WCF Security

WCF Security
Sridhar Anjanappa
Agenda
Security Engineering
Web Services Security Frame
• Auditing and Logging
• Authentication
• Authorization
• Configuration Management
• Exception Management
• Impersonation / Delegation
• Message Validation
Threats & Attacks to Your
Web Service
Auditing and Logging
• Tampering with log files
• Ineffectual or nonexistent audit processes
Web Service
Authentication
• Network eavesdropping
• Brute force attacks
• Dictionary attacks
• Cookie replay attacks
• Credential theft
Web Service
Authorization
• Elevation of privilege
• Disclosure of confidential data
• Data tampering
• Luring attacks
Web Service
Configuration Management
• Unauthorized access to administration
interfaces
• Unauthorized access to configuration stores
• Retrieval of clear text
• Configuration secrets
• No individual accountability
Web Service
Exception Management
• System or application details are revealed
• Denial of service (DoS)
Web Service
Impersonation/Delegation
• Elevation of privilege
Web Service
Message Encryption
Information Disclosure
Web Service
Message Validation
• Buffer overflows
• Cross-site scripting (XSS)
• SQL injection
• Canonicalization attacks
Web Service
Session Management
• Session hijacking
• Session replay
• Man-in-the-middle attacks
Bindings and Behaviors
Bindings
• Bindings control the security mode, client
credential type, and other security settings.
Behaviors
• Service behaviors control impersonation
levels, how client credentials are
authenticated and authorized, and service
credentials.
Common Bindings
How to choose the right WCF
binding
• If you need to support clients over the
Internet, consider using wsHttpBinding.
• If you need to expose your WCF service to

legacy clients such as an ASMX Web service,
use basicHttpBinding.
• If you need to support WCF clients within an

intranet, consider using netTcpBinding.
How to choose the right WCF
binding
• If you need to support WCF clients on the
same machine, consider using
netNamedPipeBinding.
• If you need to support disconnected queued
calls, use netMsmqBinding.
• If you need to support bidirectional
communication between the WCF client and
WCF service, use wsDualHttpBinding or
netTcpBinding.
The Approach
The keys to building secure services include:
• Identify your security objectives.
• Know your threats.
• Apply proven principles, patterns, and
practices.
• Apply effective security engineering
throughout the application life cycle.
Transfer Security
• After selecting a binding, you can decide
which type of transfer security, otherwise
known as security mode, to use for your WCF
service.
• Transport Level (Point-to-Point)

• Message Level (End-to-End)
Transfer Security
Security Models
• Transport Level Security
• Message Level Security
Transport Level Security
• Simple
• Well Understood
• Adequate for Intranet based scenarios
• Transport mechanism and Endpoint
configuration can be tightly controlled.
• Security is Tightly coupled and dependent on
– The underlying platform
– Transport mechanism
– Security Service provider (NTLM, Kerberos, and so
on)
• Security is only on point-to-point basis, no

hops and routing through intermediate app
nodes.
…
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Transport">
</security>
</binding>
</wsHttpBinding>
</bindings>
…
Message Level Security
• Independent from underlying platform
• Heterogeneous security architecture
• End-to-End security
• Routing through intermediate app nodes.
• Supports multiple encryption technologies.

• Protection Levels
• Protection Levels
Authentication in WCF
• The WCF authentication options available to
you depend on the transfer security mode you
use.
• Your choice of binding will also play a role in

the authentication options because not all
transport or message user credentials are
supported in every binding.
Transport Security Mode Authentication Options
• None
• Basic
• NTLM
• Windows
• Certificate
Message Security Mode Authentication Options
• None
• Windows
• Username
• Certificate
• Issue token
Authorization in WCF
WCF supports the following three basic authorization
approaches:
• Role-based
• Identity-based
• Resource-based
Role-based Authorization
WCF provides following options for role-based
authorization:
• Windows groups
• ASP.NET roles
– SQLRoleProvider
– WindowsTokenRoleProvider
– AuthorizationStoreRoleProvider
• Custom Roles
Impersonation / Delegation
• Impersonation is a technique that WCF
services use to assume the original caller’s
identity in order to authorize access to service
resources (such as files or database tables).
• Impersonation is used to access resources on

the same machine as the service, while
delegation is used to access resources that are
remote to the service.
Controlling Impersonation at the Service Side
• You can use the ImpersonationOption

