Improving Web Services Security Guide

By | November 1, 2011

Source: Microsoft Patterns & Practices

Introduction

This guide shows you how to improve security for your WCF services. It also shows you how to effectively design your authentication, authorization, and communication strategies for Microsoft® Windows Communication Foundation.

The information in this guide is based on practices learned from customer feedback and product support, as well as experience gained in the field and while implementing real solutions. The guidance is task-based and presented in the following parts:

  • Part I – Security Fundamentals for Web Services gives you a quick overview of fundamental security concepts as they relate to services, service-oriented design, and Service-Oriented Architecture (SOA).
  • Part II – WCF Security Fundamentals gives you a firm foundation in key WCF security concepts, with special attention on authentication, authorization, and secure communication, as well as WCF binding configurations.
  • Part III – Intranet Application Scenarios shows you a set of end-to-end intranet application scenarios that you can use to jump-start your application architecture designs, with a focus on authentication, authorization, and communication for your intranet from a WCF perspective.
  • Part IV – Internet Application Scenarios shows you a set of end-to-end Internet application scenarios that you can use to jump-start your application architecture design for the Internet from a WCF perspective.

WCF / Services Security

Many factors and decisions combine to improve security in WCF services and applications. This guide focuses on the following:

  • Authentication, authorization, and communication design for your services
  • Solution patterns for common distributed application scenarios using WCF
  • Principles, patterns, and practices for improving key security aspects in services

The following diagram illustrates a common solution pattern for WCF intranet scenarios: 

Figure 1. Example WCF Implementation Solution Pattern

Scope of This Guide

This guide is focused on key security aspects of WCF. The guide addresses security across the three primary physical tiers: the client, remote application server, and database server. Clients include Microsoft Windows Forms, ASP.NET, and WCF.

Out of Scope

The following are outside the scope for this guide:

  • Federation
  • Claims authorization

Why We Wrote This Guide

From our own experience with WCF, and through conversations with customers and Microsoft employees who work in the field, we determined that there was significant demand for a guide that would show how to use WCF in the real world. While there is information in the product documentation, in blog posts, and in forums, there has been no single place to find proven practices for the effective use of WCF in the context of line-of-business (LOB) applications under real-world constraints.

Who Should Read This Guide

This guide is targeted at individuals involved in building applications with WCF. The following are examples of roles that would benefit from this guidance:

  • A development team that wants to adopt WCF
  • A software architect or developer looking to get the most out of WCF, with regard to designing his or her application security
  • Interested parties investigating the use of WCF who don’t know how well it would work for their particular deployment scenarios and constraints
  • Individuals tasked with learning WCF security practices

How to Use This Guide

Use the first part of the guide to gain a firm foundation in key security concepts and WCF. Next, use the application scenarios to evaluate potential designs for your own scenario. The application scenarios are skeletal, end-to-end examples of how you might design your authentication, authorization, and communication from a security perspective. Use the appendix of “Guidelines,” “Practices,” “How To” articles, and “Questions and Answers” to dive into implementation details. This separation allows you to understand the topics first and then explore the details as you see fit.

Organization of This Guide

You can read this guide from end to end, or you can read only the chapters you need for your job.

Parts

This guide is divided into four parts:

  • Part I – Security Fundamentals for Web Services
  • Part II – WCF Security Fundamentals
  • Part III – Intranet Application Scenarios
  • Part IV – Internet Application Scenarios

Part I Security Fundamentals for Web Services

  • Chapter 01 – Security Fundamentals for Web Services
  • Chapter 02 – Threats and Countermeasures for Web Services
  • Chapter 03 – Security Design Guidelines for Web Services

Part II WCF Security Fundamentals

  • Chapter 04 – WCF Security Fundamentals
  • Chapter 05 – Authentication, Authorization, and Identities in WCF
  • Chapter 06 – Impersonation and Delegation in WCF
  • Chapter 07 – Message and Transport Security
  • Chapter 08 – Bindings

Part III Intranet Application Scenarios

  • Chapter 09 – Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
  • Chapter 10 – Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)
  • Chapter 11 – Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)
  • Chapter 12 – Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)

Part IV Internet Application Scenarios

  • Chapter 13 – Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
  • Chapter 14 – Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem,TCP)
  • Chapter 15 – Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Checklist

  • WCF Security Checklist

Guidelines

  • WCF Security Guidelines

Practices

  • WCF Security Practices at a Glance

Questions and Answers

  • WCF Security Questions and Answers (Q&A)

“How To” Articles

  • How To – Audit and Log Security Events in WCF Calling from Windows Forms
  • How To – Create and Install Temporary Certificates in WCF for Message Security During

Development

  • How To – Create and Install Temporary Certificates in WCF for Transport Security During Development
  • How To – Create and Install Temporary Client Certificates in WCF During Development
  • How To – Host WCF in a Windows Service Using TCP
  • How To – Impersonate the Original Caller in WCF Calling from a Web Application
  • How To – Impersonate the Original Caller in WCF Calling from Windows Forms
  • How To – Perform Input Validation in WCF
  • How To – Perform Message Validation with Schema Validation in WCF
  • How To – Use basicHttpBinding with Windows Authentication and TransportCredentialOnly in WCF from Windows Forms
  • How To – Use Certificate Authentication and Message Security in WCF calling from Windows Forms
  • How To – Use Certificate Authentication and Transport Security in WCF Calling from

Windows Forms

  • How To – Use Delegation for Flowing the Original Caller Credentials to the Back-end in WCF

Calling from Windows Forms

  • How To – Use Health Monitoring to Instrument a WCF Service for Security
  • How To – Use netTcpBinding with Windows Authentication and Message Security in WCF from Windows Forms
  • How To – Use netTcpBinding with Windows Authentication and Transport Security in WCF from Windows Forms
  • How To – Use Protocol Transition for Impersonating and Delegating the Original Caller in WCF
  • How To – Use the SQL Server Role Provider with Username Authentication in WCF Calling from Windows Forms
  • How To – Use SQL Server Role Provider with Windows Authentication in WCF Calling from Windows Forms
  • How To – Use Username Authentication with Custom Authentication and Message Security in WCF Calling from Windows Forms
  • How To – Use Username Authentication with the SQL Server Membership Provider and Message Security in WCF Calling from Windows Forms
  • How To – Use Username Authentication with Transport Security in WCF Calling from Windows Forms
  • How To – Use wsHttpBinding with Username Authentication and TransportWithMessageCredential in WCF Calling from Windows Forms
  • How To – Use wsHttpBinding with Windows Authentication and Message Security in WCF Calling from Windows Forms
  • How To – Use wsHttpBinding with Windows Authentication and Transport Security in WCF Calling from Windows Forms

Resources

  • WCF Security Resources

Download the full guide here.

Leave a Reply