Está en la página 1de 116

WCF Security

Sridhar Anjanappa
Agenda
Security Engineering
Web Services Security Frame
• Auditing and Logging
• Authentication
• Authorization
• Configuration Management
• Exception Management
• Impersonation / Delegation
• Message Validation
Threats & Attacks to Your
Web Service
Auditing and Logging
• Tampering with log files
• Ineffectual or nonexistent audit processes
Threats & Attacks to Your
Web Service
Authentication
• Network eavesdropping
• Brute force attacks
• Dictionary attacks
• Cookie replay attacks
• Credential theft
Threats & Attacks to Your
Web Service
Authorization
• Elevation of privilege
• Disclosure of confidential data
• Data tampering
• Luring attacks
Threats & Attacks to Your
Web Service
Configuration Management
• Unauthorized access to administration
interfaces
• Unauthorized access to configuration stores
• Retrieval of clear text
• Configuration secrets
• No individual accountability
Threats & Attacks to Your
Web Service
Exception Management
• System or application details are revealed
• Denial of service (DoS)
Threats & Attacks to Your
Web Service
Impersonation/Delegation
• Elevation of privilege
Threats & Attacks to Your
Web Service
Message Encryption
Information Disclosure
Threats & Attacks to Your
Web Service
Message Validation
• Buffer overflows
• Cross-site scripting (XSS)
• SQL injection
• Canonicalization attacks
Threats & Attacks to Your
Web Service
Session Management
• Session hijacking
• Session replay
• Man-in-the-middle attacks
Bindings and Behaviors
Bindings
• Bindings control the security mode, client
credential type, and other security settings.
Behaviors
• Service behaviors control impersonation
levels, how client credentials are
authenticated and authorized, and service
credentials.
Common Bindings
How to choose the right WCF
binding
• If you need to support clients over the
Internet, consider using wsHttpBinding.

• If you need to expose your WCF service to


legacy clients such as an ASMX Web service,
use basicHttpBinding.

• If you need to support WCF clients within an


intranet, consider using netTcpBinding.
How to choose the right WCF
binding
• If you need to support WCF clients on the
same machine, consider using
netNamedPipeBinding.
• If you need to support disconnected queued
calls, use netMsmqBinding.
• If you need to support bidirectional
communication between the WCF client and
WCF service, use wsDualHttpBinding or
netTcpBinding.
The Approach
The keys to building secure services include:
• Identify your security objectives.
• Know your threats.
• Apply proven principles, patterns, and
practices.
• Apply effective security engineering
throughout the application life cycle.
Transfer Security
• After selecting a binding, you can decide
which type of transfer security, otherwise
known as security mode, to use for your WCF
service.

• Transport Level (Point-to-Point)


• Message Level (End-to-End)
Transfer Security
Security Models
• Transport Level Security
• Message Level Security
Transport Level Security
Transport Level Security
• Simple
• Well Understood
• Adequate for Intranet based scenarios
• Transport mechanism and Endpoint
configuration can be tightly controlled.
Transport Level Security
• Security is Tightly coupled and dependent on
– The underlying platform
– Transport mechanism
– Security Service provider (NTLM, Kerberos, and so
on)

• Security is only on point-to-point basis, no


hops and routing through intermediate app
nodes.
Transport Level Security

<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Transport">
</security>
</binding>
</wsHttpBinding>
</bindings>

Message Level Security
Message Level Security
• Independent from underlying platform

• Heterogeneous security architecture

• End-to-End security

• Routing through intermediate app nodes.

• Supports multiple encryption technologies.


Message Level Security
• Protection Levels
Message Level Security
• Protection Levels
Authentication in WCF
• The WCF authentication options available to
you depend on the transfer security mode you
use.

• Your choice of binding will also play a role in


the authentication options because not all
transport or message user credentials are
supported in every binding.
Authentication in WCF
Transport Security Mode Authentication Options
• None
• Basic
• NTLM
• Windows
• Certificate
Authentication in WCF
Message Security Mode Authentication Options
• None
• Windows
• Username
• Certificate
• Issue token
Authorization in WCF
WCF supports the following three basic authorization
approaches:

• Role-based

• Identity-based

• Resource-based
Role-based Authorization
WCF provides following options for role-based
authorization:
• Windows groups
• ASP.NET roles
– SQLRoleProvider
– WindowsTokenRoleProvider
– AuthorizationStoreRoleProvider
• Custom Roles
Impersonation / Delegation
• Impersonation is a technique that WCF
services use to assume the original caller’s
identity in order to authorize access to service
resources (such as files or database tables).

• Impersonation is used to access resources on


the same machine as the service, while
delegation is used to access resources that are
remote to the service.
Controlling Impersonation at the Service Side

• You can use the ImpersonationOption


enumeration along with the
OperationBehaviorAttribute attribute to
control impersonation.
• Options:
– Not Allowed
– Allowed
– Required
Controlling Impersonation at the Client Side
• Windows credentials have an
AllowedImpersonationLevel property that is set to
one of the following TokenImpersonationLevel
options in order to control the impersonation level:

– None
– Anonymous
– Identification
– Impersonation
– Delegation
Auditing in WCF
• WCF Auditing allows you to audit security
events such as authentication and
authorization failures.

• WCF service auditing can allow you to detect


an attack that has occurred or is in progress.

