J.D. Meier's Blog

Software Engineering, Project Management, and Effectiveness

patterns & practices WCF Security Practices at a Glance Now Available

patterns & practices WCF Security Practices at a Glance Now Available

  • Comments 3

For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF Security Practices at a Glance.  Practices At a Glance gives you a bird's-eye view of how to perform common tasks.  They are scannable and outcome-driven so that you can quickly browse the problem/solution pairs.  Rather than a laundry list of granular tasks, we organize them by our Web Services Security frame (still evolving.)

Categories
Here's how we grouped our WCF Security Practices at a Glance so far:

  • Auditing and Logging
  • Authentication
  • Authorization
  • Configuration Management
  • Deployment Considerations
  • Exception Management
  • Hosting
  • Impersonation/Delegation
  • Input Validation
  • Message Security
  • Proxy Considerations
  • Sensitive Data
  • Transport Security

Here's a snapshot of the problems solved from our Practices At a Glance, but you can see our answers explained at our WCF Security Guidance project site.

Auditing and Logging

  • How to audit authentication events
  • How to audit authorization events
  • How to enable WCF message logging
  • How to enable WCF tracing
  • How to use Health Monitoring in WCF
  • How to view log information
  • How to view trace information
  • How to log traces to a WMI provider
  • How to turn off audit failure suppression

Authentication

  • How to authenticate users against the SQL Membership Provider
  • How to authenticate users against Active Directory
  • How to authenticate users against Active Directory without windows authentication
  • How to authenticate users with certificates
  • How to map certificates with windows accounts
  • How to authenticate users against a custom user store
  • How to authenticate users with Kerberos direct to support non-WCF clients with windows authentication

Authorization

  • How to authorize imperatively
  • How to authorize declaratively
  • How to authorize users against Windows groups
  • How to authorize users against Windows groups using the AspNetWindowsTokenRoleProvider
  • How to authorize users against the SQL Role Provider
  • How to authorize users against the ASP.Net Role Provider
  • How to assign the current principal with IAuthorizationPolicy to allow authorization using custom authentication

Configuration Management

  • How to encrypt sensitive data in your configuration files
  • How to run your service under a specific identity
  • How to create a service account for your WCF service
  • How to stop clients from referencing your service
  • How to protect against message replay attacks

Deployment Considerations

  • How to configure certificates to enable SSL in IIS
  • How to map Windows accounts with certificates
  • How to create a Service Principle Name (SPN)
  • How to configure WCF for NATs and Firewalls
  • How to create an X.509 certificate

Exception Management

  • How to shield exception information with fault contracts
  • How to create an error handler to log details of faults for auditing purposes
  • How to handle unhandled exceptions in downstream services
  • How to throw an exception with complex types or data contracts with a fault exception
  • How to handle unknown faults in a service
  • How to implement a data contract to propagate exception details for debugging purposes
  • How to implement fault contracts in call back functions

Hosting

  • How to host WCF in IIS
  • How to host WCF in a Windows service
  • How to self-host WCF
  • How to configure a least-privilege account to host your service

Impersonation/Delegation

  • How to choose between trusted subsystem and impersonation/delegation
  • How to impersonate the original caller when using Windows authentication
  • How to impersonate programmatically in WCF
  • How to impersonate declaratively in WCF
  • How to delegate the original caller to call backend services when using Windows authentication
  • How to impersonate the original caller without Windows authentication
  • How to impersonate the original caller using S4U Kerberos extensions.
  • How to delegate the original caller using S4U Kerberos extensions.
  • How to impersonate and delegate using LogonUser Windows API
  • How to flow the original caller from an ASP.NET client to WCF
  • How to control access to a remote resource based on the original callers identity.

Input Validation

  • How to protect your service from malicious messages
  • How to protect your service from malicious input
  • How to protect your service from denial of service attacks
  • How to validate parameters with parameter inspectors
  • How to validate parameters with message inspectors using schemas
  • How to validate data contracts with message inspectors using schemas
  • How to validate message contracts with message inspectors using schemas
  • How to use regular expressions validate format, range and length in schemas
  • How to validate inbound messages on a service
  • How to validate outbound messages on a service
  • How to validate outbound messages on the client
  • How to validate inbound messages on the client
  • How to validate input parameters
  • How to validate output parameters

Message Security

  • How to use message security
  • How to partially encrypt a message
  • How to use out-of-band credentials with message security

Proxy Considerations

  • How to avoid proxy spoofing
  • How to expose service metadata for your clients
  • How to create a proxy to a service hosted in IIS that requires certificate authentication and transport security

Sensitive Data

  • How to encrypt sensitive data in configuration files
  • How to protect sensitive data in memory
  • How to protect sensitive data on the network

Transport Security

  • How to use transport security
  • How to use secure conversations in WCF

X.509 Certificates

  • How to create a temporary X.509 certificate for transport security
  • How to create a temporary X.509 certificate for message security
  • How to create a temporary X.509 certificate for certificate authentication

My Related Posts

Page 1 of 1 (3 items)