If you're building Web services or if you're implementing SOA on the Microsoft platform , then you're probably either working with or exploring WCF (Windows Communication Foundation.)   When we started our patterns & practices WCF Security Guidance project, one of the first things I did was compile a list of WCF security resources for our team.  This helped us quickly ramp up and as well as see gaps.  One thing that surprised me is how much is available in the product documentation, if you know where to look.  Here's a preliminary look at our WCF Security resources index which we'll include in our WCF Security Guide: 

Getting Started

• Microsoft
  MSDN Library - Fundamental Windows Communication Foundation Concepts
• MSDN Library – Windows Communication Foundation Security
• WCF Security Documentation

Community

• DevX.com - Fundamentals of WCF Security, by Michèle Leroux Bustamante
• Server Side - WCF Security Learning Guide ,by Brent Sheets

Articles

Microsoft

• MSDN Library - The .NET Developer's Guide to Identity, by Keith Brown
• MSDN Magazine - Identity - Secure Your ASP.NET Apps And WCF Services With Windows CardSpace by Michèle Leroux Bustamante
• MSDN Magazine - IIS 7.0 - Extend Your WCF Services Beyond HTTP With WAS by Dominick Baier, Christian Weyer, and Steve Maine
• MSDN Magazine - Security Briefs - Exploring Claims-Based Identity - Keith Brown
• MSDN Magazine - Security Briefs - Limited User Problems and Split Knowledge, By Keith Brown
• MSDN Magazine - Security Briefs - Security in Windows Communication Foundation, by Keith Brown
• MSDN Magazine - Service Station - WCF Messaging Fundamentals by Aaron Skonnard

Community

• DevX.com - Fundamentals of WCF Security, by Michèle Leroux Bustamante
• TheServerSide.NET - Building a Claims-Based Security Model in WCF, by Michele Leroux Bustamente
• TheServerSide.NET - Building a Claims-Based Security Model in WCF - Part 2, by Michele Leroux Bustamente
• TheServerSide.NET - Securing Your WCF Service, by William Tay
• TopXML - BizTalk and WCF: Part II, Security Patterns, by Richard Seroter

Blogs

Microsoft

• J.D. Meier
• Kim Cameron
• Kenny Wolf
• Nicholas Allen
• Ralph Squillace
• Steve Maine
• Tomasz Janczuk
• Vittorio Bertocci
• Wenlong Dong

Community

• Dominick Baier
• Keith Brown
• Michèle Leroux Bustamante
• Thomas Restrepo

Channel9

Podcasts

• ARCast - Secure, Reliable Transacted Messaging with WCF (Part 1)
• ARCast - Secure, Reliable Transacted Messaging with WCF (Part 2)

ARCast.TV

• ARCast.TV - WCF Session Behavior from Slovenia

Videos

• Vittorio Bertocci: WS-Trust - Under the Hood

Tags

• WCF tag

Documentation (MSDN Product Documentation)

Overview

• Architecture
• Concepts
• Distributed Application Security
• Overview
• Security Architecture
• Terminology

Guidance

• Best Practices
• Best Practices for Queued Communication
• Best Practices for Reliable Sessions

Scenarios

• Common Scenarios
• Identity Model Scenarios

Threats and Countermeasures

• Threats and Countermeasures

Topics

• Auditing
• Authentication
• Authorization
• Authorization Mechanisms
• Bindings and Security
• Claims-Based Authorization
• Configuration Schema - Configuration Schema
• Federation and Issued Tokens
• Hosting
• Impersonation and Delegation
• Impersonation with Transport Security
• Message Security in WCF
• Partial Trust
• Reliable Sessions Overview
• SAML Tokens and Claims
• Security Capabilities with Custom Bindings
• Secure Conversations and Secure Sessions
• Securing Services and Clients
• SSL
• Transport Security Overview
• X.509 Certificates

