Security Settings in your Google Admin Interface

If you use Google’s infrastructure to run your company’s email infrastructure, you should be aware of some additional security options.

Adding New Users

The interface for adding a new user looks a little different.

Click the "Users" button in the admin interface.


Click the "Add new user" button.


Securing the Admin User Account

It is imperative to secure the administration user of your Google account.

It is a good idea to have a separate user from the one you use day-to-day.

This admin user should have a secure passphrase, two-factor authentication enabled, and should likely be enrolled in the Advanced Protection Program.

IMPORTANT: Secure your Admin Account

It is essential to secure your administrator account properly.

One setting that you can change on your super admin account is to prevent that account from recovering its own password.

This means you need to have multiple super admin accounts (preferably owned/managed by separate people), so that one super admin can unlock another.

You can also restrict regular users from recovering their accounts, so that an admin is needed to unlock the account and reset the password.
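
The checks above can be run against an export of your user list. The following is an added example, not part of the original page or a Google tool: it assumes user records shaped like Admin SDK Directory API user resources (`primaryEmail`, `isAdmin`, `isEnrolledIn2Sv`, `suspended`), and the `admin-` naming convention for dedicated admin accounts is a hypothetical one.

```python
import json

# Constructed sample, shaped like user resources from the Admin SDK Directory
# API (primaryEmail, isAdmin, isEnrolledIn2Sv, suspended). Not real accounts.
SAMPLE_USERS = json.loads("""[
 {"primaryEmail": "admin-root@example.com", "isAdmin": true,  "isEnrolledIn2Sv": true,  "suspended": false},
 {"primaryEmail": "bob@example.com",        "isAdmin": true,  "isEnrolledIn2Sv": false, "suspended": false},
 {"primaryEmail": "carol@example.com",      "isAdmin": false, "isEnrolledIn2Sv": false, "suspended": false},
 {"primaryEmail": "admin-old@example.com",  "isAdmin": true,  "isEnrolledIn2Sv": true,  "suspended": true}
]""")


def audit_super_admins(users, min_admins=2, admin_prefix="admin-"):
    """Return (account, issue) findings for super admin accounts.

    admin_prefix is a hypothetical naming convention for dedicated admin
    accounts; pass None if your organization has no such convention.
    """
    findings = []
    # isAdmin marks super administrators; suspended ones cannot unlock anyone.
    admins = [u for u in users if u.get("isAdmin") and not u.get("suspended")]
    if len(admins) < min_admins:
        findings.append(("*", f"{len(admins)} active super admin(s), need {min_admins}"))
    for user in admins:
        email = user["primaryEmail"]
        if not user.get("isEnrolledIn2Sv"):
            findings.append((email, "super admin without 2-step verification"))
        if admin_prefix and not email.startswith(admin_prefix):
            findings.append((email, "super admin is not a dedicated admin account"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_super_admins(SAMPLE_USERS):
        print(f"{account}: {issue}")
```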


Default Security Settings

To further secure your organization’s account, you can enable specific security settings.

Enable or Disable Features

You can enable and disable features of the Google platform per user, per group, or per organizational unit.

  • Calendar

  • Drive

    • Offline Docs

    • Publish on the web

    • Sharing settings

  • Mail

    • Approved domain senders

    • Automatic email forwarding

    • Attachment safety

These are just a few of the possible options you can enable or disable in your account.


Password and Login Settings

Password and login policies are also available in your Google account.

You can force strong passwords, disable password re-use, and cause password resets on a regular schedule.


You can force a session to expire after a set amount of time.


You can enforce that accounts have two-factor auth enabled.


You can disable access from "Less Secure Apps," such as third-party clients that don’t meet Google’s security standards.


You can enable "Login challenges", which perform extended verification (such as an employee ID) if a login seems suspicious.


Context Aware Access

Advanced context-aware access rules are also an option.

You can set up rules that, when matched, require additional security.

First, you set access levels, which are tied to accounts, OUs, or groups.

Then an access level is configured with one or more rules.

For example, you could create an access level 1 that limits logins to IP addresses from the US only.


Advanced Rules

If the above settings don’t cover your needs, you can also define more advanced specific rules.

This page is where you can also tie in audit events to warn about security issues.


Data Protection

Google will monitor the data in your account and generate a report on what types of data are there, and how much of each type has been shared.


Monitoring Dashboard

There is also a monitoring dashboard with some important metrics.
