This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "WCF Security Best Practices"
From OWASP
m (WCF Best Practices moved to WCF Security Best Practices: Clarity) |
|||
Line 2: | Line 2: | ||
J.D. Meier , Jason Taylor , Prashant Bansode , Carlos Farre, Madhu Sundararajan, Steve Gregersen. | J.D. Meier , Jason Taylor , Prashant Bansode , Carlos Farre, Madhu Sundararajan, Steve Gregersen. | ||
− | Design Considerations | + | '''Design Considerations''' |
* Design your service as a wrapper | * Design your service as a wrapper | ||
Line 15: | Line 15: | ||
− | Auditing and Logging | + | '''Auditing and Logging''' |
* Use WCF auditing to audit your service | * Use WCF auditing to audit your service | ||
Line 26: | Line 26: | ||
− | Authentication | + | '''Authentication''' |
* Know your authentication options | * Know your authentication options | ||
Line 44: | Line 44: | ||
− | Authorization | + | '''Authorization''' |
* If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization | * If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization | ||
Line 55: | Line 55: | ||
− | Binding | + | '''Binding''' |
* If you need to support clients over the internet, consider using wsHttpBinding. | * If you need to support clients over the internet, consider using wsHttpBinding. | ||
Line 65: | Line 65: | ||
− | Configuration Management | + | '''Configuration Management''' |
* Use Replay detection to protect against message replay attacks | * Use Replay detection to protect against message replay attacks | ||
Line 75: | Line 75: | ||
− | Exception Management | + | '''Exception Management''' |
* Use structured exception handling | * Use structured exception handling | ||
Line 83: | Line 83: | ||
− | Hosting | + | '''Hosting''' |
* If you are hosting your service in a Windows Service, use a least privileged custom domain account | * If you are hosting your service in a Windows Service, use a least privileged custom domain account | ||
Line 90: | Line 90: | ||
− | Impersonation and Delegation | + | '''Impersonation and Delegation''' |
* Know the impersonation options | * Know the impersonation options | ||
Line 102: | Line 102: | ||
− | Input/Data Validation | + | '''Input/Data Validation''' |
* If you need to validate parameters, use parameter inspectors | * If you need to validate parameters, use parameter inspectors | ||
Line 115: | Line 115: | ||
− | Proxy Considerations | + | '''Proxy Considerations''' |
* Publish your metadata over HTTPS to protect your clients from proxy spoofing | * Publish your metadata over HTTPS to protect your clients from proxy spoofing | ||
Line 121: | Line 121: | ||
− | Deployment considerations | + | '''Deployment considerations''' |
* Do not use temporary certificates in production | * Do not use temporary certificates in production |
Revision as of 04:17, 16 May 2008
From WCF 3.5 Security Guidelines
J.D. Meier , Jason Taylor , Prashant Bansode , Carlos Farre, Madhu Sundararajan, Steve Gregersen.
Design Considerations
- Design your service as a wrapper
- If you are coming from ASMX then use basicHttpBinding to support your existing clients
- If you are coming from DCOM then, use netTcpBinding
- If your clients are deployed within intranet then choose transport security
- If your clients are deployed over the internet then choose message security
- Know your Authentication options
- Know your binding options
- If you need to Interop with non MS clients, use basicHttpBinding or wsHttpBinding
- If your non-MS clients understand WS stack, use wsHttpBinding
Auditing and Logging
- Use WCF auditing to audit your service
- If non-repudiation is important, consider setting SuppressAuditFailure property to false
- Use message logging to log operations on your service
- Instrument for user management events
- Instrument for significant business operations
- Protect log files from unauthorized access
- Do not log sensitive information
Authentication
- Know your authentication options
- Use Windows Authentication when you can
- If you support non-WCF clients using windows authentication and message security, consider using the Kerberos direct option
- If your users are in AD, but you can’t use windows authentication, consider using username authentication
- If you are using username authentication, use Membership Provider instead of custom authentication
- If your users are in a SQL membership store, use the SQL Membership Provider
- If your users are in a custom store, consider using username authentication with a custom validator
- If your clients have certificates, consider using client certificate authentication
- If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
- If you are using username authentication, validate user login information
- Do not store passwords directly in the user store
- Enforce strong passwords
- Protect access to your credential store
- If you are using Windows Forms to connect to WCF, do not cache credentials
Authorization
- If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization
- If you use ASP.NET roles, use the ASP.NET Role Provider
- If you use windows groups for authorization, use ASP.NET Role Provider with AspNetWindowsTokenRoleProvider
- If you store role information in SQL, consider using the SQL Server Role Provider for roles authorization
- If you store role information in ADAM, use the Authorization Store Role Provider for roles authorization
- If you need to authorize access to WCF operations, use declarative authorization
- If you need to perform fine-grained authorization based on business logic, use imperative authorization
Binding
- If you need to support clients over the internet, consider using wsHttpBinding.
- If you need to expose your WCF service to legacy clients as an ASMX web service, use basicHttpBinding
- If you need to support remote WCF clients within an intranet, consider using netTcpBinding.
- If you need to support local WCF clients, consider using netNamedPipeBinding.
- If you need to support disconnected queued calls, use netMsmqBinding.
- If you need to support bidirectional communication between WCF Client and WCF service, use wsDualHttpBinding.
Configuration Management
- Use Replay detection to protect against message replay attacks
- If you host your service in a Windows service, expose a metadata exchange (mex) binding
- If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex)
- Manage bindings and endpoints in config not code
- Associate names with the service configuration when you create service behavior, endpoint behavior, and binding configuration
- Encrypt configuration sections that contain sensitive data
Exception Management
- Use structured exception handling
- Do not divulge exception details to clients in production
- Use a fault contract to return error information to clients
- Use a global exception handler to catch unhandled exceptions
Hosting
- If you are hosting your service in a Windows Service, use a least privileged custom domain account
- If you are hosting your service in IIS, use a least privileged service account
- Use IIS to host your service unless you need to use a transport that IIS does not support
Impersonation and Delegation
- Know the impersonation options
- If you have to flow the original caller, use constrained delegation
- Consider LogonUser when you need to impersonate but you don’t have trusted delegation
- Consider S4U when you need a Windows token and you don’t have the original caller’s credentials
- Use programmatic impersonation to impersonate based on business logic
- When impersonating programmatically be sure to revert to original context
- Only impersonate on operations that require it
- Use OperationBehavior to impersonate declaratively
Input/Data Validation
- If you need to validate parameters, use parameter inspectors
- If your service has operations that accept message or data contracts, use schemas to validate your messages
- If you need to do schema validation, use message inspectors
- Validate operation parameters for length, range, format and type
- Validate parameter input on the server
- Validate service responses on the client
- Do not rely on client-side validation
- Avoid user-supplied file name and path input
- Do not echo untrusted input
Proxy Considerations
- Publish your metadata over HTTPS to protect your clients from proxy spoofing
- If you turn off mutual authentication, be aware of service spoofing
Deployment considerations
- Do not use temporary certificates in production
- If you are using a custom domain account in the identity pool for your WCF application, create an SPN for Kerberos to authenticate the client.
- If you are using a custom service account and need to use trusted for delegation, create an SPN
- If you are hosting your service in a Windows Service, using a custom domain identity, and ASP.NET needs to use constrained trusted for delegation when calling the service, create an SPN
- Use IIS to host your service unless you need to use a transport that IIS does not support
- Use a least privileged account to run your WCF service
- Protect sensitive data in your configuration files