Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

WCF Security Questions and Answers (Q&A)

patterns & practices Developer Center

Index

Design Considerations

  • How do I decide on an authentication strategy?
  • How do I decide on an authorization strategy?
  • When should I use message security versus transport security?
  • How do I use my existing Active Directory infrastructure?
  • What bindings should I use over the Internet?
  • What bindings should I use over an intranet?
  • When should I use resource-based authorization versus roles-based authorization?
  • When should I impersonate the original caller?
  • When should I flow the original caller's identity to back-end resources?
  • How do I migrate to WCF from an ASMX Web service?
  • How do I migrate to WCF from a COM application?
  • How do I migrate to WCF from a DCOM application?
  • How do I migrate to WCF from a WSE application?

Auditing and Logging

  • What WCF service security events should be logged?
  • How do I enable logging and auditing in WCF?
  • How do I stop my service if there has been an auditing failure?
  • How do I log important business events in WCF?
  • How do I implement log throttling in WCF?
  • How do I use the health monitoring feature with WCF?
  • How do I protect my log files?
  • How do I pass user identity information in a message for auditing purpose?

Authentication

  • How do I decide on an authentication strategy in WCF?
  • When should I use the SQL Server membership provider?
  • How do I authenticate against Active Directory?
  • How do I authenticate against a SQL store?
  • How do I authenticate against a custom store?
  • How do I protect passwords in my user store?
  • How do I use certificate authentication with X.509 certificates?
  • What is the most common authentication scenario for intranet applications?
  • What is the most common authentication scenario for Internet applications?
  • How do I support authentication for multiple client types?
  • What is federated security?
  • How do I send credentials in the message when I am using transport security?
  • How do I avoid cleartext passwords?

Authorization

  • How do I decide on an authorization strategy in WCF?
  • What is the difference between resource-based, roles-based, and claims-based authorization?
  • How do I use Windows groups for role authorization in WCF?
  • How do I use the SQL Server role provider for ASP.NET role authorization in WCF?
  • How do I use the Windows Token role provider for ASP.NET role authorization in WCF?
  • How do I use the Authorization Store role provider for ASP.NET role authorization in WCF?
  • What is the difference between declarative and imperative roles authorization?
  • How do I restrict access to WCF operations to specific Windows users?
  • How do I associate roles with a certificate?
  • What is a service principal name (SPN)?
  • How do I create a service principal name (SPN)?

Bindings

  • What is a binding?
  • What bindings are available?
  • Which bindings are best suited for the Internet?
  • Which bindings are best suited for an intranet?
  • How do I choose an appropriate binding?

Configuration Management

  • How do I encrypt sensitive data in the WCF configuration file?
  • How do I run a WCF service with a particular identity?
  • How do I create a service account for running my WCF service?
  • When should I use a configuration file versus the WCF object model?
  • What is a metadata exchange (mex) binding?
  • How do I keep clients from referencing my service?

Deployment Considerations

  • What are the additional considerations for using WCF in a Web farm?
  • How do I configure Active Directory groups and accounts for roles-based authorization checks?
  • How do I create an X.509 certificate?
  • When should I use a service principal name (SPN)?
  • How do I configure a least-privileged account for my service?

Exception Management

  • How do I implement a global exception handler?
  • What is a fault contract?
  • How do I define a fault contract?
  • How do I avoid sending exception details to the client?

Hosting

  • How do I configure a least-privileged account to host my service?
  • When should I host my service in Internet Information Services (IIS)?
  • When should I host my service in a Windows service?
  • When should I self-host my service?

Impersonation/Delegation

  • What are my impersonation options?
  • What is the difference between impersonation and delegation?
  • How do I impersonate the original caller for an operation call?
  • How do I temporarily impersonate the original caller in an operation call?
  • How do I impersonate a specific (fixed) identity?
  • What is constrained delegation?
  • What is protocol transition?
  • How do I flow the original caller from the ASP.NET client to a WCF service?
  • What is the difference between declarative and programmatic impersonation?
  • What is the trusted subsystem model?
  • When should I flow the original caller to back-end code?
  • How do I control access to a remote resource based on the original caller's identity?

Input/Data Validation

  • How do I implement input and data validation in WCF?
  • What is schema validation?
  • What is parameter validation?
  • Should I validate before or after message serialization?
  • How do I protect my service from denial of service (DoS) attacks?
  • How do I protect my service from malicious input attacks?
  • How do I protect my service from malformed messages?

Message Protection

  • When should I use message security?
  • When should I use transport security?
  • How do I protect my message when there are intermediaries routing the message?
  • How do I protect my message when there are multiple protocols used during message transit?

Proxy Considerations

  • When should I use a channel factory?
  • When do I need to expose a metadata exchange (mex) endpoint for my service?
  • How do I avoid proxy spoofing?

Sensitive Data

  • How do I protect sensitive data in configuration files?
  • How do I protect sensitive data in memory?
  • How do I protect my metadata?
  • How do I protect sensitive data from being read on the wire?
  • How do I protect sensitive data from being tampered with on the wire?

X.509 Certificates

  • How do I create X.509 certificates?
  • Do I need to create a certificate signed by the root CA certificate?
  • How do I use X.509 certificate revocation?
Show:
© 2015 Microsoft