
WCF Security Checklist

patterns & practices Developer Center

Design Considerations

Check  Description
[ ]    Consider exposing different endpoints.
[ ]    If you need to support ASMX clients, use basicHttpBinding.
[ ]    If you are migrating from DCOM, use netTcpBinding.
[ ]    If you need to support legacy WSE clients, use a customBinding in WCF.
[ ]    If you require interoperability with non-Microsoft clients, use bindings that are targeted for interoperability.
[ ]    If your non-Microsoft clients understand the WS* stack, use ws2007HttpBinding or wsHttpBinding.
[ ]    Consider transport security as your preferred security mode.
[ ]    Know your authentication options.
[ ]    Know your authorization options.
[ ]    Know your binding options.
[ ]    Choose the right binding for your scenario.


Auditing and Logging

Check  Description
[ ]    Use WCF auditing to audit your service.
[ ]    If non-repudiation is important, consider setting the SuppressAuditFailure property to false.
[ ]    Use message logging for debugging purposes.
[ ]    Instrument for user management events.
[ ]    Instrument for significant business operations.
[ ]    Protect log files from unauthorized access.
[ ]    Do not log sensitive information.
[ ]    Protect information in log files.
[ ]    Use a custom trace listener only when message filtering is needed.


Authentication

Check  Description
[ ]    Know your authentication options.
[ ]    Use Windows authentication when you can.
[ ]    If your users are in Active Directory but you can’t use Windows authentication, consider using Username authentication.
[ ]    If you are using Username authentication, use a membership provider instead of custom authentication.
[ ]    If your users are in a SQL membership store, use the SQL Server membership provider.
[ ]    If your users are in a custom store, consider using Username authentication with a custom validator.
[ ]    If your clients have certificates, consider using client certificate authentication.
[ ]    If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
[ ]    If you are using Username authentication, validate user login information.
[ ]    Do not store passwords directly in the user store.
[ ]    Enforce strong passwords.
[ ]    Protect access to your credential store.
[ ]    If you are using client certificate authentication, limit the certificates in the certificate store.


Authorization

Check  Description
[ ]    If you store role information in Windows groups, consider using the WCF PrincipalPermissionAttribute class for role authorization.
[ ]    If you use ASP.NET roles, use the ASP.NET Role Manager for role authorization.
[ ]    If you use Windows groups for authorization, use the ASP.NET role provider with AspNetWindowsTokenRoleProvider.
[ ]    If you store role information in SQL Server, consider using the SQL Server role provider for role authorization.
[ ]    If you store role information in ADAM, use the Authorization Manager role provider.
[ ]    If you store role information in a custom store, create a custom authorization policy.
[ ]    If you need to authorize access to WCF operations, use declarative authorization.
[ ]    If you need to perform fine-grained authorization based on business logic, use imperative authorization.


Bindings

Check  Description
[ ]    If you need to support clients over the Internet, consider using wsHttpBinding.
[ ]    If you need to expose your WCF service to legacy clients as an ASMX Web service, use basicHttpBinding.
[ ]    If you need to support WCF clients within an intranet, consider using netTcpBinding.
[ ]    If you need to support WCF clients on the same machine, consider using netNamedPipeBinding.
[ ]    If you need to support disconnected queued calls, use netMsmqBinding.
[ ]    If you need to support bidirectional communication between a WCF client and WCF service, use wsDualHttpBinding or netTcpBinding.


Configuration Management

Check  Description
[ ]    Use replay detection to protect against message replay attacks.
[ ]    If you host your service in a Windows service, expose a metadata exchange (mex) binding.
[ ]    If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex).
[ ]    Encrypt configuration sections that contain sensitive data.


Exception Management

Check  Description
[ ]    Use structured exception handling.
[ ]    Do not divulge exception details to clients in production.
[ ]    Use a fault contract to return error information to clients.
[ ]    Use a global exception handler to catch unhandled exceptions.


Hosting

Check  Description
[ ]    Run your service in a least-privileged account.
[ ]    Use IIS to host your service, unless you need to use a transport that IIS does not support.


Impersonation/Delegation

Check  Description
[ ]    Know the tradeoffs involved in impersonation.
[ ]    Know your impersonation options.
[ ]    Know your impersonation methods.
[ ]    Consider using programmatic instead of declarative impersonation.
[ ]    When impersonating programmatically, be sure to revert to the original context.
[ ]    When impersonating declaratively, only impersonate on the operations that require it.
[ ]    When you cannot do a Windows mapping, consider using the S4U feature for impersonation and delegation.
[ ]    If your WCF service cannot be trusted for delegation, consider using the LogonUser API.
[ ]    If you have to flow the original caller to the back-end services, use constrained delegation.


Message Validation

Check  Description
[ ]    If you need to validate parameters, use parameter inspectors.
[ ]    Use schemas with message inspectors to validate messages.
[ ]    Use regular expressions in schemas to validate format, range, or length.
[ ]    Implement the AfterReceiveRequest method to validate inbound messages on the service.
[ ]    Implement the BeforeSendReply method to validate outbound messages on the service.
[ ]    Implement the AfterReceiveReply method to validate inbound messages on the client.
[ ]    Implement the BeforeSendRequest method to validate outbound messages on the client.
[ ]    Validate operation parameters for length, range, format, and type.
[ ]    Do not rely on client-side validation.
[ ]    Avoid user-supplied file name and path input.
[ ]    Do not echo untrusted input.


Message Security

Check  Description
[ ]    If you need to support clients over the Internet, consider using message security.
[ ]    If there are intermediaries between the client and service, consider using message security.
[ ]    If you need to support selective message protection, use message security.
[ ]    If you need to support multiple transactions per session using secure conversation, use message security.
[ ]    Do not pass sensitive information in SOAP headers when using HTTP transport and message security.
[ ]    If you need to support interoperability, consider setting negotiateServiceCredentials to false.
[ ]    If you need to streamline certificate distribution to your clients, consider negotiating the service credentials.
[ ]    If you need to limit the clients that will consume your service, consider setting negotiateServiceCredentials to false.


Transport Security

Check  Description
[ ]    Use transport security when possible.
[ ]    If you need to support clients in an intranet, use transport security.
[ ]    If you need to support interoperability with non-WCF clients, use transport security.
[ ]    Use a hardware accelerator when using transport security.


Proxy Considerations

Check  Description
[ ]    Publish your WCF service metadata only when required.
[ ]    If you need to publish your WCF service metadata, publish it over the HTTPS protocol.
[ ]    If you need to publish your WCF service metadata, publish it using a secure binding.
[ ]    If you turn off mutual authentication, be aware of service spoofing.


Sensitive Data

Check  Description
[ ]    Avoid plain-text passwords or other sensitive data in configuration files.
[ ]    Use platform features to manage keys where possible.
[ ]    Protect sensitive data over the network.
[ ]    Do not cache sensitive data.
[ ]    Minimize exposure of secrets in memory.
[ ]    Be aware that basicHttpBinding will not protect sensitive data by default.
[ ]    Use appropriately sized keys.


Deployment Considerations

Check  Description
[ ]    Do not use temporary certificates in production.
[ ]    If you are using Kerberos authentication or delegation, create an SPN.
[ ]    Use IIS to host your WCF service wherever possible.
[ ]    Use a least-privileged account to run your WCF service.
[ ]    Protect sensitive data in your configuration files.



© 2015 Microsoft