Do you know who has access to your Admin console? When doing Google domain audits, we often see users in admin roles who have been granted too little or too much access, along with users whose accounts are unprotected. Delegating the right level of access helps users be more successful and protects your environment from unwarranted changes. The start of the academic year is always a good time to start fresh in the Admin console; knowing who has the keys to the kingdom is essential to managing your environment.
Super admins, for instance, can manage other administrators, restore users, and delete the domain. In the grand scheme of the Admin console, these are high-impact capabilities. Google recommends that at least two people have these rights because super admins are the only ones who can reset another admin's password. In addition, CDW Amplified for Education recommends keeping this role to a maximum of three to four users to prevent unnecessary access.
But what role should everyone else have? Google provides a few pre-configured roles, which are a helpful starting point for initial assignments. You also have the option to create custom roles tailored to a user's needs. We recommend reviewing custom roles for your users and creating roles targeted at specific individuals and what they need to do. Assigning users only the roles they need ensures they can perform their tasks while keeping them from accidentally changing things they shouldn't.
In addition to configuring custom roles for your admins, we often come across admins who use their everyday account as their admin account. As a best practice, avoid mixing the two. Everyday accounts are exposed to add-ons, extensions, file sharing, and email, which means there is more potential for them to be compromised. Just like any account that holds confidential information, the admin account should be used only for the sensitive work it exists for. Keeping the two accounts separate prevents overexposure and separates your admin processes from everyday processes.
Another step toward protecting these accounts is to remove them from the directory view. Hiding the account avoids confusion between a user's everyday account and their Super Admin account.
To hide an account from the directory:
- Navigate to the user account you want to hide.
- Click on the user information card.
- Scroll down to Directory sharing and toggle it OFF.
Now you have a secondary account that is not visible in the directory, which helps to avoid confusion with your Super Admin account.
Once a secondary account has been established, it is important to protect it from compromise. There have been cases of Super Admin accounts being broken into through brute-force attacks or password capture. One of the best ways to secure these accounts is to enable and enroll in 2-Step Verification.
Quite often, 2-Step Verification is seen as an extra, inconvenient step at login, but it is essential to protecting your account. For example, a school that had recently completed an audit decided it was time to turn on 2-Step Verification for all of its Super Admins. Before the audit, they had not enabled the feature because they didn't consider it a necessary security step. About two months after the audit, a student claimed that their device was broken and had an admin check it out. The student had loaded a keystroke recorder on the device, which captured the admin's password. Afterward, the student boasted that he had acquired the Super Admin password. Luckily, because of 2-Step Verification, the admin knew their account was still protected.
2-Step Verification on a Super Admin account is a preventive step that is sometimes overlooked until an incident occurs. For account security, a proactive approach is recommended so that your account stays protected even if your password is compromised.
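The checks this article walks through (at least two and at most three to four Super Admins, 2-Step Verification enrolled, and the admin account hidden from the directory) can be run over a user export rather than clicked through one account at a time. The script below is an added example, not CDW's or Google's tooling; it assumes a JSON export in the shape of the Admin SDK Directory API users.list response (field names isAdmin, isEnrolledIn2Sv, includeInGlobalAddressList and suspended are the API's own), and the user records in it are constructed sample data.

```python
"""Audit a Google Workspace user export for the Super Admin issues described above.

Added example, not CDW's or Google's tooling. Assumes a JSON export shaped like the
Admin SDK Directory API users.list response; the records below are constructed data.
"""
import json

# Constructed sample export; field names follow the Directory API User resource.
SAMPLE_EXPORT = json.dumps({"users": [
    {"primaryEmail": "jdoe-admin@example.edu", "isAdmin": True,
     "isEnrolledIn2Sv": True, "includeInGlobalAddressList": False, "suspended": False},
    {"primaryEmail": "jdoe@example.edu", "isAdmin": False,
     "isEnrolledIn2Sv": False, "includeInGlobalAddressList": True, "suspended": False},
    {"primaryEmail": "msmith-admin@example.edu", "isAdmin": True,
     "isEnrolledIn2Sv": False, "includeInGlobalAddressList": True, "suspended": False},
    {"primaryEmail": "old-admin@example.edu", "isAdmin": True,
     "isEnrolledIn2Sv": False, "includeInGlobalAddressList": True, "suspended": True},
]})

MAX_SUPER_ADMINS = 4   # CDW's recommended ceiling of three to four
MIN_SUPER_ADMINS = 2   # Google's recommendation: at least two


def audit_super_admins(export_json, max_admins=MAX_SUPER_ADMINS):
    """Return a dict of findings about the Super Admin accounts in the export."""
    users = json.loads(export_json)["users"]
    # isAdmin marks super administrators; suspended ones still hold the role.
    admins = [u for u in users if u.get("isAdmin")]
    return {
        "super_admin_count": len(admins),
        "too_many_super_admins": len(admins) > max_admins,
        "too_few_super_admins": len(admins) < MIN_SUPER_ADMINS,
        # Accounts that would still fall to a captured password.
        "admins_without_2sv": sorted(u["primaryEmail"] for u in admins
                                     if not u.get("isEnrolledIn2Sv")),
        # Admin accounts not yet hidden via Directory sharing OFF.
        "admins_visible_in_directory": sorted(u["primaryEmail"] for u in admins
                                              if u.get("includeInGlobalAddressList", True)),
        # Suspended accounts that should have the role removed, not just suspended.
        "suspended_admins": sorted(u["primaryEmail"] for u in admins if u.get("suspended")),
    }


if __name__ == "__main__":
    for key, value in audit_super_admins(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```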
Let's take a moment to ensure that our environments are managed in an intentionally granular way, with user accounts that are separate and protected. In almost every audit we do, we see the same issues with Super Admin accounts, and although it may not be front of mind for many admins, an unsecured Super Admin account is like leaving your keys in your front door. People may not notice, but when they do, they can use those accounts to gain access to systems they shouldn't have access to. This is just one of the common things we see in our audits; many other common issues bubble up as well. If you haven't looked at your environment recently, maybe the new year and new decade is the time to reflect and plan for the future.
To learn more about the most common mistakes we find during an audit, download our top Google for Education domain configuration errors.
If you would like to talk to someone about your institution’s Admin role settings, connect with one of our team.
| Document Version | Date | Description of Change |
| --- | --- | --- |
| 1.1 | 5/28/2024 | Removed author block |
| 1.1 | 7/5/2024 | Removed span tags that impacted search |
| 1.2 | 7/15/2024 | Text edits and reverify |