patterns & practices Improving Web Services Security Guide

patterns & practices Improving Web Services Security - Now Released

Welcome to the patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF project site! This guide shows you how to make the most of WCF (Windows Communication Foundation). With end-to-end application scenarios, it shows you how to design and implement authentication and authorization in WCF. Learn how to improve the security of your WCF services through prescriptive guidance including guidelines, Q&A, practices at a glance, and step-by-step how tos. It's a collaborative effort between patterns & practices, WCF team members, and industry experts. This guide is related to our WCF Security Guidance Project.

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Download the Guide

Released version posted on August 1st. Start using the guide today!

• Download the Improving Web Services Security Guide - Release v1

Parts

Part I, "Security Fundamentals for Web Services"
Part II, "Fundamentals of WCF Security"
Part III, "Intranet Application Scenarios"
Part IV, "Internet Application Scenarios"

Forewords

• Foreword By Nicholas Allen
• Foreword By Rockford Lhotka

Chapters

• Introduction
• Solutions at a Glance
• Fast Track - A Guide for Getting Started

Part I, Security Fundamentals for Web Services

• Ch 01 - Security Fundamentals for Web Services
• Ch 02 - Threats and Countermeasures for Web Services
• Ch 03 - Security Design Guidelines for Web Services

Part II, Fundamentals of WCF Security

• Ch 04 - WCF Security Fundamentals
• Ch 05 - Authentication, Authorization and Identities in WCF
• Ch 06 - Impersonation and Delegation in WCF
• Ch 07 - Message and Transport Security in WCF
• Ch 08 - WCF Bindings Fundamentals

Part III - Intranet Application Scenarios

• Ch 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
• Ch 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)
• Ch 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)
• Ch 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)

Part IV - Internet Application Scenarios

• Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
• Ch 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
• Ch 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Checklist

• WCF Security Checklist

Guidelines

• WCF Security Guidelines

Practices

• WCF Security Practices at a Glance

Questions and Answers

• WCF Questions and Answers (Q&A)

How Tos

• How To - Audit and Log Security Events in WCF calling from Windows Forms
• How To - Create and Install Temporary Certificates in WCF for Message Security During Development
• How To - Create and Install Temporary Certificates in WCF for Transport Security During Development
• How To - Create and Install Temporary Client Certificates in WCF During Development
• How To - Host WCF in a Windows Service Using TCP
• How To - Impersonate the Original Caller in WCF calling from Web Application
• How To - Impersonate the Original Caller in WCF calling from Windows Forms
• How To - Perform Input Validation in WCF
• How To - Perform Message Validation with Schemas in WCF
• How To - Use basicHttpBinding with Windows Authentication and TransportCredentialOnly in WCF from Windows Forms
• How To - Use Certificate Authentication and Message Security in WCF calling from Windows Forms
• How To - Use Certificate Authentication and Transport Security in WCF Calling from Windows Forms
• How To - Use Delegation for Flowing the Original Caller Credentials to Back-end in WCF Calling from Windows Forms
• How To - Use Health Monitoring to Instrument WCF Service for Security
• How To - Use netTcpBinding with Windows Authentication and Message Security in WCF from Windows Forms
• How To - Use netTcpBinding with Windows Authentication and Transport Security in WCF from Windows Forms
• How To - Use Protocol Transition for Impersonating and Delegating Original Caller in WCF
• How To - Use SQL Role Provider with Username Authentication in WCF calling from Windows Forms
• How To - Use SQL Role Provider with Windows Authentication in WCF calling from Windows Forms
• How To - Use Username Authentication with the SQL Membership Provider and Message Security in WCF from Windows Forms
• How To - Use Username Authentication with Transport Security in WCF from Windows Forms
• How To - Use wsHttpBinding with Username Authentication and TransportWithMessageCredential in WCF calling from Windows Forms
• How To - Use wsHttpBinding with Windows Authentication and Message Security in WCF from Windows Forms
• How To - Use wsHttpBinding with Windows Authentication and Transport Security in WCF calling from Windows Forms

Resources

• WCF Security Resources

Team

• Core Team: J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher
• Contributors and Reviewers

Feedback

• Send mail to WCFSec@microsoft.com
• Post comments on the Discussions page.
• Fill out our questionaire and send the answers to WCFSec@microsoft.com

Community

• Guidance Share