WCF 3.5 Security Guidelines Now Available

A whole bunch of WCF 3.5 Security Guidelines are wow available from the Microsoft Patterns & Practices WCF Security Guidance Project. This is in addition to the previously released samples and videos.

• WCF Security Guidance Project on CodePlex
• WCF Security Videos Tutorials and Samples

WCF 3.5 Security Guidelines

A list of WCF 3.5 Security Guidelines from Microsoft Patterns & Practices. Get the details on the CodePlex Site.

WCF Auditing and Logging

• Use WCF auditing to audit your service
• If non-repudiation is important, consider setting SuppressAuditFailure property to false
• Use message logging to log operations on your service
• Instrument for user management events
• Instrument for significant business operations
• Protect log files from unauthorized access
• Do not log sensitive information

WCF Authentication

• Know your authentication options
• Use Windows Authentication when you can
• If you support non-WCF clients using windows authentication and message security, consider using the Kerberos direct option
• If your users are in AD, but you can’t use windows authentication, consider using username authentication
• If your clients have certificates, consider using client certificate authentication
• If you need to streamline certificate distribution to your clients for message encryption, consider using the negotiate credentials option
• If your users are in a custom store, consider using username authentication with a custom validator
• If your users are in a SQL membership store, use the SQL Membership Provider
• If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
• If you are using username authentication, use SQL Server Membership Provider instead of custom authentication
• If you need to support intermediaries and a variety of transports between client and service, use message security to protect credentials
• If you are using username authentication, validate user login information
• Do not store passwords directly in the user store
• Enforce strong passwords
• Protect access to your credential store
• If you are using Windows Forms to connect to WCF, do not cache credentials

WCF Authorization

• If you use ASP.NET roles, use the ASP.NET Role Provider
• If you use windows groups for authorization, use ASP.NET Role Provider with AspNetWindowsTokenRoleProvider
• If you store role information in SQL, consider using the SQL Server Role Provider for roles authorization
• If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization
• If you need to authorize access to WCF operations, use declarative authorization
• If you need to perform fine-grained authorization based on business logic, use imperative authorization

WCF Binding Guidelines

• If you need to support clients over the internet, consider using wsHttpBinding.
• If you need to expose your WCF service to legacy clients as an ASMX web service, use basicHttpBinding
• If you need to support remote WCF clients within an intranet, consider using netTcpBinding.
• If you need to support local WCF clients, consider using netNamedPipeBinding.
• If you need to support disconnected queued calls, use netMsmqBinding.
• If you need to support bidirectional communication between WCF Client and WCF service, use wsDualHttpBinding.

WCF Configuration Management Guidelines

• Use Replay detection to protect against message replay attacks
• If you host your service in a Windows service, expose a metadata exchange (mex) binding
• If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex)
• Manage bindings and endpoints in config not code
• Associate names with the service configuration when you create service behavior, endpoint behavior, and binding configuration
• Encrypt configuration sections that contain sensitive data

WCF Exception Management Guidelines

• Use structured exception handling
• Do not divulge exception details to clients in production
• Use a fault contract to return error information to clients
• Use a global exception handler to catch unhandled exceptions

WCF Hosting Guidelines

• If you are hosting your service in a Windows Service, use a least privileged custom domain account
• If you are hosting your service in IIS, use a least privileged service account
• Use IIS to host your service unless you need to use a transport that IIS does not support

WCF Impersonation and Delegation Guidelines

• Know the impersonation options
• If you have to flow the original caller, use constrained delegation
• Consider LogonUser when you need to impersonate but you don’t have trusted delegation
• Consider S4U when you need a Windows token and you don’t have the original caller’s credentials
• Use programmatic impersonation to impersonate based on business logic
• When impersonating programmatically be sure to revert to original context
• Only impersonate on operations that require it
• Use OperationBehavior to impersonate declaratively

WCF Input/Data Validation Guidelines

• If you need to validate parameters, use parameter inspectors
• If your service has operations that accept message or data contracts, use schemas to validate your messages
• If you need to do schema validation, use message inspectors
• Validate operation parameters for length, range, format and type
• Validate parameter input on the server
• Validate service responses on the client
• Do not rely on client-side validation
• Avoid user-supplied file name and path input
• Do not echo untrusted input

WCF Proxy Considerations

• Publish your metadata over HTTPS to protect your clients from proxy spoofing
• If you turn off mutual authentication, be aware of service spoofing

WCF Deployment Considerations

• Do not use temporary certificates in production
• If you are using a custom domain account in the identity pool for your WCF application, create an SPN for Kerberos to authenticate the client.
• If you are using a custom service account and need to use trusted for delegation, create an SPN
• If you are hosting your service in a Windows Service, using a custom domain identity, and ASP.NET needs to use constrained trusted for delegation when calling the service, create an SPN
• Use IIS to host your service unless you need to use a transport that IIS does not support
• Use a least privileged account to run your WCF service
• Protect sensitive data in your configuration files

Topics

• Acceptance Test Engineering Guidance
• ASP.NET MVC Framework
• Enterprise Library
• Prism
• Repository Factory
• Smart Client Software Factory
• Unity
• Web Client Software Factory
• Web Service Software Factory

Popular Tags

• AcceptanceTestGuidance
• ADODataServices
• ADONET
• ADONETEntityFramework
• AJAX
• AltNetConf
• AOP
• ApplicationBlockSoftwareFactory
• AppSettings
• ArchitectureJournal
• ArchitectureJournalReader
• ArgumentValidationException
• AuthorizationRulesService
• AuthorizationService
• AutocompleteGuidanceBundle
• Autofac
• Caliburn
• CastleActiveRecord
• CastleWindsor
• CodeGeneration
• CompositeWebApplicationBlock
• CompositeWebClientAutomation
• ConfigurationSectionEncryption
• ContextAutoCompleteExtender
• DataAccessApplicationBlock
• DataAccessGuidancePackage
• DataAccessLayer
• DataContract
• DayOfPnP
• DependencyInjection
• DesignByContract
• DynamicData
• DynamicProxy
• EnterpriseLibrary
• EnterpriseLibrary4
• EntLibConfigurationEditor
• EnvironmentalOverrides
• F#
• Frameworks
• Gallio
• GAT
• GAX
• GuidanceBundles
• GuidanceExplorer
• IASA
• IControllerFactory
• IoC
• IronPython
• LinFu
• LINQ
• LinqToSql
• MembershipProvider
• MessageTemplateTokens
• ModelViewPresenter
• ModularityBundle
• ModuleInitializer
• Moq
• MVC
• MVPBundle
• NHibernate
• ObjectBuilder
• ObjectContainerDataSource
• OrlandoCodeCamp
• PageFlowApplicationBlock
• PartialClasses
• PassiveView
• PerformanceTesting
• PolicyInjectionApplicationBlock
• PostSharp
• Prism
• PropertyProxyValidator
• RealTimeSearchMonitor
• RhinoMocks
• RoleProvider
• SCSF
• SCSFContrib
• SearchBundle
• SecurityApplicationBlock
• ServerSideValidationExtender
• ServiceContract
• ServiceFactory
• SiteMapBuilderService
• SoftwareFactories
• Speaking
• SpecSharp
• SpringFramework
• SQLSaturday
• StateValue
• SupervisingController
• T4
• TDD
• TFSPowerTools
• Typemock
• UnitTesing
• UnitTesting
• Unity
• ValidationApplicationBlock
• ValidationCallHandler
• ValidationGuidanceBundle
• Volta
• WCF
• WCFSecurity
• WCSFContrib
• WebClientAuthorizationModule
• WPF
• WPFCompositeClient
• xUnit

Recent Links

• Adobe Flash Player 10 Beta Open: 3D Effects - Enhanced Drawing API - Filters - Advanced Text Layout
• Microsoft Virtual PC 2007 SP1 Download - Windows Server 2008, Vista SP1 and Windows XP SP3
• Dynamic Data Websites - Displaying Tables and Columns using ScaffoldTable and ScaffoldColumn Attributes
• ASP.NET Dynamic Data Websites Preview May 12 Refresh for Visual Studio 2008 SP1 on MSDN Code Gallery
• Dynamic Data Entities Websites - EntityDataSource and ASP.NET Website Scaffolding - Rapid Application Development ( RAD )
• EntityDataSource Companion to ADO.NET Entity Data Model in Visual Studio 2008 SP1
• Download Visual Studio 2008 and .NET Framework 3.5 Service Pack 1 Beta: ASP.NET Dynamic Data - ADO.NET Entity Framework - ADO.NET Data Services
• dotTrace Profiler 3.1 - Support for Visual Studio 2008, Vista and Windows Server 2008
• CodeRush and Refactor! Pro v3.0.8 Download Available - Visual Studio 2008 Add-Ins
• Download Zune 2.5 Software - Gapless Playback - Smart Playlists - Multiple Device Syncing...
• Download XNA Game Developer Studio 3.0 CTP - Zune XBOX 360 Windows
• Expression Web 2 - FTP Explorer to Publish Websites Should be a TreeView
• Expression Design 2 Needs Some Bitmap Graphics Tools like Crop Lasso Magic Wand Marquee
• Popfly Game Creator Alpha Released - Online Tool for Creating Web-based Games
• Coda - Mac Web Design and Web Development Tool
• Free VMware Fusion 1.1.2 Update - Better Support for MacBook Air and Time Machine
• Microsoft Hires Adobe's Former Chief Architect of Photoshop
• Microsoft Expression Studio 2 Released
• SQL Server 2008 Management Studio Gets T-SQL Intellisense
• Composite ASP.NET MVC Applications WCSF, SCSF, and Prism Style