URL apps.google.com/
Then open the Marketplace and try to install any app; a prompt appears
## Quiz 3
- Already installed applications that use the blocked API will continue to work until the application needs a new OAuth token
- **Already installed applications will stop working and OAuth tokens will be revoked**
- Already installed applications that use the blocked API will continue to work indefinitely
- Already installed applications that use the blocked API will continue to work until the user next signs in to Google Workspace

- **Users can not attempt to install an application that is not on the allowlist because they only see allowed apps in the Marketplace**
- When the user attempts to install the app they will see a message advising that the app cannot be installed because it has not been allowed
- Users can install an app that is not in the allowlist but they cannot grant it access to their data so it will not work
- The app will appear to install, but it will not function correctly.

- **Change the Marketplace settings to allow users to install only allowed applications from Google Workspace Marketplace**
- Complete a Domain install for each application that you want to allow
- Get your users to Install the Marketplace allowlist app onto each device
- Add the names of all the trusted applications to each user's device policy

- Disable API access from the Gmail and Drive service settings
- **From Security > Access and Data Control > API Controls, ensure Trust domain owned apps is enabled. From Security > Access and Data Control > API Controls > MANAGE GOOGLE SERVICES, restrict access to the Gmail and Drive services.**
- From Security > API Permissions,
- Disable Gmail and Drive API access from the top level organization settings

## Exercise 1
Security>
Found a high-severity alert: User suspended
Find TLS Failure
System-defined rules can only be set to send an email notification (when triggered)
## Exercise 2
Reporting>
## Security Center
- Security best practice
- Analytics
- Actionable insights

You can also view the status of various settings, such as
- Automatic email forwarding
- Device encryption
- Drive sharing settings

and view various alerts, such as
- External file share activity
- Authenticated messages
- Suspicious device activities
- Failed password attempts

The Dashboard has various charts; in addition, you can view logs:
- Access device-log data
- Access data about Gmail messages
- Access Gmail log data
- Access Drive log data
For example, we can use a query to check whether any of the following actions took place:
- Delete specific messages
- Mark messages as spam or phishing
- Send message to quarantine
- Send message to users' inboxes

## Quiz 4
- **The alert center consolidates all admin created email alerts into one place**
- The alert center enables you to view alerts and alert details directly in the admin console
- The alert center includes additional in-depth details that enable you to take action to resolve numerous issues that might affect your organization

- **Delete message**
- **Mark message as spam**
- Forward to self
- **View header**

- Access Transparency Audit log
- Users Security log
- The Admin Audit log
- **Users Account Activity Report**

resources/courses/gws_c3.1737613795.txt.gz · Last modified: 2025/01/23 15:29 by jackiez