How to Harden Your Google Apps

Never let a good incident go to waste.

Today, we’re using the OPM incident as an excuse to share with you our top recommendations for shoring up the security of your Google Apps for Work account.

More than 5 million companies rely on Google Apps to run their critical business functions, like email, document storage, calendaring, and chat. As a result, a huge amount of data pools inside Google Apps just waiting for an attacker to gain access to it. In any modern company, this is target #1.

This guide is for small businesses who want avoid the worst security problems while expending minimal effort. If you’re in a company with more than 500 employees, and have dedicated IT staff, this guide is not for you.

Risks

A lot that can go wrong with computers, even when you eliminate the complexity of client applications and move to a cloud-hosted platform like Google Apps. Many people tend to think too abstractly about security to reason about concrete steps to improve themselves. In this context, here are the attacks we’re concerned about:

  • Password management. Users occasionally reuse passwords, surrender them to successful phishing, or lose all of them due to poor choice of password manager.
  • Cross-Site Scripting (XSS). Google has an enormous number of web applications under active development. They routinely acquire and add new companies to their domain. Some new vulnerabilities might be tucked into this torrent of fresh code. Any one XSS can result in a lost cookie that logs an attacker into your Google account.
  • Inadvertent Disclosure. Permissions management is hard. The user interface for Google Docs does not make it easier. Internal documents, calendars, and more can end up publicly available and indexed by search.
  • Backdoored Accounts. In the event of a successful compromise of one user’s account, the attacker will seek to preserve access so they can come back later. Backdoored Google Apps accounts can continue to leak emails even after you format an infected computer.
  • Exploits and Malware. Even with an all-Chromebook fleet (which we wholeheartedly recommend), there is a chance that computers will get infected and malware will ride on the back of legitimate sessions to gain access to your accounts.

Top 8 Google Apps Security Enhancements

If you make these few changes, you’ll be miles ahead of most other people and at considerably less risk to any of the above scenarios.

1. Create a secure Super Administrator account

In admin.google.com, create a new admin account for your domain. You’ll only use this account to administer your domain; no email, no chat. Stay logged out of it. Set the secondary, recovery email to a secure mail host (like your personal Gmail). Turn on 2FA or use a Security Key for both accounts.

Separate the role for administrative access to your domain

Separate the role for administrative access to your domain

2. Plug the leaks in your email policy

Gmail provides a wealth of options that allow users to forward, share, report, or disclose their emails to third parties. Any of these options could enable an inadvertent disclosure or provide a handy backdoor to an attacker who has lost their primary method of access. Disable read receipts, mail delegation, emailing profiles, automatic forwarding, and outbound gateways.

Limit what can go wrong with email

Limit what can go wrong with email

Disable automatic forward

Disable automatic forward

Keep your mail to yourself

Keep work email configurations clean

3. Enable 2-Step Verification (2SV) and review your enrollment reports

2SV (or, as it’s more commonly referred, 2-factor Authentication or 2FA) will save your ass. With 2FA switched on, stolen passwords won’t be enough to compromise accounts. Hundreds of services support it. You should encourage your users to turn it on everywhere. Heck, just buy a bunch of Security Keys and hand them out like health workers would condoms.

Why is this even an option? Turn it on already!

Why is this even an option? Turn it on already!

Note: The advanced settings expose an option to force 2FA on every user on your domain. To use this feature properly, you must create an exception group to allow new users to set up their accounts. tl;dr Ignore the enforcement feature and just go bop your users over the head when you see they haven’t turned 2FA on yet.

4. Delete or suspend unmaintained user accounts

Stale accounts have accumulated sensitive data yet have no one to watch over them. Over the lifetime of an account, it may have connected to dozens of apps, left its password saved in mobile and client apps, and shared public documents now left forgotten and unmaintained. Reduce the risk of these accounts by deleting or suspending them.

Delete or suspend unmaintained accounts

Delete or suspend unmaintained accounts

5. Reduce your data’s exposure to third parties

The default settings for Mail, Drive, Talk, and Sites can lead to over-sharing of data. Retain the flexibility for employees to choose the appropriate setting, but tighten the defaults to start with the data private and warn users when it is not. Currently, there is no universal control; you have to make changes to each Google app individually.

Disable contact sharing

Disable contact sharing (a great way to determine who your CEO talks to)

Stricter defaults for Drive

Stricter defaults for Drive

Stricter defaults for Drive

Stricter defaults for Drive

Help users recognize who they are talking to

Help users recognize who they are talking to

Don't overstore data if you don't need to

Don’t overstore data if you don’t need to

Help users understand who can see their Site

Help users understand who can see their Site

6. Prevent email forgery using your domain name

Left unprotected, it is easy for an attacker to spoof an email that looks like it came from your CEO and send it to your staff, partners, or clients. Ensure this does not happen. Turn on SPF and DKIM to authenticate email for your domain. Both require modifications to TXT records in your DNS settings.

