Thursday, December 18, 2014

WCF Security guidelines

I have been working on various WCF based service implementations and have a good working knowledge of the security considerations. I have done selective readings from MSDN and am posting them here for myself to have a better understanding. (All the information below is excerpted from the MSDN site.)

Design considerations

Use different endpoints when you need to serve different client types or security modes.
Use a custom binding to support legacy WSE clients.
Design for interoperability when non-Microsoft clients will call the service.
Consider transport security as your preferred security mode.
Decide on the authentication and authorization options early.
Choose the right binding for each endpoint.
Auditing and logging

Use WCF auditing to audit your service.
Consider setting SuppressAuditFailure to false, so that a failure to write an audit record fails the operation instead of being silently swallowed (non-repudiation).
Use message logging only for debugging.
Instrument for user management events.
Instrument for significant business operations.
Protect log files from unauthorized access.
Do not log sensitive information, and protect whatever information does end up in the log files.
Use a custom trace listener only when message filtering is needed.
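The auditing settings above, as an added example of mine (not code from the MSDN guide or from the original post) that configures the audit behavior programmatically. The service contract, implementation and address are placeholders; the point is the contrast between the WCF defaults (audit level None, SuppressAuditFailure true) and the hardened values.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Placeholder contract and service so the host has something to expose.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrderStatus(int orderId);
}

public class OrderService : IOrderService
{
    public string GetOrderStatus(int orderId) { return "Shipped"; }
}

public static class AuditedHost
{
    public static ServiceHost Open()
    {
        var host = new ServiceHost(typeof(OrderService),
            new Uri("http://localhost:8080/orders")); // placeholder address

        host.AddServiceEndpoint(typeof(IOrderService), new WSHttpBinding(), "");

        // The default ServiceSecurityAuditBehavior audits nothing and
        // suppresses audit failures. Replace those defaults.
        var audit = host.Description.Behaviors.Find<ServiceSecurityAuditBehavior>();
        if (audit == null)
        {
            audit = new ServiceSecurityAuditBehavior();
            host.Description.Behaviors.Add(audit);
        }

        // Write to the Application log (Security log needs the SeAuditPrivilege
        // on the service account, so it is usually an explicit decision).
        audit.AuditLogLocation = AuditLogLocation.Application;
        // Record both successful and failed authentication and authorization,
        // which is what an investigation needs afterwards.
        audit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure;
        audit.ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure;
        // false: if the audit record cannot be written the operation fails,
        // so no call succeeds without a trace of it (the non-repudiation point).
        audit.SuppressAuditFailure = false;

        host.Open();
        return host;
    }
}
```

With SuppressAuditFailure false a full or inaccessible event log turns into a denial of service for the endpoint; that is the intended trade, and it is why log capacity and the service account's write access to the log need to be part of the deployment checklist.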

Authentication

Use Windows authentication when your users are in Active Directory.
If your users are in AD but you cannot use Windows authentication, consider username authentication.
Use a membership provider for username authentication.
Use the SQL Server membership provider when user accounts are stored in SQL Server.
Use a custom validator when user accounts are in a custom store.
If partner applications need to be authenticated, use client certificate authentication.
With username authentication, validate the supplied user name and password against the credential store.
Protect access to your credential store.
If you use certificate authentication, limit the certificates you trust.
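The "custom validator" case above, as an added example of mine (not code from the MSDN guide or the original post): a UserNamePasswordValidator backed by a constructed in-memory store of salted PBKDF2 hashes, plus the host wiring that makes WCF use it. The store contents, iteration count and addresses are placeholders for a real credential store.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

public class HashedStoreValidator : UserNamePasswordValidator
{
    private const int Iterations = 100000;       // placeholder tuning
    private const int SaltBytes = 16, HashBytes = 32;

    // userName -> (salt, hash). Constructed sample data; a real store holds
    // the same shape, never plaintext passwords.
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Store =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal)
        {
            { "alice", Seed("correct horse battery staple") }
        };

    private static Tuple<byte[], byte[]> Seed(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Tuple.Create(salt, Derive(password, salt));
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Constant-time comparison: no early exit on the first mismatching byte,
    // so response time does not leak how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // WCF calls this for each request carrying a UserName token. Throwing
    // SecurityTokenException becomes an authentication fault for the client.
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null)
            throw new SecurityTokenException("Missing credentials.");

        Tuple<byte[], byte[]> entry;
        byte[] salt, expected;
        if (Store.TryGetValue(userName, out entry))
        {
            salt = entry.Item1; expected = entry.Item2;
        }
        else
        {
            // Unknown user: still run the KDF against a dummy record so the
            // response time does not reveal whether the account exists.
            salt = new byte[SaltBytes]; expected = new byte[HashBytes];
        }

        if (!FixedTimeEquals(Derive(password, salt), expected))
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

public static class UserNameHost
{
    public static ServiceHost Configure(Type serviceType, Type contractType, Uri baseAddress)
    {
        var host = new ServiceHost(serviceType, baseAddress);

        // Message security carrying a UserName token. The service certificate
        // (set separately on host.Credentials.ServiceCertificate) is what
        // protects the password on the wire.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(contractType, binding, "");

        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new HashedStoreValidator();
        return host;
    }
}
```

For the SQL Server membership provider case, the validator class is not needed: set UserNamePasswordValidationMode to MembershipProvider and point MembershipProvider at the configured provider instead.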

Authorization

Use the PrincipalPermissionAttribute class for role-based authorization.
If you use ASP.NET roles, use the ASP.NET Role Manager for role authorization.
Use AspNetWindowsTokenRoleProvider to authorize against Windows groups through the Role Manager.
Use the SQL Server role provider when roles are stored in SQL Server.
Use the Authorization Manager (AzMan) role provider when roles are stored in ADAM.
Use a custom authorization policy when roles live in a custom store.
Use declarative authorization on WCF operations.
Use imperative authorization for fine-grained checks that depend on business logic.
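Declarative next to imperative authorization, as an added example of mine (not code from the MSDN guide or the original post). The contract, role names and the business rule are placeholders.

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.Threading;

[ServiceContract]
public interface IPayroll
{
    [OperationContract] decimal GetSalary(string employee);
    [OperationContract] void Approve(string employee, decimal amount);
}

public class PayrollService : IPayroll
{
    // Declarative: the runtime checks Thread.CurrentPrincipal.IsInRole("HR")
    // before the body runs; a caller outside the role gets an access-denied
    // fault and the method is never entered.
    [PrincipalPermission(SecurityAction.Demand, Role = "HR")]
    public decimal GetSalary(string employee)
    {
        return 100000m; // placeholder
    }

    // Imperative: any Manager may call, but the rule depends on the
    // arguments (no self-approval; large amounts also need Finance), which
    // an attribute cannot express, so it is checked in code.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public void Approve(string employee, decimal amount)
    {
        var principal = Thread.CurrentPrincipal;
        var caller = principal.Identity.Name;

        if (string.Equals(caller, employee, StringComparison.OrdinalIgnoreCase))
            throw new FaultException("A caller may not approve their own payout.");

        if (amount > 10000m && !principal.IsInRole("Finance"))
            throw new FaultException("Amounts over 10,000 require the Finance role.");

        // ... perform the approval
    }
}

public static class RoleSource
{
    // By default PrincipalPermission resolves roles as Windows groups. Switch
    // the host to the ASP.NET Role Manager (SQL, AzMan or a custom provider,
    // configured under <roleManager>) with one setting.
    public static void UseAspNetRoles(ServiceHost host)
    {
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
    }
}
```

Both forms read Thread.CurrentPrincipal, so the PrincipalPermissionMode setting decides whether "HR" means a Windows group or a Role Manager role; changing it silently changes what every attribute on the service matches against.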

Bindings

Clients over the Internet: wsHttpBinding.
Legacy clients expecting ASMX-style web services: basicHttpBinding.
Clients within the intranet: netTcpBinding.
Clients on the same machine: netNamedPipeBinding.
Disconnected, queued calls: netMsmqBinding.
Bidirectional (callback) communication: wsDualHttpBinding or netTcpBinding.

Configuration Management

Use replay detection to protect against message replay attacks.
If your host is a Windows service, expose metadata through a metadata exchange (mex) endpoint.
If you do not want to expose your WSDL, turn off HttpGetEnabled and the mex endpoint.
Encrypt configuration sections that contain sensitive data.
Exception Management

Use structured exception handling.
Do not divulge exception details to the client in production.
Use a fault contract to return error information to clients.
Use a global exception handler to catch unhandled exceptions.
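The fault contract and global handler together, as an added example of mine (not code from the MSDN guide or the original post). The contract, the fault shape and the logging sink are placeholders; the simulated database failure is constructed to show what the client does and does not see.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

[DataContract]
public class ServiceFault
{
    [DataMember] public string Code { get; set; }
    // Correlates the reply with the server-side log entry; no detail itself.
    [DataMember] public string ErrorReference { get; set; }
}

[ServiceContract]
public interface IAccountService
{
    [OperationContract]
    [FaultContract(typeof(ServiceFault))]
    decimal GetBalance(string accountId);
}

public class AccountService : IAccountService
{
    public decimal GetBalance(string accountId)
    {
        // Expected error: explicit, typed fault that is safe to return.
        if (string.IsNullOrWhiteSpace(accountId))
            throw new FaultException<ServiceFault>(
                new ServiceFault { Code = "InvalidAccount" }, "Invalid account identifier.");

        // Simulated bug: this message names an internal host and must not reach the client.
        throw new InvalidOperationException("connection to db01.internal failed");
    }
}

public class GlobalErrorHandler : IErrorHandler
{
    // Runs on the request path and decides what the client receives.
    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        if (error is FaultException) return;   // declared faults pass through unchanged

        var reference = Guid.NewGuid().ToString("N");
        // Placeholder for the real log sink: type, message and stack stay here.
        Console.Error.WriteLine("[{0}] {1}", reference, error);

        var fe = new FaultException<ServiceFault>(
            new ServiceFault { Code = "InternalError", ErrorReference = reference },
            "The service encountered an error.");
        fault = Message.CreateMessage(version, fe.CreateMessageFault(), fe.Action);
    }

    // Runs after the reply; true marks the exception handled so the channel
    // is not faulted for the client's next call.
    public bool HandleError(Exception error) { return true; }
}

// Service behavior that installs the handler on every channel dispatcher and
// switches off exception-detail leakage regardless of what config says.
public class GlobalErrorHandlerBehavior : IServiceBehavior
{
    public void AddBindingParameters(ServiceDescription d, ServiceHostBase h,
        Collection<ServiceEndpoint> e, BindingParameterCollection p) { }
    public void Validate(ServiceDescription d, ServiceHostBase h) { }

    public void ApplyDispatchBehavior(ServiceDescription d, ServiceHostBase host)
    {
        foreach (ChannelDispatcher dispatcher in host.ChannelDispatchers)
        {
            dispatcher.IncludeExceptionDetailInFaults = false;
            dispatcher.ErrorHandlers.Add(new GlobalErrorHandler());
        }
    }
}
```

Add the behavior with host.Description.Behaviors.Add(new GlobalErrorHandlerBehavior()) before opening the host. The typed fault only deserializes on the client because GetBalance declares FaultContract(typeof(ServiceFault)); an operation without that declaration would receive the same message as an untyped FaultException.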

Hosting

Run the service under a least-privileged account.
Use IIS to host your service, unless you need a transport that IIS does not support.

Impersonation and delegation

Understand the trade-offs involved in impersonation.
Know the impersonation options and methods available to you.
Prefer programmatic impersonation over declarative impersonation.
If you impersonate programmatically, be sure to revert to the original security context.
If you impersonate declaratively, only impersonate on the operations that require it.
If you cannot map the caller to a Windows account through Windows authentication, use the S4U (protocol transition) feature for impersonation and delegation.
If the WCF service cannot be trusted for delegation, consider using the LogonUser API.
Use constrained delegation to flow the original caller's identity to back-end services.

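Programmatic impersonation scoped to one file read, with the declarative form beside it, as an added example of mine (not code from the MSDN guide or the original post). The contract and the report share path are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IReportService
{
    [OperationContract] string ReadReport(string name);
    [OperationContract] string ReadReportDeclarative(string name);
}

public class ReportService : IReportService
{
    private static readonly string ReportRoot = @"\\fileserver\reports\"; // placeholder

    // Programmatic: only the file access runs as the caller; everything else
    // (validation, shaping the reply) runs as the service account.
    public string ReadReport(string name)
    {
        var context = ServiceSecurityContext.Current;
        var caller = context == null ? null : context.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("Windows authentication is required.");

        var path = SafePath(name);
        // Impersonate() returns a WindowsImpersonationContext whose Dispose
        // calls Undo(), so the service identity is restored on every exit
        // path, including when File.ReadAllText throws.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return File.ReadAllText(path);
        }
    }

    // Declarative: the whole operation body runs as the caller. Required
    // rather than Allowed, so the call faults if the caller cannot be
    // impersonated instead of silently running as the service account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadReportDeclarative(string name)
    {
        return File.ReadAllText(SafePath(name));
    }

    // "Avoid user-supplied file name and path input": accept a bare file name
    // only, so "..\" and absolute paths are rejected before impersonation.
    private static string SafePath(string name)
    {
        if (string.IsNullOrEmpty(name)
            || name != Path.GetFileName(name)
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new FaultException("Invalid report name.");
        return Path.Combine(ReportRoot, name);
    }
}
```

Because ReportRoot is a UNC share, the impersonated token has to be usable on a second hop: without Kerberos constrained delegation (or S4U when the caller did not authenticate with Kerberos) the file server sees an anonymous connection and the read fails with access denied. That is the double-hop problem the delegation items above are about.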
Message Validation

Validate parameters using parameter inspectors.
Use schemas with message inspectors to validate messages.
Use regular expressions in schemas to validate format, range or length.
To validate inbound messages on the service, implement AfterReceiveRequest.
To validate outbound messages on the service, implement BeforeSendReply.
To validate inbound messages on the client, implement AfterReceiveReply.
To validate outbound messages on the client, implement BeforeSendRequest.
Validate operation parameters for length, range, format and type.
Do not rely only on client-side validation.
Avoid user-supplied file name and path input.
Do not echo untrusted input.
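A message inspector that validates the request body against a schema (with a regex pattern on the account id), a parameter inspector that checks the deserialized argument, and the endpoint behavior that attaches both, as an added example of mine (not code from the MSDN guide or the original post). The schema and namespace are constructed and assume the service contract declares Namespace = "http://example.invalid/accounts" with a GetBalance operation taking one accountId.

```csharp
using System;
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text.RegularExpressions;
using System.Xml;
using System.Xml.Schema;

public class SchemaValidatingInspector : IDispatchMessageInspector
{
    private readonly XmlSchemaSet _schemas = new XmlSchemaSet();

    public SchemaValidatingInspector()
    {
        // Constructed schema: GetBalance carries exactly one eight-digit accountId.
        const string xsd =
            "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'" +
            " targetNamespace='http://example.invalid/accounts'" +
            " xmlns='http://example.invalid/accounts' elementFormDefault='qualified'>" +
            " <xs:element name='GetBalance'><xs:complexType><xs:sequence>" +
            "  <xs:element name='accountId'><xs:simpleType>" +
            "   <xs:restriction base='xs:string'><xs:pattern value='[0-9]{8}'/></xs:restriction>" +
            "  </xs:simpleType></xs:element>" +
            " </xs:sequence></xs:complexType></xs:element></xs:schema>";
        _schemas.Add(XmlSchema.Read(new StringReader(xsd), null));
    }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
        InstanceContext instanceContext)
    {
        // Reading the body consumes the message: validate a buffered copy and
        // hand the dispatcher a fresh one afterwards.
        var buffer = request.CreateBufferedCopy(int.MaxValue);
        bool invalid = false;
        var settings = new XmlReaderSettings { ValidationType = ValidationType.Schema, Schemas = _schemas };
        // "No schema found for element" is only a warning; treat warnings as
        // failures so an unexpected body element cannot pass unvalidated.
        settings.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
        settings.ValidationEventHandler += (s, e) => { invalid = true; };

        using (var copy = buffer.CreateMessage())
        using (var body = copy.GetReaderAtBodyContents())
        {
            if (body.NodeType != XmlNodeType.Element) invalid = true;   // empty body
            else
                using (var validating = XmlReader.Create(body.ReadSubtree(), settings))
                    while (validating.Read()) { }
        }
        request = buffer.CreateMessage();
        if (invalid) throw new FaultException("Request failed schema validation."); // no detail echoed
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

public class AccountIdInspector : IParameterInspector
{
    private static readonly Regex AccountId = new Regex("^[0-9]{8}$", RegexOptions.CultureInvariant);

    // Runs after deserialization and before the operation; throwing here
    // returns a fault without executing the method body.
    public object BeforeCall(string operationName, object[] inputs)
    {
        if (operationName == "GetBalance")
        {
            var id = inputs[0] as string;
            if (id == null || !AccountId.IsMatch(id))
                throw new FaultException("Invalid account id.");
        }
        return null;
    }

    public void AfterCall(string operationName, object[] outputs, object returnValue,
        object correlationState) { }
}

// Attaches both inspectors to the service side of an endpoint.
public class ValidationBehavior : IEndpointBehavior
{
    public void AddBindingParameters(ServiceEndpoint e, BindingParameterCollection p) { }
    public void ApplyClientBehavior(ServiceEndpoint e, ClientRuntime r) { }
    public void Validate(ServiceEndpoint e) { }

    public void ApplyDispatchBehavior(ServiceEndpoint e, EndpointDispatcher d)
    {
        d.DispatchRuntime.MessageInspectors.Add(new SchemaValidatingInspector());
        foreach (DispatchOperation op in d.DispatchRuntime.Operations)
            op.ParameterInspectors.Add(new AccountIdInspector());
    }
}
```

The two layers catch different things: the schema rejects a malformed or unexpected body before deserialization does any work, and the parameter inspector checks what actually arrived in the typed argument (the same regex, applied after decoding), which is the check that still holds if someone later changes the binding to one that does not carry the XML body.
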
Message Security

If clients connect over the Internet, consider message security.
If there are intermediaries between the client and the service, use message security.
If you need selective message protection, use message security.
If you need multiple transactions per session using secure conversation, use message security.
Do not pass sensitive information in SOAP headers when using the HTTP transport with message security.
If you need to support interoperability, consider setting negotiateServiceCredential to false.
If you need to streamline certificate distribution to your clients, consider negotiating the service credential (negotiateServiceCredential true).
If you need to limit the clients that will consume your service, consider setting negotiateServiceCredential to false.
Transport Security

Use transport security when possible.
If you need to support clients in an intranet, use transport security.
If you need to support interoperability with non-WCF clients, use transport security.
Consider a hardware accelerator when using transport security.
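The bindings the message-security and transport-security lists describe, built in code so each switch sits next to the rule that motivates it, as an added example of mine (not code from the MSDN guide or the original post). The contract and algorithm suite are placeholders.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class SecurityBindings
{
    // Intranet or non-WCF clients: TLS on the wire, Windows credentials at
    // the transport. Protection is hop-by-hop, so nothing survives an
    // intermediary that terminates TLS.
    public static WSHttpBinding TransportIntranet()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return b;
    }

    // Internet clients, intermediaries, or selective protection: message
    // security with certificates. negotiateServiceCredential=false means the
    // client must already hold the service certificate (limits who can call,
    // and is the plain WS-Security form other stacks understand); true lets
    // the client fetch it in a negotiation handshake, which eases distribution.
    public static WSHttpBinding MessageInternet(bool negotiateServiceCredential)
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        b.Security.Message.NegotiateServiceCredential = negotiateServiceCredential;
        // Secure conversation: one key exchange, then many signed and
        // encrypted calls on the session.
        b.Security.Message.EstablishSecurityContext = true;
        b.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256; // placeholder
        return b;
    }

    // basicHttpBinding is unsecured out of the box (BasicHttpSecurityMode.None).
    // This is the minimum that makes it safe for sensitive data.
    public static BasicHttpBinding BasicHttpSecured()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        return b;
    }
}

// Selective protection only exists with message security: the catalogue
// listing is signed but left readable, the negotiated price is also encrypted.
[ServiceContract]
public interface ICatalog
{
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string[] ListPublicItems();

    [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    decimal GetNegotiatedPrice(string customerId, string item);
}
```

With negotiateServiceCredential false and a Windows client credential, the client must obtain a Kerberos ticket for the service up front, which is where the SPN in the deployment list becomes mandatory rather than optional.
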
Proxy considerations

Publish WCF service metadata only when required.
Publish WCF service metadata over the HTTPS protocol.
Publish WCF service metadata over a secure binding.
If you turn off mutual authentication, be aware of the risk of service spoofing.
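The configuration-management items (replay detection, metadata off by default, encrypted config sections) and the metadata-publishing items above, done in code, as an added example of mine (not code from the MSDN guide or the original post). Paths, section names, the replay window and addresses are placeholders.

```csharp
using System;
using System.Configuration;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

public static class ConfigHardening
{
    // Replay detection lives on the security binding element of a
    // message-secured binding. It is on by default; making the window
    // explicit shows where to look when a binding has been customized.
    public static CustomBinding WithReplayDetection(Binding source)
    {
        var elements = source.CreateBindingElements();
        var security = elements.Find<SecurityBindingElement>();
        if (security == null)
            throw new InvalidOperationException(
                "No SecurityBindingElement: replay detection needs message security.");

        security.LocalServiceSettings.DetectReplays = true;
        security.LocalServiceSettings.ReplayWindow = TimeSpan.FromMinutes(5);   // placeholder
        security.LocalServiceSettings.MaxClockSkew = TimeSpan.FromMinutes(5);   // placeholder
        return new CustomBinding(elements);
    }

    // Encrypt a configuration section in place with DPAPI so connection
    // strings or credentials never sit on disk in the clear. Same effect as
    // aspnet_regiis -pef for web.config; this form works for any exe config.
    public static bool ProtectSection(string exePath, string sectionName)
    {
        var config = ConfigurationManager.OpenExeConfiguration(exePath);
        var section = config.GetSection(sectionName);
        if (section == null) return false;
        if (section.SectionInformation.IsProtected) return true;

        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Full);
        return true;
    }

    // Metadata: off unless asked for, and then only ?wsdl over HTTPS plus a
    // mex endpoint on the HTTPS mex binding (never mexHttpBinding).
    public static void ConfigureMetadata(ServiceHost host, Uri httpsBase, bool publish)
    {
        var mex = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (!publish)
        {
            // Nothing to publish: neither ?wsdl nor mex should be reachable.
            if (mex != null) host.Description.Behaviors.Remove(mex);
            return;
        }
        if (mex == null)
        {
            mex = new ServiceMetadataBehavior();
            host.Description.Behaviors.Add(mex);
        }
        mex.HttpGetEnabled = false;   // no plain-HTTP ?wsdl
        mex.HttpsGetEnabled = true;   // ?wsdl only over TLS
        mex.HttpsGetUrl = new Uri(httpsBase, "wsdl");
        host.AddServiceEndpoint(typeof(IMetadataExchange),
            MetadataExchangeBindings.CreateMexHttpsBinding(), new Uri(httpsBase, "mex"));
    }
}
```

DataProtectionConfigurationProvider uses the machine-scoped DPAPI key by default, so any account that can read the file on that machine can decrypt the section; the file ACL is still part of the protection, and the account the service runs under must be the one that can read it.
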
Sensitive Data

Avoid plain-text passwords or other sensitive data in configuration files.
Use platform features to manage keys where possible.
Protect sensitive data over the network.
Do not cache sensitive data.
Minimize the exposure of secrets in memory.
basicHttpBinding will not protect sensitive data by default.
Use appropriately sized keys.
Deployment considerations

Do not use temporary certificates in production.
If you use Kerberos authentication or delegation, create an SPN for the service account.
Use IIS to host your WCF service where possible.
Use a least-privileged account to run your WCF service.
Protect sensitive data in your configuration files.
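Selecting the service certificate from the machine store by thumbprint (so no key material or password sits in config), and refusing it when it is a temporary self-signed certificate or its key is below the required size, as an added example of mine (not code from the MSDN guide or the original post) that covers the "appropriately sized keys" and "no temporary certificates" items. The thumbprint, store location and minimum key size are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class ServiceCertificateSetup
{
    public const int MinimumRsaKeyBits = 2048;   // placeholder policy value

    public static X509Certificate2 Load(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly:true drops expired and not-yet-valid certificates.
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count != 1)
                throw new InvalidOperationException("Expected exactly one valid certificate for the thumbprint.");
            return found[0];
        }
        finally { store.Close(); }
    }

    public static void Check(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Service certificate has no private key.");

        var rsa = cert.PublicKey.Key as RSA;
        if (rsa == null || rsa.KeySize < MinimumRsaKeyBits)
            throw new InvalidOperationException("Service certificate key is too small.");

        // Heuristic for a makecert/self-signed development certificate: it is
        // its own issuer. Production certificates chain to a CA clients trust.
        if (cert.Subject == cert.Issuer)
            throw new InvalidOperationException("Self-signed (temporary) certificate is not allowed in production.");

        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            if (!chain.Build(cert))
                throw new InvalidOperationException("Service certificate does not chain to a trusted root.");
        }
    }

    public static void Apply(ServiceHost host, string thumbprint)
    {
        var cert = Load(thumbprint);
        Check(cert);
        host.Credentials.ServiceCertificate.Certificate = cert;

        // Client certificates are validated by chain (not a trusted-people
        // list) and revocation is consulted, so a revoked partner cert fails.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.Online;
    }
}
```

Online revocation checking makes certificate validation depend on reaching the CA's CRL or OCSP endpoint; if the service runs in a segment without that access, the call fails closed, which is the intended behaviour but needs to be known before deployment.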