How Tos

• How to: Audit Windows Communication Foundation Security Events
• How to: Configure Credentials on a Federation Service
• How to: Configure a Local Issuer
• How to: Configure a Port with an SSL Certificate
• How to: Consistently Reference X.509 Certificates
• How to: Create a Custom Binding Using the SecurityBindingElement
• How to: Create a Federated Client
• How to: Create a Secure Session
• How to: Create a Security Token Service
• How to: Create a Stateful Security Context Token for a Secure Session
• How to: Create a Supporting Credential
• How to: Create Temporary Certificates for Use During Development
• How to: Create a WSFederationHttpBinding
• How to: Create a Custom Reliable Session Binding with HTTPS
• How to: Disable Encryption of Digital Signatures
• How to: Disable Secure Sessions on a WSFederationHttpBinding
• How to: Enable Message Replay Detection
• How to: Exchange Messages Within a Reliable Session
• How to: Impersonate a Client on a Service
• How to: Make X.509 Certificates Accessible to WCF
• How to: Obtain a Certificate (WCF)
• How to: Restrict Access with the PrincipalPermissionAttribute Class
• How to: Retrieve the Thumbprint of a Certificate
• How to: Secure Messages within Reliable Sessions
• How to: Secure a Service with Windows Credentials
• How to: Secure a Service with an X.509 Certificate
• How to: Set Up a Signature Confirmation
• How to: Set a Max Clock Skew
• How to: Specify the Certificate Authority Certificate Chain Used to Verify Signatures (WCF)
• How to: Use the ASP.NET Authorization Manager Role Provider with a Service
• How to: Use the ASP.NET Membership Provider
• How to: Use the ASP.NET Role Provider with a Service
• How to: Use a Custom User Name and Password Validator
• How to: Use Multiple Security Tokens of the Same Type
• How to: Use Transport Security and Message Credentials
• How to: View Certificates with the MMC Snap-in

Guides

Community

• dasblonde.net - WCF Security Fundamentals, by Michèle Leroux Bustamante
• Server Side - WCF Security Learning Guide, by Brent Sheets

Posts

Microsoft

• Alexander Strauss   - WCF - Let's Start The Dialogue
• Alik Levine  - How To Consume WCF Using AJAX Without ASP.NET

Community

• Dominick Baier  - Using IdentityModel: Authorization Policies, Context and Claims Transformation
• Dominick Baier  - Using IdentityModel: Creating Custom Claim Sets
• Dominick Baier  - Using IdentityModel: Typical Operations on Claim Sets
• Dominick Baier  - Using IdentityModel: Windows and X509Certificate Claim Sets
• Dominick Baier  - Using IdentityModel: Inspecting Claim Sets
• Dominick Baier  - Using IdentityModel: Claim Sets
• Dominick Baier  - Using IdentityModel: Claims
• Dominick Baier  - Be careful with ServiceAuthorizationManager.CheckAccess()
• Dominick Baier  - UserName SupportingToken in WCF
• Paolo Pialorsi - WCF Custom Authentication and Impersonation
• Tomas Restrepo  - WCF Configuration Complexity

patterns & practices

• WCF Security Guidance Package

Product Support Services (PSS)

• WCF Troubleshooting Quickstart

Samples

Microsoft

• Basic Windows Communication Foundation Technology Samples
• Windows Communication Foundation Samples

Community

• WCF Security Full Demo 

Videos

• MSDN TV - Windows Communication Foundation Bindings and Channels by Clemens Vastor
• MSDN Webcast: Windows Communication Foundation Top to Bottom (Part 10 of 15): Security Fundamentals (Level 200)

Web Casts

MSDN Support WebCasts

• MSDN Support WebCast: Building distributed services on the Windows Communication Foundation

For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF Security Practices at a Glance.  Practices At a Glance gives you a bird's-eye view of how to perform common tasks.  They are scannable and outcome-driven so that you can quickly browse the problem/solution pairs.  Rather than a laundry list of granular tasks, we organize them by our Web Services Security frame (still evolving.)

