As a Google Apps Administrator, you’ve already changed the obvious security settings.
You increased the required password length to more than the minimum of 8 characters. You checked the box to allow people to use 2-step authentication. You’ve even customized the password assistance message in Google Apps to display the phone number for your help desk.
Administrator accounts merit additional security review, since a Google Apps administrator can change settings that affect the entire organization.
Below are a few actions to take to secure—and monitor—Google Apps administrator accounts for your organization.
1. Provide more than one person Administrator privileges
When an organization signs up for Google Apps, the initial account receives “Super Administrator” privileges. Most large organizations proceed to add additional administrators, but some organizations proceed with just the initial administrator account.
Give at least one additional account administrator privileges, preferably to a person from a different operational area. For example, while an I.T. manager might be the initial super administrator, a technically savvy person from the human resources area might be a solid choice as an additional administrator.
2. Administrators should use 2-step authentication
Periodically check that all Administrator accounts have 2-step authentication active. To do this, log in at admin.google.com, choose Users, and then Security settings to view the 2-step status for each Administrator account.
For organizations concerned with cost, 2-step authentication on the desktop no longer requires a smartphone app or a phone. Instead, Chrome and Chrome OS users may insert a security key into a USB port to authenticate. Security key verification requires a USB port and works with Chrome, so people who are mobile-only or who use other browsers should continue to use an app or SMS verification.
3. Regularly review Administrator recovery settings
Each Administrator should review his or her recovery email address and phone number. Recovery options let an administrator reset a forgotten password through a phone number or a secondary email account. To add a phone number or email account for recovery, log in at https://www.google.com/settings/security, then choose Edit next to either the recovery email or phone option.
Ideally, use email accounts or phones that the company controls as recovery contacts: for example, a company email account that is not routed through Google Apps, such as firstname.lastname@example.org, instead of email@example.com. Secure your recovery email accounts with 2-step authentication as well.
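The three checks above (at least two Super Administrators, 2-step authentication on every administrator account, and company-controlled recovery contacts) can be run in one pass over exported user records. The following Python script is an added example, not code from the original article or from Google. It assumes you have already pulled user records through the Admin SDK Directory API (`users.list`), whose user resource does expose the fields `primaryEmail`, `isAdmin`, `isDelegatedAdmin`, `isEnrolledIn2Sv`, `recoveryEmail` and `recoveryPhone`; the records below are constructed sample data in that shape, and the set of company-controlled recovery domains is an assumption you would replace with your own.

```python
"""Audit Google Apps administrator accounts from Admin SDK-style user records.

Added example. SAMPLE_USERS is constructed data in the shape of the Admin SDK
Directory API users.list response; in practice you would fetch the records with
the API and feed them to audit_admins().
"""
from typing import Iterable, List, Set, Tuple

# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"primaryEmail": "it.manager@example.org", "isAdmin": True,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": True,
     "recoveryEmail": "it.manager@corp-mail.example.org",
     "recoveryPhone": "+15555550100"},
    {"primaryEmail": "hr.lead@example.org", "isAdmin": True,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": False,
     "recoveryEmail": "hrlead@example.com"},      # recovery mailbox outside the company
    {"primaryEmail": "helpdesk@example.org", "isAdmin": False,
     "isDelegatedAdmin": True, "isEnrolledIn2Sv": True},  # no recovery options at all
    {"primaryEmail": "alice@example.org", "isAdmin": False,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": False},  # not an admin, ignored
]

# Assumed: domains of mail systems the company controls and accepts as
# recovery contacts (e.g. a company mail server not routed through Google Apps).
COMPANY_RECOVERY_DOMAINS = {"corp-mail.example.org"}

# Minimum number of Super Administrators the article recommends.
MIN_SUPER_ADMINS = 2

Finding = Tuple[str, str]  # (account or "*" for domain-wide, issue code)


def is_admin(user: dict) -> bool:
    """Super admins (isAdmin) and delegated admins both hold elevated rights."""
    return bool(user.get("isAdmin")) or bool(user.get("isDelegatedAdmin"))


def recovery_email_domain(user: dict) -> str:
    """Domain part of the recovery email, lower-cased; empty if none is set."""
    email = user.get("recoveryEmail") or ""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def audit_admins(users: Iterable[dict], company_domains: Set[str]) -> List[Finding]:
    """Apply the article's checks 1-3 and return one finding per problem."""
    users = list(users)
    findings: List[Finding] = []

    # Check 1: more than one Super Administrator.
    super_admins = [u for u in users if u.get("isAdmin")]
    if len(super_admins) < MIN_SUPER_ADMINS:
        findings.append(("*", "too_few_super_admins"))

    for user in users:
        if not is_admin(user):
            continue
        account = user["primaryEmail"]

        # Check 2: every administrator is enrolled in 2-step verification.
        if not user.get("isEnrolledIn2Sv"):
            findings.append((account, "no_2sv"))

        # Check 3: recovery options exist and point at company-controlled contacts.
        has_email = bool(user.get("recoveryEmail"))
        has_phone = bool(user.get("recoveryPhone"))
        if not (has_email or has_phone):
            findings.append((account, "no_recovery"))
        elif has_email and recovery_email_domain(user) not in company_domains:
            findings.append((account, "external_recovery_email"))

    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings as one line each; empty list means the audit passed."""
    if not findings:
        return "OK: no administrator account issues found"
    return "\n".join(f"{account}: {issue}" for account, issue in findings)


if __name__ == "__main__":
    print(format_report(audit_admins(SAMPLE_USERS, COMPANY_RECOVERY_DOMAINS)))
```

Run against the sample records the script reports that hr.lead@example.org lacks 2-step verification and uses a recovery mailbox outside the company, and that the delegated admin helpdesk@example.org has no recovery option set; the phone number is accepted as-is because the API does not expose who controls it, so phone ownership still needs the manual review the article describes.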
4. Review your domain name system (DNS) registrar settings
If you have more than three Super Administrators or more than 500 user accounts, an administrator won’t be able to recover a password via a recovery email account or phone number. Instead, a different administrator will need to reset the account password.
Alternatively, you can verify that you have control of your organization’s domain name system settings. The verification process is similar to the initial Google Apps signup process: Google provides a string of text, you add the text as a CNAME record to your domain, then Google verifies the record is present. (Tip: Since DNS records determine email routing and website hosting, require 2-step authentication to modify your DNS records, if possible. For example, Hover and Cloudflare offer 2-step authentication with an app or SMS.)
Configure and Review
Administrators often seek to secure user accounts, which is important to do. But securing administrator accounts may be even more important, since the impact of a breach of an administrator account could have devastating implications.
If you only have one administrator, add a second administrator today.
Otherwise, audit your administrator settings at least annually to keep your Google Apps and DNS accounts safe, secure, and ready to recover from a lost password.