J.D. Meier's Blog : Security

Security Mental Model for Azure

J.D. Meier — Thu, 17 Sep 2009 02:04:15 GMT

We’ve been exploring Azure on the patterns & practices team for potential security guidance. To get our heads around it, we’ve had to create a simple view for our team that we could quickly whiteboard or drill into. We wanted a way to easily compare with our previous security guidance. Here’s what we ended up with …

Today’s application security mental model …

Compare that to our evolving security mental model for Azure …

The key thing to note is that on Azure you have a managed infrastructure, but you still have to address application security issues, as you would in today’s on-premise scenario. There are obviously more details to the story, but I’ll elaborate on those another day. For now, the key is to simply notice how you can carry forward your application security skills to the cloud as a new deployment channel.

Cloud Security Frame

J.D. Meier — Thu, 20 Aug 2009 03:45:22 GMT

I posted a draft of our Cloud Security Frame at Shaping Software. This frame is especially important because we’re using it to help us map out the Cloud security space for our patterns & practices Cloud Security Guidance project. It’s helps us scope our project. The frame is basically a set of Hot Spots. We use the Hot Spots to find, organize, and share principles, patterns, and practices. We also use the Hot Spots to find pain points and opportunity or to organize key engineering decisions. Here is our current set of Hot Spots:

Auditing and Logging
Authentication
Authorization
Communication
Configuration Management
Cryptography
Exception Management
Sensitive Data
Session Management
Validation

In this case, since it’s a security frame, we’re using the Hot Spots to organize threats, attacks, vulnerabilities and countermeasures. This helps make the information more actionable and relevant. We’re sharing this early and often so that you can give feedback and help us shape it as we go.

If you’re familiar with any of the following guides, this Hot Spot approach should look familiar:

Check out our evolving Cloud Security Frame and provide your feedback in the comments.

Cloud Security Survey Results

J.D. Meier — Tue, 18 Aug 2009 05:08:19 GMT

As a follow up to our earlier patterns & practices Cloud Security Survey, here is a quick summary of the results. Note that the the bulk of our respondents said they spend most of their time in architect roles. The next biggest buckets were developers and testers.

Key Take Aways
Here are some highlights from the survey:

As far as cloud adoption, there is fairly even spread in adoption from evaluation to testing to engaged migrations, with a slightly heavier emphasis on testing.
There is significant interest in data handling within the cloud, such as confining data to geographic regions.
There is significant interest in infrastructure and process related security issues such as SLA’s, policies, and intellectual property.
There is significant interest in threats and countermeasures.
There is some interest in OpenID as an authentication / authorization approach.
There is some interest in ingress/IP filtering.
There is some interest in eDiscovery.
There is some interest in HIPPA.

App Scenarios in Rank Order
Here are the top application scenarios in rank order based on respondents:

A cloud-based service used by different Enterprises (federated scenario).
An internet facing web application, deployed on the cloud.
An enterprise specific web application, deployed on the cloud.
An enterprise specific web application, deployed on premises using cloud-based services.
An enterprise specific web application, deployed on-premises using cloud-based services and cloud storage.

Authentication in Rank Order
Here is are the top authentication mechanisms in rank order based on respondents:

Windows Authentication
Forms Authentication
Cert Authentication
Windows Live

I think one of the most interesting things we've done as a result of the survey is we started to collect and organize relevant industry standards. We'll try to find any relevant technical intersections (our focus is on technical guidance.)

Security Hot Spots

J.D. Meier — Tue, 10 Mar 2009 00:36:33 GMT

I wrote a post about Security Hot Spots on Shaping Software. Hot Spots are a way to organize and share information more effectively. Hot Spots are also a way to turn Pareto's principle (the 80/20 rule) into action. By focusing on the hot spots, you find the levers in the system that produce the greatest results. You can use these levers to help find security flaws or improve security engineering. Read my post to find the what, why and how of Security Hot Spots.

New Release: patterns & practices WCF Security Guide

J.D. Meier — Wed, 11 Feb 2009 07:47:07 GMT

Today we released our patterns & practices Improving Web Service security: Scenarios and Implementation Guidance for WCF on MSDN. Using end-to-end application scenarios, this guide shows you how to design and implement authentication and authorization in WCF. You'll learn how to improve the security of your WCF services through prescriptive guidance including guidelines, a Q&A, practices at a glance, and step-by-step how to articles. The guide is the result of a collaborative effort between patterns & practices, WCF team members, and industry experts.

