Managing IAP Desktop by using group policies
IAP Desktop 2.20 now lets you use group policies to ensure all users in your organization use consistent settings. Continue »
Last time, we looked at how we can use a Cloud KMS asymmetric signing key to create a self-signed X.509 certificate. But we’re not limited to self-signed certificates. We can use Cloud KMS to sign other certificate signing requests too, just like a certificate authority (CA). Continue »
After you create an asymmetric signing key in Cloud KMS, you can download the key pair’s public key. The key is provided in PEM format – that’s pretty standard and all you need in many use cases. But especially when dealing with third party services, you sometimes need an X.509 certificate instead of a plain public key. Continue »
Whenever we grant users SSH or RDP access to VM instances, we have to ensure that access is revoked when the user changes teams or leaves the organization. This is easier said than done. Continue »
When you create a service account key, Google Cloud doesn’t let you specify an expiry date. The key stays valid until you either delete the key or the entire service account. But there’s a way to limit the validity of a service account key. Continue »
In the last posts, I talked a bit about using CryptoAPI and CNG to manage encryption keys, and how using CNG sometimes requires some extra work. That begs the question – is that extra work justified? Continue »
Last time, we looked at how you can use a CryptoAPI-backed key as a service account and use it to authenticate. Now let’s see how you can do the same with CNG. Continue »
Using service account keys to authenticate a service account is generally discouraged on Google Cloud, but sometimes difficult to avoid. The most common way to use service account keys is to create a new key by using the Cloud Console or gcloud, but you can also upload existing keys, including CryptoAPI-based keys. Continue »
Google Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this second part of the series, let’s look at how the build process works. Continue »
Google Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this first part of the series, let’s review how Windows Setup works. Continue »
Release 2.16 is out, and it contains multiple improvements to the Project Explorer tool window as well as the ability to customize your SSH terminal better. Continue »
By default, access to the Compute Engine metadata server is not limited to specific processes or users on a VM: even low-privilege processes can request service account credentials. Can we limit metadata server access to specific Windows users or processes? Continue »
Documentation is not where libssh2 shines most. Continue »
Libssh2 is written in plain C and runs on many platforms, including Windows. But to use the library on Windows, you have to build it first – and as it turns out, that is easier said than done. Continue »
IAP Desktop 2.13 now lets you connect to Linux instances by using SSH. You can run multiple SSH and Remote Desktop sessions in parallel, all secured by Identity-Aware Proxy. Continue »
Compute Engine uses googet to pre-install drivers and other critical system components on Windows VMs. But how do you update these packages if the VM does not have internet access? Continue »
What happens if you use the “Set Windows password” function on a domain controller? Continue »
After creating a Windows VM on Google Cloud, users can use the Cloud Console or IAP Desktop to request login credentials. But what are the risks of letting users generate credentials, and is there a way to prevent them from doing so? Continue »
13 years ago, I wrote NTrace, a dynamic function boundary tracing toolkit for Windows NT inspired by DTrace. NTrace supported both user-mode and kernel mode tracing and, like DTrace, was able to instrument machine code on the fly. Continue »
If you frequently use Remote Desktop, then you might be used to creating .rdp files for the servers you connect to most often. IAP Desktop does not support .rdp files, but there is an alternative way to open IAP Desktop and connect to a server in a single click. Continue »