June, 2008

| |

J.D. Meier's Blog

Designing an Authentication and Authorization Strategy

Posted over 4 years ago

by JD Meier
- 2 Comments
What are the key steps to designing an effective authentication and authorization strategy? The keys are knowing your user stores, role stores, and who need to access what or perform which operations. In this post, I share the approaches we've used in two of our patterns & practices guides. These are the approaches we've used to help customers design successfully design their authentication and authorization approaches.
Designing an Authentication and Authorization Strategy - v1
When we first wrote Building Secure ASP.NET Applications, here's the meta-process we came up with for working through your authentication and authorization strategies:
1. Identify resources
2. Choose an authorization strategy
3. Choose the identities used for resource access
4. Consider identity flow
5. Choose an authentication approach
6. Decide how to flow identity
For elaboration, see Authentication and Authorization.
Designing an Authentication and Authorization Strategy - v2
When we recently wrote Improving Web Application Security, we made some revisions:
1. Identify your user stores.
2. Identify your role stores.
3. Identify resources you need to access and operations you need to perform.
4. Identify which identities need to access the resources and perform the operations.
5. Choose your authentication and authorization strategies.
Personally, I've found it really cuts to the chase if you start with your user stores and role stores, since they tend to be somewhat fixed.

Identities
When you think through the identities, I've found it helpful to think in terms of who needs to access which resources or perform which actions. Consider the following:
- Original caller
- Process identity
- Service account
- Custom identity
- Role
Resource Types
When you think through the resource types, I find it helpful to think in terms of:
- System
- Application
- User
Authorization Strategies
When thinking through the authorization strategies, I find it helpful to consider:
- Role-based
- Resource-based
- Operation-based
Resource Access Patterns
When thinking through the resource access patterns, I find it helpful to consider:
- Trusted subsystem model
- Impersonation/delegation model
Designing authentication and authorization can be a gnarly topic. I hope the scaffolding above helps you find a path that works for you.
J.D. Meier's Blog

WCF Security Guide is Now Available in HTML

Posted over 4 years ago

by JD Meier
- 2 Comments
Our guide, patterns & practices Improving Web Services Security:Scenarios and Implementation Guidance for WCF is now available in HTML.
J.D. Meier's Blog

New Release: patterns & practices WCF Security Guide (BETA)

Posted over 4 years ago

by JD Meier
- 3 Comments
Today we released our WCF Security guide, patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF. This is our Microsoft playbook for Windows Communication Foundation (WCF - "Indigo".) It shows you how to build secure Web services using WCF. It's a compendium of proven practices, product team recommendations and insights from the field.
Download the guide
- Download the Guide
Contents at a Glance
- Part I, "Security Fundamentals for Web Services"
- Part II, "Fundamentals of WCF Security"
- Part III, "Intranet Application Scenarios"
- Part IV, "Internet Application Scenarios"
Chapters
- Ch 01 - Security Fundamentals for Web Services
- Ch 02 - Threats and Countermeasures for Web Services
- Ch 03 - Security Design Guidelines for Web Services
- Ch 04 - WCF Security Fundamentals
- Ch 05 - Authentication, Authorization and Identities in WCF
- Ch 06 - Impersonation and Delegation in WCF
- Ch 07 - Message and Transport Security in WCF
- Ch 08 - WCF Bindings Fundamentals
- Ch 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
- Ch 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)
- Ch 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)
- Ch 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
- Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
- Ch 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
- Ch 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)
Reference
- WCF Security Checklist
- WCF Security Guidelines
- WCF Security Practices at a Glance
- WCF Questions and Answers (Q&A)
- How Tos
- WCF Security Resources
Contributors and Reviewers
- External: Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Bustamante; Parameswaran Vaideeswaran; Rockford Lotka; Rudolph Araujo; Santosh Bejugam
- Microsoft: Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Don Smith; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev

J.D. Meier's Blog

Web Services Security Frame

Posted over 4 years ago

JD Meier

4 Comments

The key to making principles, patterns, and practices more effective is to have an organizing frame. While working on our patterns & practices WCF Security Guidance Project, we created the Web Services Security Frame for just such a purpose. We use the frame throughout the guidance to organize threats, attacks, vulnerabilities and countermeasures, as well as to organize principles, patterns, and practices.

Web Services Security Frame

Here's a snapshot of the frame (the power of the frame is that it's a durable, evolvable backdrop -- in other words, you can shape it to your own purposes.) You'll see this frame used throughout our upcoming guide. Notice that the categories serve as a pivot that we can hang other viewpoints (threats/attacks, vulnerabilities, countermeasures.)

Category	Description
Auditing and Logging	Auditing and logging refers to how security-related events are recorded, monitored, and audited.
Authentication	Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.
Authorization	Authorization is how your service provides access controls for resources and operations.
Configuration Management	Configuration management refers to how your service handles database connections, administration and other configuration settings.
Exception Management	Exception management refers to how you handle exceptions within your application, including fault contracts.
Impersonation/Delegation	Impersonation and delegation refers to how your service impersonates users and passes identity information downstream for authorization purposes.
Message Encryption	Message encryption refers to protecting a message by converting the contents to cipher-text using cryptographic methods.
Message Replay Detection	Message replay detection refers to identifying and rejecting messages that are re-submitted.
Message Signing	Message signing refers to signing a message with a digital signature using cryptographic methods, to confirm the source of the message and detect if the contents have been tampered with (i.e. authentication and integrity of the message.)
Message Validation	Message validation refers to how you verify the message payload against schema, as well as message size, content and character sets. This includes how your service filters, scrubs and rejects input and output before additional processing. Input and output includes input from clients consuming the service as well as file-system input, as well as input from network resources, such as databases. Output typically includes the return values from your service or disk / database writes among others.
Sensitive Data	Sensitive data includes data integrity and confidentiality of your user and application data that you need to protect. This includes how you protect sensitive data from being stolen from memory, from configuration files or when transmitted over the network.
Session Management	A session refers to a series of related interactions between a client and your service.

