WCF Security Checklist

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Design Considerations

- Consider exposing different endpoints
- If you need to support ASMX clients, use basicHttpBinding
- If you are migrating from DCOM, use netTcpBinding
- If you need to support legacy WSE clients, use a customBinding in WCF
- Consider transport security as your preferred security mode
- Know your authentication options
- Know your authorization options
- Know your binding options
- Choose the right binding for your scenario

Auditing and Logging

- Use WCF auditing to audit your service
- If non-repudiation is important, consider setting the SuppressAuditFailure property to false, so that a failure to write the audit record fails the operation instead of being silently swallowed
- Use message logging to log operations on your service
- Instrument for user management events
- Instrument for significant business operations
- Protect log files from unauthorized access
- Do not log sensitive information
- Protect information in log files
- Use a custom trace listener only when message filtering is needed

Authentication

- Know your authentication options
- Use Windows authentication when you can
- If your users are in AD but you can't use Windows authentication, consider using username authentication
- If you are using username authentication, use a Membership Provider instead of custom authentication
- If your users are in a SQL membership store, use the SQL Membership Provider
- If your users are in a custom store, consider using username authentication with a custom validator
- If your clients have certificates, consider using client certificate authentication
- If your partner applications need to be authenticated when calling WCF services, use client certificate authentication
- If you are using username authentication, validate user login information
- Do not store passwords directly in the user store
- Enforce strong passwords
- Protect access to your credential store
- If you are using client certificate authentication, consider reducing the attack surface by limiting the certificates in the certificate store
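The custom-store case above (username authentication with a custom validator, no plain-text passwords, strong passwords enforced) as an added example. This is not code from the WCF Security Guide; the class names HashedPasswordValidator and CredentialRecord, the in-memory store and the policy values (PBKDF2 with 10,000 iterations, 12-character minimum) are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example (not from the WCF Security Guide). Names and policy
// values below are assumptions.

// One record per user: salt + PBKDF2 hash, never the password itself
// ("Do not store passwords directly in the user store").
public sealed class CredentialRecord
{
    public byte[] Salt;
    public byte[] Hash;
    public int Iterations;
}

public sealed class HashedPasswordValidator : UserNamePasswordValidator
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 10000;
    private const int MinPasswordLength = 12;
    private const string Failure = "Unknown user name or incorrect password.";

    // Constructed stand-in for the real credential store (SQL, ADAM, ...).
    private readonly Dictionary<string, CredentialRecord> store =
        new Dictionary<string, CredentialRecord>(StringComparer.OrdinalIgnoreCase);

    // Enrolment path: enforce the password policy, then store salt + hash.
    public void AddUser(string userName, string password)
    {
        if (password == null || password.Length < MinPasswordLength)
            throw new ArgumentException("Password does not meet the strength policy.");

        byte[] salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);

        store[userName] = new CredentialRecord
        {
            Salt = salt,
            Iterations = Iterations,
            Hash = Derive(password, salt, Iterations)
        };
    }

    // WCF calls this for every UserName token when the validation mode is Custom.
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException(Failure);

        CredentialRecord record;
        bool known = store.TryGetValue(userName, out record);

        // Derive a hash even for unknown users so that response time does not
        // reveal whether the account exists.
        CredentialRecord probe = known ? record : new CredentialRecord
        {
            Salt = new byte[SaltBytes], Iterations = Iterations, Hash = new byte[HashBytes]
        };
        byte[] candidate = Derive(password, probe.Salt, probe.Iterations);

        // Same generic message for "no such user" and "wrong password".
        if (!known || !FixedTimeEquals(candidate, probe.Hash))
            throw new SecurityTokenException(Failure);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Constant-time comparison: does not stop at the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class UserNameAuthSetup
{
    public static void Configure(ServiceHost host, HashedPasswordValidator validator)
    {
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = validator;

        // If the users live in an ASP.NET membership store, prefer the provider
        // over a custom validator:
        // auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.MembershipProvider;
    }
}
```

Send UserName tokens only inside transport (HTTPS) or message security. BasicHttpSecurityMode.TransportCredentialOnly also accepts them, but puts the user name and password on the wire in the clear.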

Authorization

- If you store role information in Windows groups
- If you use ASP.NET roles
- If you use Windows groups for authorization
- If you store role information in SQL
- If you store role information in ADAM
- If you store role information in a custom store
- If you need to authorize access to WCF operations
- If you need to perform fine-grained authorization based on business logic
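The last three items (roles in a custom store, authorizing access to operations, fine-grained authorization inside business logic) as one added example. This is not code from the WCF Security Guide; RoleStorePolicy, the in-memory role table, the IOrders contract and the 10,000 approval threshold are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example (not from the WCF Security Guide). The policy class, role
// table, contract and threshold are assumptions.

// Looks the authenticated caller up in a custom role store and publishes a
// principal that PrincipalPermission demands are evaluated against.
public sealed class RoleStorePolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();

    // Constructed stand-in for the custom role store.
    private static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "OrderClerk" } },
            { "bob",   new[] { "OrderClerk", "OrderApprover" } }
        };

    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        object identitiesObj;
        if (!evaluationContext.Properties.TryGetValue("Identities", out identitiesObj))
            return false;                       // nobody authenticated: no principal

        var identities = (IList<IIdentity>)identitiesObj;
        if (identities.Count == 0) return false;

        IIdentity identity = identities[0];
        string[] roles;
        if (!Roles.TryGetValue(identity.Name, out roles))
            roles = new string[0];              // authenticated, but holds no roles

        evaluationContext.Properties["Principal"] = new GenericPrincipal(identity, roles);
        return true;
    }
}

[ServiceContract]
public interface IOrders
{
    [OperationContract] void Submit(int orderId);
    [OperationContract] void Approve(int orderId, decimal amount);
}

public sealed class OrdersService : IOrders
{
    // Declarative: the whole operation requires the role; WCF rejects the
    // call with an access-denied fault before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "OrderClerk")]
    public void Submit(int orderId) { /* ... */ }

    // Imperative: the decision depends on business data (the amount), so it
    // is taken inside the operation against the same principal.
    [PrincipalPermission(SecurityAction.Demand, Role = "OrderClerk")]
    public void Approve(int orderId, decimal amount)
    {
        IPrincipal caller = System.Threading.Thread.CurrentPrincipal;
        if (amount > 10000m && !caller.IsInRole("OrderApprover"))
            throw new FaultException("Caller may not approve orders of this size.");
        /* ... */
    }
}

public static class AuthorizationSetup
{
    public static void Configure(ServiceHost host)
    {
        // Custom mode: Thread.CurrentPrincipal comes from our policy rather
        // than from Windows groups (Windows mode) or ASP.NET roles
        // (UseAspNetRoles mode).
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        host.Authorization.ExternalAuthorizationPolicies =
            new ReadOnlyCollection<IAuthorizationPolicy>(
                new List<IAuthorizationPolicy> { new RoleStorePolicy() });
    }
}
```

A caller who is authenticated but absent from the role store still gets a principal, just one with no roles; every PrincipalPermission demand then fails closed.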

Bindings

- If you need to support clients over the internet
- If you need to expose your WCF service to legacy clients as an ASMX web service
- If you need to support WCF clients within an intranet
- If you need to support WCF clients on the same machine
- If you need to support disconnected queued calls
- If you need to support bidirectional communication between WCF client and WCF service

Configuration Management

- Use replay detection to protect against message replay attacks
- If you host your service in a Windows service, expose a metadata exchange (mex) binding
- If you don't want to expose your WSDL, turn off HttpGetEnabled (the ?wsdl endpoint) and metadata exchange (mex)
- Encrypt configuration sections that contain sensitive data

Exception Management

- Use structured exception handling
- Do not divulge exception details to clients in production
- Use a fault contract to return error information to clients
- Use a global exception handler with IErrorHandler to catch unhandled exceptions
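The four items above combined, as an added example: an IErrorHandler that logs the full exception on the server and returns only a fault contract to the client. This is not code from the WCF Security Guide; ServiceFault, SafeErrorHandler, ErrorHandlerBehaviorAttribute, the fault action string and the IAccounts contract are assumptions made for illustration.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Added example (not from the WCF Security Guide). Type names, the fault
// action and the contract are assumptions.

// Fault contract: the only error shape a client ever receives.
[DataContract]
public sealed class ServiceFault
{
    public const string Action = "urn:example:accounts/ServiceFault";  // assumed
    [DataMember] public string ErrorCode;       // stable, non-sensitive code
    [DataMember] public string CorrelationId;   // finds the server-side log entry
}

public sealed class SafeErrorHandler : IErrorHandler
{
    // Runs first, on the reply path: decide what the client sees.
    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        // Faults the service threw deliberately already carry contracted,
        // non-sensitive data; let WCF serialize them unchanged.
        if (error is FaultException) return;

        string correlationId = Guid.NewGuid().ToString("N");
        error.Data["CorrelationId"] = correlationId;   // picked up by HandleError

        // The exception message and stack trace are deliberately NOT copied.
        var fe = new FaultException<ServiceFault>(
            new ServiceFault { ErrorCode = "InternalError", CorrelationId = correlationId },
            new FaultReason("The request could not be completed."));
        fault = Message.CreateMessage(version, fe.CreateMessageFault(), ServiceFault.Action);
    }

    // Runs afterwards, off the reply path: full detail goes to the server log
    // only. Returning true marks the error handled so the session/channel is
    // not faulted.
    public bool HandleError(Exception error)
    {
        object id = error.Data["CorrelationId"];
        System.Diagnostics.Trace.TraceError("[{0}] {1}", id, error);   // stand-in for your log sink
        return true;
    }
}

// Installs the handler on every channel dispatcher of the host.
[AttributeUsage(AttributeTargets.Class)]
public sealed class ErrorHandlerBehaviorAttribute : Attribute, IServiceBehavior
{
    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        foreach (ChannelDispatcherBase cdb in host.ChannelDispatchers)
        {
            var cd = cdb as ChannelDispatcher;
            if (cd != null) cd.ErrorHandlers.Add(new SafeErrorHandler());
        }
    }
    public void AddBindingParameters(ServiceDescription d, ServiceHostBase h,
        Collection<ServiceEndpoint> e, BindingParameterCollection p) { }
    public void Validate(ServiceDescription d, ServiceHostBase h) { }
}

[ServiceContract]
public interface IAccounts
{
    [OperationContract]
    [FaultContract(typeof(ServiceFault), Action = ServiceFault.Action)]   // advertised in WSDL
    decimal GetBalance(string accountId);
}

[ErrorHandlerBehavior]
public sealed class AccountsService : IAccounts
{
    public decimal GetBalance(string accountId)
    {
        // Anything escaping from here reaches SafeErrorHandler: the client
        // gets a ServiceFault with a correlation id, never this message.
        throw new InvalidOperationException("connection to DB01 as svc_accounts failed");
    }
}
```

The handler only matters if ServiceDebugBehavior.IncludeExceptionDetailInFaults stays off in production; with it on, WCF ships the stack trace regardless.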

Hosting

- Run your service in a least privileged account
- Use IIS to host your service unless you need to use a transport that IIS does not support

Impersonation/Delegation

- Know your tradeoffs with impersonation
- Know your impersonation options
- Know your impersonation methods
- Consider using programmatic instead of declarative impersonation
- When impersonating programmatically, be sure to revert to the original context
- When impersonating declaratively, only impersonate on the operations that require it
- Consider using the S4U feature for impersonation and delegation when you cannot do a Windows mapping
- Consider using the LogonUser API if your WCF service cannot be trusted for delegation
- If you have to flow the original caller to the backend services, use constrained delegation
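Programmatic impersonation with a guaranteed revert, declarative impersonation on a single operation, and S4U, as one added example. This is not code from the WCF Security Guide; the IRecords contract, the BackendRead helper and the assumption that callers are Windows-authenticated (for example netTcpBinding or wsHttpBinding with Windows credentials) are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Added example (not from the WCF Security Guide). Contract and helper
// names are assumptions; callers are assumed to be Windows-authenticated.

[ServiceContract]
public interface IRecords
{
    [OperationContract] string ReadRecord(int id);
    [OperationContract] string ReadAudit(int id);
}

public sealed class RecordsService : IRecords
{
    // Programmatic impersonation: only the backend call runs as the caller.
    // Disposing the WindowsImpersonationContext reverts to the service
    // account even if BackendRead throws, so the operation can never finish
    // (or fail) while still impersonating.
    public string ReadRecord(int id)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null)
            throw new FaultException("A Windows identity is required.");

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return BackendRead(id);     // backend ACLs are evaluated for the caller
        }                               // ctx.Undo() runs here, on every path
    }

    // Declarative impersonation: the whole operation runs as the caller.
    // Put the attribute only on operations that need it; avoid the
    // service-wide switch (ImpersonateCallerForAllOperations).
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadAudit(int id)
    {
        return BackendRead(id);
    }

    // S4U: a Windows token for a user without that user's password, for the
    // case where the authenticated caller has to be mapped to a Windows
    // account by the service. The UPN must come from the service's own
    // trusted mapping of the authenticated caller, never from request data,
    // or any client could pick whom to impersonate.
    private static string ReadAsMappedUser(string mappedUpn, int id)
    {
        WindowsIdentity user = new WindowsIdentity(mappedUpn);   // S4U logon
        using (WindowsImpersonationContext ctx = user.Impersonate())
        {
            return BackendRead(id);
        }
    }

    private static string BackendRead(int id)
    {
        // Shows which account a backend resource would see.
        return WindowsIdentity.GetCurrent().Name + ":" + id;
    }
}
```

Both patterns are enough for resources on the service machine. To reach a remote backend as the original caller, the token must be usable for a second hop, which is what constrained delegation (and, for S4U, protocol transition on the service account) provides.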

Input/Data Validation

- If you need to validate parameters, use parameter inspectors
- Use schemas to validate messages, using message inspectors
- Use regular expressions in schemas to validate format, range or length
- Implement the AfterReceiveRequest method to validate inbound messages on the service
- Implement the BeforeSendReply method to validate outbound messages on the service
- Implement the AfterReceiveReply method to validate inbound messages on the client
- Implement the BeforeSendRequest method to validate outbound messages on the client
- Validate operation parameters for length, range, format and type
- Do not rely on client-side validation
- Avoid user-supplied file name and path input
- Do not echo untrusted input
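Schema validation of inbound messages in AfterReceiveRequest, with format and range constraints expressed in the schema, as an added example. This is not code from the WCF Security Guide; the schema, the urn:example:payments namespace and SchemaValidationBehaviorAttribute are assumptions made for illustration. The schema assumes a contract declared with `[ServiceContract(Namespace = "urn:example:payments")]` and an operation `Transfer(string accountId, decimal amount)`.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Xml;
using System.Xml.Schema;

// Added example (not from the WCF Security Guide). Schema, namespace and
// behavior name are assumptions.

public sealed class SchemaValidationInspector : IDispatchMessageInspector
{
    private readonly XmlSchemaSet schemas;
    public SchemaValidationInspector(XmlSchemaSet schemas) { this.schemas = schemas; }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        // A Message can be read only once: buffer it, validate one copy and
        // hand a fresh copy on to the dispatcher.
        MessageBuffer buffer = request.CreateBufferedCopy(int.MaxValue);
        request = buffer.CreateMessage();
        Message copy = buffer.CreateMessage();

        var settings = new XmlReaderSettings { ValidationType = ValidationType.Schema, Schemas = schemas };
        settings.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
        settings.ValidationEventHandler += (sender, e) =>
        {
            // Generic message: the offending input is not echoed back.
            throw new FaultException("The request failed schema validation.");
        };

        using (XmlDictionaryReader body = copy.GetReaderAtBodyContents())
        using (XmlReader validating = XmlReader.Create(body, settings))
        {
            while (validating.Read()) { }   // validation happens as the body is read
        }
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState)
    {
        // Outbound validation would follow the same buffer-and-validate pattern.
    }
}

// Installs the inspector on every application endpoint of the service.
[AttributeUsage(AttributeTargets.Class)]
public sealed class SchemaValidationBehaviorAttribute : Attribute, IServiceBehavior
{
    // Constructed schema: accountId is exactly 8 digits, amount is 0..1,000,000.
    private const string Xsd =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'" +
        "  targetNamespace='urn:example:payments' elementFormDefault='qualified'>" +
        " <xs:element name='Transfer'><xs:complexType><xs:sequence>" +
        "  <xs:element name='accountId'><xs:simpleType><xs:restriction base='xs:string'>" +
        "   <xs:pattern value='[0-9]{8}'/></xs:restriction></xs:simpleType></xs:element>" +
        "  <xs:element name='amount'><xs:simpleType><xs:restriction base='xs:decimal'>" +
        "   <xs:minInclusive value='0'/><xs:maxInclusive value='1000000'/>" +
        "  </xs:restriction></xs:simpleType></xs:element>" +
        " </xs:sequence></xs:complexType></xs:element>" +
        "</xs:schema>";

    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        var schemas = new XmlSchemaSet();
        schemas.Add(null, XmlReader.Create(new StringReader(Xsd)));
        schemas.Compile();

        foreach (ChannelDispatcherBase cdb in host.ChannelDispatchers)
        {
            var cd = cdb as ChannelDispatcher;
            if (cd == null) continue;
            foreach (EndpointDispatcher ed in cd.Endpoints)
            {
                // Leave the mex endpoint alone; its requests are not Transfer messages.
                if (ed.ContractName == ServiceMetadataBehavior.MexContractName) continue;
                ed.DispatchRuntime.MessageInspectors.Add(new SchemaValidationInspector(schemas));
            }
        }
    }
    public void AddBindingParameters(ServiceDescription d, ServiceHostBase h,
        Collection<ServiceEndpoint> e, BindingParameterCollection p) { }
    public void Validate(ServiceDescription d, ServiceHostBase h) { }
}
```

Because the constraints live in the schema, a client that skips its own validation (or a forged message) is still rejected before the operation body runs; the operation can then trust the shape of its parameters and only needs business-rule checks.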

Message Security

- If you need to support clients over the internet, consider using message security
- If there are intermediaries between client and service, consider using message security
- If you need to support selective message protection, use message security
- If you need to support multiple transactions per session using secure conversation, use message security
- Do not pass sensitive information in SOAP headers when using HTTP transport and message security: message security signs and encrypts the body, and headers you add yourself are not protected unless you set a ProtectionLevel on them
- If you need to support interoperability, consider setting negotiateServiceCredential to false
- If you need to streamline certificate distribution to your clients, consider negotiating the service credentials
- If you need to limit the clients that will consume your service, consider setting negotiateServiceCredential to false

Transport Security

- Use transport security when possible
- If you need to support clients in an intranet, use transport security
- If you need to support interoperability with non-WCF clients, use transport security
- Consider an SSL hardware accelerator when using transport security, to take the TLS handshake and bulk encryption off the service host

Proxy Considerations

- Publish your WCF service metadata only when required
- If you need to publish your WCF service metadata, publish it over HTTPS
- If you need to publish your WCF service metadata, publish it using a secure binding
- If you turn off mutual authentication, be aware of service spoofing
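The metadata items above, together with the replay-detection and HttpGetEnabled items under Configuration Management and the SuppressAuditFailure item under Auditing and Logging, as one added host-setup example. This is not code from the WCF Security Guide; the IInventory contract, the HardenedHost class and the replay window and cache values are assumptions made for illustration.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// Added example (not from the WCF Security Guide). Contract, class name and
// the replay settings are assumptions.

[ServiceContract(Namespace = "urn:example:inventory")]
public interface IInventory
{
    [OperationContract] int OnHand(string sku);
}

public static class HardenedHost
{
    public static ServiceHost Create(Type serviceType, Uri baseHttpsAddress)
    {
        var host = new ServiceHost(serviceType, baseHttpsAddress);

        // 1. Application endpoint: message security with explicit replay
        //    detection. It is on by default for message security; setting it
        //    here documents the intent and fixes the window and cache size.
        var ws = new WSHttpBinding(SecurityMode.Message);
        BindingElementCollection elements = ws.CreateBindingElements();
        SecurityBindingElement security = elements.Find<SecurityBindingElement>();
        security.LocalServiceSettings.DetectReplays = true;
        security.LocalServiceSettings.ReplayWindow = TimeSpan.FromMinutes(5);
        security.LocalServiceSettings.ReplayCacheSize = 900000;
        host.AddServiceEndpoint(typeof(IInventory), new CustomBinding(elements), "");

        // 2. Metadata: no plain-HTTP ?wsdl, WSDL and mex only over HTTPS.
        //    Drop any ServiceMetadataBehavior that config added so these
        //    explicit settings win.
        host.Description.Behaviors.Remove<ServiceMetadataBehavior>();
        host.Description.Behaviors.Add(new ServiceMetadataBehavior
        {
            HttpGetEnabled = false,
            HttpsGetEnabled = true
        });
        host.AddServiceEndpoint(ServiceMetadataBehavior.MexContractName,
            MetadataExchangeBindings.CreateMexHttpsBinding(), "mex");

        // 3. Auditing to the Windows Security log. SuppressAuditFailure = false:
        //    if the audit record cannot be written, the call fails rather than
        //    proceeding unaudited. The process account needs the "Generate
        //    security audits" right to write to the Security log.
        host.Description.Behaviors.Remove<ServiceSecurityAuditBehavior>();
        host.Description.Behaviors.Add(new ServiceSecurityAuditBehavior
        {
            AuditLogLocation = AuditLogLocation.Security,
            SuppressAuditFailure = false,
            ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure,
            MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure
        });

        // 4. Never ship exception details to clients.
        ServiceDebugBehavior debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug != null) debug.IncludeExceptionDetailInFaults = false;

        return host;
    }
}
```

When the service is hosted in IIS, the same setup belongs in a ServiceHostFactory rather than in a console program, so the hardening is applied regardless of what web.config says.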

Sensitive Data

- Avoid plain text passwords or other sensitive data in configuration files
- Use platform features to manage keys where possible
- Protect sensitive data over the wire
- Do not cache sensitive data
- Minimize exposure of secrets in memory
- Be aware that basicHttpBinding will not protect sensitive data by default
- Use appropriately sized keys

Deployment Considerations

- Do not use temporary certificates in production
- If you are using Kerberos authentication or delegation, create an SPN
- Use IIS to host your WCF service wherever possible
- Use a least privileged account to run your WCF service
- Protect sensitive data in your configuration files

Last edited Jun 13, 2008 at 9:45 PM by prashantbansode, version 1