The principle of least privilege states that we should grant users just enough access to carry out everyday activities, but no more. But what about the occasional case where a user does need privileged access, maybe to handle an incident or perform a rare configuration change? This is where just-in-time access can help.
When we allow users to use SSH to connect to Linux VMs on Google Cloud, we need to keep track of their public keys, and which VMs they have access to. The latest version of IAP Desktop makes that a little easier.
IAP Desktop uses a UI that’s similar to Visual Studio – we can dock tool windows, let them auto-hide when we don’t need them, or let them float as separate windows. But that flexibility didn’t apply to RDP windows… until now.
By default, IAP Desktop uses the ssh-rsa public key signature algorithm when authenticating to a Linux VM. That can be a problem in certain situations, which is why the latest version now adds support for ECDSA.
Workload identity federation lets us impersonate a Google Cloud service account by using credentials from an external identity provider. That’s a useful and powerful feature, but there are some things to watch out for.
Service accounts play a key role in Google Cloud IAM, and there are multiple ways in which service accounts can authenticate. One of them is by using a service account key – but service account keys turn into a security risk if they aren’t managed carefully.
Google Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this second part of the series, let’s look at how the build process works.
Google Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this first part of the series, let’s review how Windows Setup works.
Release 2.16 is out, and it contains multiple improvements to the Project Explorer tool window as well as more options to customize your SSH terminal.
By default, access to the Compute Engine metadata server is not limited to specific processes or users on a VM: even low-privilege processes can request service account credentials. Can we limit metadata server access to specific Windows users or processes?
Service accounts play a key role in Google Cloud IAM, but they are easy to get wrong. If you’re not careful, you quickly end up with over-permissioned service accounts, accounts that are used across multiple applications, and service account keys being spread all across your environment.
Libssh2 is written in plain C and runs on many platforms, including Windows. But to use the library on Windows, you have to build it first – and as it turns out, that is easier said than done.
IAP Desktop 2.13 now lets you connect to Linux instances by using SSH. You can run multiple SSH and Remote Desktop sessions in parallel, all secured by Identity-Aware Proxy.
Compute Engine uses googet to pre-install drivers and other critical system components on Windows VMs. But how do you update these packages if the VM does not have internet access?
After creating a Windows VM on Google Cloud, users can use the Cloud Console or IAP Desktop to request login credentials. But what are the risks of letting users generate credentials, and is there a way to prevent them from doing so?
If you frequently use Remote Desktop, then you might be used to creating .rdp files for the servers you connect to most often. IAP Desktop does not support .rdp files, but there is an alternative way to open IAP Desktop and connect to a server in a single click.
When you authenticate a user by using OpenID Connect and request the email scope, most identity providers add two additional claims to the ID Token, email and email_verified. The email claim does not need much explanation, but what about email_verified? What does this claim indicate, and how does Google populate it?