Securing Google Workspace Administation with Free Secondary Admin Accounts

This is especially useful for all Google Workspace admins who still use their regular account as domain admin. Google's security best practices for administrator accounts mentions

Don’t use a super admin account for daily activities

and I believe that this is a really important point. If you haven't done so, I also strongly recommend going over this acrticle as it serves as a check-list for your admin setup. Why isn't everybody using an admin account? Well, paying for yet another Google Workspace license just for admin work might be too much for you, especially for smaller domains.

A Shared Admin Account - Bad Idea

Some domains use a shared super admin account where every user has their own YubiKey configured as MFA. While this approach does separate between regular work and admin access, it doesn't give a good solution IMHO:

  • You can't know who actually used it because multiple people have access and Google doesn't log the actual Yubikey used for login
  • Avoiding the cost for a Google Workspace license that nobody is using
  • Risk of losing access to that super admin account, concentration of risk in a single account
  • That user account has regular access to Google services, which increases the attack surface for phishing, credential extraction or access grant attacks

The following approach aims to resolve all these problems at the same time.

Cloud Identity Free

Luckily, there is a solution to this problem: Cloud Identity Free is a free add-on to Google Workspace:

Cloud Identity Free edition includes core identity and endpoint management services. It provides managed Google Accounts to users who don’t need certain Google Workspace services, such as Gmail and Google Calendar.

In fact, Cloud Identity Free (CIF) users are regular Google Workspace users that simply don't have GMail, Calendar, can only participate in Meet meetings and can only read content in Shared Drives. Everything else is pretty much the same, however some advanced features of paid Google Workspace licenses are also missing, as shown by the feature comparison. By default every Google Workspace domain gets 50 licenses for CIF, but that can be increased upon request.

CIF users can be used for many purposes and the main benefit is that they are free of charge and that they avoid some security challenges because they don't have email access. That also makes CIF users a perfect solution for secondary admin accounts which are used only for Google Workspace administration.

The remaining article serves as a step-by-step how-to that guides you through the initial setup and migration.

Setup & Configuration

To start using CIF accounts as secondary admin accounts instead of regular user accounts, we need to make some changes to our Google Workspace domain:

  1. Setup Cloud Identity Free
  2. Decide on an account naming scheme
  3. Configure email delivery for secondary admin accounts
  4. Create OU for secondary admin accounts
  5. Create secondary admin accounts
  6. Secure secondary admin accounts
  7. Configure super admin recovery
  8. Revoke super admin from regular users

Setup Cloud Identity Free

CIF (Cloud Identity Free) is an add-on product to Google Workspace, and can be activated via the admin console. If your organization bought Google Workspace from a third party, you need to contact your reseller to add Cloud Identity licenses to your organization's Google Workspace account.

In your Google Admin console (at admin.google.com)

  1. Go to ꠵ Menu → BillingGet more services.
  2. On the left, click Cloud Identity.
  3. Next to Cloud Identity Premium or Cloud Identity Free, click Get Started.

Decide on an Account Naming Scheme

You can use any naming scheme, however my suggestion for a naming scheme is this:

  • First Name: Admin
  • Last Name: Actual full name of user, e.g. "Schlomo Schapiro"
  • Full Name: Admin First-Name, e.g. "Admin Schlomo Schapiro"
  • Email: administrator.first-name.last-name@domain.com, e.g. administrator.schlomo.schapiro@domain.com

The reasoning for this scheme is that it creates a high degree of visibility for the fact that this is an admin account and makes it simple to handle email delivery via a pattern match.

Configure Google Group and Email Delivery for Secondary Admin Accounts

CIF accounts don't have email capabilities, however you'll need to enable email delivery to real humans for those accounts. This is important to receive notifications and progress information related to the admin accounts, e.g. for a data transfer from a deleted user to another one.

Admin accounts however don't require a personal or individual email, so that you can use a Google Group to receive email for all admin accounts. That way all admins get the same information for admin-related activities and you will create greater transparency around admin tasks.

Illustration showing a Google Group collecting emails for the CIF users with administrator prefix

To facilitate this catch-all email delivery we make use of the Default Routing rules for GMail and create a new rule to route that maps all emails matching administrator.<anything>@domain.com to be delivered to administrators@domain.com, which is a Google Group that contains the personal user accounts of the domain administrators.