Download the patterns & practices WCF Security guide (CodePlex)
Read the patterns & practices WCF Security Guide online (MSDN)

Key Scenarios
Here's the key scenarios:

A development team that wants to adopt WCF.
A software architect or developer looking to get the most out of WCF, with regard to designing their application security.
Interested parties investigating the use of WCF but don’t know how well it would work for their deployment scenarios and constraints.
Individuals tasked with learning WCF security.
Authentication, authorization, and communication design for your services
Solution patterns for common distributed application scenarios using WCF
Principles, patterns, and practices for improving key security aspects in services

Contents at a Glance

Part I: Security Fundamentals for Web Services
Part II: Fundamentals of WCF Security
Part III: Intranet Application Scenarios
Part IV: Internet Application Scenarios

Chapters

Foreword by Nicholas Allen
Foreword by Rockford Lhotka
Chapter 1: Security Fundamentals for Web Services
Chapter 2: Threats and Countermeasures for Web Services
Chapter 3: Security Design Guidelines for Web Services
Chapter 4: WCF Security Fundamentals
Chapter 5: Authentication, Authorization, and Identities in WCF
Chapter 6: Impersonation and Delegation in WCF
Chapter 7: Message and Transport Security
Chapter 8: Bindings
Chapter 9: Intranet - Web to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 10: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Chapter 11: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Chapter 12: Intranet - Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 13: Internet - WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Chapter 14: Internet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Chapter 15: Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Our Team

J.D. Meier
Carlos Farre
Jason Taylor
Prashant Bansode
Steve Gregersen
Madhu Sundararajan
Rob Boucher

Contributors / Reviewers

External Contributors / Reviewers: Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Leroux Bustamante; Parameswaran Vaideeswaran; Rockford Lhotka; Rudolph Araujo; Santosh Bejugam
Microsoft Contributors / Reviewers: Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev

patterns & practices Security Engineering Cheat Sheet

J.D. Meier — Thu, 20 Nov 2008 22:55:57 GMT

We posted our patterns & practices Security Engineering Cheat Sheet to our Application Architecture Knowledge Base on CodePlex. It’s a bird’s-eye view of applying our security techniques to the life cycle. The techniques and approach shipped with VSTS/MSF Agile starting in 2005.

Security Engineering Overlay
Here’s a view that overlays our key patterns & practices security techniques alongside common software engineering activities:

Key Activities in the Life Cycle
The core activities you should consider performing include the following:

Security Objectives.
Threat Modeling.
Security Design Guidelines.
Security Design Inspection.
Security Code Inspection.
Security Testing.
Security Deployment Inspection.

You can read more about these techniques and how to apply them to your software architecture and your software development life cycle on our Cheat Sheet – patterns & practices Security Engineering.

Additional Resources

Security Engineering (Guidance Share)
patterns & practices Security Engineering Explained (MSDN)
patterns & practices Threat Modeling Web Applications (MSDN)

My Related Posts

patterns & practices Performance Engineering Cheat Sheet

Agile Architecture Method

New Release: patterns & practices App Arch Guide 2.0 Beta 2

Microsoft Presentation, Data Access, Workflow and Integration Technology Cheat Sheets

patterns & practices Security Engineering

J.D. Meier — Tue, 09 Sep 2008 18:53:30 GMT

As part of our patterns & practices App Arch Guide 2.0 project, we're consolidating our information on our patterns & practices Security Engineering. Our security engineering approach is simply a collection of security-focused techniques that we found to be effective. One of the keys to the effectiveness is our security frame. Our security frame is a collection of "hot spots" that organize principles, patterns, and practices, as well as anti-patterns. We use the frame to perform security code and design inspections. Here's a preview of our cheat sheet so far.

Security Overlay
This is our patterns & practices Security Overlay:

It simply shows a common set of activities that customers already do, and then we overlay a set of security techniques.

Summary of Key Activities in the Life Cycle
Our patterns & practices Security Engineering approach extends these proven core activities to create security specific activities. These activities include:

Security Objectives. Setting objectives helps you scope and prioritize your work by setting boundaries and constraints. Setting security objectives helps you identify where to start, how to proceed, and when you are done.
Threat Modeling. Threat modeling is an engineering technique that can help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk.
Security Design Guidelines. Creating design guidelines is a common practice at the start of an application project to guide development and share knowledge across the team. Effective design guidelines for security organize security principles, practices, and patterns by actionable categories.
Security Design Inspection. Security design inspections are an effective way to identify problems in your application design. By using pattern-based categories and a question-driven approach, you simplify evaluating your design against root cause security issues.
Security Code Inspection. Many security defects are found during code reviews. Analyzing code for security defects includes knowing what to look for and how to look for it. Security code inspections optimize inspecting code for common security issues.
Security Testing. Use a risk-based approach and use the output from the threat modeling activity to help establish the scope of your testing activities and define your test plans.
Security Deployment Inspection. When you deploy your application during your build process or staging process, you have an opportunity to evaluate runtime characteristics of your application in the context of your infrastructure. Deployment reviews for security focus on evaluating your security design and configuration of your application, host, and network.

