Do you know who has access to your Admin console? When doing Google domain audits we so often see users in admin roles who have been granted too little or too much access along with users with unprotected accounts. Delegating the right level of access to users can not only help them be more successful but also protect your environment from unwarranted changes. The new year is always a good time to start fresh and in the Admin console, knowing who has the keys to the kingdom is essential to managing your environment.
Let’s start with the basics. Who has access? First, Super Admin access should be reserved for individuals who truly need that level of access. How do you know they need that level of access? Well for starters, Super Admins have a few key abilities that others do not. For instance, they can perform functions like managing other administrators, restoring users, and deleting the domain. In the grand scheme of the Admin console, these are some pretty high-priority capabilities that these users have access to manage. Google recommends at least two people have these rights because Super Admins are also the only ones who can reset another admins password. In addition, CDW Amplified for Education would recommend keeping this role to a maximum of three to four users to prevent unnecessary access.
But what role should everyone else have? Google provides a few pre-configured roles which can be helpful to initially assign roles, but you also have the option to create custom-configured roles that are specifically tailored to the roles of the user. We recommend taking a look at custom-configured roles for your users and creating roles targeted towards specific individuals and their needs. Assigning users to only the roles that they need ensures that users can perform the tasks they need while keeping them from accidentally changing things they shouldn’t.
In addition to configuring custom roles for your admin, we often come across many admins who use the same everyday use account for their admin account. As a best practice, we do our best to avoid mixing the two accounts. Everyday use accounts are exposed to add-ons, extensions, file sharing, and emails which means there are more points of exposure and potential for these accounts to be compromised. Just like any account that holds confidential information, you only want to use that account for the specific purpose of accessing sensitive data. Keeping these two accounts separate prevents overexposure and separates your admin processes from everyday processes.
Another step to protecting these accounts is to remove them from directory view. This helps to avoid confusion when you have both an everyday use account and a Super Admin account. To hide an account from the directory you will navigate to the User’s account you want to hide, click on the user information card, scroll down to directory sharing and toggle it off. Now you have a secondary account that is not visible in the directory and helps to avoid confusion with your Super Admin account.
Once a secondary account has been established, it is important to protect that account from being compromised. There have been cases of Super Admin accounts being broken into by brute force attacks or password captures. One of the best ways to secure your accounts is to enable and enroll in 2 Step Verification.
Quite often 2 step verification is seen as an extra step to logging in that may not be convenient but is essential to protecting your account. For example, a school that had recently done an audit decided it was time to turn on 2 Step Verification for all of their Super Admins. Prior to the audit, they had not enabled this feature because it wasn’t deemed a necessary step for security. About two months after the audit a student claimed that their device was broken and had an admin check it out for them. The student had loaded a keystroke recorder on the device, which captured the Admin’s password. Afterward, the student then boasted that he had acquired the Super Admin password. Luckily, because of 2 Step Verification, the Admin knew their account was protected.
2 step verification on a Super Admin account is a preventative step that is sometimes overlooked until an incident occurs. In the case of account security, a proactive approach is recommended to ensure your account stays protected even if your password is compromised.
As we roll out a new year and decade, let’s take a moment to ensure that our environment is being managed in an intentionally granular method with user accounts that are separate and protected. Almost every audit we do sees the same issues with Super Admin accounts and although it may not be front of mind for a lot of admins, having an unsecured Super Admin account is like leaving your keys in your front door. People may not notice, but when they do they can use those accounts to gain access to systems they shouldn’t have access to. This is just one of the common things we see in our audits but there are so many other common issues that bubble up during an audit. If you haven’t taken a look at your environment recently, maybe the new year and new decade is the time to reflect and plan for the future.
To learn more about the most common mistakes we find during an audit, download our top Google for Education domain configuration errors.
If you would like to talk to someone about your institution’s Admin role settings, connect with one of our team.
About the Author
|Kendal Shomura, Google Consultant|
|Kendal Shomura joined the CDW Amplified for Education team in 2018 after 7 years working in Public Schools as an educator, Instructional Coach, Technology Integration Specialist, and as a Professor in the Masters of Educational Technology program at Touro University. He spent 3 years as a Google Administrator while training staff on how to integrate Google Workspace tools into their classrooms. Kendal’s wide array of experiences with Educational Technology allows him to understand the important nuances of technology in schools. Today, he is a Google for Education Consultant who works to help schools better understand their Google environment and empowers them to configure Google Workspace in the most optimum way for student safety while still allowing for robust usage of the tools.|