Choosing the correct host and process identity to run your WCF application is very important from a security perspective.
Consider the following guidelines when choosing a host for your WCF application:
- Run your service in a least-privileged account.
- Use IIS to host your service unless you need to use a transport that IIS does not support.
Each of these guidelines is described in the following sections.
Run your service in a least-privileged account
If you are hosting your WCF service in a Windows service or in IIS, run your service using a least-privileged service account. By default, IIS runs under the ASPNET account (IIS 5.0) or the NetworkService account (IIS 6.0).
By using a custom domain account, you can audit and authorize your service individually, and your service is insulated from changes to the privileges and permissions of the built-in System account. Configure the account with the fewest privileges that still allow your service to run. This reduces the attack surface and constrains the impact of a successful attack.
The following steps outline how to use a least-privileged custom domain account:
- Create a Windows account.
- Run the following aspnet_regiis.exe command to assign the relevant ASP.NET permissions to the account:
aspnet_regiis.exe -ga machineName\userName
Note: This step is needed only if your application needs to run in ASP.NET compatibility mode.
- Use the Local Security Policy tool to grant the Windows account the Deny logon locally user right.
This reduces the privileges of the account and prevents anyone from logging on to Windows locally with this account.
- If your service is hosted in a Windows service, configure the Windows service to run using the account identity.
The WCF service will run under the security context of the Windows service.
- If your service is hosted in IIS 6.0, use IIS Manager to create an application pool running as an account identity. Use IIS Manager to assign your WCF service to that application pool.
- For more information, see Hosting.
- For more information on running IIS under a least-privileged service account, see How To: Create a Service Account for an ASP.NET 2.0 Application.
- For a hosting Q&A, see the Hosting section of WCF Security Questions and Answers.
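The following PowerShell audit script is an added example, not part of the original guidance; it checks the end state of the steps above on a host: that the account holds the Deny log on locally right (SeDenyInteractiveLogonRight), is not a member of the local Administrators group, and is the identity of both the Windows service and the IIS application pool. The account, service and application pool names are hypothetical placeholders, and the application pool check assumes IIS 7.0 or later with the WebAdministration module.

```powershell
# Added audit script (not from the original guidance). Run elevated.
# Hypothetical names: account CONTOSO\svc-wcf, service OrdersWcfHost, pool OrdersPool.
param(
    [string]$Account     = 'CONTOSO\svc-wcf',
    [string]$ServiceName = 'OrdersWcfHost',
    [string]$AppPool     = 'OrdersPool'
)

# 1. Resolve the account to its SID; secedit lists right holders as *S-1-5-... entries.
$nt  = New-Object System.Security.Principal.NTAccount $Account
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 2. Export local user-rights assignments and check "Deny log on locally".
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$denyLine = Get-Content $cfg | Where-Object { $_ -like 'SeDenyInteractiveLogonRight*' }
$denied   = [bool]$denyLine -and ($denyLine.Contains("*$sid") -or $denyLine.Contains($Account))
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Least privilege: the service account must not be a local Administrator.
$isAdmin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -ieq $Account }

# 4. Windows service host: the service must log on as the account (StartName is DOMAIN\user).
$svc   = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$svcOk = [bool]$svc -and ($svc.StartName -ieq $Account)

# 5. IIS host: the application pool must run as that specific user, not a built-in identity.
Import-Module WebAdministration
$pm     = Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel
$poolOk = ($pm.identityType -eq 'SpecificUser') -and ($pm.userName -ieq $Account)

# Any $false here means one of the hardening steps has not taken effect.
[pscustomobject]@{
    Account              = $Account
    DenyLogonLocally     = $denied
    NotLocalAdmin        = -not [bool]$isAdmin
    ServiceRunsAsAccount = $svcOk
    AppPoolRunsAsAccount = $poolOk
}
```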
Use IIS to host your service unless you need to use a transport that IIS does not support
Use IIS to host your WCF service because it provides a large number of features for efficient service management and scalability. IIS 6.0 only supports bindings over HTTP, so if you need to use TCP, Microsoft Message Queuing (MSMQ), or named pipes, you should host in a Windows service instead. IIS 7.0 supports all of the commonly used transport protocols such as HTTP, TCP, MSMQ, and named pipes.
By using IIS as your WCF service host, you can take full advantage of IIS features, such as process recycling, idle shutdown, process health monitoring, and message-based activation.