Security Frame
Security frames define a set of patterns-based categories that can organize repeatable problems and solutions. You can use these categories to divide your application architecture for further analysis and to help identify application vulnerabilities. The categories within the frame represent the critical areas where mistakes are most often made.

Category	Description
Auditing and Logging	Who did what and when? Auditing and logging refer to how your application records security-related events.
Authentication	Who are you? Authentication is the process where an entity proves the identify of another entity, typically through credentials, such as a user name and password.
Authorization	What can you do? Authorization is how your application provides access controls for resources and operations.
Configuration Management	Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings protected? Configuration management refers to how your application handles these operations and issues.
Cryptography	How are you handling secrets (confidentiality)? How are you tamper proofing your data or libraries (integrity)? how are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.
Exception Management	When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
Input and Data Validation	How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing. Consider constraining input through entry points and encoding output through exit points. Do you trust data sources such as databases and file shares?
Sensitive data	How does your application handle sensitive data? Sensitive data refers to how your application handles any data that must be protected either in memory, over the network, or in persistent stores.
Session Management	How does your application handle and protect user sessions? A session refers to a session of related interactions between a user and your Web application.

Architecture and Design Issues
Use the diagram below to help you think about architecture and design issues in your application.

The key areas of concern for each application tier are:

Browser. Authenticating users on the client. Protecting sensitive data on the wire. Preventing common attacks such as parameter manipulation and session hijacking.
Web Server. Validating untrusted input. Exception handling. Authorizing your users. Securing the configuration.
Application Server. Authenticating and Authorizing users. Auditing and logging. Protecting sensitive data on the wire. Securing configuration.
Database Server. Protecting sensitive data in the database. Securing configuration. Locking down database users.

Design Guidelines
This table represents a set of secure design guidelines for application architects. Use this as a starting point for secure design and to improve security design inspections

Category	Guidelines
Auditing and Logging	Identify malicious behavior. Know what good traffic looks like. Audit and log activity through all of the application tiers. Secure access to log files. Back up and regularly analyze log files.
Authentication	Partition site by anonymous, identified, and authenticated area. Use strong passwords. Support password expiration periods and account disablement. Do not store credentials (use one-way hashes with salt). Encrypt communication channels to protect authentication tokens. Pass Forms authentication cookies only over HTTPS connections.
Authorization	Use least privileged accounts. Consider authorization granularity. Enforce separation of privileges. Restrict user access to system-level resources.
Configuration Management	Use least privileged process and service accounts. Do not store credentials in plaintext. Use strong authentication and authorization on administration interfaces. Do not use the LSA. Secure the communication channel for remote administration. Avoid storing sensitive data in the Web space.
Cryptography	Do not develop your own. Use tried and tested platform features. Keep unencrypted data close to the algorithm. Use the right algorithm and key size. Avoid key management (use DPAPI). Cycle your keys periodically. Store keys in a restricted location.
Exception Management	Use structured exception handling. Do not reveal sensitive application implementation details. Do not log private data such as passwords. Consider a centralized exception management framework.
Input and Data Validation	Do not trust input; consider centralized input validation. Do not rely on client-side validation. Be careful with canonicalization issues. Constrain, reject, and sanitize input. Validate for type, length, format, and range.
Parameter Manipulation	Encrypt sensitive cookie state. Do not trust fields that the client can manipulate (query strings, form fields, cookies, or HTTP headers). Validate all values sent from the client.
Sensitive Data	Avoid storing secrets. Encrypt sensitive data over the wire. Secure the communication channel. Provide strong access controls on sensitive data stores. Do not store sensitive data in persistent cookies. Do not pass sensitive data using the HTTP-GET protocol.
Session Management	Limit the session lifetime. Secure the channel. Encrypt the contents of authentication cookies. Protect session state from unauthorized access.

Patterns
Design patterns in this context refer to generic solutions that address commonly occurring application design problems. Some of the patterns identified below are well known design patterns. Their use in certain scenarios enables better security as a secondary goal. Some of the main patterns that help improve security are summarized below:

