Lance Lennon - Director of Technology in Iowa with a school of 1000 students.
Separate your GAFE super admin account. Turn off Email and Chat. Set it up with 2-factor authentication. Make a complex password. Stay logged out. Only log in when you need to. I think this is one of the most important pieces of advice. An entire district can be compromised. Not following this has pushed the NYCDOE, Google, and AmplifiedIT to develop a district parachute to save GAFE domains.
Create custom admin roles. Who needs access, and what access do they need? Use admin roles. They can be accessed under More controls.
Some admin roles are pre-made:
Help Desk Admin - Changes passwords. You can customize further for specific OUs.
Services Admin - Turn services on and off. Give read access to OUs.
Security - Password Requirements and Recovery. Understand what your requirements are. Set the minimums based on this.
Allow users to turn on 2-step verification. This will help to prevent hacking. Enforce 2-step verification for staff. For students it's not a great idea. They would need to use phones for it. When users log in for the first time, it does not redirect them to set up 2-step.
There is a USB key for those that don't want to use their phone. YubiKey, $25.
Create a video for 2-step verification.
Keep it fun and light as you turn key tech requirements.
The initial setup requires a phone.
DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) are meant to stop or minimize spoofing of emails.
You need access to DNS. Check your setup at https://toolbox.googleapps.com/apps/main/
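The SPF and DKIM checks described above, as an added Python example that is not from the session or from Google's toolbox. The TXT records are constructed samples for the placeholder domain example.org, and the function names are hypothetical; include:_spf.google.com is the term Google documents for its mail servers.

```python
# Added example: audit SPF and DKIM TXT records for a domain whose mail is sent by Google.
# All records below are constructed samples; example.org is a placeholder domain.

GOOGLE_SPF_INCLUDE = "include:_spf.google.com"  # Google's documented SPF include


def check_spf(txt_records):
    """Return a list of problems found in the TXT records at the domain root."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # RFC 7208: more than one v=spf1 record is a permanent error.
        return ["multiple SPF records (receivers treat this as an error)"]
    terms = spf[0].lower().split()
    problems = []
    if GOOGLE_SPF_INCLUDE not in terms:
        problems.append("Google's servers are not authorized")
    if "+all" in terms or "all" in terms:
        problems.append("'+all' lets any server send as this domain")
    elif terms[-1] not in ("-all", "~all"):
        problems.append("record does not end in -all or ~all")
    return problems


def check_dkim(txt_record):
    """Check the TXT record published at <selector>._domainkey.<domain>."""
    if not txt_record:
        return ["no DKIM key published for this selector"]
    # Split "tag=value; tag=value" pairs; partition keeps '=' padding inside p=.
    parts = (part.partition("=") for part in txt_record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected DKIM version tag")
    if not tags.get("p"):
        # RFC 6376: an empty p= tag means the key has been revoked.
        problems.append("public key missing or revoked (empty p=)")
    return problems


SAMPLE = {  # constructed records, not real keys
    "root": ["google-site-verification=abc123", "v=spf1 include:_spf.google.com ~all"],
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
}

if __name__ == "__main__":
    print("SPF:", check_spf(SAMPLE["root"]) or "ok")
    print("DKIM:", check_dkim(SAMPLE["dkim"]) or "ok")
```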
Email footers. Append a footer so it goes out on every email without the student's or teacher's control.
G Suite vs. Additional services - age restrictions on Additional, support on G Suite.
Suspend accounts and move them to a different OU. Delete when an account is created in error. Documents remain shared with whoever they are shared with. Moving an account doesn't suspend it. You need to actually suspend it. GAM can do it.
With Groups, to avoid international spoofing, require a suffix on group names. This identifies it as a group.
Manage alerts in Reports. The reports can be set up to alert when there are too many login attempts. Custom reports can be made to track specific events. Users can be tracked to see what they are doing.
Login can be reported.
Specific logins can be tracked if a student needs to be located. The physical IP will identify where they last logged in.
Block sites to prevent users from adding personal accounts to their school account.