An Administrator's Nightmare: Google Apps Team Edition

Google recently released Google Apps Team Edition. As an administrator, you need to get out and set this up so that you, rather than Joe Blow user, have control over it for your organization.

I decided to take a look at this to figure out how an organization can limit access to this app or take control of it. I have a feeling that many companies would not like their employees to use this for collaboration. However, any employee can go and register using the company domain and get started.
One question that came up: is it possible for the authorized IT admin in the company to make sure that nobody opens a Team Edition account in the name of the company domain?

I opened one of the free accounts, then had to dig through a few pages to find out how to set myself up as an admin for the domain. It involved either putting a page containing a special string on the website hosting the root of my domain (http://mydomain.com) or adding a special entry in my DNS servers for mydomain.com.

This is proof enough to Google that you are authorized to take over admin rights for the domain. Once that was done, it was no longer possible for other folks to set up an account using my domain without the admin's approval.
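Since a DNS entry is accepted as proof of control, it is worth confirming that every Google-bound record in your zone is one IT created. The following is an added example, not code from the original post or from Google: it scans a zone export for CNAME records pointing at Google and reports any that are missing from an inventory. The sample zone, the inventory, and the assumption that such records target a host under google.com are all constructed for illustration.

```python
"""Flag CNAME records pointing at Google that are not in IT's record inventory."""

# Constructed sample zone export (BIND-style); names and tokens are made up.
SAMPLE_ZONE = """\
$ORIGIN mydomain.com.
$TTL 3600
@            IN  A      192.0.2.10
www          IN  CNAME  webhost.example.net.
mail         IN  CNAME  ghs.google.com.
googleabc123 IN  CNAME  google.com.   ; nobody in IT remembers adding this
docs    300  IN  CNAME  ghs.google.com.
"""

WATCHED_SUFFIX = "google.com"  # assumption: records of interest point under here
# Hypothetical inventory of (owner, target) pairs that IT created itself.
APPROVED = {("mail.mydomain.com", "ghs.google.com")}


def absolute(name, origin):
    """Expand a zone-file name to a lowercase FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}" if origin else name


def parse_cnames(zone_text):
    """Return (owner, target) for each CNAME; every record line must start with its owner."""
    origin, found = "", []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1].rstrip(".").lower()
            continue
        types = [f.upper() for f in fields]
        if fields[0].startswith("$") or "CNAME" not in types[1:-1]:
            continue
        target = fields[types.index("CNAME", 1) + 1]
        found.append((absolute(fields[0], origin), absolute(target, origin)))
    return found


def unapproved_google_cnames(zone_text, approved=APPROVED):
    """CNAMEs pointing under WATCHED_SUFFIX that are missing from the inventory."""
    return [(o, t) for o, t in parse_cnames(zone_text)
            if (t == WATCHED_SUFFIX or t.endswith("." + WATCHED_SUFFIX))
            and (o, t) not in approved]


if __name__ == "__main__":
    for owner, target in unapproved_google_cnames(SAMPLE_ZONE):
        print(f"review: {owner} -> {target}")
```

Anything it reports is a record to trace back to whoever has write access to the zone.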

Here are some notes from Google on this.

If you’re the IT admin for your domain, you can verify domain ownership to begin managing Google Apps. As a Google Apps admin, you’ll have access to the following features in addition to the services included in the Team Edition:

  • Email for your domain, powered by Gmail
  • Additional customization features: customize your domain’s start page, logo and login page
  • Domain web pages, powered by Google Page Creator
  • Management features: create and delete user accounts, control document and calendar sharing settings, and much more!

To begin managing Google Apps, you’ll need to prove that you control your domain. Here’s how to get started:

  1. Log in to your Google Apps dashboard at http://www.google.com/a/your_domain.com. Make sure to replace ‘your_domain.com’ with your actual domain name.
  2. Near the bottom of the page you’ll see the text ‘If you are the IT administrator, you can access administrative features for your organization. Learn How.’ Click on ‘Learn how.’
  3. Enter a contact email address outside your domain.
  4. Review the Terms and Conditions and click ‘I accept. Continue to activate.’
  5. Verify domain ownership using the instructions provided. You can verify by creating a CNAME record we specify, or by uploading an HTML file with your domain host.
  6. Once you’ve made the necessary changes with your domain host, click on ‘Verify.’
  7. If you’re unable to verify your account right away, click ‘I will verify later’ to cancel verification and return to the Team Edition. You can restart the verification process at any time. If you have trouble making the required changes, you can contact your domain host for assistance.

Now that you are the administrator for this app, you can disable all of the services. Then, if anyone signs up, you can be sure that nothing can be done with the account.
You can disable a service by following these steps:

  1. Log in to your control panel.
  2. From the Service settings drop-down menu, select the service that you’d like to disable.
  3. Click Disable (service) at the bottom of the page.
  4. After reading the possible issues relating to disabling that service, click Yes, disable (service).

My recommendation is that all administrators head this off at the pass, before your users overrun you and you are forced to play catch-up.

-secauditor


One Response to “An Administrator's Nightmare: Google Apps Team Edition”

  1. Troy Says:

    How is a user going to make changes to the company domain?
    That stuff is usually managed by the IT Dept.

    I read your post and I still don’t understand what the scary part is.