Brokered Authentication. Use brokered authentication where the application validates the credentials presented by the client, without the need for a direct relationship between the two parties. An authentication broker that both parties trust independently issues a security token to the client. The client can then present credentials, including the security token, to the application.
Direct Authentication. Use direct authentication where the application acts as an authentication service to validate credentials from the client. The credentials, which include proof-of-possession that is based on shared secrets, are verified against an identity store.
Roles-based authorization. Role-based authorization is used to associate clients and groups with the permissions that they need to perform particular functions or access resources. When a user or group is added to a role, the user or group automatically inherits the various security permissions.
Resource-based authorization. Resource-based authorization is performed on a resource, depending on the type of the resource and the mechanism used to perform authorization. Resource-based authorization can be based on access control lists (ACLs) or URLs.
Trusted Subsystem. The application acts as a trusted subsystem to access additional resources. It uses its own credentials instead of the user's credentials to access the resource. The application must perform appropriate authentication and authorization of all requests that enter the subsystem. Remote resources should also be able to verify that the midstream caller is a trusted subsystem and not an upstream user of the application that is trying to bypass access to the trusted subsystem.
Impersonation and Delegation. The application uses original user’s credentials to access the resource. The application must perform appropriate authentication and authorization of all requests that enter the subsystem and then impersonation or delegation while accessing resources. Remote resources should also be able to verify that individual users are trusted to access the resource.
Transfer Security. Sensitive data passed between layers or remote tiers should be encrypted and signed to ensure confidentiality and integrity of the data.
Exception Shielding. Sanitize unsafe exceptions by replacing them with exceptions that are safe by design. Return only those exceptions to the client that have been sanitized or exceptions that are safe by design. Exceptions that are safe by design do not contain sensitive information in the exception message, and they do not contain a detailed stack trace, either of which might reveal sensitive information about the application’s inner workings.

Additional Resources

Security Engineering Explained (MSDN)
Security Engineering (GuidanceShare)

My Related Posts

Designing an Authentication and Authorization Strategy

J.D. Meier — Wed, 25 Jun 2008 21:35:46 GMT

What are the key steps to designing an effective authentication and authorization strategy? The keys are knowing your user stores, role stores, and who need to access what or perform which operations. In this post, I share the approaches we've used in two of our patterns & practices guides. These are the approaches we've used to help customers design successfully design their authentication and authorization approaches.

Designing an Authentication and Authorization Strategy - v1
When we first wrote Building Secure ASP.NET Applications, here's the meta-process we came up with for working through your authentication and authorization strategies:

Identify resources
Choose an authorization strategy
Choose the identities used for resource access
Consider identity flow
Choose an authentication approach
Decide how to flow identity

For elaboration, see Authentication and Authorization.

Designing an Authentication and Authorization Strategy - v2
When we recently wrote Improving Web Application Security, we made some revisions:

Identify your user stores.
Identify your role stores.
Identify resources you need to access and operations you need to perform.
Identify which identities need to access the resources and perform the operations.
Choose your authentication and authorization strategies.

Personally, I've found it really cuts to the chase if you start with your user stores and role stores, since they tend to be somewhat fixed.

Identities
When you think through the identities, I've found it helpful to think in terms of who needs to access which resources or perform which actions. Consider the following:

Original caller
Process identity
Service account
Custom identity
Role

Resource Types
When you think through the resource types, I find it helpful to think in terms of:

System
Application
User

Authorization Strategies
When thinking through the authorization strategies, I find it helpful to consider:

Role-based
Resource-based
Operation-based

Resource Access Patterns
When thinking through the resource access patterns, I find it helpful to consider:

Trusted subsystem model
Impersonation/delegation model

Designing authentication and authorization can be a gnarly topic. I hope the scaffolding above helps you find a path that works for you.

WCF Security Guide is Now Available in HTML

J.D. Meier — Thu, 19 Jun 2008 05:07:00 GMT

Our guide, patterns & practices Improving Web Services Security:Scenarios and Implementation Guidance for WCF is now available in HTML.

New Release: patterns & practices WCF Security Guide (BETA)

J.D. Meier — Wed, 04 Jun 2008 23:01:12 GMT

Today we released our WCF Security guide, patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF. This is our Microsoft playbook for Windows Communication Foundation (WCF - "Indigo".) It shows you how to build secure Web services using WCF. It's a compendium of proven practices, product team recommendations and insights from the field.

Download the guide

Download the Guide

Contents at a Glance

Part I, "Security Fundamentals for Web Services"
Part II, "Fundamentals of WCF Security"
Part III, "Intranet Application Scenarios"
Part IV, "Internet Application Scenarios"

Chapters

Ch 01 - Security Fundamentals for Web Services
Ch 02 - Threats and Countermeasures for Web Services
Ch 03 - Security Design Guidelines for Web Services
Ch 04 - WCF Security Fundamentals
Ch 05 - Authentication, Authorization and Identities in WCF
Ch 06 - Impersonation and Delegation in WCF
Ch 07 - Message and Transport Security in WCF
Ch 08 - WCF Bindings Fundamentals
Ch 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
Ch 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)
Ch 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)
Ch 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Ch 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Ch 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Reference

WCF Security Checklist
WCF Security Guidelines
WCF Security Practices at a Glance
WCF Questions and Answers (Q&A)
How Tos
WCF Security Resources

Contributors and Reviewers

External: Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Bustamante; Parameswaran Vaideeswaran; Rockford Lotka; Rudolph Araujo; Santosh Bejugam
Microsoft: Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Don Smith; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev

Web Services Security Frame

J.D. Meier — Wed, 04 Jun 2008 21:27:00 GMT

The key to making principles, patterns, and practices more effective is to have an organizing frame. While working on our patterns & practices WCF Security Guidance Project, we created the Web Services Security Frame for just such a purpose. We use the frame throughout the guidance to organize threats, attacks, vulnerabilities and countermeasures, as well as to organize principles, patterns, and practices.

Web Services Security Frame

Here's a snapshot of the frame (the power of the frame is that it's a durable, evolvable backdrop -- in other words, you can shape it to your own purposes.) You'll see this frame used throughout our upcoming guide. Notice that the categories serve as a pivot that we can hang other viewpoints (threats/attacks, vulnerabilities, countermeasures.)

Category	Description
Auditing and Logging	Auditing and logging refers to how security-related events are recorded, monitored, and audited.
Authentication	Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.
Authorization	Authorization is how your service provides access controls for resources and operations.
Configuration Management	Configuration management refers to how your service handles database connections, administration and other configuration settings.
Exception Management	Exception management refers to how you handle exceptions within your application, including fault contracts.
Impersonation/Delegation	Impersonation and delegation refers to how your service impersonates users and passes identity information downstream for authorization purposes.
Message Encryption	Message encryption refers to protecting a message by converting the contents to cipher-text using cryptographic methods.
Message Replay Detection	Message replay detection refers to identifying and rejecting messages that are re-submitted.
Message Signing	Message signing refers to signing a message with a digital signature using cryptographic methods, to confirm the source of the message and detect if the contents have been tampered with (i.e. authentication and integrity of the message.)
Message Validation	Message validation refers to how you verify the message payload against schema, as well as message size, content and character sets. This includes how your service filters, scrubs and rejects input and output before additional processing. Input and output includes input from clients consuming the service as well as file-system input, as well as input from network resources, such as databases. Output typically includes the return values from your service or disk / database writes among others.
Sensitive Data	Sensitive data includes data integrity and confidentiality of your user and application data that you need to protect. This includes how you protect sensitive data from being stolen from memory, from configuration files or when transmitted over the network.
Session Management	A session refers to a series of related interactions between a client and your service.

Threats / Attacks Organized By the Web Services Security Frame

Category	Threats / Attacks
Auditing and Logging	Repudiation Denial of services Disclosure of confidential information
Authentication	Network eavesdropping Brute force attacks Dictionary attacks Cookie replay attack Credential theft
Authorization	Elevation of privilege Disclosure of confidential data Data tampering Luring attacks Token stealing
Configuration Management	Unauthorized access to configuration stores Retrieval of clear text configuration secrets
Exception Management	Information disclosure Denial of service Elevation of privilege
Impersonation/Delegation	Elevation of privilege Disclosure of confidential information
Message Encryption	Stealing sensitive data. Theft of encryption keys. Man in the middle attack.
Message Replay Detection	Session replay
Message Singing	Data tampering.
Message Validation	XPath injection XML Bombs Canonicalization issues Cross-site scripting SQL injection
Sensitive Data	Memory dumping Network eavesdropping Configuration file sniffing
Session Management	Session hijacking Session replay Man in the middle attack Inability to logout successfully Cross-site request forgery Session fixation Load balancing and session affinity

Vulnerabilities Organized by the Web Services Security Frame

Category	Vulnerabilities
Auditing and Logging	Failing to audit failed logons Failing to secure log files Storing sensitive information in log files Failing to audit across application tiers Failure to throttle log files
Authentication	Using weak passwords Storing clear text credentials in configuration files Passing clear text credentials over the network Permitting prolonged session lifetime Mixing personalization with authentication Using weak authentication mechanisms (For example, using basic authentication over an untrusted network.)
Authorization	Relying on a single gatekeeper (e.g. relying on client-side validation only) Failing to lock down system resources against application identities Failing to limit database access to specified stored procedures Using inadequate separation of privileges Permitting over-privileged accounts
Configuration Management	Using insecure custom administration interfaces Failing to secure configuration files on the server Storing sensitive information in the clear text Having too many administrators Using over-privileged process accounts and service accounts
Exception Management	Failing to use structured exception handling (try/catch) Revealing too much information to the client Failure to specify fault contracts with the client Failure to use a global exception handler
Impersonation / Delegation	Failure to revert to a lower privilege after using impersonation Improper use of global impersonation across the entire service
Message Encryption	Failure to encrypt messages Using custom cryptography Distributing keys insecurely Managing or storing keys insecurely
Message Replay Detection	Failure to implement message replay detection feature
Message Signing	Unsigned messages that don't confirm the source Unsigned messages that don't detect tampering
Message Validation	Using non-validated input used to generate SQL queries Relying only on client-side validation Using input file names, URLs, or user names for security decisions Using application-only filters for malicious input Looking for known bad patterns of input Trusting data read from databases, file shares, and other network resources Failing to validate input from all sources including cookies, SOAP headers, SOAP parameters, databases, and network resources
Session Management	Passing session identifiers over unencrypted channels Permitting prolonged session lifetime Having insecure session state stores Placing session identifiers in query strings

