MatrixC Best Practices: How to secure your Admin account
Updated: Aug 26
Before we begin, this article is meant to be read by G Suite users who are super admins of their organizations with full admin privileges. So, don't be surprised if some of the methods below don't work for you!
Your Admin Account is the central place to manage your G Suite services. Without it, the whole organization becomes messy and everything else falls apart. Therefore, to protect your organization, you must start by securing the core: your super Admin Account.
How do we protect the Admin Account?
1. Have at least two super admin accounts!
Practically, a business should have more than just one super admin account, each managed by a separate individual admin. MatrixC recommends a minimum of 2 and a maximum of 4 super admin accounts so that in the event one account is compromised, another super admin account can come to the rescue while the first one is being recovered.
2. Require a second authentication factor for admin accounts
Super admin accounts must - I repeat, must - be set up with 2-step verification. If for whatever reason the password is leaked, 2-step verification (2SV) protects the account from unauthorized access. It is extremely important for super admins to use 2SV because their accounts control access to all business confidential information and employee data in the organization. Find out how to set up your 2SV here: Protect your business with 2-Step Verification - G Suite Admin Help
3. Don’t use a super admin account for daily activities
Super admins can manage all aspects of your company’s account and can even reset another account’s password. Therefore, it’s important that super admins use a separate user account for day-to-day activities. Admins should only sign in to their super admin accounts when they need to perform super admin duties, such as setting up 2SV or helping another admin recover their account.
4. Don’t stay signed in!
As much as you want to, it’s extremely risky to stay signed in to a super admin account when you aren’t doing specific administrative tasks as it can increase exposure to phishing attacks. Therefore, super admins should sign in as needed to do specific tasks and then sign out right away!
5. Administration of other Google Services
The Super Admin account should not be used to manage other Google services such as Google Cloud Platform (GCP), YouTube, Google Analytics, etc. Those services should be delegated to individual user accounts instead. Accounts that manage those services are usually more exposed to phishing or hacking attempts.
Is your Admin Account secure enough now? That's great! In addition to the above, we would also like to share several tips to help you manage your super Admin Accounts better!
How you should manage your Admin Accounts:
1. Set up multiple super admin accounts!
We can’t stress this enough. It is ideal to have more than one super admin account so that in the event one account is compromised, another super admin account can come to the rescue while the first one is being recovered.
2. Create per-user super admin role accounts
If there are multiple super admins and each uses firstname.lastname@example.org to sign in, you can’t see which super admin is responsible for activities in the audit log. Each super admin should have an identifiable admin account.
For example, if Chong and Amin are super admins, they should have per-user super admin role accounts and user accounts:
3. Delegate daily admin tasks to user accounts
To encourage using a super admin account only when needed, delegate normal day-to-day administrative operations to user accounts (with limited privileges). For example, you could delegate a frequent activity such as resetting passwords to a user account but allow only super admins to delete an account.
When delegating admin privileges, use the model of least privilege. In a model of least privilege, each admin has access only to the resources and tools they need for their typical tasks in the day-to-day account. This could mean using a pre-defined role or creating a new custom admin role.
Wait, then how should we monitor admin accounts?
1. Set up admin email alerts
Monitor admin activity and track potential security risks by setting up admin email alerts for certain events, such as suspicious sign-in attempts, compromised mobile devices, or settings changed by another admin. When you turn on an alert for an activity, you receive an email each time that activity happens, so you can act to tighten your security or troubleshoot right away.
2. Review the Admin audit log
The Admin audit log is another tool to monitor admin activity. The Admin audit log shows a history of every task performed in the Google Admin console, which admin performed the task, the date, and the IP address the admin signed in from.
Activity from the super admin appears in the Event Description column as _SEED_ADMIN_ROLE, followed by the username.
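As an added example (not MatrixC's or Google's own code), here is a small Python review of an Admin audit log export that uses the _SEED_ADMIN_ROLE marker described above. It assumes a constructed CSV with the four columns the post names (Event Description, Admin, Date, IP Address), flags super admins who sign in from more than one IP address (a sign of a shared account, which the per-user account tip above avoids), and lists routine tasks such as password resets that were done with super admin rights instead of a delegated user account:

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names follow the post's description of the
# Admin audit log, and the _SEED_ADMIN_ROLE prefix marks super admin activity.
SAMPLE_AUDIT_CSV = """Event Description,Admin,Date,IP Address
_SEED_ADMIN_ROLE chong@example.org changed password for alice@example.org,chong@example.org,2020-08-20T09:12:00Z,203.0.113.10
_SEED_ADMIN_ROLE chong@example.org deleted user bob@example.org,chong@example.org,2020-08-20T21:40:00Z,198.51.100.7
helpdesk@example.org changed password for carol@example.org,helpdesk@example.org,2020-08-20T10:05:00Z,203.0.113.11
_SEED_ADMIN_ROLE amin@example.org added user dave@example.org,amin@example.org,2020-08-21T08:00:00Z,203.0.113.12
"""

SUPER_ADMIN_MARKER = "_SEED_ADMIN_ROLE"
# Tasks the post suggests delegating to limited user accounts (assumed wording).
ROUTINE_TASKS = ("changed password",)


def parse_audit_export(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def super_admin_events(rows):
    """Only the rows where the super admin role was used."""
    return [r for r in rows if r["Event Description"].startswith(SUPER_ADMIN_MARKER)]


def ips_per_super_admin(rows):
    """Map each super admin to the sorted list of IP addresses they used."""
    seen = defaultdict(set)
    for r in super_admin_events(rows):
        seen[r["Admin"]].add(r["IP Address"])
    return {admin: sorted(ips) for admin, ips in seen.items()}


def flag_multi_ip_super_admins(rows):
    """Super admins seen from more than one IP: review for account sharing."""
    return sorted(a for a, ips in ips_per_super_admin(rows).items() if len(ips) > 1)


def routine_tasks_as_super_admin(rows):
    """Routine tasks run with super admin rights; candidates for delegation."""
    return [r for r in super_admin_events(rows)
            if any(t in r["Event Description"] for t in ROUTINE_TASKS)]


if __name__ == "__main__":
    rows = parse_audit_export(SAMPLE_AUDIT_CSV)
    print("shared/roaming super admins:", flag_multi_ip_super_admins(rows))
    for r in routine_tasks_as_super_admin(rows):
        print("delegate this task:", r["Admin"], r["Date"], r["Event Description"])
```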
3. Save backup codes ahead of time for admin account recovery
If an admin loses their security key or phone (where they receive a 2SV verification code or Google prompt), they can use a backup code to sign in.
Admins should generate and print backup codes in case they’re needed. Keep backup codes in a secure location; they could be your only lifeline. In some extreme cases, even Google may be powerless to recover an account (no security questions, backup devices, phone numbers, or emails are reachable), so do keep these backup codes safe at all times.
4. Again, do set up an additional admin
If an admin can’t sign in to their admin account, another admin can generate a backup code for them so they can sign in using 2SV.
5. Contact Your Reseller to provide help immediately
Don’t risk it for the biscuit! If you are having trouble signing in to your Super Admin account, kindly ask your PIC to contact us at email@example.com. We will provide you with recovery support as soon as possible!
It's always better to be safe than sorry. Let's stay safe physically and online too!