Share via


WCF Security Checklist

patterns & practices Developer Center

Design Considerations

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

Consider exposing different endpoints.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support ASMX clients, use basicHttpBinding.

Ff648500.checkbox(en-us,PandP.10).gif

If you are migrating from DCOM, use netTcpBinding.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support legacy WSE clients, use a customBinding in WCF.

Ff648500.checkbox(en-us,PandP.10).gif

If you require interoperability with non-Microsoft clients, use bindings that are targeted for interoperability.

Ff648500.checkbox(en-us,PandP.10).gif

If your non-Microsoft clients understand the WS* stack, use ws2007HttpBinding or wsHttpBinding.

Ff648500.checkbox(en-us,PandP.10).gif

Consider transport security as your preferred security mode.

Ff648500.checkbox(en-us,PandP.10).gif

Know your authentication options.

Ff648500.checkbox(en-us,PandP.10).gif

Know your authorization options.

Ff648500.checkbox(en-us,PandP.10).gif

Know your binding options.

Ff648500.checkbox(en-us,PandP.10).gif

Choose the right binding for your scenario.

Auditing and Logging

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

Use WCF auditing to audit your service.

Ff648500.checkbox(en-us,PandP.10).gif

If non-repudiation is important, consider setting the SuppressAuditFailure property to false.

Ff648500.checkbox(en-us,PandP.10).gif

Use message logging for debugging purposes.

Ff648500.checkbox(en-us,PandP.10).gif

Instrument for user management events.

Ff648500.checkbox(en-us,PandP.10).gif

Instrument for significant business operations.

Ff648500.checkbox(en-us,PandP.10).gif

Protect log files from unauthorized access.

Ff648500.checkbox(en-us,PandP.10).gif

Do not log sensitive information.

Ff648500.checkbox(en-us,PandP.10).gif

Protect information in log files.

Ff648500.checkbox(en-us,PandP.10).gif

Use a custom trace listener only when message filtering is needed.

Authentication

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

Know your authentication options.

Ff648500.checkbox(en-us,PandP.10).gif

Use Windows authentication when you can.

Ff648500.checkbox(en-us,PandP.10).gif

If your users are in Active Directory but you can’t use Windows authentication, consider using Username authentication.

Ff648500.checkbox(en-us,PandP.10).gif

If you are using Username authentication, use a membership provider instead of custom authentication.

Ff648500.checkbox(en-us,PandP.10).gif

If your users are in a SQL membership store, use the SQL Server membership provider.

Ff648500.checkbox(en-us,PandP.10).gif

If your users are in a custom store, consider using Username authentication with a custom validator.

Ff648500.checkbox(en-us,PandP.10).gif

If your clients have certificates, consider using client certificate authentication.

Ff648500.checkbox(en-us,PandP.10).gif

If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.

Ff648500.checkbox(en-us,PandP.10).gif

If you are using Username authentication, validate user login information.

Ff648500.checkbox(en-us,PandP.10).gif

Do not store passwords directly in the user store.

Ff648500.checkbox(en-us,PandP.10).gif

Enforce strong passwords.

Ff648500.checkbox(en-us,PandP.10).gif

Protect access to your credential store.

Ff648500.checkbox(en-us,PandP.10).gif

If you are using client certificate authentication, limit the certificates in the certificate store.

Authorization

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

If you store role information in Windows groups, consider using the WCF PrincipalPermissionAttribute class for role authorization.

Ff648500.checkbox(en-us,PandP.10).gif

If you use ASP.NET roles, use the ASP.NET Role Manager for role authorization.

Ff648500.checkbox(en-us,PandP.10).gif

If you use Windows groups for authorization, use the ASP.NET role provider with AspNetWindowsTokenRoleProvider.

Ff648500.checkbox(en-us,PandP.10).gif

If you store role information in SQL Server, consider using the SQL Server role provider for role authorization.

Ff648500.checkbox(en-us,PandP.10).gif

If you store role information in ADAM, use the Authorization Manager role provider.

Ff648500.checkbox(en-us,PandP.10).gif

If you store role information in a custom store, create a custom authorization policy.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to authorize access to WCF operations, use declarative authorization.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to perform fine-grained authorization based on business logic, use imperative authorization.

Bindings

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support clients over the Internet, consider using wsHttpBinding.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to expose your WCF service to legacy clients as an ASMX Web service, use basicHttpBinding.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support WCF clients within an intranet, consider using netTcpBinding.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support WCF Clients on the same machine, consider using netNamedPipeBinding.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support disconnected queued calls, use netMsmqBinding.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support bidirectional communication between a WCF client and WCF service, use wsDualHttpBinding or netTcpBinding.

Configuration Management

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

Use replay detection to protect against message replay attacks.

Ff648500.checkbox(en-us,PandP.10).gif

If you host your service in a Windows service, expose a metadata exchange (mex) binding.

Ff648500.checkbox(en-us,PandP.10).gif

If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex).

Ff648500.checkbox(en-us,PandP.10).gif

Encrypt configuration sections that contain sensitive data.

Exception Management

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

Use structured exception handling.

