I'm trying to prevent unauthorized access to the google cloud console, via desktop and also via mobile device.
Via desktop, for example, when I try to access the admin workspace, even though I already have my account logged in, it asks me for the password again, I think that's good, would it be possible to do the same when accessing the google cloud console?
Let's say I got careless and left the computer unlocked with the browser opened, if the attacker tries to open the GCP console, he would succeed, I'm not comfortable with that.
And especially via mobile, let's say someone takes my phone and manages to unlock it, it would access the console freely.
Of course I've already enabled 2-factor authentication on my account, but as I said, if someone took my cell phone and managed to unlock or even unlock my computer, the attacker would access it without any difficulty.
At least configure to request the password again, is it possible to do with GCP?
Thanks!
One can set a very low session length time window: https://support.google.com/a/answer/9368756?hl=en
While one is at it restrict access based on IP address: Can you restrict Google Cloud web console logins to an ip address range?
Finally one can restrict service apis to private vpc ranges:
https://cloud.google.com/vpc-service-controls/docs/set-up-private-connectivity
What this all does is:
A) timeout the session while your away from keyboard
B) restrict web/mobile console logins to a whitelist of trusted /32's
C) restrict access to GCP to a trusted VPC and VPN connection.
Related
I have an IIS website on a server internal to my domain that is also published via azure application proxy, which is secured using windows authentication. Our AD structure is hosted locally and published to Azure AD via AD connect.
Users visiting from outside the domain are authenticated first via the login.microsoftonline.com page.
My problem is that users external to the domain are on shared devices and need to change users occasionally, and I can't figure out how to do that.
I have read that navigating to an url like https://login.microsoftonline.com/{tenant id}/oauth2/logout?client_id={client id}&post_logout_redirect_uri={???} is supposed to achieve this, but after arriving at the login page and logging in as a different user, when we return to the site the user turns out not to be the user that authenticated, but remains the same user as before the attempt to change the user.
I have also read that deleting the cookies named like AzureAppProxyUserSessionCookie, AzureAppProxyAnalyticCookie and AzureAppProxyAccessCookie can help, but doing so does not seem to make any difference.
I thought that perhaps the browser was auto-authenticating or pre filling in forms etc, but turning those features off does not affect anything.
My questions are:
Are any log-off / log-on via Azure AD event logs kept that I can view, and if so, where?
How are you meant to log-off for my scenario?
Context:
We have a VSTS account https://blahblahblah.visualtudio.com
We have configured it to block outside access by using Azure Premium conditional access and specifying the public IPs of our work network. So interactive access is blocked from clients outside the internal network.
But this does not block Personal Access Tokens (PATs). Nor do I see a setting to disable or block use of PATs. PATs can allow access to most of the data in our VSTS account via the REST API. Without a mechanism like the Azure AD Premium conditional access (whitelist), anyone in the world could access or modify our data by merely stealing a PAT. This seems like a huge security hole to me. Am I missing a control for that vulnerability?
Ideally, we would have a whitelist in VSTS instead of having to rely on Azure AD Premium. then the VSTS service would block both interactive and API calls that did not originate in our designated safe locations. But that does not exist so far as I know.
So, how can we protect our data from users out in the world who might access our account data via the API path and a stolen PAT?
You can disable Basic Authentication and Alternate Credentials, but that will also disable a few features on VSTS (like SSH Git and Git access from some tools that don't support the OAuth workflow).
Personal Access Token cannot be disabled this way unfortunately. Though you could have people limit the scope to their tokens and have them only create limited time tokens.
It's likely that in the future the integration with AAD will be tighter and will be able to check AAD Conditional Access.
Another important note: Once the user has logged on using AAD, they can take their laptop/device with them to another location. As long as the AAD authentication is still valid, they will not be blocked access from the other location. Conditional Access is checked upon login and renewal of the token in the case of VSTS as far as I know.
Right now only due diligence on the side of your users can prevent unauthorized access to your account. Have them treat their PAT the same way as they treat other important secret information. Use short duration PAT's, limit their scope to only what is needed and store them securely, in a Password vault like Lastpass or Keepass.
PS: in a cloud world where machines regularly get new IP addresses assigned and where IPv6 will make it harder to single out groups of machines, pure IP restrictions are not the way to keep your data safe. IP is also one of the things that is relatively easily spoofed or hidden.
I am using Azure Mobile Apps with deployment slots, with the service provider for login being Microsoft. I have some odd behaviour, during swapping and the users relogin.
Is the performance better/different for AD? [read that it was not for GA yet?]
I am developing in a developer slot with everything specifically configured for this environment, the test and updates are working. I upload the server to staging, now utilizing the same db and settings (except microsoft authentication). The server is again verified to be working both on client and server.
