Practices at a Glance: WCF Security

patterns & practices Developer Center

Index

Auditing and Logging

  • How to: Audit Security Events
  • How to: Enable WCF Message Logging
  • How to: Enable WCF Tracing
  • How to: Use Health Monitoring in WCF
  • How to: Filter Sensitive Data from Your Logs
  • How to: View Log Information
  • How to: View Trace Information
  • How to: Log Traces to a WMI Provider
  • How to: Turn Off Audit Failure Suppression

Authentication

  • How to: Authenticate Users Against the SQL Server Membership Provider
  • How to: Authenticate Users Against Active Directory
  • How to: Authenticate Users Against Active Directory Without Windows Authentication
  • How to: Authenticate Users with Certificates
  • How to: Map Certificates with Windows Accounts
  • How to: Authenticate Users Against a Custom User Store

Authorization

  • How to: Authorize Declaratively
  • How to: Authorize Imperatively if You Use a Role Provider
  • How to: Authorize Imperatively
  • How to: Perform Resource-based Authorization
  • How to: Perform Role-based Authorization
  • How to: Authorize Users Against Windows Groups
  • How to: Authorize Users Against Windows Groups Using AspNetWindowsTokenRoleProvider
  • How to: Authorize Users Against the SQL Server Role Provider
  • How to: Authorize Users Against the ASP.NET Role Provider
  • How to: Assign the Current Principal with IAuthorizationPolicy to Allow Authorization Using Custom Authentication
  • How to: Authorize Users Against ADAM Using the Authorization Manager Role Provider
  • How to: Map Roles to Certificates

Configuration Management

  • How to: Encrypt Sensitive Data in Your Configuration Files
  • How to: Run Your Service Under a Specific Identity
  • How to: Create a Service Account for Your WCF Service
  • How to: Stop Clients from Referencing Your Service
  • How to: Protect Against Message Replay Attacks

Deployment Considerations

  • How to: Configure Certificates to Enable SSL in IIS
  • How to: Map Windows Accounts with Certificates
  • How to: Create a Service Principal Name (SPN)
  • How to: Configure WCF for NATs and Firewalls
  • How to: Create an X.509 Certificate

Exception Management

  • How to: Shield Exception Information with Fault Contracts
  • How to: Check the State of a Channel in WCF Proxy Client
  • How to: Avoid Faulting the Channels with Fault Contracts
  • How to: Create an Error Handler to Log Details of Faults for Auditing Purposes
  • How to: Handle Unhandled Exceptions in Downstream Services
  • How to: Throw an Exception with Complex Types or Data Contracts with a Fault Exception
  • How to: Handle Unknown Faults in a Service
  • How to: Implement a Data Contract to Propagate Exception Details for Debugging Purposes
  • How to: Implement Fault Contracts in Callback Functions

Hosting

  • How to: Host WCF in IIS
  • How to: Host WCF in a Windows Service
  • How to: Self-host WCF
  • How to: Configure a Least-privileged Account to Host your Service

Impersonation/Delegation

  • How to: Choose Between a Trusted Subsystem and Impersonation/Delegation
  • How to: Impersonate the Original Caller When Using Windows Authentication
  • How to: Impersonate Programmatically in WCF
  • How to: Impersonate Declaratively in WCF
  • How to: Delegate the Original Caller to Call Back-end Services When Using Windows Authentication
  • How to: Impersonate the Original Caller Without Windows Authentication
  • How to: Impersonate the Original Caller Using S4U Kerberos Extensions
  • How to: Delegate the Original Caller Using S4U Kerberos Extensions
  • How to: Impersonate and Delegate Using the LogonUser Windows API
  • How to: Flow the Original Caller from an ASP.NET Client to WCF
  • How to: Control Access to a Remote Resource Based on the Original Caller's Identity

Message Validation

  • How to: Protect Your Service from Malicious Messages
  • How to: Protect Your Service from Malicious Input
  • How to: Protect Your Service from Denial of Service Attacks
  • How to: Validate Parameters with Parameter Inspectors
  • How to: Validate Parameters with Message Inspectors Using Schemas
  • How to: Validate Data Contracts with Message Inspectors Using Schemas
  • How to: Validate Message Contracts with Message Inspectors Using Schemas
  • How to: Use Regular Expressions to Validate Format, Range, and Length in Schemas
  • How to: Validate Inbound Messages on a Service
  • How to: Validate Outbound Messages on a Service
  • How to: Validate Outbound Messages on the Client
  • How to: Validate Inbound Messages on the Client
  • How to: Validate Input Parameters
  • How to: Validate Output Parameters

Message Security

  • How to: Use Message Security
  • How to: Control the Level of Message Encryption
  • How to: Use Out-of-Band Credentials with Message Security

Proxy Considerations

  • How to: Avoid Proxy Spoofing
  • How to: Publish Service Metadata for Your Clients
  • How to: Create a Proxy for an IIS-hosted Service with Certificate Authentication and Transport Security

Sensitive Data

  • How to: Encrypt Sensitive Data in Configuration Files
  • How to: Protect Sensitive Data in Memory
  • How to: Protect Sensitive Data on the Network

Transport Security

  • How to: Use Transport Security
  • How to: Use Secure Conversations in WCF

X.509 Certificates

  • How to: Create a Temporary X.509 Certificate for Transport Security
  • How to: Create a Temporary X.509 Certificate for Message Security
  • How to: Create a Temporary X.509 Certificate for Certificate Authentication