Today we released our patterns & practices Improving Web Service security: Scenarios and Implementation Guidance for WCF on MSDN.  Using end-to-end application scenarios, this guide shows you how to design and implement authentication and authorization in WCF. You'll learn how to improve the security of your WCF services through prescriptive guidance including guidelines, a Q&A, practices at a glance, and step-by-step how to articles. The guide is the result of a collaborative effort between patterns & practices, WCF team members, and industry experts.

• Download the patterns & practices WCF Security guide (CodePlex)
• Read the patterns & practices WCF Security Guide online (MSDN)

Key Scenarios
Here's the key scenarios:

• A development team that wants to adopt WCF.
• A software architect or developer looking to get the most out of WCF, with regard to designing their application security.
• Interested parties investigating the use of WCF but don’t know how well it would work for their deployment scenarios and constraints.
• Individuals tasked with learning WCF security.
• Authentication, authorization, and communication design for your services
• Solution patterns for common distributed application scenarios using WCF
• Principles, patterns, and practices for improving key security aspects in services

Contents at a Glance

• Part I: Security Fundamentals for Web Services
• Part II: Fundamentals of WCF Security
• Part III: Intranet Application Scenarios
• Part IV: Internet Application Scenarios

Chapters

• Foreword by Nicholas Allen
• Foreword by Rockford Lhotka
• Chapter 1: Security Fundamentals for Web Services
• Chapter 2: Threats and Countermeasures for Web Services
• Chapter 3: Security Design Guidelines for Web Services
• Chapter 4: WCF Security Fundamentals
• Chapter 5: Authentication, Authorization, and Identities in WCF
• Chapter 6: Impersonation and Delegation in WCF
• Chapter 7: Message and Transport Security
• Chapter 8: Bindings
• Chapter 9: Intranet - Web to Remote WCF Using Transport Security (Original Caller, TCP)
• Chapter 10: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
• Chapter 11: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
• Chapter 12: Intranet - Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
• Chapter 13: Internet - WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
• Chapter 14: Internet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
• Chapter 15: Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Our Team

• J.D. Meier
• Carlos Farre
• Jason Taylor
• Prashant Bansode
• Steve Gregersen
• Madhu Sundararajan
• Rob Boucher

Contributors / Reviewers

• External Contributors / Reviewers: Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Leroux Bustamante; Parameswaran Vaideeswaran; Rockford Lhotka; Rudolph Araujo; Santosh Bejugam
• Microsoft Contributors / Reviewers: Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev