WCF Security Questions and Answers (Q&A)

patterns & practices Developer Center

Index

Design Considerations

  • How do I decide on an authentication strategy?
  • How do I decide on an authorization strategy?
  • When should I use message security versus transport security?
  • How do I use my existing Active Directory infrastructure?
  • What bindings should I use over the Internet?
  • What bindings should I use over an intranet?
  • When should I use resource-based authorization versus roles-based authorization?
  • When should I impersonate the original caller?
  • When should I flow the original caller's identity to back-end resources?
  • How do I migrate to WCF from an ASMX Web service?
  • How do I migrate to WCF from a COM application?
  • How do I migrate to WCF from a DCOM application?
  • How do I migrate to WCF from a WSE application?

Auditing and Logging

  • What WCF service security events should be logged?
  • How do I enable logging and auditing in WCF?
  • How do I stop my service if there has been an auditing failure?
  • How do I log important business events in WCF?
  • How do I implement log throttling in WCF?
  • How do I use the health monitoring feature with WCF?
  • How do I protect my log files?
  • How do I pass user identity information in a message for auditing purposes?

Authentication

  • How do I decide on an authentication strategy in WCF?
  • When should I use the SQL Server membership provider?
  • How do I authenticate against Active Directory?
  • How do I authenticate against a SQL store?
  • How do I authenticate against a custom store?
  • How do I protect passwords in my user store?
  • How do I use certificate authentication with X.509 certificates?
  • What is the most common authentication scenario for intranet applications?
  • What is the most common authentication scenario for Internet applications?
  • How do I support authentication for multiple client types?
  • What is federated security?
  • How do I send credentials in the message when I am using transport security?
  • How do I avoid cleartext passwords?

Authorization

  • How do I decide on an authorization strategy in WCF?
  • What is the difference between resource-based, roles-based, and claims-based authorization?
  • How do I use Windows groups for role authorization in WCF?
  • How do I use the SQL Server role provider for ASP.NET role authorization in WCF?
  • How do I use the Windows Token role provider for ASP.NET role authorization in WCF?
  • How do I use the Authorization Store role provider for ASP.NET role authorization in WCF?
  • What is the difference between declarative and imperative roles authorization?
  • How do I restrict access to WCF operations to specific Windows users?
  • How do I associate roles with a certificate?
  • What is a service principal name (SPN)?
  • How do I create a service principal name (SPN)?

Bindings

  • What is a binding?
  • What bindings are available?
  • Which bindings are best suited for the Internet?
  • Which bindings are best suited for an intranet?
  • How do I choose an appropriate binding?

Configuration Management

  • How do I encrypt sensitive data in the WCF configuration file?
  • How do I run a WCF service with a particular identity?
  • How do I create a service account for running my WCF service?
  • When should I use a configuration file versus the WCF object model?
  • What is a metadata exchange (mex) binding?
  • How do I keep clients from referencing my service?

Deployment Considerations

  • What are the additional considerations for using WCF in a Web farm?
  • How do I configure Active Directory groups and accounts for roles-based authorization checks?
  • How do I create an X.509 certificate?
  • When should I use a service principal name (SPN)?
  • How do I configure a least-privileged account for my service?

Exception Management

  • How do I implement a global exception handler?
  • What is a fault contract?
  • How do I define a fault contract?
  • How do I avoid sending exception details to the client?

Hosting

  • How do I configure a least-privileged account to host my service?
  • When should I host my service in Internet Information Services (IIS)?
  • When should I host my service in a Windows service?
  • When should I self-host my service?

Impersonation/Delegation

  • What are my impersonation options?
  • What is the difference between impersonation and delegation?
  • How do I impersonate the original caller for an operation call?
  • How do I temporarily impersonate the original caller in an operation call?
  • How do I impersonate a specific (fixed) identity?
  • What is constrained delegation?
  • What is protocol transition?
  • How do I flow the original caller from the ASP.NET client to a WCF service?
  • What is the difference between declarative and programmatic impersonation?
  • What is the trusted subsystem model?
  • When should I flow the original caller to back-end code?
  • How do I control access to a remote resource based on the original caller's identity?

Input/Data Validation

  • How do I implement input and data validation in WCF?
  • What is schema validation?
  • What is parameter validation?
  • Should I validate before or after message serialization?
  • How do I protect my service from denial of service (DoS) attacks?
  • How do I protect my service from malicious input attacks?
  • How do I protect my service from malformed messages?

Message Protection

  • When should I use message security?
  • When should I use transport security?
  • How do I protect my message when there are intermediaries routing the message?
  • How do I protect my message when there are multiple protocols used during message transit?

Proxy Considerations

  • When should I use a channel factory?
  • When do I need to expose a metadata exchange (mex) endpoint for my service?
  • How do I avoid proxy spoofing?

Sensitive Data

  • How do I protect sensitive data in configuration files?
  • How do I protect sensitive data in memory?
  • How do I protect my metadata?
  • How do I protect sensitive data from being read on the wire?
  • How do I protect sensitive data from being tampered with on the wire?

X.509 Certificates

  • How do I create X.509 certificates?
  • Do I need to create a certificate signed by the root CA certificate?
  • How do I use X.509 certificate revocation?