Securing Google Workspace Administration with Free Secondary Admin Accounts

This is especially useful for all Google Workspace admins who still use their regular account as domain admin. Google's security best practices for administrator accounts mentions

Don’t use a super admin account for daily activities

and I believe that this is a really important point. If you haven't done so, I also strongly recommend going over this acrticle as it serves as a check-list for your admin setup. Why isn't everybody using an admin account? Well, paying for yet another Google Workspace license just for admin work might be too much for you, especially for smaller domains.

A Shared Admin Account - Bad Idea

Some domains use a shared super admin account where every user has their own YubiKey configured as MFA. While this approach does separate between regular work and admin access, it doesn't give a good solution IMHO:

  • You can't know who actually used it because multiple people have access and Google doesn't log the actual Yubikey used for login
  • Avoiding the cost for a Google Workspace license that nobody is using
  • Risk of losing access to that super admin account, concentration of risk in a single account
  • That user account has regular access to Google services, which increases the attack surface for phishing, credential extraction or access grant attacks

The following approach aims to resolve all these problems at the same time.

Cloud Identity Free

Luckily, there is a solution to this problem: Cloud Identity Free is a free add-on to Google Workspace:

Cloud Identity Free edition includes core identity and endpoint management services. It provides managed Google Accounts to users who don’t need certain Google Workspace services, such as Gmail and Google Calendar.

In fact, Cloud Identity Free (CIF) users are regular Google Workspace users that simply don't have GMail, Calendar, can only participate in Meet meetings and can only read content in Shared Drives. Everything else is pretty much the same, however some advanced features of paid Google Workspace licenses are also missing, as shown by the feature comparison. By default every Google Workspace domain gets 50 licenses for CIF, but that can be increased upon request.

CIF users can be used for many purposes and the main benefit is that they are free of charge and that they avoid some security challenges because they don't have email access. That also makes CIF users a perfect solution for secondary admin accounts which are used only for Google Workspace administration.

The remaining article serves as a step-by-step how-to that guides you through the initial setup and migration.

Setup & Configuration

To start using CIF accounts as secondary admin accounts instead of regular user accounts, we need to make some changes to our Google Workspace domain:

  1. Setup Cloud Identity Free
  2. Decide on an account naming scheme
  3. Configure email delivery for secondary admin accounts
  4. Create OU for secondary admin accounts
  5. Create secondary admin accounts
  6. Secure secondary admin accounts
  7. Configure super admin recovery
  8. Revoke super admin from regular users

Setup Cloud Identity Free

CIF (Cloud Identity Free) is an add-on product to Google Workspace, and can be activated via the admin console. If your organization bought Google Workspace from a third party, you need to contact your reseller to add Cloud Identity licenses to your organization's Google Workspace account.

In your Google Admin console (at admin.google.com)

  1. Go to ꠵ Menu → BillingGet more services.
  2. On the left, click Cloud Identity.
  3. Next to Cloud Identity Premium or Cloud Identity Free, click Get Started.

Decide on an Account Naming Scheme

You can use any naming scheme, however my suggestion for a naming scheme is this:

  • First Name: Admin
  • Last Name: Actual full name of user, e.g. "Schlomo Schapiro"
  • Full Name: Admin First-Name, e.g. "Admin Schlomo Schapiro"
  • Email: administrator.first-name.last-name@domain.com, e.g. administrator.schlomo.schapiro@domain.com

The reasoning for this scheme is that it creates a high degree of visibility for the fact that this is an admin account and makes it simple to handle email delivery via a pattern match.

Configure Google Group and Email Delivery for Secondary Admin Accounts

CIF accounts don't have email capabilities, however you'll need to enable email delivery to real humans for those accounts. This is important to receive notifications and progress information related to the admin accounts, e.g. for a data transfer from a deleted user to another one.

Admin accounts however don't require a personal or individual email, so that you can use a Google Group to receive email for all admin accounts. That way all admins get the same information for admin-related activities and you will create greater transparency around admin tasks.

