
Administrator security checklist

As an administrator, if you suspect that a user account may be compromised or hijacked, use this checklist to ensure that your users' accounts are secure. Work with affected users to complete the end-user Gmail security checklist.

Follow these security steps

Step 1. Temporarily suspend the suspected compromised user account
  1. Suspend a user to prevent unauthorized access.
  2. Block access to G Suite by resetting the user's sign-in cookies.
  3. Investigate the potentially unauthorized activity and restore the account. You might also consider enrolling the domain in 2-step verification (2SV).
  4. Ask the affected user to review their recovery address and complete the Gmail security checklist.
Step 2. Investigate the account for unauthorized activity
  1. If the compromised user is a G Suite administrator, review the Admin audit logs for any configuration changes the user has recently made. Skip this step if it doesn't apply.
  2. Review mobile devices associated with the affected account and wipe any suspicious devices.
  3. Investigate the potentially unauthorized activity:
    1. Use the Login audit log in the Admin console to view a complete list of successful and unsuccessful web-based sign-ins in your domain for up to 6 months. Suspicious sign-ins are flagged with a warning icon. You can also retrieve the sign-ins for domain accounts via the G Suite Reports API.
    2. Use the Email log search to review delivery logs for your domains and evaluate message transit to and from the possibly compromised accounts. If the account is managed by Vault, you can use the Email log search to review email activity.
    3. Use the Security report to evaluate the exposure of the domain to data security risks. You should review these reports:
    4. Verify if any malicious settings were created. You can retrieve user account settings (such as forwarding settings) through the Gmail API. If you suspect a consumer@gmail.com account was used as part of this compromise, please report it.
Step 3. Revoke access to the affected account
  1. Follow the steps in Reset a user's password.
  2. Revoke OAuth 2.0 tokens for the user. 
  3. Some applications that use the OAuth 2.0 authentication method will stop accessing data after you reset a user's password. The user must sign in with their account name and new password to receive a new OAuth 2.0 token.
  4. Block access to G Suite by resetting the user's sign-in cookies.
  5. Remove App passwords that the user created.
Step 4. Return access to the user
  1. Unsuspend the account.
  2. Let users know their new temporary passwords and ask them to set new, unique passwords (no passwords used with any other websites or applications).
  3. Enable 2-step verification for the domain and enroll users with U2F Security Keys (recommended over 2SV codes).
  4. Work with users to complete the end-user Gmail security checklist. For example, ensure that all your end-user filters and forwarding options are configured appropriately.
    1. Update your account recovery options.
    2. Check your account for unusual activity.
    3. Check for missing or suspicious messages.
    4. Check your contacts for errors.
    5. Check your Gmail settings.  
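
The check for malicious settings in Step 2 and the filter and forwarding review in Step 4, as an added example that is not part of the original article or Google's own code: it audits settings JSON already retrieved for one mailbox. The sample data, the example.com domain and the function names are constructed, and the field names assume the Gmail API's autoForwarding, filters and delegates response shapes.

```python
# Offline audit of Gmail settings JSON for persistence left behind by a hijacker.
# SAMPLE is CONSTRUCTED data shaped like Gmail API settings responses;
# nothing is fetched from any service.

def is_external(address, domain):
    """True when the address is outside the organization's domain."""
    return not address.lower().strip().endswith("@" + domain.lower())

def audit_gmail_settings(settings, domain):
    """Return a list of (severity, message) findings for one mailbox."""
    findings = []
    fwd = settings.get("autoForwarding", {})
    addr = fwd.get("emailAddress", "")
    if fwd.get("enabled") and is_external(addr, domain):
        findings.append(("high", f"auto-forwarding to {addr!r} "
                                 f"(disposition={fwd.get('disposition')})"))
    for flt in settings.get("filters", {}).get("filter", []):
        action = flt.get("action", {})
        target = action.get("forward")
        if target and is_external(target, domain):
            findings.append(("high", f"filter {flt.get('id')} forwards to {target}"))
        # Filters that trash mail or skip the inbox can hide alerts and replies.
        if ("TRASH" in action.get("addLabelIds", [])
                or "INBOX" in action.get("removeLabelIds", [])):
            findings.append(("medium", f"filter {flt.get('id')} hides mail "
                                       f"matching {flt.get('criteria')}"))
    # Any mailbox delegate is listed so the user can confirm they granted it.
    for dlg in settings.get("delegates", {}).get("delegates", []):
        findings.append(("medium", f"delegate {dlg.get('delegateEmail')} "
                                   f"({dlg.get('verificationStatus')})"))
    return findings

SAMPLE = {  # constructed sample, not real account data
    "autoForwarding": {"enabled": True, "emailAddress": "drop@mail.example.net",
                       "disposition": "trash"},
    "filters": {"filter": [
        {"id": "f1", "criteria": {"from": "security-alerts@example.com"},
         "action": {"addLabelIds": ["TRASH"]}},
        {"id": "f2", "criteria": {"query": "invoice"},
         "action": {"forward": "drop@mail.example.net"}},
        {"id": "f3", "criteria": {"from": "hr@example.com"},
         "action": {"addLabelIds": ["Label_7"]}},
    ]},
    "delegates": {"delegates": []},
}

if __name__ == "__main__":
    for severity, message in audit_gmail_settings(SAMPLE, "example.com"):
        print(f"[{severity}] {message}")
```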

Take additional security steps 

We recommend that you take these additional steps to ensure the security of your users' G Suite accounts.

Step 1. Enroll in 2-step verification with Security Keys

Enrolling in 2-step verification adds an extra layer of security to your users' G Suite accounts. It requires users to enter a verification code in addition to their username and password when signing in to their accounts. See Add 2-step verification for details. We recommend using Security Keys over 2SV security codes for better protection against phishing.

Step 2. Add, secure, or update recovery options

See Add recovery options to your administrator account for instructions on adding secondary email addresses and phone numbers. We recommend securing secondary email addresses by changing their passwords, or updating the secondary email to a new address.

Step 3. Enable account activity alerts

As an administrator, you can choose to receive account activity alerts when important events occur, such as potentially suspicious sign-ins or service setting changes by other administrators.

See Google's Safety Center for general recommendations on keeping your account secure.
