Proxy Considerations

patterns & practices Developer Center

When creating a WCF service proxy, clients need access to the service metadata, which may include sensitive details such as the service location and the operations it exposes. It is important to secure this metadata because attackers can use the same information to learn about and attack your WCF services.

Consider the following guidelines when exposing your service metadata for client proxy creation:

Publish your WCF service metadata only when required

Set the httpGetEnabled and httpsGetEnabled attributes to false on the serviceMetadata element, and remove any endpoints configured on your service that implement IMetadataExchange contracts.

This is especially important after your clients are built and deployed, and if you do not need other clients to discover and use the WCF service. If the metadata is exposed, unwanted clients will be able to generate proxy files (e.g., by using Svcutil.exe) and inspect potentially sensitive methods and parameters offered by the service. If your client programs already have access to the service proxy, set the httpGetEnabled attribute to false.

The following configuration disables sharing of service metadata:

<serviceMetadata httpGetEnabled="False" httpsGetEnabled="False"/>
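The following configuration, added here as an illustration and not taken from the original page, shows the serviceMetadata setting above in the context of a complete system.serviceModel section. The service and contract names (Example.OrderService, Example.IOrderService) are placeholders; the commented-out mex endpoint is the kind of endpoint this guideline says to remove.

```xml
<configuration>
  <system.serviceModel>
    <services>
      <!-- Placeholder service name; replace with your own -->
      <service name="Example.OrderService" behaviorConfiguration="NoMetadata">
        <!-- Application endpoint only -->
        <endpoint address=""
                  binding="wsHttpBinding"
                  contract="Example.IOrderService" />
        <!-- Removed: the metadata exchange endpoint that lets callers
             download the WSDL and generate a proxy (e.g. with Svcutil.exe)
        <endpoint address="mex"
                  binding="mexHttpBinding"
                  contract="IMetadataExchange" />
        -->
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="NoMetadata">
          <!-- No WSDL is served over HTTP GET or HTTPS GET -->
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

A quick check after deployment: requesting the service URL with ?wsdl appended should no longer return a WSDL document, and Svcutil.exe run against the service address should fail to retrieve metadata.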

Additional Resources

If you need to publish your WCF service metadata, publish it over the HTTPS protocol

Publish your service metadata over Secure HTTP (HTTPS) to protect clients from being spoofed when adding a service reference. Clients cannot be certain that they have added a reference to the right service if you expose your service metadata over HTTP. The service may have been spoofed through Domain Name System (DNS) poisoning or a man-in-the-middle attack.

To publish your service metadata over HTTPS, use mexHttpsBinding and configure a server certificate for the service.


If you need to publish your WCF service metadata, publish it using a secure binding

To protect service metadata from unauthorized access, you can use a secure binding for your metadata endpoint. The service metadata that a WCF service publishes contains a detailed description of the service and may intentionally or unintentionally contain sensitive information. For example, service metadata may contain information about infrastructure operations that was not intended to be broadcast publicly.

You can use any standard binding that has security features for the mex service endpoint. The only requirement is that the endpoint uses the IMetadataExchange contract.
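The following configuration is an added example, not code from the original page, covering both of the preceding guidelines: it publishes metadata over HTTPS with mexHttpsBinding, and it also shows a second metadata endpoint on a secure standard binding (wsHttpBinding with transport security and Windows client authentication) to illustrate that only the IMetadataExchange contract is fixed. The service and contract names and the base address are placeholders.

```xml
<configuration>
  <system.serviceModel>
    <services>
      <!-- Placeholder service name; replace with your own -->
      <service name="Example.OrderService" behaviorConfiguration="SecureMetadata">
        <host>
          <baseAddresses>
            <!-- HTTPS only: no plain-HTTP base address is registered -->
            <add baseAddress="https://localhost:8443/OrderService" />
          </baseAddresses>
        </host>
        <!-- Application endpoint on a secure binding -->
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="TransportWindows"
                  contract="Example.IOrderService" />
        <!-- Option A: the standard metadata binding over HTTPS -->
        <endpoint address="mex"
                  binding="mexHttpsBinding"
                  contract="IMetadataExchange" />
        <!-- Option B: any secure standard binding also works for metadata;
             here clients must present Windows credentials to read the WSDL -->
        <endpoint address="mexSecure"
                  binding="wsHttpBinding"
                  bindingConfiguration="TransportWindows"
                  contract="IMetadataExchange" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="TransportWindows">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SecureMetadata">
          <!-- WSDL via GET is allowed over HTTPS only -->
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

The server certificate for transport security is not set in this file: for HTTPS, WCF relies on the certificate bound to the port by the host, that is, the site binding in IIS or, for a self-hosted service, a certificate registered with netsh http add sslcert. The Windows client credential on the wsHttpBinding assumes the host has Windows authentication enabled.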


If you turn off mutual authentication, be aware of service spoofing

Be aware that your service may be spoofed by a malicious attacker if you are running your service in a scenario in which mutual authentication has been turned off. Without mutual authentication, calls to your service could be diverted to a malicious service through DNS poisoning or a man-in-the-middle attack.

The following scenarios will result in mutual authentication being turned off:

  • If you turn off message and transport security on your binding
  • If you use basicHttpBinding, which has message and transport security turned off by default
  • If you use NTLM authentication
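As an added example (not from the original page), the configuration below places a binding that gives no mutual authentication beside one that does. The first endpoint uses basicHttpBinding with its defaults, so neither party is authenticated and the service can be spoofed as described above; the second uses wsHttpBinding with transport security and a client certificate, so the client verifies the server certificate during the TLS handshake and the service verifies the client certificate. Service and contract names are placeholders.

```xml
<configuration>
  <system.serviceModel>
    <services>
      <!-- Placeholder service name; replace with your own -->
      <service name="Example.OrderService" behaviorConfiguration="ClientCerts">
        <!-- Weak: basicHttpBinding defaults to no transport and no message
             security, so a client has no way to verify which service it reached -->
        <endpoint address="legacy"
                  binding="basicHttpBinding"
                  contract="Example.IOrderService" />
        <!-- Mutual authentication: HTTPS authenticates the server to the client,
             and the required client certificate authenticates the client -->
        <endpoint address="secure"
                  binding="wsHttpBinding"
                  bindingConfiguration="MutualCertificate"
                  contract="Example.IOrderService" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="MutualCertificate">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ClientCerts">
          <serviceCredentials>
            <clientCertificate>
              <!-- Accept only client certificates that chain to a trusted root -->
              <authentication certificateValidationMode="ChainTrust" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

In a real deployment the legacy endpoint would be removed rather than left alongside the secure one; it is shown here only for the contrast. The server certificate for the HTTPS endpoint is bound to the port or IIS site by the host, not configured in this file.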