enumeration along with the
OperationBehaviorAttribute attribute to
control impersonation.
• Options:
– Not Allowed
– Allowed
– Required
Controlling Impersonation at the Client Side
• Windows credentials have an
AllowedImpersonationLevel property that is set to
one of the following TokenImpersonationLevel
options in order to control the impersonation level:
– None
– Anonymous
– Identification
– Impersonation
– Delegation
Auditing in WCF
• WCF Auditing allows you to audit security
events such as authentication and
authorization failures.
• WCF service auditing can allow you to detect

an attack that has occurred or is in progress.
• Auditing can help you debug security-related

problems.
Auditing in WCF
• ServiceSecurityAuditBehavior element
• auditLogLocation attribute.
Scenario 1 (Intranet)
This scenario applies to you if:
• Your users have browsers supporting
Integrated Windows Authentication.
• Your user accounts are in Active Directory
within a domain.
• Your user roles are Windows Groups.
• The business logic behind your WCF service
requires fine-grained authorization.
This scenario applies to you if:
• Your application transmits sensitive data over

the network that needs to be protected.
• A high-performance connection between the

ASP.NET application and the WCF service is
more important than the ability to host the
WCF service in IIS.
In this solution you will:
• Use SSL to protect sensitive data between the
Web client and IIS.
• Use Transport Security to protect sensitive
data between the ASP.NET application and the
WCF service.
• Use netTcpBinding to support the TCP
transport for improved performance.
• Use domain credentials to authenticate clients
against an Active Directory user store.
• Impersonate the original caller when calling
methods on the WCF service from the ASP.NET
application.
• Use a service account to call the SQL Server
from WCF (without impersonation).
• Host WCF in a Windows Service since IIS does
not support the TCP transport (prior to IIS7)
IIS Configuration:
• A dedicated application pool is created and
configured to run under a custom service
account. Use a domain account.
• The Web application is configured to run

under the service account and assign to
custom application pool.
IIS Configuration:
• Service Principal Name (SPN) is created if
domain identity is used in the ASP.NET
application pool.
setspn -a HTTP//WebServer.domain.com customDomainAccount

setspn -a HTTP//WebServer customDomainAccount
• Create an SPN for both the DNS and NETBIOS

machine name.
IIS Configuration:
• ASP.NET Process identity is configured as
Trusted for delegation.
• If you use a network service account, enable

the computer account for trusted for
delegation. If you use a domain user account.
enable the domain account for trusted for
delegation.
IIS Authentication:
• The IIS virtual directory is configured to use

Windows Integrated Authentication.
• Users will be authenticated with Windows
Authentication.
• Anonymous access is disabled.
ASP.NET Authentication:
• ASP.NET is configured for Windows Integrated

authentication.
<authentication mode = "Windows" >
• The Web application will authenticate the

users.
ASP.NET Authorization:
• If you have role segmentation in your
application then use URL authorization.
• The authorized users have access to specific
pages.
<authorization>
<allow roles="domainName\RoleName" />
<deny users="*" />
</authorization>
ASP.NET Authorization:
• Role Manager is enabled and Role-checks are
performed using Role Manager API.
• Original users are authorized using the
Windows groups before calling in WCF
Service.
<roleManager enabled="true”
defaultProvider="AspNetWindowsTokenRoleProvider"/>
if(Roles.IsUserInRole(@“SPL\\accounting“))
{
}
WCF Proxy:
• ASP.NET has a proxy reference to the WCF
service.
• The application has access to the WCF Service
metadata to create a service reference.
WCFTestService.MyServiceClient proxy = new
WCFTestService.MyServiceClient();
WCF Proxy:
• ASP.NET Impersonates the original callers
before calling the WCF operation.
• Used for downstream authorization.
using(((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
{
WCFTestService.MyServiceClient proxy= new WCFTestService.MyServiceClient();
proxy.GetData("data");
proxy.Close();
}
Application Server (Windows Service) Configuration:
• Windows Service is configured to run under a
custom domain service account.
• WCF Service is hosted in a Windows Service
(Since IIS does not support netTcpBinding).
• Service Principal Name (SPN) is created since a
custom domain account is used for the
Windows service, and the ASP.NET application
needs to restrict trust for delegation to only
the WCF service.
WCF Service Configuration:
• Configure the WCF service to use
netTcpBinding.
<endpoint
address=“”
binding="netTcpBinding”
bindingConfiguration=“”
name="TcpBinding” contract="WCFServicecHost.IMyService”
/>
WCF Service Configuration:
• Service Metadata is configured in service
behavior.
• The service metadata entry is required for the
Windows service host to start. Both HTTP and
HTTPS get are disabled.
<serviceMetadata />
WCF Service Authentication:
• netTcpBinding by default supports Windows
Authentication and Transport Security.
<endpoint
address=""
binding="netTcpBinding"
bindingConfiguration="" />
WCF Service Authorization:
• Role Manager feature is enabled and
WindowsTokenRoleProvider is configured for
roles authorization.
<serviceAuthorization principalPermissionMode="UseAspNetRoles”
roleProviderName="AspNetWindowsTokenRoleProvider" />
• Roles authorization can be performed

