WCF Security Guidelines

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Design Considerations

The key issue to consider at design time is which bindings you will choose for your particular scenario. Choosing an appropriate binding is important from a security perspective because it drives your other security choices, such as transfer security, which determines the confidentiality, integrity and authentication of your messages. Additionally, you need to consider which authentication and authorization options are available to you and which make sense for your scenario.

When designing your WCF service, you should:

Auditing and Logging

You should audit and log activity across the tiers of your application. Using logs, you can detect suspicious-looking activity; this frequently provides early indications of a full-blown attack, and the logs also help address the repudiation threat, where users deny their actions. Log files may be required in legal proceedings to prove the wrongdoing of individuals. Generally, auditing is considered most authoritative if the audit records are generated at the precise time of resource access and by the same routines that access the resource.

When implementing auditing and logging in WCF applications:

Authentication

Authentication is one of the most important pillars of security. Where possible, you should use Windows authentication: it lets you use an existing identity store such as your corporate Active Directory, it lets you enforce strong password policies, you do not need to build custom identity store management tools, and passwords are not transmitted over the network.

This section provides guidance on choosing the correct authentication option for your scenario:

Authorization

Authorizing users of your WCF application helps reduce the attack surface. You control authorization by using resource-based authorization or role-based authorization.

Use the following guidelines to decide on an authorization strategy when implementing role-based authorization:
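The two approaches side by side, as an added example that is not part of the original guidelines: role-based authorization via a PrincipalPermission demand, and a resource-based check inside the operation for the case a role cannot express. The contract, the group names (CONTOSO\HR, CONTOSO\PayrollAdmins) and the sample records are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Permissions;
using System.ServiceModel;

// Added example, not from the guideline page. Contract, group names
// (CONTOSO\HR, CONTOSO\PayrollAdmins) and sample data are constructed.
[ServiceContract]
public interface IPayrollService
{
    [OperationContract] decimal GetSalary(string employeeId);
    [OperationContract] void AdjustSalary(string employeeId, decimal newSalary);
}

public class PayrollService : IPayrollService
{
    // Constructed sample data: salary per record and the account that owns it.
    static readonly Dictionary<string, decimal> Salaries = new Dictionary<string, decimal>
        { { "E1001", 52000m }, { "E1002", 61000m } };
    static readonly Dictionary<string, string> RecordOwner = new Dictionary<string, string>
        { { "E1001", @"CONTOSO\alice" }, { "E1002", @"CONTOSO\bob" } };
    // Role-based: the demand fails before the body runs unless the caller's
    // Windows token (PrincipalPermissionMode.UseWindowsGroups, the default)
    // carries the HR group, so no custom role store is involved.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\HR")]
    public decimal GetSalary(string employeeId)
    {
        decimal salary;
        if (!Salaries.TryGetValue(employeeId, out salary))
            throw new FaultException("Unknown employee.");
        return salary;
    }
    // Role-based gate plus resource-based check: the group gets the caller
    // into the method, but a role cannot express "only records you own",
    // so each record is compared with the authenticated caller's identity.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\PayrollAdmins")]
    public void AdjustSalary(string employeeId, decimal newSalary)
    {
        string caller = ServiceSecurityContext.Current.WindowsIdentity.Name;
        if (!CallerOwnsRecord(caller, employeeId))
            throw new FaultException("Caller is not permitted to modify this record.");
        Salaries[employeeId] = newSalary;
    }
    public static bool CallerOwnsRecord(string caller, string employeeId)
    {
        string owner;
        return RecordOwner.TryGetValue(employeeId, out owner)
            && string.Equals(owner, caller, StringComparison.OrdinalIgnoreCase);
    }
}
```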

Bindings

Choosing the right binding for your scenario is important from both a security and a performance perspective. One rule of thumb you can follow is: on an intranet use netTcpBinding, and over the internet use wsHttpBinding. You can fine-tune your selection based on your unique needs and your infrastructure limitations.

Use the following recommendations as a rule of thumb when choosing a binding option.

Configuration

To avoid introducing vulnerabilities when you configure your WCF application:

Exception Management

Correct exception handling in your WCF application prevents sensitive exception details from being revealed to the user, improves application robustness, and helps avoid leaving your application in an inconsistent state in the event of errors. Consider the following guidelines:
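An IErrorHandler that keeps exception details on the server and forces IncludeExceptionDetailInFaults off, as an added example that is not part of the original guidelines. The service name in the usage comment is a placeholder.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Diagnostics;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Added example, not from the guideline page: full detail goes to the server
// log, the caller receives a generic fault carrying only a reference id.
public class SafeErrorHandler : IErrorHandler
{
    // Runs after the fault is sent; true marks the error as handled so the
    // session channel is not aborted needlessly.
    public bool HandleError(Exception error) { return true; }

    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        if (error is FaultException) return;   // deliberate contract faults pass through unchanged
        string reference = Guid.NewGuid().ToString("N");
        Trace.TraceError("Fault {0}: {1}", reference, error);   // type, message, stack: server side only
        var generic = new FaultException("The request could not be completed. Reference: " + reference);
        fault = Message.CreateMessage(version, generic.CreateMessageFault(), generic.Action);
    }
}

// Service behavior that installs the handler on every dispatcher and turns
// exception details off even if a debug setting leaked into production config.
public class SafeErrorHandlingAttribute : Attribute, IServiceBehavior
{
    // Validate runs before any behavior's ApplyDispatchBehavior, so the debug
    // behavior, when it applies later, propagates "false" to the dispatchers.
    public void Validate(ServiceDescription description, ServiceHostBase host)
    {
        var debug = description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug != null) debug.IncludeExceptionDetailInFaults = false;
    }
    public void AddBindingParameters(ServiceDescription description, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }
    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        foreach (ChannelDispatcher dispatcher in host.ChannelDispatchers)
        {
            dispatcher.IncludeExceptionDetailInFaults = false;   // belt and braces
            dispatcher.ErrorHandlers.Add(new SafeErrorHandler());
        }
    }
}
// Usage: [SafeErrorHandling] public class OrderService : IOrderService { ... }
```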

Hosting

Choosing the correct host and process identity to run your WCF application is important from a security perspective. Consider the following guidelines when choosing a host for your WCF application:

Impersonation / Delegation

By default, WCF applications do not impersonate, although in some scenarios you need to use impersonation to perform operations or access resources using the authenticated user's identity. If you use impersonation, consider the following guidelines:
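Impersonation scoped to the single operation that needs it, plus the client-side impersonation level that permits it, as an added example that is not part of the original guidelines. The contract and the per-user ACL'd directory C:\Reports are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

// Added example, not from the guideline page. The contract and the directory
// C:\Reports (ACL'd per user) are assumptions.
[ServiceContract]
public interface IReportService
{
    [OperationContract] string ReadReport(string name);
    [OperationContract] int CountReports();
}

public class ReportService : IReportService
{
    const string ReportRoot = @"C:\Reports";
    // Only the operation that must touch a resource as the caller declares
    // impersonation. Required (rather than Allowed) makes WCF reject the call
    // when the caller's token cannot be impersonated, instead of quietly
    // running the operation under the service account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadReport(string name)
    {
        // The thread already runs as the caller here, so the file ACL is
        // evaluated against the caller, not the host process identity.
        string path = Path.Combine(ReportRoot, Path.GetFileName(name)); // strip any directory part
        return File.ReadAllText(path);
    }
    // No caller identity needed: keeps the default (NotAllowed) and runs
    // under the least-privileged process identity.
    public int CountReports()
    {
        return Directory.GetFiles(ReportRoot).Length;
    }
}

// Client side: impersonation only happens if the caller permits it.
// Impersonation level lets the service act as the caller on its own machine;
// Delegation would be needed to reach a further hop (a file share, SQL Server)
// and should be granted only to services that genuinely need that hop.
public static class ReportClient
{
    public static ChannelFactory<IReportService> Create(string address)
    {
        var factory = new ChannelFactory<IReportService>(new NetTcpBinding(SecurityMode.Transport), address);
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        return factory;
    }
}
```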

Message Security

If your WCF application passes sensitive data over networks, consider the threats of eavesdropping, tampering, and unauthorized callers accessing your endpoint. In an internet scenario, where you do not have control over the intermediate systems, consider using message security. The following sections outline guidance for choosing message security:

Message Validation

If you make unfounded assumptions about the type, length, format, or range of input, your application is unlikely to be robust. Input validation becomes a security issue when an attacker discovers that you have made unfounded assumptions: the attacker can then supply carefully crafted input that compromises your application. Misplaced trust in user input is one of the most common and serious vulnerabilities in WCF applications.

To help avoid input data validation vulnerabilities:
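Validation of type, length, format and range on the dispatcher, before the operation body runs, as an added example that is not part of the original guidelines. The operation shape PlaceOrder(string orderId, int quantity) and the order-id format are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text.RegularExpressions;

// Added example, not from the guideline page. The operation shape
// PlaceOrder(string orderId, int quantity) is assumed for illustration.
public static class OrderInput
{
    // Allow-list: type, length, format and range are all pinned down before
    // the value reaches any business logic or data access.
    static readonly Regex OrderIdFormat = new Regex(@"^[A-Z]{2}-[0-9]{4,8}$", RegexOptions.Compiled);

    public static void Validate(string orderId, int quantity)
    {
        if (orderId == null || orderId.Length > 11 || !OrderIdFormat.IsMatch(orderId))
            throw new FaultException("orderId must look like AB-1234 (2 letters, dash, 4-8 digits).");
        if (quantity < 1 || quantity > 1000)
            throw new FaultException("quantity must be between 1 and 1000.");
    }
}

// Runs the checks on the dispatcher before the operation body executes, so
// the service method itself never sees unvalidated input.
public class OrderInputInspector : IParameterInspector
{
    public object BeforeCall(string operationName, object[] inputs)
    {
        if (operationName == "PlaceOrder")
            OrderInput.Validate(inputs[0] as string, (int)inputs[1]);
        return null; // no correlation state needed
    }
    public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState) { }
}

// Operation behavior that attaches the inspector: put [ValidateOrderInput]
// on the PlaceOrder contract method.
public class ValidateOrderInputAttribute : Attribute, IOperationBehavior
{
    public void Validate(OperationDescription d) { }
    public void AddBindingParameters(OperationDescription d, BindingParameterCollection p) { }
    public void ApplyClientBehavior(OperationDescription d, ClientOperation c) { }
    public void ApplyDispatchBehavior(OperationDescription d, DispatchOperation dispatch)
    {
        dispatch.ParameterInspectors.Add(new OrderInputInspector());
    }
}
```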

Proxy Considerations

When creating a WCF service proxy, clients need to access the service metadata, which may contain sensitive information such as the service location. Attackers can use that metadata to learn about and attack your WCF services, so you need to secure it.

Consider the following guidelines when exposing your service metadata for client proxy creation:
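One way to expose metadata only to authenticated callers, as an added example that is not part of the original guidelines: anonymous ?wsdl retrieval is disabled and the MEX endpoint runs on the same authenticated, encrypted binding as the service. The base address is a placeholder.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example, not from the guideline page. The base address is a placeholder.
public static class MetadataHosting
{
    public static ServiceHost Open(Type serviceType, Type contractType)
    {
        var host = new ServiceHost(serviceType, new Uri("https://services.example.invalid/orders"));

        // The service endpoint itself: transport security, Windows-authenticated callers.
        var serviceBinding = new WSHttpBinding(SecurityMode.Transport);
        serviceBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        host.AddServiceEndpoint(contractType, serviceBinding, "");

        // Both anonymous ?wsdl GET forms stay off, so nobody can pull the
        // contract and endpoint addresses just by browsing to the service.
        var metadata = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (metadata == null) { metadata = new ServiceMetadataBehavior(); host.Description.Behaviors.Add(metadata); }
        metadata.HttpGetEnabled = false;   // no anonymous ?wsdl over HTTP
        metadata.HttpsGetEnabled = false;  // nor over HTTPS

        // Metadata is still available, but only through a MEX endpoint that
        // authenticates the reader. If proxies are generated ahead of time,
        // omit metadata entirely in production instead.
        var mexBinding = new WSHttpBinding(SecurityMode.Transport);
        mexBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IMetadataExchange), mexBinding, "mex");

        host.Open();
        return host;
    }
}
```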

Sensitive Data

Sensitive data usually needs to be protected in persistent storage, in memory, and while it is on the network. Where possible, look for opportunities to avoid storing sensitive data. To make sure that sensitive data cannot be viewed, use encryption.

To help protect sensitive data:

Transport Security

If your WCF application passes sensitive data over networks, consider the threats of eavesdropping, tampering, and unauthorized callers accessing your endpoint. In an intranet scenario, where you have control over the intermediate systems, consider using transport security. The following sections outline guidance for choosing transport security:
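The binding rule of thumb from the Bindings section together with the transport-versus-message choice from the Message Security and Transport Security sections, as one added example that is not part of the original guidelines: netTcpBinding with transport security for the intranet, wsHttpBinding with message security for the internet. The base address and certificate subject name are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not from the guideline page. Base address and certificate
// subject are assumptions; each binding uses the security layer the text
// recommends for its scenario.
public static class SecureBindings
{
    // Intranet: netTcpBinding with transport security. The channel itself is
    // encrypted and signed and callers authenticate with Windows credentials;
    // appropriate where every hop is under your control.
    public static NetTcpBinding Intranet()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // Internet: wsHttpBinding with message security. Each SOAP message is
    // signed and encrypted end to end, so intermediaries you do not control
    // (proxies, routers) see only ciphertext; callers present a username token.
    public static WSHttpBinding Internet()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.NegotiateServiceCredential = false; // client holds service cert out of band
        binding.Security.Message.EstablishSecurityContext = true;    // one handshake, then session keys
        return binding;
    }

    // Host the internet endpoint: message security needs a service certificate
    // (to encrypt to the service and let clients authenticate it) and a
    // username validator backed by your own identity store.
    public static ServiceHost OpenInternetHost(Type serviceType, Type contractType, string certSubject)
    {
        var host = new ServiceHost(serviceType, new Uri("http://orders.example.invalid/svc"));
        host.AddServiceEndpoint(contractType, Internet(), "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, certSubject);
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.MembershipProvider; // ASP.NET membership store
        host.Open();
        return host;
    }
}
```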

Deployment Considerations

To avoid introducing vulnerabilities when you deploy your WCF application into a production environment:

Last edited Jun 30, 2008 at 10:53 PM by rboucher, version 16
