Keep your software packages smallIt wasn’t until 2004 that I got broadband internet at home. So I remember the times when downloading a new JDK (which was around 20 MB at the time) over my 56K modem line meant blocking my family’s phone line for 2 hours. Today, bandwidth doesn’t seem like a limiting factor anymore. But that doesn’t mean that download sizes for applications don’t matter. Continue »
Using registry-based group policies in applicationsGroup policies let you control and tweak thousands of Windows settings. But group policies aren’t limited to Windows or Microsoft applications. We can also use group policies to manage custom applications, either by registering a group policy extension for the app, or (more commonly) by using registry-based policies. Continue »
Managing IAP Desktop by using group policiesIAP Desktop 2.20 now lets you use group policies to ensure all users in your organization use consistent settings. Continue »
Playing certificate authority: Using Cloud KMS to sign certificate signing requestsLast time, we looked at how we can use a Cloud KMS asymmetric signing key to create a self-signed X.509 certificate. But we’re not limited to self-signed certificates. We can use Cloud KMS to sign other certificate signing requests too, just like a certificate authority (CA). Continue »
Using a Cloud KMS asymmetric signing key to create an X.509 certificateAfter you create an asymmetric signing key in Cloud KMS, you can download the key pair’s public key. The key is provided in PEM format – that’s pretty standard and all you need in many use cases. But especially when dealing with third party services, you sometimes need an X.509 certificate instead of a plain public key. Continue »
Best practices for managing service account keysService accounts play a key role in Google Cloud IAM, and there are multiple ways how service accounts can authenticate. One of them is by using a service account key – but service account keys turn into a security risk if they aren’t managed carefully. Continue »
Using IAM to control SSH and RDP accessWhenever we grant users SSH or RDP access to VM instances, we have to ensure that access is revoked when the user changes teams or leaves the organization. This is easier said than done. Continue »
Limiting the validity of service account keysWhen you create a service account key, Google Cloud doesn’t let you specify an expiry date. The key stays valid until you either delete the key or the entire service account. But there’s a way to limit the validity of a service account key. Continue »
Why use CNG instead of CryptoAPI to store keysIn the last posts, I talked a bit about using CryptoAPI and CNG to manage encryption keys, and how using CNG sometimes requires some extra work. That begs the question – is that extra work justified? Continue »
Using a CNG-backed key as service account keyLast time, we looked at how you can use a CryptoAPI-backed key as a service account and use it to authenticate. Now let’s see how you can do the same with CNG. Continue »
Using a CryptoAPI-backed key as service account keyUsing service account keys to authenticate a service account is generally discouraged on Google Cloud, but sometimes difficult to avoid. The most common way to use service account keys is to create a new key by using the Cloud Console or gcloud, but you can also upload existing keys, including CryptoAPI-based keys. Continue »
Azure AD defaults to SAML Logout, but not all apps support thatWhen you create an enterprise app in Azure AD and configure SAML-based single sign-on, Azure AD assumes that the application also supports SAML for sign-out – but as it turns out, not all apps do. Continue »
Azure AD federation metadata, with or without authenticationWhen working with cloud services, you occasionally encounter two APIs that essentially do the same thing, but require different authentication or permissions. Such cases tend to pique my interest. Continue »
Image creation on Google Cloud, part 2: Build processGoogle Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this second part of the series, let’s look at how the build process works. Continue »
Image creation on Google Cloud, part 1: Windows SetupGoogle Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this first part of the series, let’s review of how Windows Setup works. Continue »
IAP Desktop 2.16 improves the Project Explorer and lets you customize fontsRelease 2.16 is out, and it contains multiple improvements to the Project Explorer tool window as well as the ability to customize your SSH terminal better. Continue »
Limit metadata server access to specific Windows users or processesBy default, access to the Compute Engine metadata server is not limited to specific processes or users on a VM, even low-privilege processes can request service account credentials. Can we limit metadata server access to specific Windows users or processes? Continue »
Tracking GitHub downloads using Google SheetsIf you use GitHub releases to host download packages, then you’re probably interested in how often these packages are being downloaded. You’d expect that the GitHub website provided that information, but that’s not the case. Continue »
Best practices for using, managing, and securing service accounts on Google CloudService accounts play a key role in Google Cloud IAM, but they are easy to get wrong. If you’re not careful, you quickly end up with over-permissioned service accounts, accounts that are used across multiple applications, and service account keys being spread all across your environment. Continue »
Using libssh2 on Windows: lessons learntDocumentation is not where libssh2 shines most. Continue »