Threats / Attacks Organized By the Web Services Security Frame

Category	Threats / Attacks
Auditing and Logging	Repudiation Denial of services Disclosure of confidential information
Authentication	Network eavesdropping Brute force attacks Dictionary attacks Cookie replay attack Credential theft
Authorization	Elevation of privilege Disclosure of confidential data Data tampering Luring attacks Token stealing
Configuration Management	Unauthorized access to configuration stores Retrieval of clear text configuration secrets
Exception Management	Information disclosure Denial of service Elevation of privilege
Impersonation/Delegation	Elevation of privilege Disclosure of confidential information
Message Encryption	Stealing sensitive data. Theft of encryption keys. Man in the middle attack.
Message Replay Detection	Session replay
Message Singing	Data tampering.
Message Validation	XPath injection XML Bombs Canonicalization issues Cross-site scripting SQL injection
Sensitive Data	Memory dumping Network eavesdropping Configuration file sniffing
Session Management	Session hijacking Session replay Man in the middle attack Inability to logout successfully Cross-site request forgery Session fixation Load balancing and session affinity

Vulnerabilities Organized by the Web Services Security Frame

Category	Vulnerabilities
Auditing and Logging	Failing to audit failed logons Failing to secure log files Storing sensitive information in log files Failing to audit across application tiers Failure to throttle log files
Authentication	Using weak passwords Storing clear text credentials in configuration files Passing clear text credentials over the network Permitting prolonged session lifetime Mixing personalization with authentication Using weak authentication mechanisms (For example, using basic authentication over an untrusted network.)
Authorization	Relying on a single gatekeeper (e.g. relying on client-side validation only) Failing to lock down system resources against application identities Failing to limit database access to specified stored procedures Using inadequate separation of privileges Permitting over-privileged accounts
Configuration Management	Using insecure custom administration interfaces Failing to secure configuration files on the server Storing sensitive information in the clear text Having too many administrators Using over-privileged process accounts and service accounts
Exception Management	Failing to use structured exception handling (try/catch) Revealing too much information to the client Failure to specify fault contracts with the client Failure to use a global exception handler
Impersonation / Delegation	Failure to revert to a lower privilege after using impersonation Improper use of global impersonation across the entire service
Message Encryption	Failure to encrypt messages Using custom cryptography Distributing keys insecurely Managing or storing keys insecurely
Message Replay Detection	Failure to implement message replay detection feature
Message Signing	Unsigned messages that don't confirm the source Unsigned messages that don't detect tampering
Message Validation	Using non-validated input used to generate SQL queries Relying only on client-side validation Using input file names, URLs, or user names for security decisions Using application-only filters for malicious input Looking for known bad patterns of input Trusting data read from databases, file shares, and other network resources Failing to validate input from all sources including cookies, SOAP headers, SOAP parameters, databases, and network resources
Session Management	Passing session identifiers over unencrypted channels Permitting prolonged session lifetime Having insecure session state stores Placing session identifiers in query strings

Countermeasures Organized by the Web Services Security Frame

Category	Countermeasures
Auditing and Logging	Identify malicious behavior. Know your baseline (know what good traffic looks like) Use application instrumentation to expose behavior that can be monitored Throttle logging Strip sensitive data before logging
Authentication	Use strong password policies Do not store credentials in an insecure manner Use authentication mechanisms that do not require clear text credentials to be passed over the network Encrypt communication channels to secure authentication tokens Use HTTPS only with forms authentication cookies Separate anonymous from authenticated pages Using cryptographic random number generators to generate session IDs
Authorization	Use least privilege accounts. Authentication tied to authorization on the same tier Consider granularity of access Enforce separation of privileges Use multiple gatekeepers Secure system resources against system identities
Configuration Management	Use ACLs. Encrypt sensitive sections of configuration files Use secure settings for various operations of web services using configuration files
Exception Management	Use structured exception handling (by using try/catch blocks) Catch and wrap exceptions only if the operation adds value/information Do not reveal sensitive system or application information Implement a global exception handler Do not log private data such as passwords
Impersonation / Delegation	Use Using statement to automatically revert impersonation Granularly impersonate only those operations that need it
Message Encryption	Use message security or transport security to encrypt your messages Use platform-provided cryptography Use platform features for key management Periodically change your keys
Message Replay Detection	Cache an identifier for incoming messages, and use message replay detection to identify and reject messages that match an entry in the replay detection cache
Message Signing	verify messages have not been tampered with in transit (data integrity) verify messages originate from the expected sender (authenticity)
Message Validation	verify the message payload against schema verify the message message size, content and character sets filter, scrub and reject input and output before additional processing
Sensitive Data	Do not store secrets in software Encrypt sensitive data over the network Secure the channel Encrypt sensitive data in configuration files
Session Management	Partition site by anonymous, identified, and authenticated users Reduce session timeouts Avoid storing sensitive data in session stores Secure the channel to the session store Authenticate and authorize access to the session store

Thanks
Special thanks to Rudy Araujo and ACE Team members, Richard Lewis and John Steer for their contribution toward helping shape a better frame.

My Related Posts