I then use swap to change the staging and production slots. The production slot has the microsoft account login settings.
Upon swap the login by users are continuing indefinitely (no timeout, i.e. several minutes running without any stop) if, the referesh token call is made, as per this link:
//retrieve user info
user = new MobileServiceUser(credential.UserName);
credential.RetrievePassword();
//refresh token
user.MobileServiceAuthenticationToken = credential.Password;
JObject refreshJson = (JObject)await ((App)Application.Current).MobileService.InvokeApiAsync(
"/.auth/refresh",
System.Net.Http.HttpMethod.Get,
null);
My initial question is therefore is it possible to insert a timeout e.g. 2 seconds on the call to force the user to re-enter their credentials?
Because it seems to work if the user logs out and then back in with normal login procedure:
user = await ((App)Application.Current).MobileService.LoginAsync(provider);
credential = new PasswordCredential(provider.ToString(), user.UserId, user.MobileServiceAuthenticationToken);
vault.Add(credential);
string newToken = refreshJson["authenticationToken"].Value<string>();
Question(s)
Is it possible to insert timeout on MobileServiceClient.invokeApiAsync calls?
Is there some setting that can be set so the swap mechanism does not introduce this issue?
Is there a way to improve the login/relogin flow, the users are complaining that the login is failing often. I cannot replicate it in other instances than during the swap. Can this be because of distance to the server?
Therefore would Traffic Manager be a solution? However, I cannot see how it should be enabled if I am using microsoft login. Since a service is bound to an application name for authentication. How should the Traffic Manager be used in this respect?
Is there some setting that can be set so the swap mechanism does not introduce this issue?
Not sure if this applies to your case, but there is a known issue where certain app settings can actually cause issues with swapping. Do you have any app settings defined that end with _EXTENSION_VERSION or that start with WEBSITE_AUTH_? If so, try removing them and see if that resolves the issues you're seeing.
Is there a way to improve the login/relogin flow, the users are complaining that the login is failing often. I cannot replicate it in other instances than during the swap. Can this be because of distance to the server?
I've never head of an issue like this. Anymore details on the failure you can provide, such as a status code? One thing you can do is enable Application Logging and you should be able to get detailed information about the refresh failures.
Therefore would Traffic Manager be a solution? However, I cannot see how it should be enabled if I am using microsoft login. Since a service is bound to an application name for authentication. How should the Traffic Manager be used in this respect?
I think the way to make this work is to use a single Microsoft account application for all mobile app backends that are being load-balanced by traffic manager. The redirect URL that gets configured needs to use the common host name that is registered with Traffic Manager.
Is it possible to insert timeout on MobileServiceClient.invokeApiAsync calls?
From the API, It seems we can not set timeout in this method, refer to https://msdn.microsoft.com/en-us/library/azure/mt691682%28v=azure.10%29.aspx?f=255&MSPPError=-2147217396 for more details.
Myself and a friend have a single user id to login to a website. I can login to the site but he has to wait until I log out to use the site on the same login id. Ive seen lots of screen sharing apps, looked at lots of ideas but technically it can be done im sure.
I want to login on my pc, he wants to access the site from a differnt pc.
Whats the easiest way to do this? I am using thinking about using opencoweb and iframes to simply share the session browser state and information. Is it possible?
Should I be able to do this with deploying an iframed page on app server?
buy another subscription to that service - or put a proxy on your computer and tell your friend to connect to that site through your proxy
First of all, you both should connect to the site from a single proxy server, so your ip will be the same. After one of you login into his account, the other should copy this site cookies to his computer. The site will check cookie and ip, it will be unable to distinguish between you.
No proxy needed. Simply copy the cookie file, import it via the other browser and you are done.
How can i restrict access to the admin/ section of my website? I can't limit it by IP address because we need to sometimes access the admin/ section from remote client locations (when giving a demo, etc).
there is of course, an admin username/password - but what else can i do?
Most applications just use a username/password for access control, and that's generally sufficient. Some that require extra security use two-factor authentication, which might mean using a token that you carry with you (e.g. a device that generates a token that's kept in sync with a server) or a token that is sent to you (e.g. the system sends a text message to your phone with a token that you have to type in in addition to your password).
An easier option is to authenticate using a client certificate; you can carry the cert around with you on a thumb drive in case you're at a remote location (just remember to remove the certificate from the remote machine when you're done).
Here's a nice write-up on client certificate authentication.
Another option is to only allow connections from your local network, and then use VPN to join a remote machine to a local network.
if the admin interface is in an seperate folder, you can use .htaccess and http auth. the same can be done using e.g. rails to restrict access to certain routes (controllers).