WCF 3.5 Security Guidelines
WCF 3.5 Security Guidelines
WCF 3.5 Security Guidelines was released in codeplex.
The purpose of this project is to build some insightful and practical guidance around using Microsoft Windows Communication Foundation (WCF). It's a collaborative effort between patterns & practices, product teams, and industry experts. - J.D. Meier , Jason Taylor , Prashant Bansode , Carlos Farre, Madhu Sundararajan, Steve Gregersen, Don Smith .
The following are guidelines for Web services created with Windows Communication Foundation (WCF) 3.5. They are based on principles where possible. The recommendations are also as contextual as possible, but abstracted for reuse. Use them as a starting point, but you will likely need to tailor for your scenario:
Auditing and Logging
Authentication
- Know your authentication options
- Use Windows Authentication when you can
- If you support non-WCF clients using windows authentication and message security, consider using the Kerberos direct option
- If your users are in AD, but you can’t use windows authentication, consider using username authentication
- If your clients have certificates, consider using client certificate authentication
- If you need to streamline certificate distribution to your clients for message encryption, consider using the negotiate credentials option
- If your users are in a custom store, consider using username authentication with a custom validator
- If your users are in a SQL membership store, use the SQL Membership Provider
- If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
- If you are using username authentication, use SQL Server Membership Provider instead of custom authentication
- If you need to support intermediaries and a variety of transports between client and service, use message security to protect credentials
- If you are using username authentication, validate user login information
- Do not store passwords directly in the user store
- Enforce strong passwords
- Protect access to your credential store
- If you are using Windows Forms to connect to WCF, do not cache credentials
Authorization
Binding
Configuration Management
Exception Management
Hosting
Impersonation and Delegation
Input/Data Validation
Proxy Considerations
Deployment considerations
So go ahead and ADD SECURITY TO YOUR WCF Service !