Categories
Here's how we grouped our WCF Security Practices at a Glance so far:

• Auditing and Logging
• Authentication
• Authorization
• Configuration Management
• Deployment Considerations
• Exception Management
• Hosting
• Impersonation/Delegation
• Input Validation
• Message Security
• Proxy Considerations
• Sensitive Data
• Transport Security

Here's a snapshot of the problems solved from our Practices At a Glance, but you can see our answers explained at our WCF Security Guidance project site.

Auditing and Logging

• How to audit authentication events
• How to audit authorization events
• How to enable WCF message logging
• How to enable WCF tracing
• How to use Health Monitoring in WCF
• How to view log information
• How to view trace information
• How to log traces to a WMI provider
• How to turn off audit failure suppression

Authentication

• How to authenticate users against the SQL Membership Provider
• How to authenticate users against Active Directory
• How to authenticate users against Active Directory without windows authentication
• How to authenticate users with certificates
• How to map certificates with windows accounts
• How to authenticate users against a custom user store
• How to authenticate users with Kerberos direct to support non-WCF clients with windows authentication

Authorization

• How to authorize imperatively
• How to authorize declaratively
• How to authorize users against Windows groups
• How to authorize users against Windows groups using the AspNetWindowsTokenRoleProvider
• How to authorize users against the SQL Role Provider
• How to authorize users against the ASP.Net Role Provider
• How to assign the current principal with IAuthorizationPolicy to allow authorization using custom authentication

Configuration Management

• How to encrypt sensitive data in your configuration files
• How to run your service under a specific identity
• How to create a service account for your WCF service
• How to stop clients from referencing your service
• How to protect against message replay attacks

Deployment Considerations

• How to configure certificates to enable SSL in IIS
• How to map Windows accounts with certificates
• How to create a Service Principle Name (SPN)
• How to configure WCF for NATs and Firewalls
• How to create an X.509 certificate

Exception Management

• How to shield exception information with fault contracts
• How to create an error handler to log details of faults for auditing purposes
• How to handle unhandled exceptions in downstream services
• How to throw an exception with complex types or data contracts with a fault exception
• How to handle unknown faults in a service
• How to implement a data contract to propagate exception details for debugging purposes
• How to implement fault contracts in call back functions

Hosting

• How to host WCF in IIS
• How to host WCF in a Windows service
• How to self-host WCF
• How to configure a least-privilege account to host your service

Impersonation/Delegation

• How to choose between trusted subsystem and impersonation/delegation
• How to impersonate the original caller when using Windows authentication
• How to impersonate programmatically in WCF
• How to impersonate declaratively in WCF
• How to delegate the original caller to call backend services when using Windows authentication
• How to impersonate the original caller without Windows authentication
• How to impersonate the original caller using S4U Kerberos extensions.
• How to delegate the original caller using S4U Kerberos extensions.
• How to impersonate and delegate using LogonUser Windows API
• How to flow the original caller from an ASP.NET client to WCF
• How to control access to a remote resource based on the original callers identity.

Input Validation

• How to protect your service from malicious messages
• How to protect your service from malicious input
• How to protect your service from denial of service attacks
• How to validate parameters with parameter inspectors
• How to validate parameters with message inspectors using schemas
• How to validate data contracts with message inspectors using schemas
• How to validate message contracts with message inspectors using schemas
• How to use regular expressions validate format, range and length in schemas
• How to validate inbound messages on a service
• How to validate outbound messages on a service
• How to validate outbound messages on the client
• How to validate inbound messages on the client
• How to validate input parameters
• How to validate output parameters

Message Security

• How to use message security
• How to partially encrypt a message
• How to use out-of-band credentials with message security

Proxy Considerations

• How to avoid proxy spoofing
• How to expose service metadata for your clients
• How to create a proxy to a service hosted in IIS that requires certificate authentication and transport security

Sensitive Data

• How to encrypt sensitive data in configuration files
• How to protect sensitive data in memory
• How to protect sensitive data on the network

Transport Security

• How to use transport security
• How to use secure conversations in WCF

X.509 Certificates

• How to create a temporary X.509 certificate for transport security
• How to create a temporary X.509 certificate for message security
• How to create a temporary X.509 certificate for certificate authentication

My Related Posts

• 6 New patterns & practices WCF Security How Tos
• patterns & practices WCF Security Questions and Answers Now Available
• patterns & practices WCF 3.5 Security Guidelines Now Available
• patterns & practices WCF Security Guidance: Updated Application Scenarios
• patterns & practices WCF Security Application Scenarios
• patterns & practices WCF Security Guidance Now Available

Ken Blanchard spoke at Microsoft last week.  He's all about empowering people, growing people, and helping everybody get an A.  This post is my notes from the session.

