Improving Web Services Security: Scenarios and Implementation Guidance for WCF
patterns & practices Developer Center
J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher
Microsoft Corporation
February 2009
Summary
This guide shows you how to make the most of Microsoft® Windows Communication Foundation (WCF). WCF is Microsoft's solution for developing applications based on a service-oriented architecture (SOA) methodology. The guide contains proven practices, end-to-end application scenarios, guidelines, a Q&A, and task-based “how-to” articles.
Download the Guide
This guide is available in a downloadable PDF form on Codeplex.
Abstract
Using end-to-end application scenarios, this guide shows you how to design and implement authentication and authorization in WCF. You will learn how to improve the security of your WCF services through prescriptive guidance, including guidelines, a Q&A, practices at a glance, and step-by-step how-to articles. The guide is the result of a collaborative effort between patterns & practices, WCF team members, and industry experts.
Table of Contents
Getting Started
- Foreword by Nicholas Allen
- Foreword by Rockford Lhotka
- Introduction
- Solutions at a Glance
- Fast Track: A Guide for Getting Started and Applying the Guidance
Part I: Security Fundamentals for Web Services
This part gives you a quick overview of fundamental security concepts as they relate to services, service-oriented design, and Service-Oriented Architecture (SOA).
- Chapter 1: Security Fundamentals for Web Services
- Chapter 2: Threats and Countermeasures for Web Services
- Chapter 3: Security Design Guidelines for Web Services
Part II: Fundamentals of WCF Security
This part gives you a firm foundation in key WCF security concepts, with special attention to authentication, authorization, and secure communication, as well as WCF binding configurations.
- Chapter 4: WCF Security Fundamentals
- Chapter 5: Authentication, Authorization, and Identities in WCF
- Chapter 6: Impersonation and Delegation in WCF
- Chapter 7: Message and Transport Security
- Chapter 8: Bindings
Part III: Intranet Application Scenarios
This part shows you a set of end-to-end intranet application scenarios that you can use to jump-start your application architecture designs, with a focus on authentication, authorization, and communication for your intranet from a WCF perspective.
- Chapter 9: Intranet - Web to Remote WCF Using Transport Security (Original Caller, TCP)
- Chapter 10: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
- Chapter 11: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
- Chapter 12: Intranet - Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
Part IV: Internet Application Scenarios
This part shows you a set of end-to-end Internet application scenarios that you can use to jump-start your application architecture design for the Internet from a WCF perspective.
- Chapter 13: Internet - WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
- Chapter 14: Internet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
- Chapter 15: Internet - Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)
Checklist
Guidelines
Practices
Questions and Answers
"How-to" Articles
- How to: Audit and Log Security Events in WCF Calling from Windows Forms
- How to: Create and Install Temporary Certificates in WCF for Message Security During Development
- How to: Create and Install Temporary Certificates in WCF for Transport Security During Development
- How to: Create and Install Temporary Client Certificates in WCF During Development
- How to: Host WCF in a Windows Service Using TCP
- How to: Impersonate the Original Caller in WCF Calling from a Web Application
- How to: Impersonate the Original Caller in WCF Calling from Windows Forms
- How to: Perform Input Validation in WCF
- How to: Perform Message Validation with Schema Validation in WCF
- How to: Use basicHttpBinding with Windows Authentication and TransportCredentialOnly in WCF from Windows Forms
- How to: Use Certificate Authentication and Message Security in WCF Calling from Windows Forms
- How to: Use Certificate Authentication and Transport Security in WCF Calling from Windows Forms
- How to: Use Delegation for Flowing the Original Caller Credentials to the Back-end in WCF Calling from Windows Forms
- How to: Use Health Monitoring to Instrument a WCF Service for Security
- How to: Use netTcpBinding with Windows Authentication and Message Security in WCF from Windows Forms
- How to: Use netTcpBinding with Windows Authentication and Transport Security in WCF from Windows Forms
- How to: Use Protocol Transition for Impersonating and Delegating the Original Caller in WCF
- How to: Use the SQL Server Role Provider with Username Authentication in WCF Calling from Windows Forms
- How to: Use SQL Server Role Provider with Windows Authentication in WCF Calling from Windows Forms
- How to: Use Username Authentication with the SQL Server Membership Provider and Message Security in WCF Calling from Windows Forms
- How to: Use Username Authentication with Transport Security in WCF Calling from Windows Forms
- How to: Use wsHttpBinding with Username Authentication and TransportWithMessageCredential in WCF Calling from Windows Forms
- How to: Use wsHttpBinding with Windows Authentication and Message Security in WCF Calling from Windows Forms
- How to: Use wsHttpBinding with Windows Authentication and Transport Security in WCF Calling from Windows Forms
Resources
Feedback on the Guide
We have provided a short questionnaire on the Internet that should take only 5 to 10 minutes to fill out. Copy these questions into an e-mail message and send the answers to WCFSec@microsoft.com.
We are also particularly interested in feedback regarding the following:
- Technical issues specific to recommendations
- Usefulness and usability issues
Any input can be sent in e-mail to WCFSec@microsoft.com.
Technical Support
Technical support for the Microsoft products and technologies referenced in this guide is provided by Microsoft Product Support Services (PSS). For product support information, please visit the Microsoft Product Support Web site.
Community Support
Microsoft MSDN newsgroups:
Forum | Address
---|---
Windows Communication Foundation ("Indigo") | https://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=118&SiteID=1
Architecture General | https://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=228&SiteID=1
The Team Who Brought You This Guide
This guide was created by the following team members:
- J.D. Meier
- Carlos Farre
- Jason Taylor
- Prashant Bansode
- Steve Gregersen
- Madhu Sundararajan
- Rob Boucher
Contributors and Reviewers
- External Contributors / Reviewers: Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Leroux Bustamante; Parameswaran Vaideeswaran; Rockford Lhotka; Rudolph Araujo; Santosh Bejugam
- Microsoft Contributors / Reviewers: Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev
Tell Us About Your Success
If this guide helps you, we would like to know. Tell us by writing a short summary of the problems you faced and how this guide helped you out. Submit your summary to MyStory@Microsoft.com.