Teri Radichel


Using Organizational Units and Groups in Google Workspace for Different User Permissions

Setting up different 2-step Verification Requirements for Different Users in Your Google Workspace

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Google Security | Cloud Governance | DNS Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post, I wrote about how I was having a problem with Google Workspace and hardware security keys and how I was trying to get around it.

Now I have a conundrum. If I require security keys only and something breaks with hardware security keys on Google (as happened with my Twitter, er I mean X, account, where the hardware security key just randomly stopped working), I still need to get into my admin accounts. I want to have some other options, but I don’t want to use them except in case of emergency.

For all my other accounts, I want to require the hardware security key option only. Unfortunately that currently causes problems on my phone as demonstrated in the last post, but I am sure Google will fix that shortly.

In the meantime how can I set up these different requirements?

Google Workspace Organizational Units

Well first, there’s an option to create Organizational Units in Google Workspace.

Navigate to Directory > Organizational Units.

Click Create organizational unit.

You can create an organizational unit, add users to it, and then change the security configuration for that organizational unit. For example, I might create an organizational unit called Non-Admin and then add users to it. Then I can disable every 2-step verification method except hardware security keys for that unit (presuming it actually works as a second factor).

I could possibly create two organizational units — Admin and Non-Admin:

Then I navigate to the list of users and click on any user.

Click CHANGE ORGANIZATIONAL UNIT.

Add the user to the organizational unit.

Verify the user is in the organizational unit on the screen above after the change:

Now, back where I changed 2-Step Verification in a prior post, I can require security key only as a 2-Step Verification option for non-admins.

This is a little different from the advice you usually get, which is to require hardware security keys only for administrators. I think everyone should be using a security key as a second factor when possible.

I would only use passwordless for less-technical users who aren’t equipped to deal with a more complex solution as it is better than a password alone or getting tricked into entering a 2-step code on the wrong screen. However, for more technical users I still think a password plus a security key is better.

I also would leave on other options for administrators so you don’t get locked out of your account, but only use them in case of emergency. However, at the moment, Google has a bug that doesn’t let you use your hardware security key at all which I hope they fix soon.

Google Groups

You can also apply security policies to Google Groups.

Navigate to Directory > Groups.

There’s a link here to Learn about Security groups.

Create a group and apply specific policies to the group specifying what they can and cannot do.

Let’s say I create two groups — one for Google Workspace Administration and one for non-admins.

Google groups can be used to create email aliases — where any time you email the group email address, that email goes to anyone else in the group. But there’s another purpose for Google groups — which is to create a group of users to which you want to apply a security policy. You have to specify that the group is for the latter purpose when you create it.

When I create the groups I check the box next to Security.

On the next screen, you can configure some group settings. You can specify that certain emails can only be used internally at your organization or within a certain group. Make sure this works as expected. If those users need to be able to get external messages for some purpose you might break something.

One thing I don’t particularly love about these settings is that regardless of how you configure the last setting, external members can still be added to the group.

Next you can add members to the group:

I added a user that is already a Super Admin to this group and I got this error. That’s probably because this user can already do everything in Google Workspace. However, it added the user despite this message.

Here’s what Google says about when you might want to create a security group:

This page has some of the service settings you can change for a Google group:

Now let’s say I wanted to apply a policy for a service to a specific group.

Head back over to the Google service you want to modify as I demonstrated in my Google Workspace security 101 post.

On the left side search for and add your group. Then you can turn on that service for that specific group and configure it instead of allowing everyone in your organization to use it. I’m not going to enable Cloud Search for reasons explained in that 101 post. This is just an example.

You can also apply your security settings to a group:

Groups or Organizational Units?

I mentioned above I don’t like that warning that you can add external users to a group regardless of the global configuration. I would test that thoroughly to see how your groups might be abused in that case if you grant administrative or special privileges via a group. Other than that the design depends on your particular organization.
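The concern above, that external members can end up in a group that carries privileges, is something you can check rather than trust. The following is an added example (not from the original post and not a Google tool) that walks group memberships shaped like the Admin SDK Directory API `members.list` output, expands nested groups, and flags members outside the organization's domains, with external owners and managers called out separately. The membership records, ORG_DOMAINS and the group addresses are constructed sample data; swapping in real API output is left as an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the domains the organization owns (primary plus secondary/alias).
ORG_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample data shaped like Directory API members.list records
# (one list per group; each member carries email, role and type).
SAMPLE_MEMBERSHIPS = {
    "gws-admins@example.com": [
        {"email": "alice@example.com", "role": "OWNER", "type": "USER"},
        {"email": "helpdesk@example.com", "role": "MEMBER", "type": "GROUP"},
    ],
    "helpdesk@example.com": [
        {"email": "bob@corp.example.com", "role": "MEMBER", "type": "USER"},
        {"email": "contractor@partner.example.org", "role": "MANAGER", "type": "USER"},
    ],
    "non-admins@example.com": [
        {"email": "carol@example.com", "role": "MEMBER", "type": "USER"},
        {"email": "vendors@external.example.net", "role": "MEMBER", "type": "GROUP"},
    ],
}


@dataclass(frozen=True)
class Finding:
    group: str    # the group in which the risky member was actually found
    member: str
    role: str
    reason: str


def is_external(email: str, org_domains: set[str] = ORG_DOMAINS) -> bool:
    """True when the address is not in one of the organization's domains."""
    return email.rsplit("@", 1)[-1].lower() not in org_domains


def audit_group(group: str, memberships: dict, org_domains: set[str] = ORG_DOMAINS,
                _seen: set[str] | None = None) -> list[Finding]:
    """Walk one group, expanding nested groups we can see, and report risky members."""
    seen = _seen if _seen is not None else set()
    if group in seen:            # guard against A contains B contains A
        return []
    seen.add(group)
    findings: list[Finding] = []
    for m in memberships.get(group, []):
        email, role, mtype = m["email"], m.get("role", ""), m.get("type", "")
        if mtype == "GROUP" and email in memberships:
            findings += audit_group(email, memberships, org_domains, seen)
        elif mtype == "GROUP":   # nested group whose members we cannot list
            findings.append(Finding(group, email, role, "nested group not expanded"))
        elif is_external(email, org_domains):
            sev = "external member with admin role" if role in ("OWNER", "MANAGER") else "external member"
            findings.append(Finding(group, email, role, sev))
    return findings


def audit_all(memberships: dict, org_domains: set[str] = ORG_DOMAINS) -> list[Finding]:
    """Audit every group, de-duplicating findings reached through nesting."""
    return list(dict.fromkeys(f for g in memberships for f in audit_group(g, memberships, org_domains)))
```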

I’ve written a good deal about designing an organizational structure and policies in AWS, and those posts are also applicable to Google Cloud and Google Workspace. Though the constructs are a bit different, the principles are the same.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab