Wednesday, June 13, 2012

WCF Security Best Practices

From OWASP (https://www.owasp.org/index.php/WCF_Security_Best_Practices), which condenses the
WCF 3.5 Security Guidelines
(on CodePlex, by J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan and Steve Gregersen).

Design Considerations
  • Design your service as a thin wrapper over your business logic, not as the place the logic lives; every operation is an entry point that must validate and authorize
  • If you are coming from ASMX, use basicHttpBinding to support your existing clients
  • If you are coming from DCOM, use netTcpBinding
  • If your clients are deployed within the intranet, choose transport security
  • If your clients are deployed over the internet, choose message security (it survives intermediaries that terminate TLS; transport security over HTTPS is acceptable when the path is point-to-point)
  • Know your authentication options
  • Know your binding options
  • If you need to interoperate with non-Microsoft clients, use basicHttpBinding or wsHttpBinding
  • If your non-Microsoft clients understand the WS-* stack, use wsHttpBinding; otherwise fall back to basicHttpBinding

Auditing and Logging
  • Use WCF auditing (the serviceSecurityAudit behavior) to record authentication and authorization events on your service
  • If non-repudiation is important, set the SuppressAuditFailure property to false, so that a call fails when its audit record cannot be written instead of being processed without a trace
  • Use message logging to log operations on your service; by default only headers are logged, and enabling logEntireMessage captures bodies that may contain credentials or personal data
  • Instrument for user management events (account creation, password changes, role changes)
  • Instrument for significant business operations
  • Protect log files from unauthorized access
  • Do not log sensitive information (passwords, tokens, personal data)
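The audit settings above, wired onto a self-hosted service in code. This is an added example, not part of the OWASP checklist or the guidelines it summarizes; the service type and base address are whatever you pass in, and the same properties map one-to-one onto the serviceSecurityAudit service behavior in config.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example (not from the checklist): enable WCF security auditing on a
// self-hosted service and fail closed when the audit record cannot be written.
public static class AuditedHost
{
    public static ServiceHost Create(Type serviceType, Uri baseAddress)
    {
        var host = new ServiceHost(serviceType, baseAddress);
        var audit = host.Description.Behaviors.Find<ServiceSecurityAuditBehavior>();
        if (audit == null)
        {
            audit = new ServiceSecurityAuditBehavior();
            host.Description.Behaviors.Add(audit);
        }

        // The Security log requires the host identity to hold SeAuditPrivilege
        // ("Generate security audits"); the Application log works for any account.
        audit.AuditLogLocation = AuditLogLocation.Application;
        // Record both outcomes: failures show probing, successes give the trail of
        // who called what, which is what non-repudiation needs.
        audit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure;
        audit.ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure;
        // Default is true: a failed audit write is swallowed and the call proceeds.
        // false makes the call fail instead, so no operation runs without its record.
        audit.SuppressAuditFailure = false;
        return host;
    }

    // Reviewer check: does this host refuse to run operations it cannot audit?
    public static bool FailsClosedOnAuditError(ServiceHost host)
    {
        var audit = host.Description.Behaviors.Find<ServiceSecurityAuditBehavior>();
        return audit != null
            && !audit.SuppressAuditFailure
            && audit.ServiceAuthorizationAuditLevel != AuditLevel.None;
    }
}
```

Audit entries identify the caller and the operation but not message contents; if you also turn on message logging, keep logEntireMessage off in production, because the body of a UserName-authenticated message carries the password.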

Authentication
  • Know your authentication options
  • Use Windows authentication when you can
  • If you support non-WCF clients using Windows authentication and message security, consider the Kerberos direct option (negotiateServiceCredential="false"), which requires an SPN registered for the service account
  • If your users are in AD but you can't use Windows authentication, consider username authentication backed by the ActiveDirectoryMembershipProvider
  • If you are using username authentication, use a Membership Provider instead of custom authentication
  • If your users are in a SQL membership store, use the SQL Membership Provider
  • If your users are in a custom store, consider username authentication with a custom validator
  • If your clients have certificates, consider client certificate authentication
  • If your partner applications need to be authenticated when calling WCF services, use client certificate authentication
  • If you are using username authentication, validate the user name and password as untrusted input before looking them up
  • Do not store passwords directly in the user store; store salted hashes
  • Enforce strong passwords
  • Protect access to your credential store
  • If you are using Windows Forms to connect to WCF, do not cache credentials
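The "custom store" case from the list above, written out: a custom UserNamePasswordValidator over a store that holds salted PBKDF2 hashes rather than passwords, with the login data validated as untrusted input and a password policy enforced at enrolment. This is an added example, not code from the checklist; the in-memory store, the iteration count and the policy regex are assumptions, and if your users already live in a SQL membership database you should use the SQL Membership Provider instead.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

// Added example (not from the checklist): username authentication against a
// store of salted PBKDF2 hashes. Store, parameters and policy are assumptions.
public sealed class HashedStoreValidator : UserNamePasswordValidator
{
    private const int SaltBytes = 16, HashBytes = 32, Iterations = 100000;
    private sealed class Entry { public byte[] Salt; public byte[] Hash; }

    // Stand-in for a real credential store (constructed for the example).
    private static readonly Dictionary<string, Entry> Store =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);

    // Password policy enforced at enrolment: 12 to 128 chars, upper, lower, digit, symbol.
    private static readonly Regex Strong =
        new Regex(@"\A(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{12,128}\z");

    public static void Enroll(string user, string password)
    {
        if (string.IsNullOrEmpty(user) || user.Length > 64 || password == null || !Strong.IsMatch(password))
            throw new ArgumentException("user name or password does not meet policy");
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Store[user] = new Entry { Salt = salt, Hash = Derive(password, salt) };
    }

    // WCF calls this for every UserName token. Throwing rejects the call; the
    // reason text is identical for "no such user" and "wrong password".
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || userName.Length > 64 ||
            string.IsNullOrEmpty(password) || password.Length > 128)
            throw new SecurityTokenException("Invalid credentials");

        Entry entry;
        bool known = Store.TryGetValue(userName, out entry);
        // Derive even for unknown users so response time does not reveal which names exist.
        byte[] salt = known ? entry.Salt : new byte[SaltBytes];
        byte[] expected = known ? entry.Hash : new byte[HashBytes];
        if (!known || !FixedTimeEquals(expected, Derive(password, salt)))
            throw new SecurityTokenException("Invalid credentials");
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
    }

    // Compare without short-circuiting on the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Hook it up with host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom and CustomUserNamePasswordValidator = new HashedStoreValidator() (or the equivalent userNameAuthentication element in config), and pair it with message security or TransportWithMessageCredential so the password never crosses the wire in clear.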

Authorization
  • If you store role information in Windows groups, consider the PrincipalPermissionAttribute class for role authorization
  • If you use ASP.NET roles, use the ASP.NET Role Provider (principalPermissionMode="UseAspNetRoles")
  • If you use Windows groups for authorization through ASP.NET roles, use the AspNetWindowsTokenRoleProvider
  • If you store role information in SQL Server, consider the SQL Server Role Provider
  • If you store role information in ADAM (AD LDS), use the Authorization Store (AzMan) Role Provider
  • If you need to authorize access to WCF operations, use declarative authorization (a PrincipalPermission demand on the operation)
  • If you need fine-grained authorization based on business logic, use imperative authorization (IsInRole checks inside the operation)
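Declarative and imperative authorization side by side, as an added example that is not from the checklist. The contract, the role names and the refund threshold are assumptions.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

// Added example (not from the checklist): a role demand on the operation plus an
// imperative check for a rule an attribute cannot express.
[ServiceContract]
public interface IPayments
{
    [OperationContract] string Refund(string orderId, decimal amount);
}

public class PaymentsService : IPayments
{
    public const decimal ManagerApprovalAbove = 1000m; // assumed business rule

    // Declarative: WCF demands the role before the method body runs. With the default
    // principalPermissionMode="UseWindowsGroups" the role is a Windows group; with
    // "UseAspNetRoles" it is resolved by the configured RoleProvider. A failed demand
    // reaches the client as an "Access is denied" fault with no further detail.
    [PrincipalPermission(SecurityAction.Demand, Role = "Finance")]
    public string Refund(string orderId, decimal amount)
    {
        if (!MayRefund(Thread.CurrentPrincipal, amount))
            throw new FaultException("Access is denied"); // same wording as the declarative fault
        // ... issue the refund, recording ServiceSecurityContext.Current.PrimaryIdentity.Name
        return "refund-" + orderId;
    }

    // Imperative, testable without a host: large refunds also need the manager role.
    public static bool MayRefund(IPrincipal caller, decimal amount)
    {
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated) return false;
        if (amount <= 0m) return false;
        if (amount > ManagerApprovalAbove) return caller.IsInRole("FinanceManager");
        return caller.IsInRole("Finance");
    }
}
```

Thread.CurrentPrincipal is populated by the serviceAuthorization behavior according to principalPermissionMode; for SQL-backed roles set principalPermissionMode="UseAspNetRoles" with roleProviderName pointing at the SqlRoleProvider, and for Windows groups via ASP.NET roles point it at the AspNetWindowsTokenRoleProvider.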

Binding
  • If you need to support clients over the internet, consider wsHttpBinding
  • If you need to expose your WCF service to legacy clients as an ASMX web service, use basicHttpBinding (its default security mode is None, so set the mode explicitly)
  • If you need to support remote WCF clients within an intranet, consider netTcpBinding
  • If you need to support local WCF clients on the same machine, consider netNamedPipeBinding
  • If you need to support disconnected, queued calls, use netMsmqBinding
  • If you need bidirectional communication between a WCF client and service, use wsDualHttpBinding (the service opens a connection back to the client, so it rarely works through NAT or client-side firewalls)
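The bindings the Design Considerations and Binding lists steer you to, built with the settings that are easy to get wrong, plus a check that tells you whether a binding protects the wire at all. This is an added example, not code from the checklist; the message size limit is an assumed value, and in production these settings belong in config rather than code.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example (not from the checklist): three bindings with explicit security
// settings, and a reviewer check for unprotected bindings.
public static class Bindings
{
    // Legacy/ASMX interop. new BasicHttpBinding() is SecurityMode.None: credentials
    // and payload travel in clear text. Require HTTPS and send credentials inside it.
    public static BasicHttpBinding ForLegacyClients()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic; // only ever over TLS
        return b;
    }

    // Internet / WS-* clients: message security survives intermediaries that terminate TLS.
    // Replay detection is enabled by default for message security.
    public static WSHttpBinding ForInternetClients()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        b.Security.Message.NegotiateServiceCredential = false; // clients hold the service cert; no spoofable negotiation
        b.Security.Message.EstablishSecurityContext = true;    // one key exchange per session, not per call
        b.MaxReceivedMessageSize = 64 * 1024;                  // keep the DoS limit explicit (assumed value)
        return b;
    }

    // Intranet WCF-to-WCF (the DCOM replacement): transport security with Windows credentials.
    public static NetTcpBinding ForIntranetClients()
    {
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        b.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign; // not Sign only
        return b;
    }

    // True if the binding carries message security, TLS, or a stream upgrade
    // (Windows/SSL stream security on TCP and named pipes). new BasicHttpBinding() -> false.
    public static bool IsProtected(Binding binding)
    {
        BindingElementCollection elements = binding.CreateBindingElements();
        return elements.Find<SecurityBindingElement>() != null
            || elements.Find<HttpsTransportBindingElement>() != null
            || elements.Find<StreamUpgradeBindingElement>() != null;
    }
}
```

IsProtected is useful in a start-up self-check or a unit test over the bindings loaded from config: iterate host.Description.Endpoints and fail the build if any endpoint's binding returns false.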

Configuration Management
  • Use replay detection to protect against message replay attacks (it is on by default with message security on the standard bindings; tune the replay window and cache through a customBinding's localServiceSettings)
  • If you host your service in a Windows service, expose a metadata exchange (mex) endpoint so clients can discover the contract (under IIS, HTTP GET metadata can serve the same purpose)
  • If you don't want to expose your WSDL, turn off httpGetEnabled and remove the mex endpoint
  • Manage bindings and endpoints in config, not code, so they can be hardened at deployment without a rebuild
  • Give every service behavior, endpoint behavior and binding configuration a name and reference it explicitly, so an endpoint cannot silently fall back to the defaults
  • Encrypt configuration sections that contain sensitive data (connection strings, credentials, certificate references)
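Encrypting the sensitive sections with the protected-configuration API, as an added example rather than code from the checklist. The list of sections is an assumption about where a WCF application keeps its secrets; for a web.config the same result comes from aspnet_regiis -pe.

```csharp
using System;
using System.Configuration;

// Added example (not from the checklist): encrypt the config sections that carry
// secrets. The section list is an assumption.
public static class ConfigProtector
{
    // RSA provider: the key container can be exported and imported across a farm.
    // DPAPI provider: bound to this machine; simplest for a single box.
    public const string FarmProvider = "RsaProtectedConfigurationProvider";
    public const string SingleBoxProvider = "DataProtectionConfigurationProvider";

    public static readonly string[] SensitiveSections =
    {
        "connectionStrings",
        "appSettings",
        "system.serviceModel/behaviors",   // client/service credentials, certificate references
        "system.serviceModel/client",      // endpoint addresses and identities
    };

    // Encrypts every listed section of <exePath>.config that is not already protected.
    // Returns the number of sections changed. Decryption at runtime is transparent to
    // ConfigurationManager and therefore to WCF.
    public static int Protect(string exePath, string provider)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        int changed = 0;
        foreach (string name in SensitiveSections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null || section.SectionInformation.IsProtected) continue;
            section.SectionInformation.ProtectSection(provider);
            section.SectionInformation.ForceSave = true;
            changed++;
        }
        if (changed > 0) config.Save(ConfigurationSaveMode.Modified);
        return changed;
    }

    // Deployment check: are all sensitive sections encrypted on disk?
    public static bool AllProtected(string exePath)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        foreach (string name in SensitiveSections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section != null && !section.SectionInformation.IsProtected) return false;
        }
        return true;
    }
}
```

With the RSA provider the account the service runs under must be able to read the key container (aspnet_regiis -pa "NetFrameworkConfigurationKey" "DOMAIN\svc_account"); with DPAPI the file only decrypts on the machine that encrypted it, which is the point.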

Exception Management
  • Use structured exception handling
  • Do not divulge exception details to clients in production (keep includeExceptionDetailInFaults="false")
  • Use a fault contract to return error information to clients
  • Use a global exception handler (IErrorHandler) to catch unhandled exceptions, log them server-side and replace them with an opaque fault
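A fault contract for deliberate errors plus a global IErrorHandler for everything else, as an added example that is not from the checklist. The contract, the ServiceFault shape and the Log delegate are assumptions.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Added example (not from the checklist): sanitized faults for clients, full detail
// in the server log, correlated by an id.
[DataContract]
public class ServiceFault
{
    [DataMember] public string Code { get; set; }          // stable, client-facing code
    [DataMember] public string CorrelationId { get; set; } // lets support find the log entry
}

[ServiceContract]
public interface IOrders
{
    [OperationContract]
    [FaultContract(typeof(ServiceFault))]
    string Place(string sku, int quantity);
}

[SafeFaults]
public class OrdersService : IOrders
{
    public string Place(string sku, int quantity)
    {
        if (quantity <= 0) // a deliberate, already-sanitized fault
            throw new FaultException<ServiceFault>(
                new ServiceFault { Code = "INVALID_QUANTITY" }, new FaultReason("Quantity must be positive"));
        return Guid.NewGuid().ToString("N"); // order id
    }
}

// Global handler: every unhandled exception is logged in full server-side and the
// client gets an opaque fault carrying only a code and a correlation id.
[AttributeUsage(AttributeTargets.Class)]
public sealed class SafeFaultsAttribute : Attribute, IServiceBehavior, IErrorHandler
{
    public static Action<string, Exception> Log = (id, ex) => Console.Error.WriteLine(id + ": " + ex);

    public bool HandleError(Exception error) { return true; } // handled: keep the session alive

    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        if (error is FaultException) return;  // thrown on purpose, leave it alone
        string id = Guid.NewGuid().ToString("N");
        Log(id, error);                        // stack trace and inner exceptions stay here
        var fe = new FaultException<ServiceFault>(
            new ServiceFault { Code = "INTERNAL_ERROR", CorrelationId = id },
            new FaultReason("The request could not be processed"));
        fault = Message.CreateMessage(version, fe.CreateMessageFault(), fe.Action);
    }

    public void ApplyDispatchBehavior(ServiceDescription desc, ServiceHostBase host)
    {
        foreach (ChannelDispatcherBase cdb in host.ChannelDispatchers)
        {
            var cd = cdb as ChannelDispatcher;
            if (cd == null) continue;
            cd.IncludeExceptionDetailInFaults = false; // never leak stack traces, whatever config says
            cd.ErrorHandlers.Add(this);
        }
    }
    public void AddBindingParameters(ServiceDescription d, ServiceHostBase h,
        Collection<ServiceEndpoint> e, BindingParameterCollection p) { }
    public void Validate(ServiceDescription d, ServiceHostBase h) { }
}
```

Returning true from HandleError keeps the channel open for the client; return false instead when the exception means the channel state itself is suspect.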

Hosting
  • If you are hosting your service in a Windows service, use a least-privileged custom domain account
  • If you are hosting your service in IIS, use a least-privileged service account as the application pool identity
  • Use IIS to host your service unless you need a transport that IIS does not support

Impersonation and Delegation
  • Know the impersonation options
  • If you have to flow the original caller's identity to a back-end resource, use constrained delegation
  • Consider LogonUser when you need to impersonate but you don't have trusted delegation (it requires the service to hold the password for the account it logs on)
  • Consider S4U (Kerberos protocol transition) when you need a Windows token and you don't have the original caller's credentials
  • Use programmatic impersonation to impersonate based on business logic
  • When impersonating programmatically, be sure to revert to the original context (Undo or Dispose the WindowsImpersonationContext, in a finally block)
  • Only impersonate on operations that require it; do not set impersonateCallerForAllOperations
  • Use OperationBehavior (Impersonation = ImpersonationOption.Required) to impersonate declaratively
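Declarative impersonation on the one operation that needs the caller's token, and programmatic impersonation scoped to a single call with a guaranteed revert. This is an added example, not from the checklist; the contract, the UNC share and the "callerView" switch are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

// Added example (not from the checklist): impersonate only where the resource's
// ACL needs the caller's identity, and always revert.
[ServiceContract]
public interface IReports
{
    [OperationContract] string ReadReport(string name);
    [OperationContract] int CountReports(bool callerView);
}

public class ReportsService : IReports
{
    private const string Share = @"\\fileserver\reports\"; // assumed location

    // Declarative: WCF impersonates the caller for the whole operation and reverts
    // when it returns, exception or not. The share's ACL then decides access.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadReport(string name)
    {
        return File.ReadAllText(Path.Combine(Share, SafeName(name)));
    }

    // Programmatic: impersonate only the part of the operation that needs it.
    public int CountReports(bool callerView)
    {
        if (!callerView)
            return Directory.GetFiles(Share).Length;      // runs as the service account

        ServiceSecurityContext sec = ServiceSecurityContext.Current;
        WindowsIdentity caller = sec == null ? null : sec.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("Windows credentials are required");

        // Dispose() reverts to the service identity; the using block guarantees it
        // even if GetFiles throws.
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        {
            return Directory.GetFiles(Share).Length;      // runs as the caller
        }
    }

    // Input validation: accept a file name, never a path (no separators, no "..").
    private static string SafeName(string name)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 64
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 || name.Contains(".."))
            throw new FaultException("Invalid report name");
        return name + ".txt";
    }
}
```

For the impersonated token to be usable the client must allow it (ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation or higher), and reaching a remote share as the caller needs the service account trusted for constrained delegation with an SPN registered, which is the deployment item further down.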

Input/Data Validation
  • If you need to validate parameters, use parameter inspectors (IParameterInspector)
  • If your service has operations that accept message or data contracts, validate the messages against a schema
  • If you need to do schema validation, use message inspectors (IDispatchMessageInspector)
  • Validate operation parameters for length, range, format and type
  • Validate parameter input on the server
  • Validate service responses on the client
  • Do not rely on client-side validation
  • Avoid user-supplied file name and path input
  • Do not echo untrusted input back to the client, not even in fault messages
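A parameter inspector that enforces length, printable-only and format rules on the server before the operation runs, with the rules declared on the contract's parameters and the fault naming the argument position rather than echoing the value. This is an added example, not from the checklist; the contract, the rules and the fault text are assumptions, and synchronous contracts (SyncMethod) are assumed.

```csharp
using System;
using System.Reflection;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text.RegularExpressions;

// Added example (not from the checklist): server-side parameter validation via
// IParameterInspector, attached by an IOperationBehavior attribute.
[AttributeUsage(AttributeTargets.Parameter)]
public sealed class StringRuleAttribute : Attribute
{
    public int MaxLength = 256;
    public string Pattern;   // regex; the inspector anchors it. null = any printable text
}

[AttributeUsage(AttributeTargets.Method)]
public sealed class ValidateParametersAttribute : Attribute, IOperationBehavior
{
    public void ApplyDispatchBehavior(OperationDescription op, DispatchOperation dispatch)
    {
        // Input parameters arrive in BeforeCall in declaration order, so the rule
        // array is indexed the same way as the contract's parameter list.
        ParameterInfo[] ps = op.SyncMethod.GetParameters();
        var rules = new StringRuleAttribute[ps.Length];
        for (int i = 0; i < ps.Length; i++)
            rules[i] = (StringRuleAttribute)Attribute.GetCustomAttribute(ps[i], typeof(StringRuleAttribute));
        dispatch.ParameterInspectors.Add(new Inspector(rules));
    }
    public void ApplyClientBehavior(OperationDescription op, ClientOperation client) { }
    public void AddBindingParameters(OperationDescription op, BindingParameterCollection p) { }
    public void Validate(OperationDescription op) { }

    // True when the value satisfies length, printable-only and (if given) format rules.
    public static bool IsValid(string value, StringRuleAttribute rule)
    {
        if (value == null || value.Length > rule.MaxLength) return false;
        foreach (char c in value) if (char.IsControl(c)) return false;
        return rule.Pattern == null || Regex.IsMatch(value, @"\A(?:" + rule.Pattern + @")\z");
    }

    private sealed class Inspector : IParameterInspector
    {
        private readonly StringRuleAttribute[] _rules;
        public Inspector(StringRuleAttribute[] rules) { _rules = rules; }

        public object BeforeCall(string operationName, object[] inputs)
        {
            for (int i = 0; i < inputs.Length; i++)
            {
                string s = inputs[i] as string;
                if (s == null) continue;   // only string inputs carry rules in this example
                if (!IsValid(s, _rules[i] ?? new StringRuleAttribute()))
                    // Name the argument position, never the offending value.
                    throw new FaultException("Invalid value for argument " + i + " of " + operationName);
            }
            return null;
        }
        public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState) { }
    }
}

[ServiceContract]
public interface ICatalog
{
    [OperationContract, ValidateParameters]
    string Describe([StringRule(MaxLength = 12, Pattern = @"[A-Z]{3}-\d{4}")] string sku,
                    [StringRule(MaxLength = 64, Pattern = @"[\w .,-]+")] string locale);
}
```

The patterns deliberately admit no path separators, so a value such as "..\web.config" fails at the inspector before any operation code can turn it into a file name. For operations that take data or message contracts rather than scalars, the equivalent hook is an IDispatchMessageInspector whose AfterReceiveRequest runs the message through an XmlReader created with a validating XmlReaderSettings.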

Proxy Considerations
  • Publish your metadata over HTTPS to protect your clients from proxy spoofing (a tampered WSDL can point a generated proxy at an attacker's endpoint or certificate)
  • If you turn off mutual authentication (for example, service certificate validation mode None), be aware that the client can no longer tell a spoofed service from the real one
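What "turning off mutual authentication" looks like on the client, next to the hardened form. This is an added example, not from the checklist; the contract, the URL and the expected DNS identity are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example (not from the checklist): weak vs hardened service-certificate
// validation on a WCF client.
[ServiceContract]
public interface ICheckout
{
    [OperationContract] string Place(string sku, int quantity);
}

public static class ClientFactories
{
    // Weak, and frequently copied from a dev box with a temporary certificate: any
    // service certificate is accepted, so a spoofed service at the same URL is
    // indistinguishable from the real one. Never ship this.
    public static ChannelFactory<ICheckout> Insecure(string url)
    {
        var f = new ChannelFactory<ICheckout>(new WSHttpBinding(SecurityMode.Message), new EndpointAddress(url));
        f.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        return f;
    }

    // Hardened: chain trust with revocation checking, an explicit DNS identity so a
    // valid certificate for a different host is rejected, and the service certificate
    // supplied out of band instead of negotiated over the channel.
    public static ChannelFactory<ICheckout> Hardened(string url, string expectedDns)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.NegotiateServiceCredential = false;

        var address = new EndpointAddress(new Uri(url), EndpointIdentity.CreateDnsIdentity(expectedDns));
        var f = new ChannelFactory<ICheckout>(binding, address);

        X509ServiceCertificateAuthentication auth = f.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;

        // With negotiateServiceCredential=false the client must already hold the
        // service certificate; it is looked up in the local store, not fetched from WSDL.
        f.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.LocalMachine, StoreName.TrustedPeople,
            X509FindType.FindBySubjectName, expectedDns);
        return f;
    }

    // Reviewer check over a factory loaded from config: does it validate at all?
    public static bool ValidatesServiceCertificate(ChannelFactory factory)
    {
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        return auth.CertificateValidationMode != X509CertificateValidationMode.None;
    }
}
```

The same settings appear in config as the serviceCertificate element of an endpoint behavior and the identity element of the endpoint; when the proxy was generated from metadata, check that the generated identity and certificate came from an HTTPS mex endpoint, because otherwise they are exactly what an attacker in the path chose.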

Deployment considerations
  • Do not use temporary (test) certificates in production
  • If you are using a custom domain account as the application pool identity for your WCF application, create an SPN so that Kerberos can authenticate the client
  • If you are using a custom service account and need it to be trusted for delegation, create an SPN
  • If you are hosting your service in a Windows service under a custom domain identity, and ASP.NET needs constrained delegation when calling the service, create an SPN
  • Use IIS to host your service unless you need a transport that IIS does not support
  • Use a least-privileged account to run your WCF service
  • Protect sensitive data in your configuration files

41 comments:
