Securing Google Workspace

Josh and I presented at the MidwestTechTalk Security Symposium on “Securing Google.” We talked about Google Admin Console security settings. From basic user password resets to DKIM, DMARC, and SPF email settings, we tried to cover as much as possible in an hour’s time. We had a great time conversing with the attendees and bantering with one another over our Google Workspace settings. Post conference, we thought it would be good to share a quick overview of that session and share a best practices activity (30-60 mins) that will improve the function and security of your Google Admin console.

No One Size Fits All

Here’s the thing, no two school districts are the same. We all know this! Josh and I are pretty much neighboring school districts, and his 1:1 program looks similar, but different, compared to mine. My faculty/staff password policy is almost the same as his. My overall tech program is better than his. Did I really say that? I kid, of course. No really, mine is better. Our Google security settings? Many are the same. Some different! The point is, we all have different cultures, needs, and pain thresholds within our organizations. As you review the video and the guide, think about how you can implement best practices that will meet the culture and needs of your organization. 

If you watch the video (and I strongly encourage you to), then you’ll hear the banter between us about settings and best practices as well as from the room. It’s great conversation!

Session Slides

K12TechTalk podcast presents “Securing Google” at the MidwestTechTalk Security Symposium

So, grab a colleague, a coffee or other caffeinated beverage and jump in. What are you waiting for!? Log into your Google Admin Console and click around with this article. At bare minimum, refresh your memory on settings. Compare yourself to us. Best case, you make your Google users more secure after spending a few minutes with this article. Worse case, your memory is refreshed and you leave feeling like you are more secure than me.

Individual User Security

(Pick a user, any user, and remind yourself of what’s in this area)

Google Admin > Users > Pick any user

  • Reset password
  • Click Security… add security keys, 2-step, backup codes for 2-step, reset sign-in cookies, view/revoke app passwords and connected applications

Question to ask yourself: Do you enforce 2-step Google on your faculty, staff, students, who? If not, what’s holding you back from implementing it?

Gmail Security

Google Admin > Apps > Google Workspace > Gmail

  • Safety… Attachments (Protect against all things untrusted. Apply future recommended settings is ON.)
  • Safety… IMAP, links and external images (Identify and Scan links. Appy future recommended settings is ON.)
  • Safety… Spoofing and auth (Protect yourself! Apply future recommended settings is ON.)
  • Spam/phishing/malware (Whitelist is here.)
  • Spam… Pre-delivery (This is a good thing.)
  • Spam… rules (Be more aggressive when filtering spam. Different OUs can have different rules here. Student versus Staff, etc.)
  • Spam… Blocked senders

Question to ask yourself:  What settings do you use under Safety and Spam sections? Could you/should you do more?

Gmail Security (Continued)

Google Admin >  Apps > Google Workspace > Gmail

  • Compliance… content, objectionable content, attachment (Different OUs can have different settings here. For Attachment, we recommend quarantining messages with encrypted attachments. Chris adds a “prepend custom subject” to emails that contain attachments too, asking users to double check that they are expecting an attachment from the person sending it.)
  • Authenticate email… DKIM (Do this!)
  • Jim Wagner’s great MWTT presentation –
  • https://docs.google.com/presentation/d/1xte9Uj-xS66wAvhG9VcZMKvyAAAzfEh8t2DtHaCVmb4/edit#slide=id.p

Question to ask yourself:  What compliance do you use? Do you do DKIM, DMARC, and SPF? You should be using all three!

Device Security

Google Admin > Devices > Chrome > Settings > Devices

  • Forced re-enrollment (Yes!)
  • Disabled device return instructions (Yes!)
  • Disable guest mode (Yes!)
  • Restrict sign-in (Yes!)
  • Track recent users (Uh, yes!)

● Google Admin > Devices > Chrome > Settings > User/Browser

  • Idle settings (Chris does 25min)
  • Disable Incognito Mode (Yes!)
  • Always save browser history (Yes!)
  • SafeSearch and Restricted Mode (Different OUs can have different settings.)
  • URL Blocking (Chris blocks crosh and other URLs here.)

Google Admin Security Settings

Google Admin > Security (Click around in these areas and refresh your memory of them)

  • Alert Center
  • Auth… 2 step
  • Password Management
  • SSO (like Clever)
  • Security Center… dashboard and security health

Question to ask yourself:  How long is your required password? Strong password? Reuse? Expire? Is it as strong as it should be? Compare yourself to neighboring school districts.

Google Admin Reports

Google Admin > Reports (Click around in these areas and refresh your memory of them)

  • User Reports, Security
  • User Reports, Accounts
  • User Reports, Apps usage
  • Audit… Admin, Login, User Accounts

Question to ask yourself:  How often do you look at Google logs? What would be a best practice?

Dig Even Deeper

Google has a “Security checklist for medium and large businesses (100+ users)” https://support.google.com/a/answer/7587183?product_name=UnuFlow&hl=en&visit_id=637824506319186394-2956343033&rd=1&src=supportwidget0&hl=en#zippy=

Leave a Comment