  1. In the Admin console, go to ꠵ Menu → AppsGoogle WorkspaceGmailDefault Routing.
  2. Click Configure or Add another rule.
  3. In the Add setting box, take these steps:
    1. Specify envelope recipients to match via pattern, e.g. administrator\..*@domain.com$ and make sure to test the pattern:



    2. If the envelope recipient matches the above, do the following - Modify the message
      1. Headers - select Add X-Gm-Original-To header



      2. Envelope recipient - Replace username with the group email, e.g. administrators
    3. Options:
      Select Perform this action only on non-recognised addresses
  4. Click Save

Next, create the new Google Group as a security group:

  1. In the Admin console, go to ꠵ Menu → DirectoryGroups.
  2. At the top, click Create group.
  3. Enter the following details (following the above examples):
    1. Group name: Domain Administrators
    2. Group email: administrators - this must match the email used in the routing rule!
    3. Group description: All Domain Administrators
    4. Select the Security checkbox
      Screenshot showing group creation for administrators group
  4. Click Next and configure at least the following Group settings to:
    1. Allow "view conversations" only for group members
    2. Allow "post" to External
    3. Only invited users can you the group
      Screenshot showing the group settings
    4. Click Create Group to create the group and add all the domain administrators' personal accounts as members.

Finally, send a test email from the outside (not from a domain user but some other system) to a fake administrators email to validate the email rule and group configuration. For example, an email sent to administrators.this.does.not.exist@domain.com should arrive in the new Google Group and come to the GMail Inbox of all members. When viewing the test email, check also for the X-Gm-Original-To header to see the original envelope recipient.

Create OU for Secondary Admin Accounts

First, create a new organizational unit (OU) for all the secondary admin accounts. This OU makes it easy to apply additional restrictions and security hardening. And it is required to disabled automatically assigning Google Workspace licenses to the secondary admin accounts.

  1. In the Admin console, go to ꠵ Menu → Directory → Organizational units.
  2. Click on "Create organizational unit"
  3. Fill in the name, e.g. "Administrators" and a description and select the parent OU, I recommend top level, for the new OU:
  4. Click on Create
  5. Go to ꠵ Menu → Billing → License settings.
  6. Click on the newly created OU and then click on the pen icon to disable automatic license assignment for Google Workspace licenses:
  7. Select OFF in the drop-down and click Override to save the setting:

To reduce the potential attack surface, I recommend disabling as many Google Workspace services as possible:

  1. In the Admin console, go to ꠵ Menu → Apps → Google Workspace → Service status.
  2. Select the newly created OU, e.g. "Administrators"
  3. Select all services and click OFF in the table header:

  4. Go to ꠵ Menu → Apps → Additional Google Services.
  5. Select the newly created OU, e.g. "Administrators".
  6. Select all services and click OFF in the table header, go to the 2nd page and repeat to disable all remaining services.
  7. Finally, click on Change at the top to disable the services without individual controls. Make sure to again select the new "Administrators" OU on the left side before selecting the OFF and saving via Override:

Additionally, I recommend activating the Advanced Protection Programme (APP) for all secondary admin users, by following these instructions. This includes activating 2-Step-Verification and allowing users to enroll into the APP.

Create Secondary Admin Accounts

Finally, you can create a new secondary admin account:

  1. In the Admin console, go to ꠵ Menu → Directory → Users
  2. Select the newly created OU, e.g. "Administrators"
  3. Click on Add new userand fill in the new user details:
  4. Click Add new user to create the user
  5. In the confirmation screen, click on Preview and send to send the new user setup instructions to the personal email of the user:
  6. Add the new user to the Super Admin role (alternatively, perform this step after the user activated their account and enrolled into the Advanced Protection Programme). To do so, find the new secondary admin user in the Admin console, scroll to Admin Roles and Privileges and assign the Super Admin role:

    Don't forget to click Save at the end.

Securing Secondary Admin Accounts

These steps have to be performed by the users for their new secondary admin accounts:

  1. The user will receive and email with a sign in link. They should create a new Chrome profile and open the link in this new profile, it will ask them to set a password for their new account:
  2. Enroll into the Advanced Protection Programme

Configure Super Admin Recovery

To ensure continued access to your Google Workspace domain I recommend to implement these strategies:

  1. multiple super admins who all use their account on a regular base
  2. potentially allowing super admins to reset their password
  3. ensure that you can modify your DNS domain configuration off-line or without depending on your Google Workspace domain, to use the domain as a way to prove ownership and recover domain access via a support ticket to Google.

See Recovering administrator access to your account for more details on the recovery options.

Revoke Super Admin from Regular Users

After creating secondary admin accounts for your users I recommend a 2 week period where your admins exercise working with the new secondary admin accounts. If you don't find any problems, you can remove the Super Admin role from the regular users and enjoy a significantly improved security posture for your Google Workspace domain.

Are you interested in learning more about good administration practices and securing Google Workspace, in your company? Together with my colleagues from Tektit Consulting I'll be happy to support you personally!

Comments

Like this content? You could send me something from my Amazon Wishlist. Need commercial support? Contact me for Consulting Services.

Popular posts from this blog

Overriding / Patching Linux System Serial Number

A Login Security Architecture Without Passwords

The Demise of KaiOS - Alcatel 3088X