Catch People Doing Something Right, Accentuate the Positive
I'm putting this right up front because Ken said if there was only one thing he could be remembered for, he would want it to be:

"Catch People Doing Something Right, Accentuate the Positive."

Random Highlights
Here's a sampling of some of the one-liners and insights from the session:

• The triad is the provider of choice, employer of choice, investment of choice.
• People will compete with you in garages -- have the triad.
• Bring your brains to the job vs. kiss up the hierarchy.
• Write the final exam up front.
• Life's about getting A's.  Everybody gets A's.
• The journey of an effective leader starts with self-leadership (who are you)
• None of us is as smart as all of us (the collective brain)
• Don't ask yes/no questions -- ask, what's one thing we could have done differently to make your experience better?
• Know your rank order values.  Walk your values.  Don't have too many values.
• Profit is the applause you get for taking care of customers and being a motivating place to work.
• Get customers telling stories about you.
• Who does she work for? a duck or an eagle? Ducks quack excuses.  Eagles soar above the crowd.   Bring your brains to work.
• You got what you got (your team), what are you going to do?
• Help people accomplish goals and have goals tied into the organization.
• Now you have the position, don't use it (don't use your position -- it's on loan.)
• All the important stickers went on people (people are the most important asset.)
• Ken's favorite insight from the movie Ghost - "You can take the love with you."
• What Ken's mom taught him -- "Don't act like you're better than anybody ...but don't let anybody act like they're better than you."

Philanthropy is the News Around the World
Ken travels the world and the big news he kept hearing about was the philanthropy.  Specifically, the news was focused on Bill Gates and Warren Buffet.  The fact that Buffet trusts the Bill & Melinda Gates Foundation to help the world sends a powerful message.

4 Keys to Lead at a Higher Level
Ken framed out 4 keys to lead at a higher level:

1. Set your sights on the right target and vision.  Ken reminded us that since Alice didn't know where she wanted to go, the Chesire cat told her that the direction doesn't matter.
2. Treat your customers right.  Decide, discover, and deliver.
3. Treat your people right.  If you don't treat your people right, they won't take care of your customers (the customers are the only people they can beat up.)
4. Have the right kind of leadership.  Effective leadership starts on the inside.  You don't own the position, it's on loan.  Be a servant leader over a self-serving leader.

Decide, Discover and Deliver
To treat your customers right, Ken provided a decide, discover, deliver approach:

• Decide.  Decide what experience you want your customers to have.  For example, one gas station used the "Indianapolis pitstop experience" and had the slogan, "jump to the pump." 
• Discover.  Listen to what your customers want and see if it makes sense to include their suggestions in your vision.  Don't ask yes/no questions -- ask, what's one thing we could have done differently to make your experience better?
• Deliver.   To implement your customer service vision, invert the traditional pyramid and empower your people.

Turn the Pyramid Upside Down
Turn the pyramid upside down.  Have your team bring their brains to work vs. kiss up the hierarchy.  Don't have them be ducks (who just quack excuses why they can't do this or can't do that.) Empower them to be eagles who soar above the crowd. 

A Fortunate 500 List According to Ken Blanchard
Ken suggested the idea of a Fortunate 500 list.  A Fortunate 500 Company would have a triple bottom line and be a good citizen in the community.

Customers, Business, Employees (The Triple Bottom Line)
The triple bottom line includes:

1. Provider of choice (customers)
2. Employer of choice (employees)
3. Investment of choice (business)

Ken remarked that profit is the applause you get for taking care of customers and being a motivating place to work.