Countermeasures Organized by the Web Services Security Frame

Category	Countermeasures
Auditing and Logging	Identify malicious behavior. Know your baseline (know what good traffic looks like) Use application instrumentation to expose behavior that can be monitored Throttle logging Strip sensitive data before logging
Authentication	Use strong password policies Do not store credentials in an insecure manner Use authentication mechanisms that do not require clear text credentials to be passed over the network Encrypt communication channels to secure authentication tokens Use HTTPS only with forms authentication cookies Separate anonymous from authenticated pages Using cryptographic random number generators to generate session IDs
Authorization	Use least privilege accounts. Authentication tied to authorization on the same tier Consider granularity of access Enforce separation of privileges Use multiple gatekeepers Secure system resources against system identities
Configuration Management	Use ACLs. Encrypt sensitive sections of configuration files Use secure settings for various operations of web services using configuration files
Exception Management	Use structured exception handling (by using try/catch blocks) Catch and wrap exceptions only if the operation adds value/information Do not reveal sensitive system or application information Implement a global exception handler Do not log private data such as passwords
Impersonation / Delegation	Use Using statement to automatically revert impersonation Granularly impersonate only those operations that need it
Message Encryption	Use message security or transport security to encrypt your messages Use platform-provided cryptography Use platform features for key management Periodically change your keys
Message Replay Detection	Cache an identifier for incoming messages, and use message replay detection to identify and reject messages that match an entry in the replay detection cache
Message Signing	verify messages have not been tampered with in transit (data integrity) verify messages originate from the expected sender (authenticity)
Message Validation	verify the message payload against schema verify the message message size, content and character sets filter, scrub and reject input and output before additional processing
Sensitive Data	Do not store secrets in software Encrypt sensitive data over the network Secure the channel Encrypt sensitive data in configuration files
Session Management	Partition site by anonymous, identified, and authenticated users Reduce session timeouts Avoid storing sensitive data in session stores Secure the channel to the session store Authenticate and authorize access to the session store

Thanks
Special thanks to Rudy Araujo and ACE Team members, Richard Lewis and John Steer for their contribution toward helping shape a better frame.

My Related Posts

WCF Security Resources

J.D. Meier — Fri, 23 May 2008 20:45:09 GMT

If you're building Web services or if you're implementing SOA on the Microsoft platform , then you're probably either working with or exploring WCF (Windows Communication Foundation.) When we started our patterns & practices WCF Security Guidance project, one of the first things I did was compile a list of WCF security resources for our team. This helped us quickly ramp up and as well as see gaps. One thing that surprised me is how much is available in the product documentation, if you know where to look. Here's a preliminary look at our WCF Security resources index which we'll include in our WCF Security Guide:

Getting Started

Community

Articles

Microsoft

Community

Blogs

Microsoft

Community

Channel9

Podcasts

ARCast.TV

ARCast.TV - WCF Session Behavior from Slovenia

Videos

Vittorio Bertocci: WS-Trust - Under the Hood

patterns & practices WCF Security Practices at a Glance Now Available

J.D. Meier — Fri, 09 May 2008 23:53:27 GMT

For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF Security Practices at a Glance. Practices At a Glance gives you a bird's-eye view of how to perform common tasks. They are scannable and outcome-driven so that you can quickly browse the problem/solution pairs. Rather than a laundry list of granular tasks, we organize them by our Web Services Security frame (still evolving.)

Categories
Here's how we grouped our WCF Security Practices at a Glance so far:

Auditing and Logging
Authentication
Authorization
Configuration Management
Deployment Considerations
Exception Management
Hosting
Impersonation/Delegation
Input Validation
Message Security
Proxy Considerations
Sensitive Data
Transport Security

Here's a snapshot of the problems solved from our Practices At a Glance, but you can see our answers explained at our WCF Security Guidance project site.

