patterns & practices: WCF Security Guidance

WCF 3.5 Security Questions and Answers

Design Considerations

• How do I decide on an authentication strategy?
• How do I decide on an authorization strategy?
• When should I use message security vs. transport security?
• How do I use my existing Active Directory infrastructure?
• What bindings should I use over the Internet?
• What bindings should I use over the Intranet?
• When should I use resource-based authorization vs. roles-based authorization?
• When should I impersonate the original caller?
• When should I flow the original caller’s identity to back-end resources?
• How do I migrate to WCF from an ASMX web service?
• How do I migrate to WCF from a COM application?
• How do I migrate to WCF from a DCOM application?
• How do I migrate to WCF from a WSE application?

Auditing and Logging

• What WCF Service security events should be logged?
• How do I enable logging and auditing in WCF?
• How do I enable auditing in WCF?
• How do I stop my service if there has been an auditing failure?
• How do I log important business events in WCF?
• How do I implement log throttling in WCF?
• How do I use Health Monitoring Feature with WCF?
• How do I protect my log files?
• How to I pass user identity information in a message for auditing purpose?

Authentication

• How do I decide on an authentication strategy in WCF?
• When should I use brokered authentication?
• When should I use the SQL Server Membership provider?
• How do I authenticate against Active Directory?
• How do I authenticate against a SQL store?
• How do I authenticate against a custom store?
• How do I protect passwords in my user store?
• How do I use certificate authentication with X.509 certificates?
• What is the most common authentication scenario for intranet applications?
• What is the most common authentication scenario for internet applications?
• How do I support authentication for multiple client types?
• What is federated security?
• How do I send credentials in the message when I am using transport security?
• How do I avoid cleartext passwords?

Authorization

• How do I decide on an authorization strategy in WCF?
• What’s the difference between resource-based, roles-based and claims-based authorization?
• How do I use Windows groups for role authorization in WCF?
• How do I use the SQL Role provider for ASPNET role authorization in WCF?
• How do I use the Windows Token role provider for ASPNET role authorization in WCF?
• How do I use the Authorization Store role provider for ASPNET role authorization in WCF?
• What’s the difference between declarative and imperative roles authorization?
• How do I restrict access to WCF operations to specific Windows users?
• How do I associate roles with a certificate?
• What is a service principle name (SPN)?
• How do I create a service principle name (SPN)?

Bindings

• What is a binding?
• What bindings are available?
• Which bindings are best suited for the Internet?
• Which bindings are best suited for the Intranet?
• How do I choose an appropriate binding?

Configuration Management

• How do I encrypt sensitive data in WCF configuration file?
• How do I run a WCF Service with a particular identity?
• How do I create a service account for running my WCF Service?
• When should I use a configuration file versus the WCF object model?
• What is a metadata exchange (MEX) binding?
• How do I keep clients from referencing my service?

Exception Management

• How do I implement a global exception handler?
• What is a fault contract?
• How do I define a fault contract?
• How do I avoid sending exception details to the client?

Hosting

• How do I configure a least privileged account to host my service?
• When should I host my service in IIS?
• When should I host my service in a Windows service?
• When should I self-host my service?

Impersonation/Delegation

• What are my impersonation options?
• What is the difference between impersonation and delegation?
• How do I impersonate the original caller for an operation call?
• How do I temporarily impersonate the original caller in an operation call?
• How do I impersonate a specific (fixed) identity?
• What is constrained delegation?
• What is protocol transition?
• How do I flow original caller from ASP.NET client to WCF Service?
• What is the difference between declarative and programmatic impersonation?
• What is the trusted subsystem model?
• When should I flow the original caller to back-end code?
• How do I control access to a remote resource based on the original caller’s identity?

Input/Data Validation

• How do I implement input and data validation in WCF?
• What is schema validation?
• What is parameter validation?
• Should I validate before or after message serialization?
• How do I protect my service from denial of service attacks?
• How do I protect my service from malicious input attacks?
• How do I protect my service from malformed messages?

Message Protection

• When should I use message security?
• When should I use transport security?
• How do I protect my message when there are intermediaries routing my message?
• How do I protect my message when there are multiple protocols used during message transit?
• How do I implement partial message encryption?

Proxy Considerations

• When should I use a channel factory?
• When do I need to expose a metadata exchange endpoint for my service?
• How do I avoid proxy spoofing?

Sensitive Data

• How do I protect sensitive data in configuration files?
• How do I protect sensitive data in memory?
• How do I protect my metadata?
• How do I protect sensitive data from being read on the wire?
• How do I protect sensitive data from being tampered with on the wire?
• How do I authenticate a message was sent by the expected sender?
• How do I encrypt data within my message?

X.509 Certificates

• How do I create X.509 certificates?
• Do I need to create a certificate signed by the root CA certificate?
• How do I use X.509 certificate revocation?
• How do I authenticate users with X.509 certificates, and then perform role-based access control using an Active Directory domain?

Deployment Considerations

• What are the additional considerations for using WCF in a webfarm?
• How do I configure WCF for NATs and Firewalls?
• How do I configure Active Directory groups and accounts for role-based authorization checks?
• How do I create an X.509 certificate?
• When should I use a Service Principle Name (SPN)?
• How do I configure a least privileged account for my service?