Organizational Vitality, Employee Passion, Customer Devotion
Ken outlined the keys to organizational vitality:

• Organizational vitality.  Organizational vitality is supported by customer devotion and employee passion (which support each other).  The employees don't see strategic initiatives in their day to day, so the biggest impact on org vitality is how does their boss threat them and how are they evaluated? (fair/just?)
• Strategic leadership.  Strategic leadership supports org vitality.  Strategic leadership includes vision, culture, and strategic imperatives.
• Organizational leadership.  Organizational leadership supports employee passion and customer devotion.   Organizational leadership includes policies and procedures (indirect relationship on strategy), leader behaviors, and fairness / justice.

From Self-Leadership to Organizational Leadership
The journey of an effective leader starts with self-leadership (who are you) and progresses to organizational leadership:

• Self-leadership (who are you)
• One-to-one leadership
• Team leadership
• Organizational leadership

Ken noted that one of his favorite mantras is -- none of us is as smart as all of us.

3 Skills of Situational Leader
Ken identified 3 skills of a situational leader:

1. Diagnosis - figuring our the development level.
2. Flexibility - adapting your leadership style based on the development level.
3. Partnering for performance - helping everybody get A's. 

The 4 D's (Development Level)
The four development levels vary by competence and motivation.  If you can identify which development level somebody is in, you can use the right leadership style:

• D1 - Enthusiastic beginner (low competence, high commitment)
• D2 - Disillusioned learner (low competence, low commitment)
• D3 - The capable, but cautious performer (low to some competence, variable commitment)
• D4 - The self-reliant achiever (high competence, high commitment)

4 Leadership Styles
The four leadership styles range from directing to delegating:

• S1 - Directive
• S2 - Coaching
• S3 - Supportive
• S4 - Delegating

Your leadership style varies by how you need to teach skills and provide motivation.   You match your leadership style based on the development level.

More Supporting, Less Delegating
Ken noted that the most common style in tech is delegating (telling folks what to do), but that it only works if you have self-reliant achievers.  He said lots of situations where somebody fails, it's because the leader didn't spend enough time supporting.  For example, somebody might be great at sales, but poor at administration and could use more support.

Don't Be a Seagul
Ken described the seagul type manager:

1. Flies in
2. Makes a lot of noise
3. Dumps on everyone
4. Flies out

Yuck!  Don't be a seagul.

How to Manage Effectively
Ken gave us a recipe for managing effectively:

1. Teach situational leadership II
2. Agree on goals
3. Agree on level of performance
4. Diagnose development level
5. Agree on appropriate leadership style
6. Follow up on agreements

Leadership vs. Management
When a colleague asked Ken about his thoughts on the difference between leadership and management, he said he doesn't get involved in the debate.  He doesn't think management should play 2nd fiddle.

Don't Rank Employees on a Bell Curve
Ken made a few key points against ranking employees on a bell curve:

• Why screw a certain percentage?
• You don't hire losers to fill slots.
• Putting your new people at the bottom doesn't encourage them.

Help Everybody Get A's
Ken's recipe for results is:

• Give out the final exam up front
• Teach people answers to get the A's
• Demonstrate how you've helped them get A's each quarter
• Have an informal formal review each quarter
• A review at the end of the year should be a review -- not a surprise.

Share Them With Your Competition
What happens if you give help people get A's but they don't get A's:

• If they're a good citizen, then help them find the right position.
• If they're not a good citizen, then share them with your competition.

From self-serving leaders to Servant Leadership
Ken gave us three ways that somebody moves from a self-serving leader to servant-leadership:

1. Near death experience
2. Spiritual awakening
3. Be a role model

Basically it's life-changing events or by following an example.

Egos Anonymous
There's two ends of the spectrum with ego issues:

1. False pride
2. Self-doubt / fear

The problem with ego issues is that the world spins around you.  Ken said the key is to put the focus somewhere else.  When you put the focus on something else, the fear goes away.

