Proxy Considerations
When creating a WCF service proxy, clients need to access metadata that may include sensitive data such as the service location. It is important to secure this metadata because attackers can use the information to target and exploit your WCF services.
Consider the following guidelines when exposing your service metadata for client proxy creation:
- Publish your WCF service metadata only when required.
- If you need to publish your WCF service metadata, publish it over the HTTPS protocol.
- If you need to publish your WCF service metadata, publish it using a secure binding.
- If you turn off mutual authentication, be aware of service spoofing.
Publish your WCF service metadata only when required
Set the httpGetEnabled and httpsGetEnabled attributes to false on the serviceMetadata element, and remove any endpoints configured on your service that implement IMetadataExchange contracts.
This is especially important after your clients are built and deployed, and if you do not need other clients to discover and use the WCF service. If the metadata is exposed, unwanted clients will be able to generate proxy files (e.g., by using Svcutil.exe) and inspect potentially sensitive methods and parameters offered by the service. If your client programs already have access to the service proxy, set the httpGetEnabled attribute to false.
The following configuration disables sharing of service metadata:
<serviceMetadata httpGetEnabled="False" httpsGetEnabled="False"/>
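The following configuration is an added example, not taken from the original page, that shows the serviceMetadata setting together with the second half of the guideline: the removal of the IMetadataExchange endpoint. The service name Contoso.OrderService and contract Contoso.IOrderService are hypothetical.

```xml
<!-- Added example (not from the original page). Service and contract names
     (Contoso.OrderService, Contoso.IOrderService) are hypothetical. -->
<system.serviceModel>
  <services>
    <service name="Contoso.OrderService" behaviorConfiguration="NoMetadata">
      <!-- The application endpoint stays; deployed clients already hold a generated proxy. -->
      <endpoint address="" binding="wsHttpBinding" contract="Contoso.IOrderService" />
      <!-- The metadata exchange endpoint has been removed. If it were left in place,
           WS-MetadataExchange requests would still return the contract even though
           HTTP GET is disabled below:
           <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> -->
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="NoMetadata">
        <!-- Disable WSDL retrieval via GET on both HTTP and HTTPS. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

After deploying, request the service address with ?wsdl appended and confirm that no WSDL document is returned; a remaining mex endpoint or a true httpGetEnabled value on another behavior applied to the same service will otherwise still expose the contract.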
Additional Resources
- For more information on publishing metadata endpoints, see Publishing Metadata.
- For more information, see Security Considerations with Metadata.
If you need to publish your WCF service metadata, publish it over the HTTPS protocol
Publish your service metadata over Secure HTTP (HTTPS) to protect clients from being spoofed when adding a service reference. Clients cannot be certain that they have added a reference to the right service if you expose your service metadata over HTTP. The service may have been spoofed through Domain Name System (DNS) poisoning or a man-in-the-middle attack.
To publish your service metadata over HTTPS, use mexHttpsBinding and configure a server certificate for the service.
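As an added example (not from the original page), the following configuration publishes metadata only over HTTPS using mexHttpsBinding. The host name orders.example.com, the service Contoso.OrderService and the contract Contoso.IOrderService are hypothetical.

```xml
<!-- Added example (not from the original page). Host name orders.example.com,
     service Contoso.OrderService and contract Contoso.IOrderService are hypothetical. -->
<system.serviceModel>
  <services>
    <service name="Contoso.OrderService" behaviorConfiguration="HttpsMetadata">
      <host>
        <baseAddresses>
          <!-- HTTPS-only base address: no plain HTTP listener is created for this service. -->
          <add baseAddress="https://orders.example.com/OrderService" />
        </baseAddresses>
      </host>
      <!-- Application endpoint over TLS so it matches the HTTPS base address. -->
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="TransportOnly"
                contract="Contoso.IOrderService" />
      <!-- Metadata exchange over HTTPS (mexHttpsBinding) rather than mexHttpBinding. -->
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="TransportOnly">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="HttpsMetadata">
        <!-- WSDL via GET is allowed on the HTTPS address only. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The server certificate itself is not configured in this file: for an IIS-hosted service it is attached to the site's HTTPS binding, and for a self-hosted service it is bound to the port with netsh http add sslcert. The protection against spoofing depends on clients validating that certificate against the host name they requested and on the certificate chaining to a CA the clients trust; a client that is configured to ignore certificate errors gets none of the benefit.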
Additional Resources
- For more detailed steps, see How to: Secure Metadata Endpoints.
- For more information on publishing metadata, see Publishing Metadata.
- For more information, see Security Considerations with Metadata.
If you need to publish your WCF service metadata, publish it using a secure binding
To protect service metadata from unauthorized access, you can use a secure binding for your metadata endpoint. The service metadata that a WCF service publishes contains a detailed description of the service and may intentionally or unintentionally contain sensitive information. For example, service metadata may contain information about infrastructure operations that was not intended to be broadcast publicly.
You can use any standard binding that has security features for the mex service endpoint. The only requirement is that the endpoint use the IMetadataExchange contract.
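The following added example (not from the original page) places the metadata endpoint on wsHttpBinding with message security so that callers must authenticate before the metadata is returned. The service and contract names are hypothetical; the binding configuration name SecureMex is chosen here for illustration.

```xml
<!-- Added example (not from the original page). Service and contract names are hypothetical. -->
<system.serviceModel>
  <services>
    <service name="Contoso.OrderService" behaviorConfiguration="ProtectedMetadata">
      <endpoint address="" binding="wsHttpBinding" contract="Contoso.IOrderService" />
      <!-- Metadata endpoint on a standard secure binding instead of mexHttpBinding.
           The contract must still be IMetadataExchange. -->
      <endpoint address="mex" binding="wsHttpBinding" bindingConfiguration="SecureMex"
                contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <!-- Message security with Windows credentials: the caller is authenticated
           before any WSDL is returned, and the metadata is signed and encrypted. -->
      <binding name="SecureMex">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ProtectedMetadata">
        <!-- No anonymous GET of WSDL; metadata is reachable only through the secured mex endpoint.
             The serviceMetadata behavior must still be present for the mex endpoint to work. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

Because the metadata endpoint no longer uses the default mex binding, clients need a matching client-side binding configuration to retrieve it; a plain Svcutil.exe call against the address will not authenticate on its own. This is the intended trade-off: only callers who already hold valid credentials can learn what the service offers.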
Additional Resources
- For more information on using secure bindings, see Nicholas Allen's blog.
- For more information, see Security Considerations with Metadata.
If you turn off mutual authentication, be aware of service spoofing
Be aware that your service may be spoofed by a malicious attacker if you are running your service in a scenario in which mutual authentication has been turned off. Without mutual authentication, calls to your service could be diverted to a malicious service through DNS poisoning or a man-in-the-middle attack.
The following scenarios result in mutual authentication being turned off:
- If you turn off message and transport security on your binding
- If you use basicHttpBinding, which has message and transport security turned off by default
- If you use NTLM authentication
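As an added example (not from the original page), the following binding fragment shows basicHttpBinding in its default, unauthenticated state next to a configuration that restores mutual authentication through transport security with client certificates. The binding and service names are hypothetical.

```xml
<!-- Added example (not from the original page). Binding, service and host names are hypothetical. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- WEAK: basicHttpBinding as shipped. The security mode defaults to None,
           written out here explicitly. There is no transport or message security,
           so the client cannot verify which service answered the call. -->
      <binding name="Unauthenticated">
        <security mode="None" />
      </binding>

      <!-- CORRECTED: transport security with certificate client credentials.
           TLS authenticates the service to the client through the server certificate,
           and the client certificate authenticates the client to the service. -->
      <binding name="MutuallyAuthenticated">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="Contoso.OrderService">
      <!-- The endpoint must use an https address for the Transport mode binding. -->
      <endpoint address="https://orders.example.com/OrderService"
                binding="basicHttpBinding" bindingConfiguration="MutuallyAuthenticated"
                contract="Contoso.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

With the corrected binding, a call diverted by DNS poisoning or a man-in-the-middle fails unless the attacker can present a certificate that is valid for the requested host name and trusted by the client. If Windows credentials are used instead of certificates, mutual authentication holds only when Kerberos is negotiated; a fallback to NTLM, as the list above notes, leaves the service unauthenticated to the client.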
Additional Resources
- For more information on authentication, see Authentication.
- For more information on choosing a transport, see Choosing a Transport.