With the following settings, a G Suite administrator can protect passwords, secure sign-ins, and significantly reduce phishing for your organization.
A G Suite administrator has access to hundreds of settings that affect how Google’s collaborative tools work for people in an organization. These tools include settings for shared Google Drive documents, Chrome browser behavior, as well as mobile device and app management. A prudent G Suite administrator will periodically review many of these settings. See 5 important tasks for G Suite administrators for a list of specific items to check.
The following steps are three of the most important actions a G Suite administrator can take to protect an organization’s data. In order, these steps help protect your organization’s email communications, guard against unauthorized account access, and alert people in your organization to potential password problems.
Anyone may run the first test below to check your domain name system (DNS) configuration, but you’ll need administrator access to both G Suite and your domain’s DNS settings to completely configure all three of the following G Suite security components.
SEE: G Suite: Tips and tricks for business professionals (TechRepublic download)
Validate G Suite mail exchange records
A properly configured DNS and mail exchange (MX) records make it difficult for people outside your organization to falsely send email that appears to be from an account in your organization. Specifically, correctly configured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) records work together to reject email not sent from people in your organization.
Follow these steps to check that your MX records are correctly configured for G Suite.
1. Go to toolbox.googleapps.com.
2. Select Check MX.
3. Enter the domain you’ve configured to use with G Suite in the text box below Domain name (e.g., wolberworks.com).
4. Select Run Checks!
5. Wait a few moments for the system to check your system’s DNS and MX records.
6. If issues are identified, the system will display an exclamation mark inside either a yellow or red triangle. Yellow indicates a problem, while red signals an issue that may prevent mail delivery.
7. Next to identified problems, the system displays a link to a related G Suite Help center article with guidance as to how to fix the identified issue. Follow the instructions to complete configuration of your MX records, as well as all SPF, DKIM, and DMARC settings. Proper adjustment and configuration of DNS settings can take time to deploy, so this may take a period of days to complete.
8. Repeat the process until the system displays a green checkmark next to your domain name, along with a “No problems were found with the configuration of this domain” message (Figure A).
Enable 2-Step Verification
Every organization that uses G Suite should allow people in the organization to enable 2-Step Verification. Once enabled, people will not only need an account name and password to sign in, but also an additional method, such as a Security Key, Google Prompt, or Google Authenticator, among others.
To enable 2-step verification for people in your organization (Figure B):
1. Sign in with a G Suite administrator account.
2. Select Security | Basic Settings, then check the box next to Allow Users To Turn On 2-Step Verification. Select Save to apply your settings.
3. If you wish to require people to use 2-Step Verification, select Go To Advanced Settings To Enforce 2-Step Verification. Within the advanced settings, you may turn on enforcement, restrict the verification methods, and choose a new user enrollment period.
Note: You may apply different 2-Step Verification requirements to different groups of people by selecting an organizational unit. This would allow you, for example, to place some accounts–such as G Suite administrators, executives, and people with access to sensitive information–into an organizational unit that requires 2-step authentication. In a school setting, for example, certain employees might be placed in an organizational unit that requires 2-step authentication, while students might be placed in an organizational unit that does not.
Install Chrome password extensions
Google provides two extensions that can help protect passwords for people who use Chrome on a computer. The Password Alert extension notifies people when they sign-in with their Google account password to any site other than the actual Google sign-in service. The Password Checkup extension notifies people when a password they use on a service has been part of a publicly known data breach. Combined, the two extensions raise awareness of password problems.
A G Suite administrator may choose to Force Install these extensions for people within the organization (Figure C).
1. Sign in with a G Suite administrator account.
2. Go to https://admin.google.com/ac/chrome/apps/user.
3. Move the cursor over the yellow circle with a + in it (lower-right), then choose the square grid with nine square in it, Add Chrome App Or Extension By ID. Copy and paste the Password Alert extension ID—noondiphcddnnabmjcihcjfbhfklnnep—into the Extension ID box, then select Save.
4. Move the cursor over the yellow circle with a + in it (lower right), then choose the square grid with nine square in it, Add Chrome App Or Extension By ID. Copy and paste the Password Checkup extension ID—pncabnpcffmalkkjpajodfhijclecjno—into the Extension ID box, then select Save.
5. Next to the Password Alert extension, select the drop-down menu, select Force Install, then select Save.
6. Next to the Password Checkup extension, select the drop-down menu, select Force Install, then select Save.
What’s your preferred G Suite security configuration?
The three steps above allow a G Suite admin to secure an organization’s G Suite email and accounts, as well as other passwords. If you use G Suite or are a G Suite administrator, what additional steps (if any) do you take to protect your organization’s accounts and data? Let me know in the comments below or on Twitter (@awolber).