Google Security
Summary
🔑 Key Takeaway: Enhance your Google account security by implementing robust 2FA, eliminating redundant recovery options, and diligently overseeing third-party access.
Google provides a wide range of services—from email to file storage. Safeguarding your Google account is among the most critical steps you can take to protect your personal and professional data. Below are simple yet effective measures to improve your Google account security.
For Individuals
These settings apply to your personal Google account. All team members and admins should configure these on their own accounts.
This section does not include Google Suite or more advanced security configurations. For that, refer to the Operational Security Framework, under Google Suite Security.
Account Security Checklist
- Google Security Settings:
  - Settings > Security > Skip passwords when possible > Enabled
    - Skipping password entry lets you re-authenticate in public places without typing out your password or placing it in your clipboard
  - Settings > Security > Recovery email > Enabled
  - Settings > Security > Recovery phone > Disabled
    - By default, Google allows account recovery using phone numbers and emails. Attackers can exploit these if they compromise your phone or email.
    - Optional: If you're confident you won't need the standard recovery process, also remove the recovery email
  - Settings > Security > Third-party apps with account access > Remove all unnecessary
    - Some apps request extensive permissions (e.g., full inbox or file access). Review these regularly to minimize risk.
  - Settings > Security > Your devices > Log out from all unnecessary devices
    - Keeping track of active sessions helps you detect unauthorized access.
  - Settings > Security > Enhanced Safe Browsing > Enabled
- 2-Step Verification:
  - Properly setting up two-factor authentication (2FA) is one of the most crucial steps you can take. Disable SMS 2FA to avoid SIM swaps, and instead use an authenticator app or a hardware security key (preferred).
  - Enable any method, but passkeys or an authenticator app are recommended. You can also continue using Google prompts.
  - Disable "Voice or text message" if enabled
  - Remove any App passwords
  - Store Backup Codes offline in a secure place
- Google Connections:
  - Review each connected app's permissions; remove any that are unnecessary or excessive
- Google Profile:
  - Publicly visible personal info can help attackers impersonate you.
  - Check visibility: If any info is set to "Anyone," switch it to private unless it needs to be public
  - Birthday: Consider making it private
Extended Security Settings
For a comprehensive security review, follow these steps from Google Security:
- "Your connection to third-party apps & Services" > Revoke all applications that should not be connected
- "Log out of all unknown devices"
- "Skip password when possible" > Turn off (found directly below the previous step)
- "How you sign in with Google" > Set up your 2FA or Security Key
- Ensure you do not have a recovery phone setup. No SMS 2FA or phone number on your account at all.
- Change your password after completing these steps
- Note down your backup codes
If you use Google Authenticator as your 2FA app, disconnect it from cloud sync, since backup codes are then stored in the Google cloud associated with that email account. Use it without signing in to an account and make sure your backup codes are written down offline.
Advanced Protection Program
For those who are public figures or need heightened security, Google's Advanced Protection Program is worth considering. It requires the use of security keys, limits access to unverified apps, and makes the process of account recovery more challenging.
Best Practices & Ongoing Maintenance
- Review Security Alerts: Pay attention to any email or phone notifications from Google regarding unusual sign-ins or account changes.
- Perform a Security Checkup: Regularly visit Google's Security Checkup to identify potential issues and resolve them.
- Consider using identity monitoring apps like Push Security.
For Team Members
These guidelines apply to team members who use Google Workspace but don't have administrative access.
Team members should:
- Ensure their individual account settings are configured according to the checklist above
- Pay attention to any email or phone notifications from Google regarding unusual sign-ins or account changes
- Regularly visit Google's Security Checkup to identify potential issues and resolve them
For Admins
These settings and practices apply to Google Workspace administrators with elevated privileges.
Admin Settings (Workspace Configuration)
Rules and Notifications
- Rules > Enable notifications for security events:
  - "User's password changed"
  - "Suspicious login"
  - "User granted Admin privilege"
  - "User's Admin privilege revoked"
  - "Primary admin changed"
  - "Leaked password"
  - "Device compromised" [1]
Security Settings
- Security > Overview > Less Secure Apps > Disable access to less secure apps
- Security > Authentication > 2-Step Verification > Allow users to turn on 2-Step Verification
  - Enforcement > On
  - Methods > Any except verification codes via text or phone call (or, stricter, Only security key) [2]
- Security > Authentication > Account Recovery >
  - Super admin account recovery > On (if there are fewer than 3 super admins on the account)
  - User account recovery > On
- Security > Authentication > Password Management > Enforce strong password
  - Length > Minimum length > At least 12
- Security > Access and data control > Google Cloud session control > Reauthentication policy > Require reauthentication
  - Exempt Trusted apps > Off
  - Reauthentication frequency > 16 hours
Apps and Data Control
- Apps > Google Workspace > Drive and Docs > Sharing options >
  - Sharing outside of organization > OFF or ALLOWLISTED DOMAINS
  - Allow users in organization to receive files from users or shared drives outside of organization/allowlisted domains > Off
  - When sharing outside of organization is allowed, users in organization can make files and published web content visible to anyone with the link > Off
  - Distributing content outside of organization > No one
- Apps > Google Workspace > Settings for Google Chat > Service Settings > OFF for everyone
Gmail Security
- Apps > Google Workspace > Settings for Gmail >
  - Authenticate email > Set up DKIM with your DNS provider
  - Safety >
    - Attachments > Enable all protections and set to quarantine
    - IMAP view time protections > Enabled
    - Links and external images > Enable all
    - Spoofing and authentication > Enable all and set to quarantine
      - "Protect against any unauthenticated emails" can instead be set to "Keep email in inbox and show warning" so that legitimate external email is not blocked
Email Authentication
- SPF & DMARC
  - Follow these guides to confirm and/or set up SPF and DMARC:
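The Gmail spoofing protections above only act on authentication results, so it is worth confirming that the domain's own SPF and DMARC records actually enforce something. The example below is added here and is not the page's or Google's own tooling: it parses SPF and DMARC TXT records and reports the weaknesses a reviewer looks for (a permissive `+all`, the 10-DNS-lookup limit from RFC 7208, `p=none`, a missing `rua=` address). The three domains and their records are constructed for the demo; a real check would fetch the TXT records for the domain and `_dmarc.<domain>` (for example with dnspython) instead of reading the embedded dictionary.

```python
# Constructed sample TXT records for three hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "good.example": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.google.com a mx ptr +all",
        "dmarc": "v=DMARC1; p=none",
    },
    "nodmarc.example": {
        "spf": "v=spf1 include:_spf.google.com ~all",
        "dmarc": None,
    },
}

# Terms that each cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF TXT record into qualified mechanisms and modifiers.
    Returns None when the record is absent or lacks the v=spf1 version tag."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    result = {"mechanisms": [], "modifiers": {}, "all": None, "lookups": 0}
    for term in record.split()[1:]:
        if "=" in term:                      # modifier, e.g. redirect=_spf.example
            name, value = term.split("=", 1)
            result["modifiers"][name.lower()] = value
            if name.lower() in LOOKUP_TERMS:
                result["lookups"] += 1
            continue
        qualifier = "+"                      # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0].lower()  # strip ':arg' and '/cidr'
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        if name == "all":
            result["all"] = qualifier
        result["mechanisms"].append((qualifier, term))
    return result


def parse_dmarc(record):
    """Parse a DMARC TXT record (tag=value pairs separated by ';') into a dict,
    or return None when it is absent or not a v=DMARC1 record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(domain, records=SAMPLE_RECORDS):
    """Return a list of findings describing why the domain's SPF/DMARC setup is weak."""
    findings = []
    spf = parse_spf(records[domain].get("spf"))
    dmarc = parse_dmarc(records[domain].get("dmarc"))

    if spf is None:
        findings.append("SPF: no valid v=spf1 record, so receivers cannot check the sending host")
    else:
        if spf["all"] == "+":
            findings.append("SPF: ends with +all, so any host passes SPF for this domain")
        elif spf["all"] == "?":
            findings.append("SPF: ends with ?all (neutral), which gives receivers no signal")
        elif spf["all"] == "~":
            findings.append("SPF: ends with ~all (softfail); -all is stricter once every sender is listed")
        elif spf["all"] is None and "redirect" not in spf["modifiers"]:
            findings.append("SPF: no 'all' mechanism, so unlisted hosts are treated as neutral")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} DNS-lookup terms exceed the limit of 10 (permerror)")

    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record at _dmarc.<domain>, so SPF/DKIM failures are not enforced")
    else:
        policy = dmarc.get("p")
        if policy is None:
            findings.append("DMARC: required p= tag is missing, so the record is invalid")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors; use quarantine or reject to act on failures")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports will not be received")
        if dmarc.get("pct") not in (None, "100"):
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(name, "->", assess(name) or ["no findings"])
```

Swap the embedded dictionary for live TXT lookups and the same `assess` function becomes a quick pre-flight check before turning on the quarantine settings above, so that a domain with `p=none` or a softfail SPF is fixed at the DNS side rather than silently passing unauthenticated mail.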
Optional Enhancement
- Enroll in the Advanced Protection Program for high-risk users or your entire organization
Notes
[1] Security Alerts
Other alerts should be enabled by default, but it is recommended to go through the list and enable any others that would indicate concerns.
[2] 2FA Enrollment
You can confirm user enrollment status at Directory > Users, under the 2-step verification enrollment and Advanced Protection Program enrollment columns.