For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF Security Practices at a Glance.  Practices At a Glance gives you a bird's-eye view of how to perform common tasks.  They are scannable and outcome-driven so that you can quickly browse the problem/solution pairs.  Rather than a laundry list of granular tasks, we organize them by our Web Services Security frame (still evolving.)

Categories
Here's how we grouped our WCF Security Practices at a Glance so far:

• Auditing and Logging
• Authentication
• Authorization
• Configuration Management
• Deployment Considerations
• Exception Management
• Hosting
• Impersonation/Delegation
• Input Validation
• Message Security
• Proxy Considerations
• Sensitive Data
• Transport Security

Here's a snapshot of the problems solved from our Practices At a Glance, but you can see our answers explained at our WCF Security Guidance project site.

Auditing and Logging

• How to audit authentication events
• How to audit authorization events
• How to enable WCF message logging
• How to enable WCF tracing
• How to use Health Monitoring in WCF
• How to view log information
• How to view trace information
• How to log traces to a WMI provider
• How to turn off audit failure suppression

Authentication

• How to authenticate users against the SQL Membership Provider
• How to authenticate users against Active Directory
• How to authenticate users against Active Directory without windows authentication
• How to authenticate users with certificates
• How to map certificates with windows accounts
• How to authenticate users against a custom user store
• How to authenticate users with Kerberos direct to support non-WCF clients with windows authentication

Authorization

• How to authorize imperatively
• How to authorize declaratively
• How to authorize users against Windows groups
• How to authorize users against Windows groups using the AspNetWindowsTokenRoleProvider
• How to authorize users against the SQL Role Provider
• How to authorize users against the ASP.Net Role Provider
• How to assign the current principal with IAuthorizationPolicy to allow authorization using custom authentication

Configuration Management

• How to encrypt sensitive data in your configuration files
• How to run your service under a specific identity
• How to create a service account for your WCF service
• How to stop clients from referencing your service
• How to protect against message replay attacks

Deployment Considerations

• How to configure certificates to enable SSL in IIS
• How to map Windows accounts with certificates
• How to create a Service Principle Name (SPN)
• How to configure WCF for NATs and Firewalls
• How to create an X.509 certificate

Exception Management

• How to shield exception information with fault contracts
• How to create an error handler to log details of faults for auditing purposes
• How to handle unhandled exceptions in downstream services
• How to throw an exception with complex types or data contracts with a fault exception
• How to handle unknown faults in a service
• How to implement a data contract to propagate exception details for debugging purposes
• How to implement fault contracts in call back functions

Hosting

• How to host WCF in IIS
• How to host WCF in a Windows service
• How to self-host WCF
• How to configure a least-privilege account to host your service

Impersonation/Delegation

• How to choose between trusted subsystem and impersonation/delegation
• How to impersonate the original caller when using Windows authentication
• How to impersonate programmatically in WCF
• How to impersonate declaratively in WCF
• How to delegate the original caller to call backend services when using Windows authentication
• How to impersonate the original caller without Windows authentication
• How to impersonate the original caller using S4U Kerberos extensions.
• How to delegate the original caller using S4U Kerberos extensions.
• How to impersonate and delegate using LogonUser Windows API
• How to flow the original caller from an ASP.NET client to WCF
• How to control access to a remote resource based on the original callers identity.

Input Validation

• How to protect your service from malicious messages
• How to protect your service from malicious input
• How to protect your service from denial of service attacks
• How to validate parameters with parameter inspectors
• How to validate parameters with message inspectors using schemas
• How to validate data contracts with message inspectors using schemas
• How to validate message contracts with message inspectors using schemas
• How to use regular expressions validate format, range and length in schemas
• How to validate inbound messages on a service
• How to validate outbound messages on a service
• How to validate outbound messages on the client
• How to validate inbound messages on the client
• How to validate input parameters
• How to validate output parameters

Message Security

• How to use message security
• How to partially encrypt a message
• How to use out-of-band credentials with message security

Proxy Considerations

• How to avoid proxy spoofing
• How to expose service metadata for your clients
• How to create a proxy to a service hosted in IIS that requires certificate authentication and transport security

Sensitive Data

• How to encrypt sensitive data in configuration files
• How to protect sensitive data in memory
• How to protect sensitive data on the network

Transport Security

• How to use transport security
• How to use secure conversations in WCF

X.509 Certificates

• How to create a temporary X.509 certificate for transport security
• How to create a temporary X.509 certificate for message security
• How to create a temporary X.509 certificate for certificate authentication

My Related Posts

• 6 New patterns & practices WCF Security How Tos
• patterns & practices WCF Security Questions and Answers Now Available
• patterns & practices WCF 3.5 Security Guidelines Now Available
• patterns & practices WCF Security Guidance: Updated Application Scenarios
• patterns & practices WCF Security Application Scenarios
• patterns & practices WCF Security Guidance Now Available