Illustration showing a Google Group collecting emails for the CIF users with administrator prefix

To facilitate this catch-all email delivery we make use of the Default Routing rules for GMail and create a new rule to route that maps all emails matching administrator.<anything>@domain.com to be delivered to administrators@domain.com, which is a Google Group that contains the personal user accounts of the domain administrators.

  1. In the Admin console, go to ꠵ Menu → AppsGoogle WorkspaceGmailDefault Routing.
  2. Click Configure or Add another rule.
  3. In the Add setting box, take these steps:
    1. Specify envelope recipients to match via pattern, e.g. administrator\..*@domain.com$ and make sure to test the pattern:



    2. If the envelope recipient matches the above, do the following - Modify the message
      1. Headers - select Add X-Gm-Original-To header
      2. Envelope recipient - Replace username with the group email, e.g. administrators
    3. Options:
      Select Perform this action only on non-recognised addresses
  4. Click Save

Next, create the new Google Group as a security group:

  1. In the Admin console, go to ꠵ Menu → DirectoryGroups.
  2. At the top, click Create group.
  3. Enter the following details (following the above examples):
    1. Group name: Domain Administrators
    2. Group email: administrators - this must match the email used in the routing rule!
    3. Group description: All Domain Administrators
    4. Select the Security checkbox
      Screenshot showing group creation for administrators group
  4. Click Next and configure at least the following Group settings to:
    1. Allow "view conversations" only for group members
    2. Allow "post" to External
    3. Only invited users can you the group
      Screenshot showing the group settings
    4. Click Create Group to create the group and add all the domain administrators' personal accounts as members.

Finally, send a test email from the outside (not from a domain user but some other system) to a fake administrators email to validate the email rule and group configuration. For example, an email sent to administrators.this.does.not.exist@domain.com should arrive in the new Google Group and come to the GMail Inbox of all members. When viewing the test email, check also for the X-Gm-Original-To header to see the original envelope recipient.

Create OU for Secondary Admin Accounts

First, create a new organizational unit (OU) for all the secondary admin accounts. This OU makes it easy to apply additional restrictions and security hardening. And it is required to disabled automatically assigning Google Workspace licenses to the secondary admin accounts.

  1. In the Admin console, go to ꠵ Menu → Directory → Organizational units.
  2. Click on "Create organizational unit"
  3. Fill in the name, e.g. "Administrators" and a description and select the parent OU, I recommend top level, for the new OU:
  4. Click on Create
  5. Go to ꠵ Menu → Billing → License settings.
  6. Click on the newly created OU and then click on the pen icon to disable automatic license assignment for Google Workspace licenses:
  7. Select OFF in the drop-down and click Override to save the setting:

To reduce the potential attack surface, I recommend disabling as many Google Workspace services as possible:

  1. In the Admin console, go to ꠵ Menu → Apps → Google Workspace → Service status.
  2. Select the newly created OU, e.g. "Administrators"
  3. Select all services and click OFF in the table header:

  4. Go to ꠵ Menu → Apps → Additional Google Services.
  5. Select the newly created OU, e.g. "Administrators".
  6. Select all services and click OFF in the table header, go to the 2nd page and repeat to disable all remaining services.
  7. Finally, click on Change at the top to disable the services without individual controls. Make sure to again select the new "Administrators" OU on the left side before selecting the OFF and saving via Override:

Additionally, I recommend activating the Advanced Protection Programme (APP) for all secondary admin users, by following these instructions. This includes activating 2-Step-Verification and allowing users to enroll into the APP.

Create Secondary Admin Accounts

Finally, you can create a new secondary admin account:

  1. In the Admin console, go to ꠵ Menu → Directory → Users
  2. Select the newly created OU, e.g. "Administrators"
  3. Click on Add new userand fill in the new user details:
  4. Click Add new user to create the user
  5. In the confirmation screen, click on Preview and send to send the new user setup instructions to the personal email of the user:
  6. Add the new user to the Super Admin role (alternatively, perform this step after the user activated their account and enrolled into the Advanced Protection Programme). To do so, find the new secondary admin user in the Admin console, scroll to Admin Roles and Privileges and assign the Super Admin role:

    Don't forget to click Save at the end.

