By default, access to the Compute Engine metadata server is not limited to specific processes or users on a VM: even low-privilege processes can request service account credentials. Can we limit metadata server access to specific Windows users or processes?
Service accounts play a key role in Google Cloud IAM, but they are easy to get wrong. If you’re not careful, you quickly end up with over-permissioned service accounts, accounts that are used across multiple applications, and service account keys being spread all across your environment.
Compute Engine uses googet to pre-install drivers and other critical system components on Windows VMs. But how do you update these packages if the VM does not have internet access?
After creating a Windows VM on Google Cloud, users can use the Cloud Console or IAP Desktop to request login credentials. But what are the risks of letting users generate credentials, and is there a way to prevent them from doing so?
When you authenticate a user by using OpenID Connect and request the email scope, most identity providers add two additional claims to the ID token: email and email_verified. The email claim does not need much explanation – but what about email_verified? What does this claim indicate, and how does Google populate it?
When you create a VM instance on Google Cloud, you can optionally specify instance metadata. Instance metadata is a list of key/value pairs and the most common use case for using metadata is passing a startup or shutdown script to a VM. But startup and shutdown scripts are not the only platform features that rely on metadata.
One of the less well known features of Google Cloud Shell is that it has PowerShell preinstalled. All it takes to convert your Cloud Shell session into a PowerShell session is to run a single command.
In the last post, we looked at the risks of using local port forwarding and how it’s difficult to protect TCP tunnels in a multi-user environment. In this post, we take a look at how IAP Desktop protects its tunnels.
If you are a frequent SSH user, then you’ll be familiar with local port forwarding. Creating tunnels by using local port forwarding is useful, easy, but also not without risks.
In a company’s journey to the cloud, one of the topics that is important to sort out early is identity management. To do anything meaningful with Google Cloud, employees need to be able to sign in to the Cloud Console – but manually creating user accounts for each employee is rarely a good idea.
Azure DevOps has come a long way since its humble beginnings as Visual Studio Team System. Its CI/CD component in particular, Azure Pipelines, has made some major leaps over the past few years and is now actually quite nice to use.
If you have been an MSDN, TechNet, or Action Pack subscriber in the past, you probably remember the binders full of discs that Microsoft used to ship.
gcloud manages two sets of credentials: your personal credentials and application default credentials. Having two separate sets of credentials might seem redundant and can cause surprises the first time you use one of the Google Cloud client libraries. But the two sets of credentials serve different purposes.
Google APIs use OAuth 2.0 for authentication and authorization. To call an API, you first have to obtain an access token for the right scope and then pass it to the respective API by using the Authorization HTTP header.
But the trouble with access tokens is that they are short-lived, and you somehow have to deal with expiring tokens…
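The pattern the teaser alludes to, handling token expiry, comes down to caching an access token per scope and refreshing it shortly before it expires, so that no request leaves with a token that dies in flight. The following is an added example, not code from the post: the token endpoint is a constructed fake standing in for Google's OAuth 2.0 token endpoint (or a client library's credential object), and the clock is injected so the expiry behaviour can be exercised without waiting an hour.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth 2.0 token endpoint (not a real API).

    Every call hands out a fresh token that is valid for `lifetime` seconds and
    counts how often it was asked, so the caching behaviour can be observed.
    """
    lifetime: int = 3600
    calls: int = 0

    def fetch(self, scope: str, now: float) -> Tuple[str, float]:
        self.calls += 1
        # Real tokens start with "ya29."; the rest of this value is made up.
        return (f"ya29.fake-{self.calls}", now + self.lifetime)


class TokenCache:
    """Caches one access token per scope and refreshes it before expiry.

    `fetch` obtains (token, expiry_timestamp) for a scope, `clock` returns the
    current Unix time, and `refresh_margin` is how many seconds before expiry a
    token is treated as stale. The lock keeps concurrent callers from racing to
    refresh the same scope.
    """

    def __init__(self,
                 fetch: Callable[[str, float], Tuple[str, float]],
                 clock: Callable[[], float] = time.time,
                 refresh_margin: int = 300):
        self._fetch = fetch
        self._clock = clock
        self._margin = refresh_margin
        self._lock = threading.Lock()
        self._tokens: Dict[str, Tuple[str, float]] = {}

    def get_token(self, scope: str) -> str:
        now = self._clock()
        with self._lock:
            cached = self._tokens.get(scope)
            # Refresh if nothing is cached or the token is inside the margin.
            if cached is None or cached[1] - self._margin <= now:
                cached = self._fetch(scope, now)
                self._tokens[scope] = cached
            return cached[0]

    def auth_header(self, scope: str) -> Dict[str, str]:
        """Header to attach to an API call: Authorization: Bearer <token>."""
        return {"Authorization": f"Bearer {self.get_token(scope)}"}


if __name__ == "__main__":
    # Simulated clock so the example runs instantly and offline.
    clock = [1_000.0]
    endpoint = FakeTokenEndpoint(lifetime=3600)
    cache = TokenCache(endpoint.fetch, clock=lambda: clock[0], refresh_margin=300)
    scope = "https://www.googleapis.com/auth/cloud-platform"

    first = cache.get_token(scope)
    cache.get_token(scope)                      # served from cache
    clock[0] += 3600 - 300                      # now inside the refresh margin
    second = cache.get_token(scope)             # refreshed
    print(first, second, "endpoint calls:", endpoint.calls)
```

The margin matters more than it looks: a token that is valid when you check it but expires while a long request or a retry is in progress yields an opaque 401 from the API, so refreshing a few minutes early is cheaper than handling that failure after the fact.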
A bit over 12 years ago I started this blog to write about Windows development. Back then,
I spent the majority of both my free time and time at work developing Win32 and COM-based software,
and I was just starting to dip my toes into kernel-mode development.
Things got quiet after 2010 when I changed careers and began working as a consultant.
My focus shifted from Windows development to architecting scalable systems and later led
me to entirely different topics such as leading development teams and optimizing the software development lifecycle.
Although I never stopped doing Windows development, it became less frequent over time – and I had less to write about
on this blog.
Now it is about time to get more active again on this blog. And as a first step,
I moved this blog to a new home.
A key part of my job as Solutions Architect at Google Cloud is
to work with customers to identify and capture best practices and to turn these into public
documentation.
Over the past six months, I have published the following guides.
Quite obviously, Google does not always get it right either. Whenever I try to see my Google Calendar (using Opera), I am requested to log in. So I enter my credentials, am redirected a couple of times and – am brought to the login page again. Logging in again does not help; by then I have entered an infinite loop. Thankfully, I can escape this loop by jumping to the original calendar URL again – now Google recognizes that I have already logged in and shows me my calendar.