
Intranet - Web App to Remote WCF to SQL Server - Trusted subsystem

In this scenario, a Web server that runs ASP.NET pages connects to a WCF service on a remote server. This server in turn connects to a remote database server. The application relies on the WCF service for data retrieval. The basic model for this application scenario is shown in the following figure.

[Figure: scenario.gif]

Key Characteristics

  • Users have browsers that support Integrated Windows Authentication.
  • User accounts are in Active Directory within a single forest.
  • User roles are Windows groups.
  • The application server trusts the web server to authorize users, so the original caller's security context does not need to flow to the application server (WCF).
  • All tiers should use Windows authentication.

Solution – Web to Application to Database

[Figure: solution1.gif]

Solution Summary Table

Web Server

  • IIS / Configuration: A dedicated application pool is used and configured to run under a custom service account. Example: ServiceAccount1. More info: In the development environment use the Network Service account; in production use a custom domain service account.
  • IIS / Configuration: The web application is configured to run under the service account. More info: Assign the web application to the custom application pool.
  • IIS / Authentication: The IIS virtual directory is configured to use Windows Integrated Authentication. More info: Users will be authenticated with Windows authentication.
  • ASP.NET / Authentication: ASP.NET is configured for Windows Integrated authentication. Example: <authentication mode="Windows" />. More info: The web application will authenticate the service.
  • ASP.NET / Authorization: If you have role segmentation in your application, use URL authorization. More info: Authorized users have access to specific pages.
  • ASP.NET / Authorization: If required, role checks (the user's Windows group membership) are performed using the role manager APIs with WindowsTokenRoleProvider. More info: Ensure at this level that only authorized users can call the WCF service methods.
  • ASP.NET / Configuration: ASP.NET has a proxy reference to the WCF service. More info: The application has access to the WCF metadata to create a service reference.
  • WCF Proxy: The proxy invokes services with the security context of the service account without passing credentials. More info: The proxy invokes a WCF method on the service hosted on the application server using the "service" account.
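The web-tier rows above (role check with the role manager, then a proxy call under the process identity) as one page code-behind. This is an added example, not code from the original page; it assumes `<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />` in web.config, a generated proxy class `HelloServiceClient` for the service contract `IHelloContract` with a `GetGreeting` operation, a `ResultLabel` control on the page, and a Windows group `NPSCODE\AppUsers` (a constructed placeholder) that is allowed to call the service.

```csharp
using System;
using System.ServiceModel;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example (not from the original page). Assumes:
//  - role manager configured with WindowsTokenRoleProvider in web.config
//  - a generated proxy class HelloServiceClient for IHelloContract.GetGreeting
//  - NPSCODE\AppUsers is a constructed placeholder for the permitted Windows group
public partial class OrdersPage : Page
{
    private const string RequiredGroup = @"NPSCODE\AppUsers";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Role check against the original caller. WindowsTokenRoleProvider reads the
        // group SIDs already in the authenticated user's Windows token, so no password
        // and no extra directory round trip is involved.
        if (!Roles.IsUserInRole(RequiredGroup))
        {
            // The WCF service will not repeat this check (trusted subsystem), so the
            // web tier is the place where the caller must be stopped.
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // No credentials are set on the proxy: the call runs as the application pool
        // identity (Network Service or the custom domain service account), which is
        // the identity the WCF service authenticates with Windows authentication.
        var client = new HelloServiceClient();
        try
        {
            // The caller's name is passed as ordinary application data. The service
            // must treat it as a parameter, not as an authenticated identity.
            string greeting = client.GetGreeting(User.Identity.Name);
            ResultLabel.Text = HttpUtility.HtmlEncode(greeting);
            client.Close();
        }
        catch (CommunicationException)
        {
            client.Abort();   // Close() would throw again on a faulted channel
            throw;
        }
        catch (TimeoutException)
        {
            client.Abort();
            throw;
        }
    }
}
```

The explicit Close/Abort pair is used instead of a `using` block because disposing a faulted WCF channel throws and would mask the original exception.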


Application Server

  • IIS / Configuration: A dedicated application pool is used and configured to run under a custom service account. Example: ServiceAccount1. More info: In the development environment use the Network Service account; in production use a custom domain service account.
  • IIS / Configuration: The WCF service is configured to run under a service account. More info: Assign the WCF service to the custom application pool.
  • IIS / Authentication: The IIS virtual directory is configured to use Windows Integrated Authentication. More info: IIS validates the service account using Windows authentication.
  • IIS / Authentication: Anonymous access is disabled.
  • WCF Service / Authentication: The WCF service is configured to authenticate clients with Windows credentials. Example: <transport clientCredentialType="Windows" />. More info: basicHttpBinding with TransportCredentialOnly security mode and Windows credentials.
  • WCF Service / Authorization: ??? Example: ???. More info: Need to check whether the original user credentials can be passed even when the service account is used to call WCF.
  • WCF Service / Configuration: Configure the WCF service to use basicHttpBinding. Example: <endpoint binding="basicHttpBinding" … />. More info: This is required when you need to pass credentials without being forced to use SSL.
  • WCF Service / Configuration: The database connection string is configured to use Windows authentication. Example: The connection string includes Integrated Security=SSPI or Trusted_Connection=Yes. More info: Use the WCF / ASP.NET process identity to access the database.
  • WCF Service / Configuration: Encrypt the connection string section. Example: Use a protected configuration provider (DPAPI on a single machine, RSA in a web farm). More info: The tradeoff is added deployment complexity versus keeping the database name and location secret.
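The application-server rows above (Windows-authenticated basicHttpBinding, database access under the process identity with Integrated Security=SSPI, and a protected connectionStrings section) carried through in code. This is an added example, not code from the original page; it assumes a contract `IHelloContract` with one operation, a stored procedure `dbo.GetGreeting` on which the service account has EXECUTE, a connectionStrings entry named `AppDb`, and that the web tier runs as `NPSCODE\aspnethost` (the account from the setspn command later on this page). The identity check in `GetGreeting` is narrower than authorization of end users, which the page deliberately leaves out: it only confirms that the caller is the web tier's own account, which is what "trusting the web server" relies on.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;
using System.Web.Configuration;

// Added example (not from the original page). Assumes IHelloContract, dbo.GetGreeting,
// the "AppDb" connection string and the web-tier account NPSCODE\aspnethost.
[ServiceContract]
public interface IHelloContract
{
    [OperationContract]
    string GetGreeting(string callerName);
}

public class HelloService : IHelloContract
{
    // In a trusted subsystem the web tier's process account is the only expected client.
    private const string WebTierAccount = @"NPSCODE\aspnethost";

    public string GetGreeting(string callerName)
    {
        // The caller identity comes from the transport (IIS Windows authentication), not
        // from the message body. It is the web server's service account, not the browser
        // user, because the proxy neither impersonated nor forwarded the original caller.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        WindowsIdentity caller = ctx == null ? null : ctx.WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated ||
            !string.Equals(caller.Name, WebTierAccount, StringComparison.OrdinalIgnoreCase))
        {
            throw new FaultException("Caller is not the trusted web tier.");
        }

        // Database access uses the WCF process identity (Integrated Security=SSPI), so
        // every call shares one SQL login and connections are pooled. The login only
        // needs EXECUTE on the procedures it calls; callerName is just a parameter.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("dbo.GetGreeting", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@callerName", SqlDbType.NVarChar, 256).Value = callerName;
            conn.Open();
            return Convert.ToString(cmd.ExecuteScalar());
        }
    }
}

public static class HostingHelpers
{
    // Programmatic equivalent of <security mode="TransportCredentialOnly">
    // <transport clientCredentialType="Windows" /> on basicHttpBinding:
    // Windows authentication over plain HTTP, so SSL is not forced.
    public static BasicHttpBinding CreateTrustedSubsystemBinding()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return binding;
    }

    // Encrypts <connectionStrings> in web.config in place with DPAPI (single machine).
    // Use "RsaProtectedConfigurationProvider" when the same key must exist on every
    // node of a web farm. Run once at deployment under an account that can write the file.
    public static void ProtectConnectionStrings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save();
        }
    }
}
```

`ConfigurationManager.ConnectionStrings` decrypts a protected section transparently at run time, so the service code does not change once the section is encrypted; only the account that ran `ProtectConnectionStrings` (DPAPI machine scope) or holds the RSA key container can read it.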


Database Server

  • Configuration: A SQL Server login is created for the application's service account (process identity).
  • Configuration: The login is mapped to a database user for the web application.
  • Authentication: SQL Server is configured to use Windows authentication. More info: SQL Server authorizes the user.
  • Authorization: The database user is placed in a database role for the web application. More info: SQL Server authorizes the role rather than the user login.
  • Authorization: Database permissions are granted to the database role. More info: Grant only execute permissions on the necessary stored procedures.


Communication Security

  • Browser to web server: SSL is used between the browser and the web server to protect sensitive data on the wire.
  • Web server to application server: To protect sensitive data with transport-level security, use SSL. To protect sensitive data with message-level security, encrypt and sign messages using the Windows token.
  • Application server to database: IPSec or SSL can be used between the application server and the database server to protect sensitive data on the wire.

Analysis

Authentication

  • On the web server, Integrated Windows authentication is used in IIS because all users have Windows accounts. The benefit of Integrated Windows authentication is that the user's password is never sent over the network. Additionally, the logon is transparent to the user because Windows uses the current interactive user's logon session.
  • On the application server, WCF uses Windows Integrated authentication because the service account, whether Network Service or a custom domain service account, has a Windows identity, which allows positive authentication; additionally, if message security is required, the Windows token can be used to encrypt and sign the message.
  • Using Windows authentication to SQL Server means that you avoid storing credentials in files and passing credentials over the network to the database server.

Authorization

  • In the ASP.NET application on the web server, URL authorization is used to perform role checks against the original caller to restrict access to pages.
  • In the ASP.NET application on the web server, role-based authorization on the original caller's Windows group membership is used to control access to the WCF service methods.
  • No authorization is used in the WCF service, as it trusts and relies on the web server to grant access only to authorized users.
  • The WCF service accesses local system resources and the database using the ASP.NET / WCF process identity. As a result, all calls are made using the single process account, which enables database connection pooling.

Administration

  • The ASP.NET application on the web server runs under the security context of the service account, which is a least-privileged local / domain account, so potential damage from compromise is mitigated.
  • If sensitive data is being passed between the browser and the web server, consider using SSL, which will protect the data.
  • The WCF service on the application server runs under the security context of the service account, which is a least-privileged local / domain account, so potential damage from compromise is mitigated.
  • If the web server and application server are in a trusted environment and you don't need transport-level security, use basicHttpBinding.
  • If the web server and WCF service exchange sensitive data that needs to be protected, use transport-level security (which requires SSL) or message-level security, where the messages are encrypted and signed using the Windows token.
  • SQL Server database user roles are preferred to SQL Server application roles, to avoid the password management and connection pooling issues associated with application roles.
  • The database user is added to a database role and permissions are assigned to the role, so that if the database account changes you don't have to change the permissions on all database objects.
  • If the sensitive data exchanged between the WCF service and the database is to be protected, consider using IPSec / SSL.

ASP.NET Compatibility

A WCF service hosted in IIS can run in ASP.NET compatibility mode. For this to happen, an entry in the configuration file needs to be included and an attribute also needs to be applied at the service level.
  • Configuration entry
<system.serviceModel>
  <!-- must be "true" to turn compatibility mode on; "false" (the default) leaves it off -->
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
  • Attribute on the service class
using System.ServiceModel;
using System.ServiceModel.Activation;

[ServiceBehavior]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
class BarService : IHelloContract
{
    // Service operations go here; with compatibility mode enabled they can use HttpContext.Current.
}
  • Using ASP.NET compatibility mode provides the following benefits:
    • ASP.NET impersonation, if WCF impersonation is not enabled. If WCF impersonation is enabled, it prevails over ASP.NET impersonation.
    • ASP.NET session state, which provides a shared state mechanism that survives app domain recycles and is supported in web farm environments.
    • File and URL authorization in ASP.NET.
    • HttpContext.Current features, which are also present in their OperationContext.Current WCF counterpart.
    • Globalization and configuration in ASP.NET.
    • Support for cookies with the HttpTransportBindingElement.AllowCookies binding configuration.
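A service that actually uses compatibility mode, as an added example that is not part of the original page. It shows the `Required` setting (rather than `Allowed`) and the null check that matters when the mode is off. The contract `IVisitCounter`, its operation and the session key are assumptions; the service is assumed to be hosted in IIS with aspNetCompatibilityEnabled="true".

```csharp
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

// Added example (not from the original page). Assumes hosting in IIS with
// <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>.
[ServiceContract]
public interface IVisitCounter
{
    [OperationContract]
    int IncrementVisits();
}

// Required (not Allowed) makes activation fail at startup when compatibility mode is
// off, which is easier to diagnose than a null HttpContext.Current at call time.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class VisitCounterService : IVisitCounter
{
    private const string SessionKey = "visits";   // constructed key name

    public int IncrementVisits()
    {
        // HttpContext.Current is populated only in compatibility mode; outside it the
        // WCF counterpart OperationContext.Current is the only context available.
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null)
        {
            throw new FaultException("ASP.NET compatibility mode with session state is required.");
        }

        // ASP.NET session state: survives app domain recycles and works across a web farm
        // when an out-of-process state store is configured.
        int visits = (ctx.Session[SessionKey] as int?) ?? 0;
        visits++;
        ctx.Session[SessionKey] = visits;
        return visits;
    }
}
```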

Service Accounts

When deciding on the service accounts to use, consider whether it is a development or a production scenario. In a development scenario, use the easier method to avoid overhead; in a production scenario, ensure the account is secure and practical for the production environment.

Development Scenario

  • The local Network Service account can be used on both the web and WCF servers. The Network Service account is identified as the machine account in the domain and can therefore be used for Windows authentication.

Production Scenario

  • Create a custom domain service account with least privilege. For more information, see "How To: Create a Service Account for an ASP.NET 2.0 Application" at http://msdn2.microsoft.com/en-us/library/ms998297.aspx
  • The same domain account can be used on both the web and WCF servers. If a domain account is used, a service principal name must be created for the domain account for Kerberos to work:
    setspn -a http/perfapp01.npscode.com npscode\aspnethost
  • In web farm configurations a domain account must be used instead of the local Network Service account. Additionally, an SPN identity must be configured in the endpoint configuration so that clients can authenticate the service:
    <identity>
      <servicePrincipalName value="HOST/perfapp01.npscode.com" />
    </identity>

Auditing and Logging

  • Auditing of authorization and authentication in WCF can be configured via a service behavior. Configure the service behavior as follows:
    <serviceSecurityAudit serviceAuthorizationAuditLevel="Failure"
                          messageAuthenticationAuditLevel="Failure" />
  • Logging can be configured to log messages at the transport or message level:
<system.diagnostics>
 <sources>
   <source name="System.ServiceModel" switchValue="Off,ActivityTracing"
     propagateActivity="true">
     <listeners>
       <add type="System.Diagnostics.DefaultTraceListener" name="Default">
         <filter type="" />
       </add>
       <add name="ServiceModelTraceListener">
         <filter type="" />
       </add>
     </listeners>
   </source>
   <source name="System.ServiceModel.MessageLogging" switchValue="Warning, ActivityTracing">
     <listeners>
       <add type="System.Diagnostics.DefaultTraceListener" name="Default">
         <filter type="" />
       </add>
       <add name="ServiceModelMessageLoggingListener">
         <filter type="" />
       </add>
     </listeners>
   </source>
 </sources>
 <sharedListeners>
   <add initializeData="c:\pag\wcfservice1\web_tracelog2.svclog"
     type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
     name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
     <filter type="" />
   </add>
   <add initializeData="c:\pag\wcfservice1\web_messages4.svclog"
     type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
     name="ServiceModelMessageLoggingListener" traceOutputOptions="DateTime, Timestamp, ProcessId, ThreadId">
     <filter type="" />
   </add>
 </sharedListeners>
 <trace autoflush="true" />
</system.diagnostics>
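The audit behavior above built in code, as an added example that is not part of the original page. It sets the same two audit levels as the configuration snippet and also sets two properties the snippet leaves at their defaults (the log location and whether audit-write failures are suppressed), which are the settings a service owner usually wants to decide explicitly. The contract `IPingContract`, the `PingService` class and the base address are constructed placeholders.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example (not from the original page). IPingContract, PingService and the
// base address are constructed placeholders standing in for the real service.
[ServiceContract]
public interface IPingContract
{
    [OperationContract]
    string Ping();
}

public class PingService : IPingContract
{
    public string Ping() { return "pong"; }
}

public static class AuditedHost
{
    public static ServiceHost Create()
    {
        var host = new ServiceHost(typeof(PingService), new Uri("http://localhost/wcfservice1"));

        // Equivalent of <serviceSecurityAudit serviceAuthorizationAuditLevel="Failure"
        //                                     messageAuthenticationAuditLevel="Failure" />
        var audit = host.Description.Behaviors.Find<ServiceSecurityAuditBehavior>();
        if (audit == null)
        {
            audit = new ServiceSecurityAuditBehavior();
            host.Description.Behaviors.Add(audit);
        }
        audit.ServiceAuthorizationAuditLevel = AuditLevel.Failure;
        audit.MessageAuthenticationAuditLevel = AuditLevel.Failure;

        // Writing to the Security log needs the "Generate security audits" privilege
        // (SeAuditPrivilege). Network Service has it; a custom least-privilege domain
        // service account normally does not, so the Application log is the safe choice.
        audit.AuditLogLocation = AuditLogLocation.Application;

        // Default is true: a failed audit write is swallowed and the call proceeds, so a
        // broken audit channel goes unnoticed. With false, the call faults instead.
        audit.SuppressAuditFailure = false;

        return host;
    }
}
```

Authentication failures audited this way land in the event log with the caller's account name, which is what makes an unexpected client (anything other than the web tier's service account) visible in a trusted-subsystem deployment.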

Last edited Jan 17, 2008 at 4:01 AM by prashantbansode, version 3