Securing Secondary Admin Accounts

These steps have to be performed by the users for their new secondary admin accounts:

  1. The user will receive and email with a sign in link. They should create a new Chrome profile and open the link in this new profile, it will ask them to set a password for their new account:
  2. Enroll into the Advanced Protection Programme

Configure Super Admin Recovery

To ensure continued access to your Google Workspace domain I recommend to implement these strategies:

  1. multiple super admins who all use their account on a regular base
  2. potentially allowing super admins to reset their password
  3. ensure that you can modify your DNS domain configuration off-line or without depending on your Google Workspace domain, to use the domain as a way to prove ownership and recover domain access via a support ticket to Google.

See Recovering administrator access to your account for more details on the recovery options.

Revoke Super Admin from Regular Users

After creating secondary admin accounts for your users I recommend a 2 week period where your admins exercise working with the new secondary admin accounts. If you don't find any problems, you can remove the Super Admin role from the regular users and enjoy a significantly improved security posture for your Google Workspace domain.

Are you interested in learning more about good administration practices and securing Google Workspace, in your company? Together with my colleagues from Tektit Consulting I'll be happy to support you personally!

Location: Berlin, Germany

Comments

Post a Comment

Like this content? You could send me something from my Amazon Wishlist. Need commercial support? Contact me for Consulting Services.

Popular posts from this blog

Overriding / Patching Linux System Serial Number

Image
I'm a big fan of test driven development  (TDD) for infrastructure components. I'm currently working on a hardware-related topic where we also use the system serial number as identifier. To create a proper integration test, we need to be able to start a system and set the serial number to a known value. This can easily be done with the help of virtual machines like in VMware or VirtualBox , but I couldn't find a way for changing the system serial number on hardware boxes, cloud VMs (e.g. on Alibaba Cloud) or other Linux system. Problem Analysis I was thinking: Linux is the operating system where I can potentially do everything . So how hard can this be? After some digging around I found out that there are those main sources for the serial number on Linux: /sys/firmware/dmi/tables/DMI contains a binary blob of Desktop Management Interface data provided by the kernel and the dmidecode utility is commonly used to decode
Read more

A Login Security Architecture Without Passwords

Image
Following up on Lifting the Curse of Static Credentials and Eliminating the Password of Shared Accounts , I have many discussions about why we would benefit from removing password prompts for website logins. Let's dig deeper into the details and show why removing password prompts leads to a  safer security architecture . Update 11.03.2022: Added more details about business vs. consumer websites and additional security suggestions surrounding WebAuthn Problem Space For context, imagine a website that needs to identify online users via their email address. We assume that the website in question is not the primary email system of a user but some other website, e.g. an e-commerce shop system or a collaborative productivity tool. As a User As a user of that website I want to easily sign up for an account have an easy way to login into the account be sure that my account is protected from others or attacks be able to easily recover access to my account i
Read more

WARNING is a waste of my time

Image
How many log levels do you know? How many log levels are actually useful? At Relax and Recover we had an interesting discussion about the use of the WARNING log level. I suddenly realized that in a world of automation, I need only two log levels: ERROR and everthing else. ERROR means that I as a human should take action. Everything else is irrelevant for me. So far for the user side. As a programmer the choice of log level is sometimes much more difficult. As a programmer I might not want to decide for the user if some problem is an ERROR or not. The obvious solution is to issue a WARNING in an attempt to shed the responsibility of making a decision. But in an automated world that does not help me as an admin to run the software better. WARNINGS for most cases only create extra manual work because somebody needs to go and check some log file and decide if there actually is a problem. I would rather have the software make that decision and I would be happy to fix or readjus
Read more