declaratively or imperatively in the operation
contract.
• Perform role-checks declaratively using the
PrinciplePermission attribute.
• Use declarative check to authorize the user on
individual methods.
[PrincipalPermission(SecurityAction.Demand, Role = “SPL\\accounting")]
public string GetData(string message)
{
return "hello";
}
• Perform role-checks imperatively using
IsUserInRole() method.
• Use programmatic check to authorize the user
based on business logic.
if(Roles.IsUserInRole(@“SPL\Accounting“))
{
//business operation for accounting
}
else
{
//business operation for others
}
WCF Service SQL:
• The connection string for database is
configured to use Windows Authentication.
The service does not impersonate the original
caller to benefit for connection pooling.
SqlConnection sqlcon = new SqlConnection("Server=10.3.19.11;Database=No
rthwind;IntegratedSecurity=SSPI");
WCF Service SQL:
The service does not impersonate the original
SqlConnection sqlcon = new SqlConnection("Server=10.3.19.11;Database=No
rthwind;IntegratedSecurity=SSPI;TrustedConnection=Yes");
Database Server:
• A SQL Server login is created for the WCF’s
service account (process identity).
exec sp_grantlogin 'Custom Service Account'
Database Server:
• The login is mapped to a database user for the
Web application.
use targetDatabase
go
exec sp_grantdbaccess ' Custom Service Account'
go
Database Server:
• The login is added to the database role.
• Grant minimum permissions. For example
grant execute permissions to selected stored
procedures and provide no direct table access.
use targetDatabase
go
exec sp_addrolemember 'DB Role Name‘, 'Custom Service Account'
go
Database Server - Authentication:
• SQL Server is configured to use Windows
Authentication.
Communication Security:
Browser to Web Server
• Use SSL between the browser and Web server
to protect sensitive data on the wire.
• Install certificate in the Web site. Configure
the virtual directory of the Web application to
use SSL.
Communication Security:
App Server to Database Server
• You can use IPSec or SSL between the App

Server and Database Server to protect
sensitive data on the wire.
Scenario 1 (Internet)
• This scenario applies to you if:
• Your users have Windows Forms clients.
• Your user accounts are stored in SQL.
• Your user roles are stored in SQL.
• Your application transmits sensitive data over
the network that needs to be protected.
• The ability to host the WCF service in IIS is
more important than a high performance
connection between the ASP.NET application
and the WCF service.
• Use username and password to authenticate
users against the SQL Server Membership
Provider.
• Use a service account to call the SQL Server
from WCF.
• Use message security to protect sensitive data
between the ASP.NET application and the WCF
service.
• Use wsHttpBinding to allow IIS to host the
service.
Thick Client - WCF Proxy:
• Thick Client has a proxy reference to the WCF
service.
• The application has access to the WCF
metadata to create a service reference.
WCFTestService.ServiceClient myService = new

WCFTestService.ServiceClient();
• Root CA certificate for the service is installed
in “Trusted Root Certification Authorities.”
• All certificates that are signed with this
certificate will be trusted by the client
machine.
• Pass user credentials to the WCF service when
calling service operations.
myService.ClientCredentials.UserName.UserName= "username";
myService.ClientCredentials.UserName.Password= "p@ssw0rd";
myService.GetData(123);
Application Server – IIS Configuration:
• A dedicated application pool is created and

configured to run under a custom service
account.
• Use a domain account if possible.

Application Server – IIS Authentication:
• The IIS virtual directory is configured to use

Anonymous access.
WCF Service – Configuration:
• ASP.NET database is created for use with SQL
Membership Provider and SQL Role provider.
aspnet_regsql -S .\SQLExpress -E -A r m
• Aspnet_regsql.exe creates the SQL database

