5 Free Microsoft & Google Security Settings Every School Should Enable

Most schools today run either Google Workspace for Education or Microsoft 365 for email, collaboration, and identity. Unfortunately, attackers know this too, and they target school accounts with phishing, password spraying, and credential theft.

The good news is you don’t need to buy premium licenses to improve security. Both platforms include free settings that can significantly reduce risk if you enable them.

Here are 5 to prioritize in every school environment.


1. Require Multi-Factor Authentication (MFA)

Why it matters:

Passwords alone aren’t enough. MFA stops most account takeover attempts cold.

Microsoft 365 / Entra:

  • Go to Entra Admin Center → Security → Conditional Access.
  • Enforce MFA for admins first, then expand to all staff.
  • Students can be handled differently depending on age/policy.

Google Workspace:

  • Admin Console → Security → Authentication → 2-Step Verification.
  • Enforce for staff and administrators.
  • Use security keys or mobile apps for stronger protection.

Impact: Even if a password is stolen, attackers can’t log in without the second factor.


2. Block Legacy Authentication

Why it matters:

Older protocols (POP, IMAP, SMTP) don’t support MFA and are favorite targets for password-spray attacks.

Microsoft 365:

  • Entra Admin Center → Security → Conditional Access.
  • Block legacy protocols.
  • Run a report first (Legacy Authentication) to identify accounts still using them.

Google Workspace:

  • Admin Console → Security → Less Secure Apps → Disable.

Impact: Reduces one of the most common ways attackers break in.
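One way to do the "run a report first" step offline, as an added example that is not part of the original post: the script below reads exported sign-in records and separates accounts that still depend on legacy protocols from accounts that only see failed attempts. The sample records are constructed, the key names follow the Microsoft Graph signIn resource with status.errorCode flattened to `errorCode`, and the label set and threshold are assumptions to adjust for your tenant.

```python
from collections import defaultdict

# Client-app labels for legacy protocols, compared case-insensitively.
# Assumption: extend this set to match the labels in your own export.
LEGACY_APPS = {"imap4", "pop3", "authenticated smtp",
               "exchange activesync", "other clients"}

# Constructed sample records (errorCode 0 = success, anything else = failure).
SAMPLE = [
    {"userPrincipalName": "copier@school.example", "clientAppUsed": "Authenticated SMTP", "ipAddress": "10.0.4.20", "errorCode": 0},
    {"userPrincipalName": "teacher1@school.example", "clientAppUsed": "IMAP4", "ipAddress": "10.0.8.15", "errorCode": 0},
    {"userPrincipalName": "teacher1@school.example", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.50", "errorCode": 50126},
    {"userPrincipalName": "teacher2@school.example", "clientAppUsed": "POP3", "ipAddress": "203.0.113.50", "errorCode": 50126},
    {"userPrincipalName": "principal@school.example", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.50", "errorCode": 50126},
    {"userPrincipalName": "teacher2@school.example", "clientAppUsed": "Browser", "ipAddress": "10.0.8.16", "errorCode": 0},
]

def is_legacy(rec):
    return rec["clientAppUsed"].strip().lower() in LEGACY_APPS

def legacy_usage(records):
    """Per-account protocols and success/failure counts for legacy sign-ins."""
    usage = defaultdict(lambda: {"apps": set(), "ok": 0, "failed": 0})
    for rec in filter(is_legacy, records):
        entry = usage[rec["userPrincipalName"].lower()]
        entry["apps"].add(rec["clientAppUsed"])
        entry["ok" if rec["errorCode"] == 0 else "failed"] += 1
    return dict(usage)

def plan_block(records):
    """Accounts with a successful legacy sign-in need migrating before the
    block; accounts with only failures lose nothing when it is enforced."""
    usage = legacy_usage(records)
    migrate = sorted(u for u, e in usage.items() if e["ok"] > 0)
    failed_only = sorted(u for u, e in usage.items() if e["ok"] == 0)
    return migrate, failed_only

def spray_sources(records, min_accounts=3):
    """Source IPs with failed legacy sign-ins against many distinct accounts."""
    targets = defaultdict(set)
    for rec in filter(is_legacy, records):
        if rec["errorCode"] != 0:
            targets[rec["ipAddress"]].add(rec["userPrincipalName"].lower())
    return {ip: sorted(u) for ip, u in targets.items() if len(u) >= min_accounts}
```

Accounts in the first list (often copiers, scanners, and old mail clients) are the ones to move to modern authentication before the block goes live.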


3. Turn Off Auto-Forwarding

Why it matters:

Attackers often set up auto-forwarding rules after compromising accounts, silently exfiltrating all email.

Microsoft 365:

  • Exchange Admin Center → Mail Flow → Remote Domains → Disable auto-forwarding.

Google Workspace:

  • Admin Console → Apps → Gmail → User Settings → Disable automatic forwarding.

Impact: Stops attackers from siphoning data unnoticed. Be sure to exclude any accounts that may need automatic forwarding enabled.
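Before disabling forwarding, it helps to inventory what is already forwarding so the exceptions are deliberate. The following is an added example, not from the original post: it classifies mailbox-level forwarding targets as internal, approved exception, or external and unapproved. The mailbox rows are constructed, the keys mirror the Exchange Online mailbox properties `PrimarySmtpAddress` and `ForwardingSmtpAddress`, and the domain and exception lists are hypothetical.

```python
# Assumption: the district's own accepted mail domains.
INTERNAL_DOMAINS = {"school.example"}
# Hypothetical exception list: mailbox -> the one external target approved for it.
APPROVED = {"nurse@school.example": "intake@clinic-partner.example"}

# Constructed sample of a mailbox export.
MAILBOXES = [
    {"PrimarySmtpAddress": "teacher1@school.example", "ForwardingSmtpAddress": "smtp:t1.personal@mail.example"},
    {"PrimarySmtpAddress": "nurse@school.example", "ForwardingSmtpAddress": "smtp:Intake@clinic-partner.example"},
    {"PrimarySmtpAddress": "office@school.example", "ForwardingSmtpAddress": "smtp:frontdesk@hs.school.example"},
    {"PrimarySmtpAddress": "coach@school.example", "ForwardingSmtpAddress": "smtp:coach@school.example.mail.example"},
    {"PrimarySmtpAddress": "sub@school.example", "ForwardingSmtpAddress": "smtp:x@notschool.example"},
    {"PrimarySmtpAddress": "aide@school.example", "ForwardingSmtpAddress": None},
]

def target_address(value):
    """Normalise 'smtp:User@Host' to 'user@host'; None when no forwarding is set."""
    if not value:
        return None
    addr = value.strip().lower()
    return addr[5:] if addr.startswith("smtp:") else addr

def is_internal(address, internal_domains):
    """True only for an exact domain or a real subdomain, never a lookalike
    such as 'notschool.example' or 'school.example.mail.example'."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local:
        return False
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)

def audit_forwarding(mailboxes, internal_domains, approved):
    """Return (mailbox, target, status) for every mailbox that forwards."""
    findings = []
    for mbx in mailboxes:
        target = target_address(mbx.get("ForwardingSmtpAddress"))
        if target is None:
            continue
        owner = mbx["PrimarySmtpAddress"].lower()
        if is_internal(target, internal_domains):
            status = "internal"
        elif approved.get(owner) == target:  # exception is tied to one exact target
            status = "approved-exception"
        else:
            status = "external-unapproved"
        findings.append((owner, target, status))
    return findings
```

This covers mailbox-level forwarding only; inbox rules that forward or redirect are stored separately and need their own export and review.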


4. Enable Admin Alerts

Why it matters:

You can’t fix what you don’t know about. Both Microsoft and Google can send alerts when suspicious activity occurs.

Microsoft 365:

  • Entra Admin Center → ID Protection → Dashboard → Users at risk detected alerts.
  • Examples: unusual admin role changes and high volume of failed logins.

Google Workspace:

  • Admin Console → Rules → Activity Rules → Enable predefined templates (suspicious login, admin role change).

Impact: Gives IT visibility into critical security events.


5. Enforce Strong Password Policies

Why it matters:

Weak passwords remain one of the easiest ways into school systems.

Microsoft 365 / Entra:

  • Use fine-grained password policies for staff/admins.
  • Example: Staff = 8 chars minimum; Admins = 12 chars + MFA required.

Google Workspace:

  • Admin Console → Security → Password Management.
  • Set minimum length and complexity.

Impact: Makes brute force attacks much less effective.


Closing Thoughts

Schools don’t always have a budget for expensive security platforms, but that doesn’t mean they’re defenseless. You can dramatically improve your security posture by enabling free, built-in settings in Microsoft 365 and Google Workspace at no additional cost.

Start with MFA, block legacy protocols, disable auto-forwarding, enable alerts, and enforce strong password rules. These steps alone stop many of the most common attacks schools face every day.