Ken told us about "Egos Anonymous" meetings.   He said at the meetings, people introduce themselves with "I'm an ego maniac, the last time my ego got in the way ..." 

The irony is, everybody wants to go last to be more clever, funnier -- and that's an ego thing.

Bigger Emphasis on Results or Developing People?
Ken pointed out that it's not an either/or it's a both/and.  The keys are:

1. Fixing motivation.
2. Fixing capability.

The Secret of Great Leaders
Ken told us the secret of great leaders:

• Values, results and people
• Emphasis on results
• Significant investment in their lives
• Express appreciation

You're Learning or Dying
Ken told us we're learning or dying:

• Reinvent continuously.
• How will your resume be different next year?
• Are you learning from mentors?

SERVE - What Great Leaders Know and Do
Ken explained that SERVE is what great leaders know and do:

• See the future.
• Engage and develop others
• Reinvent continuously.
• Value results and relationship.
• Embody the values.

Leadership is Love
Ken told us leadership is love:

• Loving your mission
• Loving your customers
• Loving your people
• Loving yourself -- enough to get out of the way so others can be magnificent.

How To Implement the program
Ken said he's seen remarkable impact when organizations apply the knowledge.  He said there's three keys:

1. Performance management program (3,4,5x the difference)
2. Situational leadership
3. Final exam.

Wrap Up
At the end of the talk, I met Ken and he signed my copy of The 3 Keys to Empowerment.   What surprised me the most was how down to earth and engaged in the moment he was.   I thanked him for teaching people situational leadership.  I asked him where the II part came from in Situational Leadership II and he told me the story of the split.   I told him it would be great to be able to read stories like that in his blog, if he had one. 

3 Actions
As a habit, I challenge myself to turn what I learn into three things I can apply.  There's always more I can do, but I start with three.  Here they are:

1. Help everybody get A's.  I'll start by diagnose the development levels on my team.  Does somebody on the team need more encouragement or more instruction than they're getting right now?
2. Figure out how my resume will be different next year.  I used to do this exercise regularly, but it's been a while.  Flashing forward is a great way to help me choose certain paths over others.
3. Decide, discover, and deliver the right customer experience.  Very practically put, stop asking yes, no questions and start asking, what's one thing we could have done differently to make your experience better?

If you need to make an important decision, the following can help:

1. Identify the criteria
2. Identify the weighting of each criteria
3. Rate your options against the criteria and multiply by the weightings

For example, when I was giving input on hiring our PUM, I identified the following criteria:

• Microsoft Experience
• patterns & practices Experience
• Attract the right talent
• Execution
• Customer-connection
• Engineering Competence
• Business Competence
• Political Competence

I then assigned a weighting.  For example:

• Microsoft Experience - (2)
• patterns & practices Experience - (3)
• Attract the right talent - (3)
• Execution - (3)
• Customer-connection - (3)
• Engineering Competence  - (2)
• Business Competence - (2)
• Political Competence - (2)

I rated the candidate against each criteria and then multiplied by the weighting.  This gave me a quick frame to compare different candidates as well as have more meaningful dialogues with others.  The actual numbers were less important than testing and clarifying criteria.

We have 6 new How Tos for this week's release of our patterns & practices WCF Security Guidance Project.

WCF Security How Tos

• How To - Perform Input Validation in WCF
• How To - Perform Message Validation with Schemas in WCF
• How To - Use basicHttpBinding with Windows Authentication and TransportCredentialOnly in WCF from Windows Forms
• How To - Use Certificate Authentication and Message Security in WCF calling from Windows Forms
• How To - Use netTcpBinding with Windows Authentication and Message Security in WCF from Windows Forms
• How To - Use wsHttpBinding with Username Authentication and TransportWithMessageCredential in WCF calling from Windows Forms

My Related Posts

• patterns & practices WCF Security Questions and Answers Now Available
• patterns & practices WCF 3.5 Security Guidelines Now Available
• patterns & practices WCF Security Guidance: Updated Application Scenarios
• patterns & practices WCF Security Application Scenarios
• patterns & practices WCF Security Guidance Now Available