Why use CNG instead of CryptoAPI to store keysIn the last posts, I talked a bit about using CryptoAPI and CNG to manage encryption keys, and how using CNG sometimes requires some extra work. That begs the question – is that extra work justified? Continue »
Using a CNG-backed key as service account keyLast time, we looked at how you can use a CryptoAPI-backed key as a service account and use it to authenticate. Now let’s see how you can do the same with CNG. Continue »
Using a CryptoAPI-backed key as service account keyUsing service account keys to authenticate a service account is generally discouraged on Google Cloud, but sometimes difficult to avoid. The most common way to use service account keys is to create a new key by using the Cloud Console or gcloud, but you can also upload existing keys, including CryptoAPI-based keys. Continue »
Azure AD defaults to SAML Logout, but not all apps support thatWhen you create an enterprise app in Azure AD and configure SAML-based single sign-on, Azure AD assumes that the application also supports SAML for sign-out – but as it turns out, not all apps do. Continue »
Azure AD federation metadata, with or without authenticationWhen working with cloud services, you occasionally encounter two APIs that essentially do the same thing, but require different authentication or permissions. Such cases tend to pique my interest. Continue »
Limit metadata server access to specific Windows users or processesBy default, access to the Compute Engine metadata server is not limited to specific processes or users on a VM, even low-privilege processes can request service account credentials. Can we limit metadata server access to specific Windows users or processes? Continue »
Best practices for using, managing, and securing service accounts on Google CloudService accounts play a key role in Google Cloud IAM, but they are easy to get wrong. If you’re not careful, you quickly end up with over-permissioned service accounts, accounts that are used across multiple applications, and service account keys being spread all across your environment. Continue »
Using libssh2 on Windows: lessons learntDocumentation is not where libssh2 shines most. Continue »
Building libssh2 on Windows: lessons learntLibssh2 is written in plain C and runs on many platforms, including Windows. But to use the library on Windows, you have to build it first – and as it turns out, that is easier said than done. Continue »
Using Google Cloud’s “Set Windows password” function on a domain controllerWhat happens if you use the “Set Windows password” function on a domain controller? Continue »
Preventing users from requesting Windows credentials on GCPAfter creating a Windows VM on Google Cloud, users can use the Cloud Console or IAP Desktop to request login credentials. But what are the risks of letting users generate credentials, and is there a way to prevent them from doing so? Continue »
How IAP Desktop protects TCP tunnelsIn the last post, we looked at the risks of using local port forwarding and how it’s difficult to protect TCP tunnels in a multi-user environment. In this post, we take a look at how IAP Desktop protects its tunnels. Continue »
Hijacking other user’s TCP tunnelsIf you are a frequent SSH user, then you’ll be familiar with local port forwarding. Creating tunnels by using local port forwarding is useful, easy, but also not without risks. Continue »
Onboarding workforce identities to Google CloudIn a company’s journey to the cloud, one of the topics that is important to sort out early is identity management. To do anything meaningful with Google Cloud, employees need to be able to sign in to the Cloud Console – but manually creating user accounts for each employee is rarely a good idea. Continue »
Certificate enrollment: Creating a certificate signing request by using CertEnrollHaving covered the basics of certificate enrollment and relevant Windows APIs in previous posts, this post will look at how you can programmatically create a certificate signing requests by using the Certificate Enrollment API (CertEnroll). Continue »
Certificate enrollment: Crypto API, CNG, and other Windows APIsOne thing certreq and the Certificate Manager MMC snap-in have in common is that they rely heavily on Windows’ built-in APIs for managing certificates, encryption, and keys. This post takes a deeper look at which APIs Windows provides for cryptography, key management, certificate management, and certificate enrollment. Continue »
Certificate enrollment: Manually creating a certificate signing requestIn the last post, we looked at how certificates, private keys, and certificate signing requests relate to another. In this post, we’ll look at three common ways to create a certificate signing request (CSR) which can then be submitted to a certificate authority (CA) for signing. Continue »
Certificate enrollment: ConceptsMany of the protocols we use every day rely on certificates. The process to request and obtain a new certificate from a CA is called certificate enrollment. This post explains the basic concepts behind certificate enrollment. Continue »
Authenticating users in tools or desktop appsIf your plan is to develop a tool or desktop app instead of a server-side application, the benefits of application default credentials are less obvious and reusing the user’s personal gcloud credentials instead might seem attractive. But there are some pitfalls. Continue »
Application default credentials vs your personal gcloud credentialsgcloud manages two sets of credentials, your personal credentials and application default credentials. Having two separate credentials might seem redundant and can cause surprises the first time you use one of the Google Cloud client libraries. But the two credentials serve different purposes. Continue »