I am building a WCF service that needs to be secured, as the information that the client exchanges with the service is sensitive to the company. I am planning to have it hosted on IIS 6. What would be the best practice to make sure that nobody but the client application can call the service to get/set data?
The service calls need to happen under the user's real identity as all the calls have to be monitored and audited. I am planning to use PolicyInjection for audit calls.
It all depends.
But basically there are two main approaches:
Transport security with SSL with basicHttpBinding
SSL security with wsHttpBinding
If you provide more information, I should be able to help you more.
There are certain aspects of security:
1) Data integrity: no one has tampered with the data, but the data itself is not secret. This is achieved by signing.
2) Data security: this is so that no one can see sensitive/secret information. This is done by encryption.
3) Authentication: this is done by sending a username/password or using certificates. This makes sure the person is who they claim to be.
4) Authorization: This is to make sure the person has access to the specific features in the service.
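The first option above (transport security over SSL with basicHttpBinding) combined with the asker's requirement that calls run under the user's real identity, as an added example that is not part of either answer. It is self-hosted C# rather than an IIS web.config so it runs from a console project; under IIS 6 the same binding settings go into the basicHttpBinding element of web.config, with SSL required and Integrated Windows authentication enabled on the site. The service URL, the domain group `CORP\OrderReaders` and the `Audit` class are assumptions, and the example assumes a server certificate is already bound to the port (netsh http add sslcert).

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrderSummary(int orderId);
}

// Hypothetical audit sink. PolicyInjection or a message inspector would normally
// do the recording; the point here is which identity is available to record.
public static class Audit
{
    public static void Record(string user, string operation, object argument)
    {
        Console.WriteLine("{0:o} user={1} op={2} arg={3}", DateTime.UtcNow, user, operation, argument);
    }
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class OrderService : IOrderService
{
    // Authorization: WCF demands membership in this (assumed) domain group before the
    // method body runs; other callers get a SecurityAccessDeniedException.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CORP\OrderReaders")]
    public string GetOrderSummary(int orderId)
    {
        // The Windows account that authenticated on the HTTPS transport: the user's
        // real identity, not an application-wide credential baked into the client.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        Audit.Record(caller.Name, "GetOrderSummary", orderId);
        return string.Format("order {0} summary (read by {1})", orderId, caller.Name);
    }
}

public static class Server
{
    public static ServiceHost Start(Uri address)
    {
        // Transport security: TLS provides confidentiality and integrity on the wire;
        // the client authenticates with Windows (Kerberos/NTLM) credentials.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var host = new ServiceHost(typeof(OrderService), address);
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");
        host.Open();
        return host;
    }
}

public static class Client
{
    public static string Call(Uri address)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        // No explicit credentials: the proxy sends the logged-on user's Windows token,
        // so there is no shared secret in the client binary for an attacker to extract.
        var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(address));
        return factory.CreateChannel().GetOrderSummary(42);
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed address; a server certificate must already be bound to this port.
        var address = new Uri("https://orders.example.internal:8443/OrderService");
        using (Server.Start(address))
        {
            Console.WriteLine(Client.Call(address));
        }
    }
}
```

Because the credential is the Windows logon, a decompiled or modified client gains nothing beyond what its user could already do, and every audit record names that user rather than a shared service account.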
I'm planning on deploying a WCF service to multiple devices to receive notifications of certain events. All of the events will originate from a client machine that can provide a certificate to the service to authenticate.
I'm less concerned about the client authenticating each service, but I'm having difficulty choosing the proper WCF security settings to provide this setup. It appears that message-level security requires a client certificate and a service certificate.
But the devices hosting the service will not be able to be maintained in a way that allows us to update the service certificate periodically when it expires. So here are my questions:
Is there a way to set up a WCF service for client certificate authentication without a service certificate on the server?
Is there a simpler approach for verifying the identity of the caller that I'm missing?
I apologize for the brevity of this answer, but it is better to think of it as a Server certificate, rather than a Service certificate. Multiple services could use the same certificate, and you can work around the expiration by not checking for expiration client side. In terms of is there any easier way, WCF supports a variety of authentication and authorization models, here's some useful links.
http://msdn.microsoft.com/en-us/library/ee748498.aspx
http://msdn.microsoft.com/en-us/library/ms733131(v=vs.110).aspx
I am moving from ASMX web services across to WCF. With ASMX, for security purposes I passed a password as a parameter to my web methods. I'd like to introduce a better layer of security going forward. Theoretically an attacker could decompile my application that consumes the web service, extract the password and consume the web service maliciously. Can I make it in some way so that the web service can only be consumed by my client application and not by any other means, including a decompiled version of its executable? Does WCF introduce any superior security methods? I notice that the client object that consumes the web services has properties for credentials. What exactly are these properties and how are they implemented?
A good way to add security, when using WCF, is through message security (WCF also supports transport security but this has some quirks) which is configured in the binding on an endpoint, very straightforward. With this security you authenticate clients via a username or password or even a SQL membership store (with the correct configuration)
Check this example out:
http://dotnetmentors.com/wcf/wcf-message-level-security-by-example.aspx
Biggest benefits are quick bolting on of secure messaging and not having username and password parameters on your operations!
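Message security with a username credential, as an added example that is neither the answer's nor the linked article's code. It shows the server-side validator that the "credentials" properties on the client feed into, and the client setting `Credentials.UserName` instead of passing a password as an operation parameter. The endpoint address, the certificate subject name `inventory.example.internal`, the user name and password are all assumptions; the example assumes a service certificate with that subject is installed in LocalMachine\My and chains to a root the client trusts.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IInventoryService
{
    [OperationContract]
    int GetStock(string sku);
}

public class InventoryService : IInventoryService
{
    public int GetStock(string sku)
    {
        // The validated user name is available to the operation for logging/authorization
        string user = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        Console.WriteLine("GetStock({0}) called by {1}", sku, user);
        return 7; // constructed stock level
    }
}

// Server-side credential check invoked by WCF for every UserName token it receives.
// Replace the hard-coded pair with a lookup against the real user store; never log the password.
public class StoreUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "app-client" || password != "correct horse battery staple")
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

public static class Server
{
    public static ServiceHost Start(Uri address)
    {
        // Message security: the client encrypts the UserName token with the service
        // certificate's public key, so the password is protected end to end over plain HTTP.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(InventoryService), address);
        host.AddServiceEndpoint(typeof(IInventoryService), binding, "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "inventory.example.internal");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new StoreUserNameValidator();
        host.Open();
        return host;
    }
}

public static class Client
{
    public static int Call(Uri address)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // The DNS identity must match the service certificate's subject name
        var endpoint = new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity("inventory.example.internal"));
        var factory = new ChannelFactory<IInventoryService>(binding, endpoint);

        // These are the credential properties the question asks about: WCF turns them
        // into a WS-Security UserName token in the SOAP header of every request.
        factory.Credentials.UserName.UserName = "app-client";
        factory.Credentials.UserName.Password = "correct horse battery staple";
        return factory.CreateChannel().GetStock("SKU-1");
    }
}

public static class Program
{
    public static void Main()
    {
        var address = new Uri("http://localhost:8080/Inventory"); // assumed
        using (Server.Start(address))
        {
            Console.WriteLine(Client.Call(address));
        }
    }
}
```

This protects the password on the wire and keeps it off the operation signatures, but a password compiled into the client is still extractable by decompilation; what message security changes is where the secret is validated and how it travels, not whether a copied client can present it. Per-user credentials (or Windows authentication) are what stop one leaked secret from standing in for every user.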
I have a WCF service that needs some authentication functionality
The service is exposed by a SOAP endpoint and a REST one. (i.e. the authentication mechanism should be usable from both types of clients)
I have custom user/password authentication on the back end.
I need the credentials to be passed from the client in plaintext, i.e. unencrypted (service runs in corporate VPN, password is already hashed).
What's the most elegant way to handle this?
Thanks.
For username+password authentication, the currently recommended way is to use UserNameSecurityTokenHandler:
http://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.usernamesecuritytokenhandler.aspx
You need System.IdentityModel, which is the newest version; do not mistake it for Microsoft.IdentityModel.
It works great with SOAP when you're able to generate proxy classes on the client side. You simply have to supply credentials to your client proxy class and handle the logic on the server side via the mentioned token handler.
I would strongly suggest using this blog as a reference; just search for blog comments that contain the word WCF. Dominick is one of the top experts in the field.
http://www.leastprivilege.com/
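The UserNameSecurityTokenHandler approach from the answer, as an added example that is not the answer's own code (it targets .NET 4.5, where the System.IdentityModel token handlers are wired into WCF through ServiceCredentials.IdentityConfiguration). It also shows the binding the asker's constraint calls for: a UserName token over plain HTTP, which WCF refuses by default and which AllowInsecureTransport (.NET 4.0 and later) enables. The `BackendUsers` table, the user name, the stored hash value and the service address are constructed stand-ins.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Channels;

[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string WhoAmI();
}

public class ReportService : IReportService
{
    public string WhoAmI()
    {
        // With UseIdentityConfiguration the caller is the ClaimsPrincipal built from
        // the identities the token handler returned.
        return OperationContext.Current.ClaimsPrincipal.Identity.Name;
    }
}

// Constructed stand-in for the custom back-end user store (user name -> stored hash).
public static class BackendUsers
{
    private static readonly Dictionary<string, string> Store = new Dictionary<string, string>
    {
        { "alice", "hashed-password-for-alice" }   // constructed value
    };

    public static bool IsValid(string userName, string presentedHash)
    {
        string stored;
        return Store.TryGetValue(userName, out stored) && stored == presentedHash;
    }
}

// WCF hands this handler the UserName token from the SOAP security header. It returns
// a ClaimsIdentity for a valid pair and throws for anything else.
public class BackendUserNameTokenHandler : UserNameSecurityTokenHandler
{
    public override bool CanValidateToken { get { return true; } }

    public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
    {
        var userNameToken = token as UserNameSecurityToken;
        if (userNameToken == null)
            throw new SecurityTokenException("Expected a UserNameSecurityToken.");

        // The question states the client already sends the password hashed, so the
        // back end compares the presented value against the stored one.
        if (!BackendUsers.IsValid(userNameToken.UserName, userNameToken.Password))
            throw new SecurityTokenValidationException("Invalid credentials.");

        var identity = new ClaimsIdentity(AuthenticationTypes.Password);
        identity.AddClaim(new Claim(ClaimTypes.Name, userNameToken.UserName));
        return new ReadOnlyCollection<ClaimsIdentity>(new[] { identity });
    }
}

public static class Bindings
{
    public static Binding UserNameOverPlainHttp()
    {
        // UserName token over HTTP without TLS. AllowInsecureTransport is the switch that
        // permits it; the question's justification is the corporate VPN and the pre-hashed password.
        var security = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        security.AllowInsecureTransport = true;
        return new CustomBinding(security, new TextMessageEncodingBindingElement(), new HttpTransportBindingElement());
    }
}

public static class Server
{
    public static ServiceHost Start(Uri address)
    {
        var host = new ServiceHost(typeof(ReportService), address);
        host.AddServiceEndpoint(typeof(IReportService), Bindings.UserNameOverPlainHttp(), "");
        host.Credentials.UseIdentityConfiguration = true;
        host.Credentials.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(new BackendUserNameTokenHandler());
        host.Open();
        return host;
    }
}

public static class Client
{
    public static string Call(Uri address)
    {
        var factory = new ChannelFactory<IReportService>(Bindings.UserNameOverPlainHttp(), new EndpointAddress(address));
        factory.Credentials.UserName.UserName = "alice";
        factory.Credentials.UserName.Password = "hashed-password-for-alice"; // constructed, already-hashed value
        return factory.CreateChannel().WhoAmI();
    }
}

public static class Program
{
    public static void Main()
    {
        var address = new Uri("http://localhost:8080/Reports"); // assumed
        using (Server.Start(address)) Console.WriteLine(Client.Call(address));
    }
}
```

The handler is invoked by the SOAP security stack, so it covers the SOAP endpoint directly; for the REST (webHttpBinding) endpoint there is no WS-Security header, and the usual pattern is to read the credentials from the HTTP request in an IDispatchMessageInspector, build a UserNameSecurityToken and call the same handler's ValidateToken, which keeps one validation path for both clients. Note that a client-side hash sent in clear is simply the credential as far as anyone on the wire is concerned; the VPN is what is doing the protecting here.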
I'm kinda new in the mobile world and wcf world.
I have developed a mobile app that communicates with a WCF service.
What security topics should I look into?
I do not know much about security either ... usually you try to secure the channel? the messages being sent?
When you decide on security you usually deal with the following terms:
Confidentiality - ensures that only supposed recipient can read and understand the message
Integrity - ensures that message cannot be changed during transmission
Authentication - ensures that only callers with allowed identity can use the service
Authorization - ensures that only callers with the exact claim are allowed to call a given method
Authorization is always handled in code. Confidentiality, integrity and authentication can be handled at the message level, the transport level or in mixed mode. Based on my very small knowledge about CF, I suggest you should be able to use transport security = HTTPS to provide integrity, confidentiality and also Basic HTTP authentication. CF should also allow using message security secured by certificates (which also provides integrity, confidentiality and authentication).
MSDN contains an example for creating a service and a CF client secured by HTTPS with a client certificate (used for authentication).
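HTTPS with client-certificate authentication, the setup the previous sentence points at and also the one the earlier notification-service question (client certificate to the service) was about, as an added example that is not the code of either answer or of the MSDN sample. It is self-hosted C# on the desktop framework; a Compact Framework client would use the generated proxy with the same certificate settings. The service address, the certificate subject names and the thumbprint allow-list are assumptions, and the example assumes a server certificate is already bound to the port.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface INotificationService
{
    [OperationContract]
    string Notify(string eventName);
}

public class NotificationService : INotificationService
{
    public string Notify(string eventName)
    {
        // For certificate authentication the primary identity is derived from the
        // client certificate (subject name plus thumbprint), usable for auditing.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return string.Format("{0} accepted from {1}", eventName, caller);
    }
}

// Accept only client certificates whose thumbprint is on an explicit allow-list.
// The list is effectively a credential store and must be managed as one.
public class ThumbprintValidator : X509CertificateValidator
{
    private readonly HashSet<string> allowed;

    public ThumbprintValidator(IEnumerable<string> thumbprints)
    {
        allowed = new HashSet<string>(thumbprints, StringComparer.OrdinalIgnoreCase);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (!allowed.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException("Client certificate not on the allow-list: " + certificate.Subject);
    }
}

public static class Server
{
    public static ServiceHost Start(Uri address, IEnumerable<string> allowedThumbprints)
    {
        // Transport security: TLS for confidentiality/integrity, client certificate for authentication
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var host = new ServiceHost(typeof(NotificationService), address);
        host.AddServiceEndpoint(typeof(INotificationService), binding, "");
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
        host.Credentials.ClientCertificate.Authentication.CustomCertificateValidator = new ThumbprintValidator(allowedThumbprints);
        host.Open();
        return host;
    }
}

public static class Client
{
    public static string Send(Uri address, string eventName)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var factory = new ChannelFactory<INotificationService>(binding, new EndpointAddress(address));
        // Client certificate (with private key) from CurrentUser\My; assumed subject name
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "notifier.example.internal");
        return factory.CreateChannel().Notify(eventName);
    }
}

public static class Program
{
    public static void Main()
    {
        var address = new Uri("https://device01.example.internal:8443/Notify"); // assumed
        // Assumed thumbprint of the notifier's certificate; read it from the real certificate
        var allowed = new[] { "0000000000000000000000000000000000000000" };
        using (Server.Start(address, allowed)) Console.WriteLine(Client.Send(address, "backup-complete"));
    }
}
```

Two caveats a practitioner will hit: under http.sys and IIS the TLS handshake itself already requires the presented client certificate to chain to a root the server trusts, so the custom validator narrows what is accepted rather than replacing chain validation; and the server still needs its own certificate for the HTTPS listener, which is the "server certificate" the earlier answer refers to.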
Let's say we have a WCF service like the one from the MSDN examples -- C#, calculatorservice, with all the service settings on default.
If I were a hacker and I knew that calculatorservice was something important that I want to make stop working, I could simply hack the code for the service references and make an application of my own that creates 10 clients. These clients would call a random (non-terminating) method on calculatorservice every now and then, to keep the session alive, and never close.
Now obviously, since all 10 sessions are taken (or whatever the maximum number of sessions is), no one can access calculatorservice; it is completely blocked!
How can we protect our services from that?
If you're afraid a malicious hacker will clog up your service with bogus sessions, then don't use sessions! Use the "per-call" approach, and authenticate your users, e.g. make sure they're either in your Windows/AD domain, or they do have knowledge of a username/password to make calls to your service.
Should a malicious hacker get a valid username/password combination for your service, then you cannot do much to stop him from constantly sending you 10 or 20 concurrent requests and clogging up your service - at least not at the WCF service level. WCF provides service throttling behaviors to prevent 1000s of malicious concurrent calls in order to protect your server from being flooded and crashed.
If you need to keep away specific IP's or ranges of IP's, you'll have to approach that earlier on - in your routers/firewalls - the WCF service can't really help you there.
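The per-call, authenticated, throttled configuration the answer recommends, as an added example rather than the answer's own code or the MSDN calculator sample. The contract forbids sessions outright, the service is PerCall so nothing survives between requests for an attacker to hold open, transport security with Windows credentials authenticates every call, and ServiceThrottlingBehavior bounds concurrency. The address and the limits are assumptions; the example assumes a server certificate is bound to the port.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// SessionMode.NotAllowed: a client cannot even establish a session against this contract,
// so the "hold 10 sessions open forever" attack has nothing to hold.
[ServiceContract(SessionMode = SessionMode.NotAllowed)]
public interface ICalculator
{
    [OperationContract]
    double Add(double a, double b);
}

// PerCall: every request gets a fresh instance that is discarded when the call returns.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall, ConcurrencyMode = ConcurrencyMode.Single)]
public class CalculatorService : ICalculator
{
    public double Add(double a, double b)
    {
        // The authenticated Windows account is available if per-user accounting is wanted
        Console.WriteLine("Add by {0}", ServiceSecurityContext.Current.WindowsIdentity.Name);
        return a + b;
    }
}

public static class Server
{
    public const int MaxConcurrent = 64; // assumed limit; size it to the server, not the attacker

    public static ServiceHost Start(Uri address)
    {
        // Transport security with Windows credentials: the default wsHttpBinding uses
        // message security with a secure-conversation session per client; HTTPS has no
        // such session, and every call is authenticated on its own.
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var host = new ServiceHost(typeof(CalculatorService), address);
        host.AddServiceEndpoint(typeof(ICalculator), binding, "");

        // Throttling caps in-flight work; excess calls wait and eventually time out
        // instead of exhausting threads and memory. The behavior is not in the
        // collection by default, so add it if it is missing.
        var throttle = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (throttle == null)
        {
            throttle = new ServiceThrottlingBehavior();
            host.Description.Behaviors.Add(throttle);
        }
        throttle.MaxConcurrentCalls = MaxConcurrent;
        throttle.MaxConcurrentInstances = MaxConcurrent;
        throttle.MaxConcurrentSessions = MaxConcurrent;

        host.Open();
        return host;
    }
}

public static class Client
{
    public static double Add(Uri address, double a, double b)
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        var factory = new ChannelFactory<ICalculator>(binding, new EndpointAddress(address));
        return factory.CreateChannel().Add(a, b);
    }
}

public static class Program
{
    public static void Main()
    {
        var address = new Uri("https://calc.example.internal:8443/Calculator"); // assumed
        using (Server.Start(address)) Console.WriteLine(Client.Add(address, 2, 3));
    }
}
```

If the contract must keep sessions (for example a reliable or secure-conversation session), the binding's ReceiveTimeout and the security session settings are what bound how long an idle session can be held; combined with MaxConcurrentSessions that limits the damage one authenticated account can do, but as the answer says, a caller with valid credentials who keeps sending requests can only be dealt with by rate limiting or blocking in front of WCF.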
The best thing to do would be to secure your WCF service:
In this article I will show you how you can implement security on a WCF service. There are many options and extensibility points for implementing security in WCF. You can also use specific products, such as the Windows 2003 Server Authorization Manager, together with WCF to implement the authorization requirements of a solution. Out of the box, WCF supports Windows credentials, Username Tokens and X.509 Digital Certificates as security credentials.