Securing Slack Workspaces (Free or Paid)

Many groups, companies and other organisations use the free version of Slack to communicate.

All settings here apply to the Free AND Paid versions of Slack, though the Paid versions can benefit from other options, discussed at the end of this article.

While the free version does not have all the security features of the paid Standard and Plus editions, which offer retention policies, single sign-on and other more advanced features, a few settings can be configured to secure the free workspaces adequately for most needs.

For simple video tutorials, follow us on YouTube.

For more advanced video training, you can subscribe to Guillaume’s Pluralsight account by signing-up for a Free Trial on Pluralsight and following this link.

Two-Factor Authentication (2FA)

Two-factor authentication stops a simple phishing attack (a stolen password) from instantly turning into an account compromise. Slack users can always enable 2FA for themselves, but as an administrator you can enforce it for everyone.

As with most of the settings we’ll look at, 2FA is managed in workspace settings.

  • Go to workspace settings
  • Under Settings & Permissions, go to Authentication
  • Expand “Workspace-wide two-factor authentication”
  • Click “Activate two-factor authentication for my workspace”

You will then be prompted to add a customized message, which you can include to explain what is happening to the people using your Slack.

Once this is enabled, members will be emailed and/or messaged in Slack, telling them they must enable 2FA. If they log in after the forced activation date, they will be asked to configure 2FA at login.

I recommend using one-time passwords with the “app” method: it is more convenient than SMS (it does not require cellular connectivity) and more secure. That said, SMS-based 2FA is still far better than no 2FA at all.

Permissions to add apps

Apps can be super useful in Slack, but they can request access to a lot of data. In many cases, you do not want anyone to be able to add any app.

  • Enable “Only allow apps from the Slack App Directory” unless you have a very specific need, such as apps you built yourself to connect to Slack. That way, only apps in the official directory can be added, reducing the risk of a malicious application being added to your workspace.
  • In workspace settings, go to “Configure apps”.
  • Go to the “Permissions” tab.
  • Enable “Approved Apps”, so that only apps you have approved can be added by users.
  • To help build that list, enable “Allow members to request additions to Approved Apps” and require that they add a comment. That way, anyone can request an app they need, and you can review the permissions the app requests before approving it.

Hide workspace URL

When someone follows a link on any website, the browser often sends information about the source page (the HTTP Referer header) to the destination server.

Since Slack workspaces are sub-domains of slack.com, that information can reveal to the destination site’s operators that members of a particular Slack workspace are posting and following links to it.

Imagine you are a newspaper posting links to a company’s website where archives of its SEC documents are kept. The administrators of that website could see in their logs that visitors are arriving from “newspaper.slack.com”, tipping them off.

In workspace settings, check that “Hide your workspace URL from external sites’ logs” is enabled. It is enabled by default, but it’s worth double-checking.
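To make the risk concrete, here is an added example (not part of the original article) of what the operator of the linked-to site can see: it parses web-server access-log lines in the common “combined” format and tallies the Slack workspace sub-domains that appear in the Referer field. The log lines, IP addresses and the workspace name newspaper.slack.com are all constructed, reusing the article’s scenario.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlparse

# Constructed sample access-log lines (nginx/Apache "combined" format), not real traffic.
# The first two requests arrive with a Slack workspace sub-domain in the Referer field;
# the third carries no referrer ("-"), which is what a site sees when nothing is leaked.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /sec-filings/10k.pdf HTTP/1.1" 200 51234 "https://newspaper.slack.com/" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:56:01 +0000] "GET /sec-filings/ HTTP/1.1" 200 1024 "https://newspaper.slack.com/archives/C0123" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:12 +0000] "GET /sec-filings/10k.pdf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:14:02:45 +0000] "GET /about HTTP/1.1" 200 2048 "https://www.example.org/news" "Mozilla/5.0"
"""

# One regex for the combined log format: client IP, ident, user, timestamp, request line,
# status, response size, referrer and user agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer: str) -> Optional[str]:
    """Return the hostname from a Referer value, or None when the field is empty/'-'."""
    if referer in ("", "-"):
        return None
    return urlparse(referer).hostname


def slack_workspaces_seen(log_text: str) -> Counter:
    """Count requests per Slack workspace sub-domain revealed through the Referer header."""
    seen: Counter = Counter()
    for line in log_text.splitlines():
        match = COMBINED_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        host = referer_host(match.group("referer"))
        if host and host.endswith(".slack.com"):
            seen[host] += 1
    return seen


if __name__ == "__main__":
    for workspace, hits in slack_workspaces_seen(SAMPLE_LOG).items():
        print(f"{workspace}: {hits} request(s) traceable to this workspace")
```

Run against the sample, the tally shows two requests attributable to newspaper.slack.com; the request with no referrer reveals nothing about where the reader came from.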

Workspace Signup Mode / Invitations

Inviting new users to Slack grants them access to all the public channels, and potentially more.

We need to decide how new users get in, choosing one of:

  1. Allowing everyone to invite anyone (best for public types of groups).
  2. Restricting invitations to administrators or other users.
  3. Allowing users with email addresses in specific domain(s) to sign up (best for companies or organisations using the same email domain(s)).

To configure this:

  • Go to “Settings & Permissions” in the “Settings” tab, and expand “Workspace Signup Mode”.
  • Configure it to either invitation only, or to the specific domains you want to automatically allow.
  • If using invitation mode, go to the “Permissions” tab, expand the “Invitations” setting and un-check “Allow everyone (except guests) to invite new members”. Only administrators will then be able to invite users.

Public File Sharing

If your Slack is meant for internal collaboration, disable “Public File Sharing” in “Settings & Permissions” under the “Permissions” tab.

That way, no one can accidentally share an internal document externally, where it is not protected by any authentication.

Email Display

Back under the “Settings” tab of “Settings & Permissions”, the “Email Display” setting controls whether people in the workspace can see each other’s email addresses.

In a company Slack where an address book is probably already available, it can remain enabled, but in a community Slack where people do not necessarily know each other directly, hiding it is a good way to ensure people have to ask each other before using external contact methods.

Paid Versions

Paid versions of Slack have more features, like retention policies and single sign-on (SSO).

Enabling SSO lets you leverage your existing authentication policies, and retention policies let you periodically wipe the content of channels that do not need to be archived.

Remember, what’s not there can’t be stolen. If a channel’s history is not relevant over time, setting a retention period might one day mean that only a few days’ or weeks’ worth of messages can be stolen, not the entire history!