to store the user and role information.
• Connection string is configured to point to the
user and role stored in SQL Server.
• The database connection string includes
Integrated Security=SSPI or
TrustedConnection=Yes for Windows
Authentication.
<add name="MyLocalSQLServer" connectionString="Initial
Catalog=aspnetdb;data source=localhost;Integrated
Security=SSPI;" />
• SqlMembershipProvider is configured to use
with Membership.
<membership defaultProvider="MySqlMembershipProvider">
<providers>
<clear/>
<add name="MySqlMembershipProvider"
connectionStringName="MyLocalSQLServer"
applicationName="MyAppName"
type="System.Web.Security.SqlMembershipProvider"/>
</providers>
</membership>
• The membership feature helps protect
credentials, can enforce strong passwords,
and provides consistent APIs for user
validation and secure user management.
• Role Manager feature is enabled and
SqlRoleProvider is configured for roles
authorization.
<roleManager enabled="true”defaultProvider="MySqlRoleProvider" >
<providers>
<clear/>
<add name="MySqlRoleProvider”
connectionStringName="MyLocalSQLServer”
applicationName="MyAppName”
type="System.Web.Security.SqlRoleProvider"
/>
</providers>
</roleManager>
• WCF Service process identity is given access
permissions on the ASP.NET database.
• Your WCF service process identity requires

access to the Aspnetdb database.
• WCF Service is configured to use
wsHttpBinding binding.
• wsHttpBinding uses the HTTP protocol and

provides full support for SOAP security,
transactions, and reliability. As clients are in
the Internet, this is the only choice.
• WCF Service – Configuration:
<endpoint address="" binding="wsHttpBinding"

bindingConfiguration="BindingConfiguration"
name="WsBinding" contract="IService"/>
• WCF Service – Authentication:
• wsHttpBinding is configured to use Username
Authentication and Message security.
<wsHttpBinding>
<binding name="BindingConfiguration">
<security>
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
• Service behavior is configured to use
membership provider for using with username
authentication.
<userNameAuthentication
userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="MySqlMembershipProvider" />
• Service behavior is configured to publish
metadata.
<serviceMetadata httpGetEnabled="true" />

• Service certificate is installed on the WCF
Service machine. The service behavior is
configured to use the service certificate.
<serviceCertificate findValue="CN=machine.domain.com" />
• This is required for protecting the user

credentials in the message.
• WCF Service – Authorization:
• Service behavior is configured to use
AspNetRoles with SqlRoleProvider.
<serviceAuthorization
principalPermissionMode="UseAspNetRoles"
roleProviderName="MySqlRoleProvider" />
• WCF Operations areconfigured to do role
checks at operation level,declaratively.
[PrincipalPermission(SecurityAction.Demand, Role="Managers")]
public string GetData(int value)
{
return string.Format("You entered: {0}", value);
}
• Declarative role-checks on operations is the

preferred mechanism.
• Roles APIs are used to do programmatic roles
checks, for fine grained access control.
If(Roles.IsUserInRole(“Manager”))
{
// do something for the manager
}
else
{
// throw an error.
}
• WCF Service – SQL:
SqlConnection sqlcon = new

SqlConnection("Server=10.3.19.11;Database=Northwind;IntegratedSecurity=SSPI
");
• WCF Service – SQL:
• Open the database connection using the WCF
process identity’s security context.
• Service does not impersonate the original

WCF Security Checklist
Questions?

WCF Security

Uploaded by

Copyright:

Available Formats

WCF Security

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

WCF Security

Uploaded by

Copyright:

Available Formats

WCF Security

• If you need to expose your WCF service to

• If you need to support WCF clients within an

• Transport Level (Point-to-Point)

• Security is only on point-to-point basis, no

• Heterogeneous security architecture

• Routing through intermediate app nodes.

• Supports multiple encryption technologies.

• Your choice of binding will also play a role in

• Impersonation is used to access resources on

• You can use the ImpersonationOption

• WCF service auditing can allow you to detect

• Auditing can help you debug security-related

• Your application transmits sensitive data over

• A high-performance connection between the

• The Web application is configured to run

setspn -a HTTP//WebServer.domain.com customDomainAccount

• Create an SPN for both the DNS and NETBIOS

• If you use a network service account, enable

• The IIS virtual directory is configured to use

• ASP.NET is configured for Windows Integrated

<authentication mode = "Windows" >

• The Web application will authenticate the

• Roles authorization can be performed

• You can use IPSec or SSL between the App

WCFTestService.ServiceClient myService = new

• A dedicated application pool is created and

• Use a domain account if possible.

• The IIS virtual directory is configured to use

• Aspnet_regsql.exe creates the SQL database

• Your WCF service process identity requires

• wsHttpBinding uses the HTTP protocol and

<endpoint address="" binding="wsHttpBinding"

<serviceMetadata httpGetEnabled="true" />

<serviceCertificate findValue="CN=machine.domain.com" />

• This is required for protecting the user

• Declarative role-checks on operations is the

SqlConnection sqlcon = new

• Service does not impersonate the original

You might also like