Turn on DKIM for your domain and get this green check

Turn on DKIM for your domain and get this green check

7. Disable services from Google that you don’t need

Cross-site Scripting (XSS) and other client-side web application flaws are an underappreciated method for performing targeted hacks. DOM XSS can be used as a method of persistence. Labelling a bug as “post-authentication” means little when you stay logged into your Google account all day. Disable access to Google services you don’t use. That will help limit the amount of code your cookies are exposed to.

There are dozens of services you'll never use. Disable them.

There are dozens of services you’ll never use. Disable them.

8. Set booby traps for the hacker that makes it in anyway

Your defenses will give way at some point. When this happens, you’ll want to know it, fast. Enable predefined alerts to receive an email when major changes are made to your Google Apps. Turn on alerts for suspicious login activity, admin privileges added or revoked, users added or deleted, and any settings changes. Send the alerts to a normal user, since you wouldn’t be logged into the Super Administrator regularly.

Turn on alerts and be liberal with who gets them

Turn on alerts and be liberal with who gets them

Security Wishlist for Google Apps

Google Apps offers one of the most secure platforms for running outsourced IT services for your company. However, even the configuration above leaves some blind spots.

Better support for inbound attachment filtering

Attackers will email your users malicious attachments or links. This problem is largely one for the endpoint (and Google offers Chromebooks as one solution), but an email provider can do more to mitigate this tactic.

The Google Apps settings for Gmail offers an “attachment compliance” feature that, while not specifically made for security, could be enhanced to protect users from malicious attachments. Gmail could prepend a message to the email subject that includes a warning about certain attachments, quarantining attachments with certain features (e.g. macros), sending attachments to a third-party service for analysis via an ICAP-like protocol, or converting attachments (say, doc to docx).

If we took this idea even further, Gmail could strip the attachments entirely and place them in Google Drive. This would make it easier to remove access to the attachment in the event it was identified as malicious and it would make it easier to perform repeated analyses of past attachments to discover previously unknown malicious content.

Attachment compliance options could be useful to play with

Tune attachment compliance options to protect users from malicious attachments

Better management of 2FA enforcement

Google was the first major service provider to roll out 2FA to all their users. Their support for this technology has been nothing short of tremendous. But it’s still too hard to enforce across your domain in Google Apps.

Turning on organization-wide enforcement requires setting up an exception group and performing extra work each time you add a new user to your domain. Could Google require 2FA on first sign-in, or give new users a configurable X-day grace period during which they could use just a password? How about bulk discounts on Security Keys?

Built-in management and reporting for DMARC

Domain Message Authentication Reporting and Conformance (DMARC), like SPF and DKIM, was designed to enhance the security and deliverability of the email you send. DMARC can help you discover how and when other people may be sending email in your name. If you want to turn on DMARC for your Google Apps, you’re pretty much on your own.

Google should make it easier to turn on DMARC and provide the tools to help manage it. This is a no-brainer, and it should be, considering email is their flagship feature.

End-to-end crypto on all their services

If the data for your organization were stored encrypted on Google servers, you wouldn’t have to worry as much about password disclosures, snooping Google employees, or security incidents at Google. Anyone who gained access to your data, but lacked the proper key, would be unable to read it.

Google’s End-to-End project will help users deploy email crypto. If you want this feature today, the S/MIME standard is supported out-of-the-box on Mail.app, iOS, Outlook, Thunderbird, and more. Amazon WorkMail, a competitor to Google Apps, allows client-managed keys. By encrypting 100% of your internal email, their contents are unreadable to third parties that happen to gain access to your accounts.

However, this still leaves sensitive data that lives unprotected on other services, like Hangouts and Drive. Yes, there are alternatives, but none are ideal in this scenario. You could deploy your own, in-house secure videoconferencing or consider adopting tarsnap but the inconvenience is still too great. This problem is still waiting for a solution in Google Apps.

If You Have a Problem

By now, your Google Apps domain should be less vulnerable. So, what happens if you discover one of your users has been hacked? Google has you covered here. Review the “Administrator security checklist” if you think you have a problem. Their step-by-step guide is nearly everything you need to get started responding to a security incident.

Feedback

I hope that you have found this guide useful. What do you use to help secure your Google Apps? Are there features on your wishlist for Google Apps that I missed? Did I miss something?

UPDATE 1:

GCHQ released a guide for securing Google Apps in November, 2015.

5 thoughts on “How to Harden Your Google Apps

    • Thanks! I didn’t even consider marketplace applications. It’s a real problem that Google spread out the security-relevant configuration options all over their app.

  1. Thank you for sharing this! I love the google apps, but I have always found their security lacking to say the least. More people need to know just how secure their information is!

  2. Pingback: 2015 In Review – Trail of Bits Blog

  3. Hi,
    sometimes this ardening is counterproductive.

    For example, we are creating users via API. And default hardening of Google makes these accounts suspicious, forcing newly created users to enter phone address for SMS code.

    Do you, by any chance, know how to lower this setting? Thanks!
    Petr Gašparík, petr.gasparik@ami.cz

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s