Auditing and Logging

How to audit authentication events
How to audit authorization events
How to enable WCF message logging
How to enable WCF tracing
How to use Health Monitoring in WCF
How to view log information
How to view trace information
How to log traces to a WMI provider
How to turn off audit failure suppression

Authentication

How to authenticate users against the SQL Membership Provider
How to authenticate users against Active Directory
How to authenticate users against Active Directory without windows authentication
How to authenticate users with certificates
How to map certificates with windows accounts
How to authenticate users against a custom user store
How to authenticate users with Kerberos direct to support non-WCF clients with windows authentication

Authorization

How to authorize imperatively
How to authorize declaratively
How to authorize users against Windows groups
How to authorize users against Windows groups using the AspNetWindowsTokenRoleProvider
How to authorize users against the SQL Role Provider
How to authorize users against the ASP.Net Role Provider
How to assign the current principal with IAuthorizationPolicy to allow authorization using custom authentication

Configuration Management

How to encrypt sensitive data in your configuration files
How to run your service under a specific identity
How to create a service account for your WCF service
How to stop clients from referencing your service
How to protect against message replay attacks

Deployment Considerations

How to configure certificates to enable SSL in IIS
How to map Windows accounts with certificates
How to create a Service Principle Name (SPN)
How to configure WCF for NATs and Firewalls
How to create an X.509 certificate

Exception Management

How to shield exception information with fault contracts
How to create an error handler to log details of faults for auditing purposes
How to handle unhandled exceptions in downstream services
How to throw an exception with complex types or data contracts with a fault exception
How to handle unknown faults in a service
How to implement a data contract to propagate exception details for debugging purposes
How to implement fault contracts in call back functions

Hosting

How to host WCF in IIS
How to host WCF in a Windows service
How to self-host WCF
How to configure a least-privilege account to host your service

Impersonation/Delegation

How to choose between trusted subsystem and impersonation/delegation
How to impersonate the original caller when using Windows authentication
How to impersonate programmatically in WCF
How to impersonate declaratively in WCF
How to delegate the original caller to call backend services when using Windows authentication
How to impersonate the original caller without Windows authentication
How to impersonate the original caller using S4U Kerberos extensions.
How to delegate the original caller using S4U Kerberos extensions.
How to impersonate and delegate using LogonUser Windows API
How to flow the original caller from an ASP.NET client to WCF
How to control access to a remote resource based on the original callers identity.

Input Validation

How to protect your service from malicious messages
How to protect your service from malicious input
How to protect your service from denial of service attacks
How to validate parameters with parameter inspectors
How to validate parameters with message inspectors using schemas
How to validate data contracts with message inspectors using schemas
How to validate message contracts with message inspectors using schemas
How to use regular expressions validate format, range and length in schemas
How to validate inbound messages on a service
How to validate outbound messages on a service
How to validate outbound messages on the client
How to validate inbound messages on the client
How to validate input parameters
How to validate output parameters

Message Security

How to use message security
How to partially encrypt a message
How to use out-of-band credentials with message security

Proxy Considerations

How to avoid proxy spoofing
How to expose service metadata for your clients
How to create a proxy to a service hosted in IIS that requires certificate authentication and transport security

Sensitive Data

How to encrypt sensitive data in configuration files
How to protect sensitive data in memory
How to protect sensitive data on the network

Transport Security

How to use transport security
How to use secure conversations in WCF

X.509 Certificates

How to create a temporary X.509 certificate for transport security
How to create a temporary X.509 certificate for message security
How to create a temporary X.509 certificate for certificate authentication

My Related Posts

6 New patterns & practices WCF Security How Tos

J.D. Meier — Thu, 01 May 2008 23:12:44 GMT

We have 6 new How Tos for this week's release of our patterns & practices WCF Security Guidance Project.

WCF Security How Tos

My Related Posts

patterns & practices WCF Security Questions and Answers Now Available

J.D. Meier — Fri, 25 Apr 2008 05:13:59 GMT

What are your key security-related questions with WCF? More importantly, what are the answers? For this week's release of our WCF Security Guidance Project, we posted our WCF Security Q&A (Questions and Answers) to CodePlex.

To create the questions and answers set, we first gathered and organized recurring questions from our field, support, customers and forums. We then worked through to create precise answers. What you get is a browsable collection of questions and answers, organized by our security frame. The security frame maps to actionable categories of your application.

Here's a snapshot of the questions from our Q&A, but you can see our answers explained at our WCF Security Guidance project site.