Ff648500.checkbox(en-us,PandP.10).gif

Do not divulge exception details to clients in production.

Ff648500.checkbox(en-us,PandP.10).gif

Use a fault contract to return error information to clients.

Ff648500.checkbox(en-us,PandP.10).gif

Use a global exception handler to catch unhandled exceptions.

Hosting

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

Run your service in a least-privileged account.

Ff648500.checkbox(en-us,PandP.10).gif

Use IIS to host your service, unless you need to use a transport that IIS does not support.

Impersonation/Delegation

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

Know the tradeoffs involved in impersonation.

Ff648500.checkbox(en-us,PandP.10).gif

Know your impersonation options.

Ff648500.checkbox(en-us,PandP.10).gif

Know your impersonation methods.

Ff648500.checkbox(en-us,PandP.10).gif

Consider using programmatic instead of declarative impersonation.

Ff648500.checkbox(en-us,PandP.10).gif

When impersonating programmatically, be sure to revert to the original context.

Ff648500.checkbox(en-us,PandP.10).gif

When impersonating declaratively, only impersonate on the operations that require it.

Ff648500.checkbox(en-us,PandP.10).gif

When you cannot do a Windows mapping, consider using the S4U feature for impersonation and delegation.

Ff648500.checkbox(en-us,PandP.10).gif

If your WCF service cannot be trusted for delegation, consider using the LogonUser API.

Ff648500.checkbox(en-us,PandP.10).gif

If you have to flow the original caller to the back-end services, use constrained delegation.

Message Validation

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

If you need to validate parameters, use parameter inspectors.

Ff648500.checkbox(en-us,PandP.10).gif

Use schemas with message inspectors to validate messages.

Ff648500.checkbox(en-us,PandP.10).gif

Use regular expressions in schemas to validate format, range, or length.

Ff648500.checkbox(en-us,PandP.10).gif

Implement the AfterReceiveRequest method to validate inbound messages on the service.

Ff648500.checkbox(en-us,PandP.10).gif

Implement the BeforeSendReply method to validate outbound messages on the service.

Ff648500.checkbox(en-us,PandP.10).gif

Implement the AfterReceiveReply method to validate inbound messages on the client.

Ff648500.checkbox(en-us,PandP.10).gif

Implement the BeforeSendRequest method to validate outbound messages on the client.

Ff648500.checkbox(en-us,PandP.10).gif

Validate operation parameters for length, range, format, and type.

Ff648500.checkbox(en-us,PandP.10).gif

Do not rely on client-side validation.

Ff648500.checkbox(en-us,PandP.10).gif

Avoid user-supplied file name and path input.

Ff648500.checkbox(en-us,PandP.10).gif

Do not echo untrusted input.

Message Security

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support clients over the Internet, consider using message security.

Ff648500.checkbox(en-us,PandP.10).gif

If there are intermediaries between the client and service, consider using message security.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support selective message protection, use message security.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support multiple transactions per session using secure conversation, use message security.

Ff648500.checkbox(en-us,PandP.10).gif

Do not pass sensitive information in SOAP headers when using HTTP transport and message security.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support interoperability, consider setting negotiateServiceCredentials to false.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to streamline certificate distribution to your clients, consider negotiating the service credentials.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to limit the clients that will consume your service, consider setting negotiateServiceCredentials to false.

Transport Security

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

Use transport security when possible.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support clients in an intranet, use transport security.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to support interoperability with non-WCF clients, use transport security.

Ff648500.checkbox(en-us,PandP.10).gif

Use a hardware accelerator when using transport security.

Proxy Considerations

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

Publish your WCF service metadata only when required.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to publish your WCF service metadata, publish it over the HTTPS protocol.

Ff648500.checkbox(en-us,PandP.10).gif

If you need to publish your WCF service metadata, publish it using secure binding.

Ff648500.checkbox(en-us,PandP.10).gif

If you turn off mutual authentication, be aware of service spoofing.

Sensitive Data

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

Avoid plain-text passwords or other sensitive data in configuration files.

Ff648500.checkbox(en-us,PandP.10).gif

Use platform features to manage keys where possible.

Ff648500.checkbox(en-us,PandP.10).gif

Protect sensitive data over the network.

Ff648500.checkbox(en-us,PandP.10).gif

Do not cache sensitive data.

Ff648500.checkbox(en-us,PandP.10).gif

Minimize exposure of secrets in memory.

Ff648500.checkbox(en-us,PandP.10).gif

Be aware that basicHttpBinding will not protect sensitive data by default.

Ff648500.checkbox(en-us,PandP.10).gif

Use appropriately sized keys.

Deployment Considerations

Check

Description

Ff648500.checkbox(en-us,PandP.10).gif

Do not use temporary certificates in production.

Ff648500.checkbox(en-us,PandP.10).gif

If you are using Kerberos authentication or delegation, create an SPN.

Ff648500.checkbox(en-us,PandP.10).gif

Use IIS to host your WCF service wherever possible.

Ff648500.checkbox(en-us,PandP.10).gif

Use a least-privileged account to run your WCF service.

Ff648500.checkbox(en-us,PandP.10).gif

Protect sensitive data in your configuration files.