Security Model (Windows Server AppFabric Caching)

  • Article

Windows Server AppFabric caching features provide several options for managing security. By default, communication between cache clients and the cache cluster use both encryption and signing. In addition, you must explicitly add a Windows account to the list of allowed accounts before the associated user can access the cache cluster.

Cache Cluster Security Settings

There are two protection modes that can be set on the cache cluster: None and Transport. When set to None, the data sent between the cache cluster and cache clients is not encrypted or signed. This potentially exposes the data to malicious network attacks that log or modify data. In addition, any cache clients can communicate with the cache cluster, even if they have not explicitly been granted access. When the protection mode is set to the default Transport setting, only permitted Windows accounts can access the cache cluster.

There are three protection levels for the data sent between a cache cluster and cache clients: None, Sign, and EncryptAndSign. A setting of None provides no additional security. A setting of Sign protects the data on the network from tampering. A setting of EncryptAndSign encrypts the data before signing it. Sign and EncryptAndSign can only be specified when the security mode is set to Transport.

To change the security mode or protection level for the cache cluster, use the Set-CacheClusterSecurity Windows PowerShell command.

Note

When the security is enabled, the AppFabric Caching Service must run under an appropriate identity. For domain environments, this should be the built-in "NT Authority\Network Service" account. For workgroup environments, this should be a local machine account. However, there is one exception to the service account setting for a domain environment. When security is disabled by setting the security mode to None, it is possible to run the AppFabric Caching Service as a specific domain account other than Network Service.

Cache Client Security Settings

As with the cache cluster security settings, the cache client can configure security settings in the application configuration file using the securityProperties element. Or the client can programmatically configure security using the DataCacheSecurity class in conjunction with the SecurityProperties property of the DataCacheFactoryConfiguration class. For more information, see Application Configuration Settings (Windows Server AppFabric Caching).

It is important that the cache client and cache cluster use security settings that enable a connection. In the table below, the columns represent the server security setting and the rows represent the client security setting. Each combination is listed as "Pass" or "Fail" depending on whether the connection is allowed.

Client Settings Mode=None, ProtectionLevel=Any Mode=Transport, ProtectionLevel=None Mode=Transport, ProtectionLevel=Sign Mode=Transport, ProtectionLevel=EncryptAndSign

None, Any

Pass

Fail

Fail

Fail

Transport, None

Fail

Pass

Fail

Fail

Transport, Sign

Fail

Pass

Pass

Fail

Transport, EncryptAndSign

Fail

Pass

Pass

Pass

Allowed Client Accounts

When the security mode is set to Transport, any cache clients attempting to connect to the cache cluster must be explicitly allowed. This is done by using the Grant-CacheAllowedClientAccount command in Windows PowerShell. For more information, see Using Windows PowerShell to Manage Windows Server AppFabric Caching Features.

Security Configuration Wizard

AppFabric supports the use of the Security Configuration Wizard (SCW) on Windows Server 2008. You can register a provided template file with SCW that will specify the minimal settings that AppFabric caching requires to run. Although the template file WindowsServerAppFabric.xml is installed with AppFabric, you must manually register it with SCW before using the tool. The following steps describe this process.

  1. Locate the WindowsServerAppFabric.xml file in the .\Windows\System32\AppFabric directory.

  2. Open the WindowsServerAppFabric.xml file. Ensure that the operating system version information in the SCWKBRegistrationInfo element matches your current machine. If not, change the attributes according to the following table and save the changes.

    Operating System OSMajorVersion OSMinorVersion ServicePackMajorVersion ServicePackMinorVersion

    Windows Server 2008

    6

    0

    0

    0

    Windows Server 2008 SP1

    6

    0

    1

    0

    Windows Server 2008 SP2

    6

    0

    2

    0

    Windows Server 2008 R2

    6

    1

    0

    0

  3. Open an administrative command prompt.

  4. Run the following command:

    scwcmd register /kbname:appfabric /kbfile:%windir%\System32\AppFabric\WindowsServerAppFabric.xml

When using the Security Configuration Wizard administrative tool, you should now see an installed role called "Windows Server AppFabric Caching Service".

See Also

Concepts

Using Windows PowerShell to Manage Windows Server AppFabric Caching Features
Windows Server AppFabric Caching Concepts