Design Considerations

How do I decide on an authentication strategy?
How do I decide on an authorization strategy?
When should I use message security vs. transport security?
How do I use my existing Active Directory infrastructure?
What bindings should I use over the Internet?
What bindings should I use over the Intranet?
When should I use resource-based authorization vs. roles-based authorization?
When should I impersonate the original caller?
When should I flow the original caller’s identity to back-end resources?
How do I migrate to WCF from an ASMX web service?
How do I migrate to WCF from a COM application?
How do I migrate to WCF from a DCOM application?
How do I migrate to WCF from a WSE application?

Auditing and Logging

What WCF Service security events should be logged?
How do I enable logging and auditing in WCF?
How do I enable auditing in WCF?
How do I stop my service if there has been an auditing failure?
How do I log important business events in WCF?
How do I implement log throttling in WCF?
How do I use Health Monitoring Feature with WCF?
How do I protect my log files?
How to I pass user identity information in a message for auditing purpose?

Authentication

How do I decide on an authentication strategy in WCF?
When should I use brokered authentication?
When should I use the SQL Server Membership provider?
How do I authenticate against Active Directory?
How do I authenticate against a SQL store?
How do I authenticate against a custom store?
How do I protect passwords in my user store?
How do I use certificate authentication with X.509 certificates?
What is the most common authentication scenario for intranet applications?
What is the most common authentication scenario for internet applications?
How do I support authentication for multiple client types?
What is federated security?
How do I send credentials in the message when I am using transport security?
How do I avoid cleartext passwords?

Authorization

How do I decide on an authorization strategy in WCF?
What’s the difference between resource-based, roles-based and claims-based authorization?
How do I use Windows groups for role authorization in WCF?
How do I use the SQL Role provider for ASPNET role authorization in WCF?
How do I use the Windows Token role provider for ASPNET role authorization in WCF?
How do I use the Authorization Store role provider for ASPNET role authorization in WCF?
What’s the difference between declarative and imperative roles authorization?
How do I restrict access to WCF operations to specific Windows users?
How do I associate roles with a certificate?
What is a service principle name (SPN)?
How do I create a service principle name (SPN)?

Bindings

What is a binding?
What bindings are available?
Which bindings are best suited for the Internet?
Which bindings are best suited for the Intranet?
How do I choose an appropriate binding?
Configuration Management
How do I encrypt sensitive data in WCF configuration file?
How do I run a WCF Service with a particular identity?
How do I create a service account for running my WCF Service?
When should I use a configuration file versus the WCF object model?
What is a metadata exchange (MEX) binding?
How do I keep clients from referencing my service?

Exception Management

How do I implement a global exception handler?
What is a fault contract?
How do I define a fault contract?
How do I avoid sending exception details to the client?

Hosting

How do I configure a least privileged account to host my service?
When should I host my service in IIS?
When should I host my service in a Windows service?
When should I self-host my service?
Impersonation/Delegation
What are my impersonation options?
What is the difference between impersonation and delegation?
How do I impersonate the original caller for an operation call?
How do I temporarily impersonate the original caller in an operation call?
How do I impersonate a specific (fixed) identity?
What is constrained delegation?
What is protocol transition?
How do I flow original caller from ASP.NET client to WCF Service?
What is the difference between declarative and programmatic impersonation?
What is the trusted subsystem model?
When should I flow the original caller to back-end code?
How do I control access to a remote resource based on the original caller’s identity?

Input/Data Validation

How do I implement input and data validation in WCF?
What is schema validation?
What is parameter validation?
Should I validate before or after message serialization?
How do I protect my service from denial of service attacks?
How do I protect my service from malicious input attacks?
How do I protect my service from malformed messages?
Message Protection
When should I use message security?
When should I use transport security?
How do I protect my message when there are intermediaries routing my message?
How do I protect my message when there are multiple protocols used during message
transit?
How do I implement partial message encryption?

Proxy Considerations

When should I use a channel factory?
When do I need to expose a metadata exchange endpoint for my service?
How do I avoid proxy spoofing?

Sensitive Data

How do I protect sensitive data in configuration files?
How do I protect sensitive data in memory?
How do I protect my metadata?
How do I protect sensitive data from being read on the wire?
How do I protect sensitive data from being tampered with on the wire?
How do I authenticate a message was sent by the expected sender?
How do I encrypt data within my message?

X.509 Certificates

How do I create X.509 certificates?
Do I need to create a certificate signed by the root CA certificate?
How do I use X.509 certificate revocation?
How do I authenticate users with X.509 certificates, and then perform role-based access control using an Active Directory domain?

Deployment Considerations

What are the additional considerations for using WCF in a webfarm?
How do I configure WCF for NATs and Firewalls?
How do I configure Active Directory groups and accounts for role-based authorization checks?
How do I create an X.509 certificate?
When should I use a Service Principle Name (SPN)?
How do I configure a least privileged account for my service?

My Related Posts