From OWASP (https://www.owasp.org/index.php/WCF_Security_Best_Practices)
From WCF 3.5 Security Guidelines
(@Codeplex by J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.)
Design Considerations
Auditing and Logging
Authentication
Authorization
Binding
Configuration Management
Exception Management
Hosting
Impersonation and Delegation
Input/Data Validation
Proxy Considerations
Deployment Considerations
Design Considerations
- Design your service as a wrapper
- If you are coming from ASMX, use basicHttpBinding to support your existing clients
- If you are coming from DCOM, use netTcpBinding
- If your clients are deployed within an intranet, choose transport security
- If your clients are deployed over the internet, choose message security
- Know your Authentication options
- Know your binding options
- If you need to interoperate with non-MS clients, use basicHttpBinding or wsHttpBinding
- If your non-MS clients understand the WS-* stack, use wsHttpBinding
Auditing and Logging
- Use WCF auditing to audit your service
- If non-repudiation is important, consider setting the SuppressAuditFailure property to false
- Use message logging to log operations on your service
- Instrument for user management events
- Instrument for significant business operations
- Protect log files from unauthorized access
- Do not log sensitive information
Authentication
- Know your authentication options
- Use Windows Authentication when you can
- If you support non-WCF clients using Windows authentication and message security, consider using the Kerberos direct option
- If your users are in AD but you can't use Windows authentication, consider using username authentication
- If you are using username authentication, use a membership provider instead of custom authentication
- If your users are in a SQL membership store, use the SQL Membership Provider
- If your users are in a custom store, consider using username authentication with a custom validator
- If your clients have certificates, consider using client certificate authentication
- If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
- If you are using username authentication, validate user login information
- Do not store passwords directly in the user store
- Enforce strong passwords
- Protect access to your credential store
- If you are using Windows Forms to connect to WCF, do not cache credentials
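Added example (not part of the OWASP checklist or the CodePlex guidance): a custom validator for the "users are in a custom store" case above, written so that the store holds salted PBKDF2 hashes rather than passwords and so that validation failures do not leak account existence through timing. The in-memory dictionary is a constructed stand-in for a real repository, and `Attach` assumes a host whose binding uses message security with UserName credentials.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

// Custom UserNamePasswordValidator for a custom user store. The store below is a constructed
// in-memory dictionary standing in for a real repository; it holds salted PBKDF2 hashes only.
public class HashedPasswordValidator : UserNamePasswordValidator
{
    private const int Iterations = 100000, SaltBytes = 16, HashBytes = 32;
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Store =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase); // name -> (salt, hash)

    // Enrolment path: the password is hashed with a fresh random salt and then discarded.
    public static void Register(string userName, string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Store[userName] = Tuple.Create(salt, Derive(password, salt));
    }

    // Called by WCF for every message carrying a UserName token. Throwing SecurityTokenException
    // rejects the message; WCF sends the client a generic security fault, not this text.
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Credentials are required.");
        Tuple<byte[], byte[]> record;
        bool known = Store.TryGetValue(userName, out record);
        // Always run the derivation, against a dummy salt for unknown names, so response
        // time does not reveal whether an account exists.
        byte[] computed = Derive(password, known ? record.Item1 : new byte[SaltBytes]);
        if (!known || !FixedTimeEquals(computed, record.Item2))
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }

    // Wires the validator into a host whose binding uses message security with UserName credentials.
    public static void Attach(ServiceHost host)
    {
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new HashedPasswordValidator();
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(HashBytes);
    }

    // Compares every byte regardless of where the first mismatch is, so timing does not leak it.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```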
Authorization
- If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization
- If you use ASP.NET roles, use the ASP.NET Role Provider
- If you use Windows groups for authorization, use the ASP.NET Role Provider with AspNetWindowsTokenRoleProvider
- If you store role information in SQL, consider using the SQL Server Role Provider for roles authorization
- If you store role information in ADAM, use the Authorization Store Role Provider for roles authorization
- If you need to authorize access to WCF operations, use declarative authorization
- If you need to perform fine-grained authorization based on business logic, use imperative authorization
Binding
- If you need to support clients over the internet, consider using wsHttpBinding.
- If you need to expose your WCF service to legacy clients as an ASMX web service, use basicHttpBinding
- If you need to support remote WCF clients within an intranet, consider using netTcpBinding.
- If you need to support local WCF clients, consider using netNamedPipeBinding.
- If you need to support disconnected queued calls, use netMsmqBinding.
- If you need to support bidirectional communication between WCF Client and WCF service, use wsDualHttpBinding.
Configuration Management
- Use Replay detection to protect against message replay attacks
- If you host your service in a Windows service, expose a metadata exchange (mex) binding
- If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex)
- Manage bindings and endpoints in config not code
- Associate names with the service configuration when you create service behavior, endpoint behavior, and binding configuration
- Encrypt configuration sections that contain sensitive data
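Added example, not from the OWASP checklist or its authors, that applies several items from the Design Considerations, Auditing and Logging, Binding, Configuration Management and Proxy Considerations lists to one self-hosted service (the Windows-service hosting case mentioned above; for IIS hosting the same settings belong in web.config, as the checklist prefers). `IOrderService`, `OrderService` and the addresses are hypothetical.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

[ServiceContract] public interface IOrderService { [OperationContract] string GetStatus(int orderId); }
public class OrderService : IOrderService { public string GetStatus(int orderId) { return orderId > 0 ? "open" : "unknown"; } }

public static class SecureHostFactory
{
    // Binding choice from the checklist: intranet WCF clients get transport security over
    // TCP; internet clients get message security over HTTP with replay detection on.
    public static Binding CreateBinding(bool internetFacing)
    {
        if (!internetFacing)
        {
            var tcp = new NetTcpBinding(SecurityMode.Transport);
            tcp.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
            return tcp;
        }
        var ws = new WSHttpBinding(SecurityMode.Message);
        ws.Security.Message.ClientCredentialType = MessageCredentialType.UserName; // needs a service certificate on host.Credentials
        // Replay detection is the default for message security; set it explicitly so a later
        // binding edit cannot silently turn it off.
        BindingElementCollection elements = ws.CreateBindingElements();
        elements.Find<SecurityBindingElement>().LocalServiceSettings.DetectReplays = true;
        return new CustomBinding(elements);
    }
    // serviceAddress must match the binding scheme (net.tcp:// or http://); the HTTPS base
    // address is used only for metadata exchange.
    public static ServiceHost Create(Uri serviceAddress, Uri httpsBaseAddress, bool internetFacing)
    {
        var host = new ServiceHost(typeof(OrderService), httpsBaseAddress);
        host.AddServiceEndpoint(typeof(IOrderService), CreateBinding(internetFacing), serviceAddress);

        // Auditing: record authentication and authorization outcomes in the Security log and
        // fail the call rather than continue when an audit entry cannot be written.
        var audit = Ensure<ServiceSecurityAuditBehavior>(host);
        audit.AuditLogLocation = AuditLogLocation.Security;
        audit.SuppressAuditFailure = false;
        audit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure;
        audit.ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure;

        // Metadata: no anonymous WSDL over plain HTTP GET; mex only over HTTPS so clients
        // cannot be handed a spoofed service description.
        Ensure<ServiceMetadataBehavior>(host).HttpGetEnabled = false;
        host.AddServiceEndpoint(typeof(IMetadataExchange), MetadataExchangeBindings.CreateMexHttpsBinding(), "mex");

        // Exception details (stack traces, inner messages) never leave the server.
        Ensure<ServiceDebugBehavior>(host).IncludeExceptionDetailInFaults = false;
        return host;
    }
    // Returns the host's behavior of type T, adding a default instance if it is not present yet.
    private static T Ensure<T>(ServiceHost host) where T : class, IServiceBehavior, new()
    {
        var behavior = host.Description.Behaviors.Find<T>();
        if (behavior == null) { behavior = new T(); host.Description.Behaviors.Add(behavior); }
        return behavior;
    }
}
```

Writing to the Security log requires the host account to hold the audit privilege; if that is not available, AuditLogLocation.Application keeps the same events in the Application log.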
Exception Management
- Use structured exception handling
- Do not divulge exception details to clients in production
- Use a fault contract to return error information to clients
- Use a global exception handler to catch unhandled exceptions
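Added example, not from the OWASP checklist or its authors, combining the three items above: a fault contract for expected errors, a global IErrorHandler that replaces any unhandled exception with a generic fault while logging the full exception server-side, and a service behavior that installs it. `IOrderService`, `OrderService` and `ServiceFault` are hypothetical.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Linq;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

[DataContract]
public class ServiceFault { [DataMember] public string Code { get; set; } [DataMember] public string Reference { get; set; } }

[ServiceContract]
public interface IOrderService
{
    [OperationContract, FaultContract(typeof(ServiceFault))]
    string GetStatus(int orderId);
}

// Global handler: every unhandled exception is logged in full on the server and
// replaced by a generic fault carrying only a code and a correlation reference.
public class SanitizingErrorHandler : IErrorHandler
{
    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        if (error is FaultException) return; // deliberate contract fault: pass it through unchanged
        string reference = Guid.NewGuid().ToString("N");
        error.Data["Reference"] = reference;  // read back by HandleError below
        var fe = new FaultException<ServiceFault>(
            new ServiceFault { Code = "InternalError", Reference = reference },
            new FaultReason("The request could not be processed."));
        fault = Message.CreateMessage(version, fe.CreateMessageFault(), fe.Action);
    }

    public bool HandleError(Exception error)
    {
        System.Diagnostics.Trace.TraceError("[{0}] {1}", error.Data["Reference"], error);
        return true; // handled: the session is not aborted
    }
}

// Service behavior that installs the handler on every channel dispatcher of the host.
public class SanitizeFaultsAttribute : Attribute, IServiceBehavior
{
    public void ApplyDispatchBehavior(ServiceDescription desc, ServiceHostBase host)
    {
        foreach (ChannelDispatcher cd in host.ChannelDispatchers.OfType<ChannelDispatcher>())
            cd.ErrorHandlers.Add(new SanitizingErrorHandler());
    }
    public void AddBindingParameters(ServiceDescription d, ServiceHostBase h, Collection<ServiceEndpoint> e, BindingParameterCollection p) { }
    public void Validate(ServiceDescription d, ServiceHostBase h) { }
}

[SanitizeFaults]
public class OrderService : IOrderService
{
    public string GetStatus(int orderId)
    {
        if (orderId <= 0) // client-correctable error: explicit contract fault, no internals exposed
            throw new FaultException<ServiceFault>(new ServiceFault { Code = "InvalidOrderId" }, "orderId must be positive");
        return orderId % 2 == 0 ? "shipped" : "pending"; // anything thrown past here is sanitized
    }
}
```

A client that receives the generic fault can quote the Reference value to support staff, who look it up in the server log; the stack trace itself never crosses the wire.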
Hosting
- If you are hosting your service in a Windows Service, use a least privileged custom domain account
- If you are hosting your service in IIS, use a least privileged service account
- Use IIS to host your service unless you need to use a transport that IIS does not support
Impersonation and Delegation
- Know the impersonation options
- If you have to flow the original caller's identity, use constrained delegation
- Consider LogonUser when you need to impersonate but you don’t have trusted delegation
- Consider S4U when you need a Windows token and you don’t have the original caller’s credentials
- Use programmatic impersonation to impersonate based on business logic
- When impersonating programmatically be sure to revert to original context
- Only impersonate on operations that require it
- Use OperationBehavior to impersonate declaratively
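Added example, not from the OWASP checklist or its authors, covering both the Authorization and the Impersonation and Delegation lists above: declarative role checks with PrincipalPermissionAttribute, an imperative check that depends on request data, declarative impersonation on the one operation that needs it, and programmatic impersonation that always reverts. `IPayrollService`, `PayrollService` and the role names are hypothetical; the Windows-identity operations assume a binding with Windows credentials.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

[ServiceContract]
public interface IPayrollService
{
    [OperationContract] decimal GetSalary(string employeeId);
    [OperationContract] bool ApproveRaise(string employeeId, decimal amount);
    [OperationContract] string WhoAmI();
}

public class PayrollService : IPayrollService
{
    // Declarative authorization: with the default PrincipalPermissionMode (UseWindowsGroups)
    // the role is a Windows group; with UseAspNetRoles it is an ASP.NET role. The demand
    // runs before the method body and is reported to the client as an access-denied fault.
    [PrincipalPermission(SecurityAction.Demand, Role = "HR")]
    public decimal GetSalary(string employeeId)
    {
        return 52000m; // constructed value standing in for a data-store lookup
    }

    // Imperative authorization for a rule that depends on the request data, which an
    // attribute cannot express: managers may approve small raises, HR may approve any.
    public bool ApproveRaise(string employeeId, decimal amount)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        bool allowed = caller.IsInRole("HR") || (caller.IsInRole("Manager") && amount <= 5000m);
        if (!allowed)
            throw new FaultException("Caller is not authorized to approve this raise.");
        return true;
    }

    // Declarative impersonation on the single operation that needs it: the thread runs as
    // the Windows caller for the whole method and WCF reverts it afterwards.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        return WindowsIdentity.GetCurrent().Name; // the caller's account, not the service account
    }

    // Programmatic impersonation scoped to one call. Disposing the context calls Undo(), so
    // the service identity is restored even if the delegate throws.
    public static T RunAsCaller<T>(Func<T> action)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return action();
        }
    }
}
```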
Input/Data Validation
- If you need to validate parameters, use parameter inspectors
- If your service has operations that accept message or data contracts, use schemas to validate your messages
- If you need to do schema validation, use message inspectors
- Validate operation parameters for length, range, format and type
- Validate parameter input on the server
- Validate service responses on the client
- Do not rely on client-side validation
- Avoid user-supplied file name and path input
- Do not echo untrusted input
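Added example, not from the OWASP checklist or its authors: a server-side parameter inspector that enforces type, length, format and range on a hypothetical `PlaceOrder(customerId, quantity)` operation before the service code runs, and the operation behavior attribute that attaches it. The identifier format and limits are constructed for the example; rejection messages describe the rule and deliberately do not echo the rejected value.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text.RegularExpressions;

// Server-side parameter inspector for a hypothetical PlaceOrder(customerId, quantity)
// operation: checks type, length, format and range before the operation body runs.
public class OrderParameterInspector : IParameterInspector
{
    private static readonly Regex CustomerIdFormat = new Regex(@"^[A-Z]{2}[0-9]{6}$", RegexOptions.Compiled);

    // Returns null when the inputs are acceptable, otherwise a message safe to send to the
    // client. The offending value is deliberately not echoed back.
    public static string Check(object[] inputs)
    {
        if (inputs.Length != 2) return "Unexpected number of parameters.";
        var customerId = inputs[0] as string;
        if (customerId == null || customerId.Length != 8 || !CustomerIdFormat.IsMatch(customerId))
            return "customerId must be two upper-case letters followed by six digits.";
        if (!(inputs[1] is int)) return "quantity must be an integer.";
        int quantity = (int)inputs[1];
        if (quantity < 1 || quantity > 1000) return "quantity must be between 1 and 1000.";
        return null;
    }

    public object BeforeCall(string operationName, object[] inputs)
    {
        string problem = Check(inputs);
        if (problem != null) throw new FaultException(problem); // rejected before the service code runs
        return null; // no correlation state needed for AfterCall
    }

    public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState) { }
}

// Operation behavior that attaches the inspector to the dispatch side of one operation.
[AttributeUsage(AttributeTargets.Method)]
public class ValidateOrderParametersAttribute : Attribute, IOperationBehavior
{
    public void ApplyDispatchBehavior(OperationDescription od, DispatchOperation dispatch)
    {
        dispatch.ParameterInspectors.Add(new OrderParameterInspector());
    }
    public void ApplyClientBehavior(OperationDescription od, ClientOperation client) { }
    public void AddBindingParameters(OperationDescription od, BindingParameterCollection parameters) { }
    public void Validate(OperationDescription od) { }
}

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    [ValidateOrderParameters]
    string PlaceOrder(string customerId, int quantity);
}
```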
Proxy Considerations
- Publish your metadata over HTTPS to protect your clients from proxy spoofing
- If you turn off mutual authentication, be aware of service spoofing
Deployment Considerations
- Do not use temporary certificates in production
- If you are using a custom domain account as the application pool identity for your WCF application, create an SPN so that Kerberos can authenticate the client
- If you are using a custom service account and it needs to be trusted for delegation, create an SPN
- If you are hosting your service in a Windows Service under a custom domain identity, and ASP.NET needs to use constrained delegation when calling the service, create an SPN
- Use IIS to host your service unless you need to use a transport that IIS does not support
- Use a least privileged account to run your WCF service
- Protect sensitive data in your configuration files