• Auditing can help you debug security-related


problems.
Auditing in WCF
• ServiceSecurityAuditBehavior element
• auditLogLocation attribute.
Scenario 1 (Intranet)
Scenario 1 (Intranet)
This scenario applies to you if:
• Your users have browsers supporting
Integrated Windows Authentication.
• Your user accounts are in Active Directory
within a domain.
• Your user roles are Windows Groups.
• The business logic behind your WCF service
requires fine-grained authorization.
Scenario 1 (Intranet)
This scenario applies to you if:

• Your application transmits sensitive data over


the network that needs to be protected.

• A high-performance connection between the


ASP.NET application and the WCF service is
more important than the ability to host the
WCF service in IIS.
Scenario 1 (Intranet)
Scenario 1 (Intranet)
In this solution you will:
• Use SSL to protect sensitive data between the
Web client and IIS.
• Use Transport Security to protect sensitive
data between the ASP.NET application and the
WCF service.
• Use netTcpBinding to support the TCP
transport for improved performance.
Scenario 1 (Intranet)
In this solution you will:
• Use domain credentials to authenticate clients
against an Active Directory user store.
• Impersonate the original caller when calling
methods on the WCF service from the ASP.NET
application.
• Use a service account to call the SQL Server
from WCF (without impersonation).
Scenario 1 (Intranet)
In this solution you will:
• Host WCF in a Windows Service since IIS does
not support the TCP transport (prior to IIS7)
Scenario 1 (Intranet)
IIS Configuration:
• A dedicated application pool is created and
configured to run under a custom service
account. Use a domain account.

• The Web application is configured to run


under the service account and assign to
custom application pool.
Scenario 1 (Intranet)
IIS Configuration:
• Service Principal Name (SPN) is created if
domain identity is used in the ASP.NET
application pool.

setspn -a HTTP//WebServer.domain.com customDomainAccount


setspn -a HTTP//WebServer customDomainAccount

• Create an SPN for both the DNS and NETBIOS


machine name.
Scenario 1 (Intranet)
IIS Configuration:
• ASP.NET Process identity is configured as
Trusted for delegation.

• If you use a network service account, enable


the computer account for trusted for
delegation. If you use a domain user account.
enable the domain account for trusted for
delegation.
Scenario 1 (Intranet)
IIS Authentication:

• The IIS virtual directory is configured to use


Windows Integrated Authentication.
• Users will be authenticated with Windows
Authentication.
• Anonymous access is disabled.
Scenario 1 (Intranet)
ASP.NET Authentication:

• ASP.NET is configured for Windows Integrated


authentication.

<authentication mode = "Windows" >

• The Web application will authenticate the


users.
Scenario 1 (Intranet)
ASP.NET Authorization:
• If you have role segmentation in your
application then use URL authorization.
• The authorized users have access to specific
pages.
<authorization>
<allow roles="domainName\RoleName" />
<deny users="*" />
</authorization>
Scenario 1 (Intranet)
ASP.NET Authorization:
• Role Manager is enabled and Role-checks are
performed using Role Manager API.
• Original users are authorized using the
Windows groups before calling in WCF
Service.
<roleManager enabled="true”
defaultProvider="AspNetWindowsTokenRoleProvider"/>

if(Roles.IsUserInRole(@“SPL\\accounting“))
{
}
Scenario 1 (Intranet)
WCF Proxy:
• ASP.NET has a proxy reference to the WCF
service.
• The application has access to the WCF Service
metadata to create a service reference.
WCFTestService.MyServiceClient proxy = new
WCFTestService.MyServiceClient();
Scenario 1 (Intranet)
WCF Proxy:
• ASP.NET Impersonates the original callers
before calling the WCF operation.
• Used for downstream authorization.

using(((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
{
WCFTestService.MyServiceClient proxy= new WCFTestService.MyServiceClient();
proxy.GetData("data");
proxy.Close();
}
Scenario 1 (Intranet)
Application Server (Windows Service) Configuration:
• Windows Service is configured to run under a
custom domain service account.
• WCF Service is hosted in a Windows Service
(Since IIS does not support netTcpBinding).
• Service Principal Name (SPN) is created since a
custom domain account is used for the
Windows service, and the ASP.NET application
needs to restrict trust for delegation to only
the WCF service.
Scenario 1 (Intranet)
WCF Service Configuration:
• Configure the WCF service to use
netTcpBinding.

<endpoint
address=“”
binding="netTcpBinding”
bindingConfiguration=“”
name="TcpBinding” contract="WCFServicecHost.IMyService”
/>
Scenario 1 (Intranet)
WCF Service Configuration:
• Service Metadata is configured in service
behavior.
• The service metadata entry is required for the
Windows service host to start. Both HTTP and
HTTPS get are disabled.

<serviceMetadata />
Scenario 1 (Intranet)
WCF Service Authentication:
• netTcpBinding by default supports Windows
Authentication and Transport Security.

<endpoint
address=""
binding="netTcpBinding"
bindingConfiguration="" />
Scenario 1 (Intranet)
WCF Service Authorization:
• Role Manager feature is enabled and
WindowsTokenRoleProvider is configured for
roles authorization.
<serviceAuthorization principalPermissionMode="UseAspNetRoles”
roleProviderName="AspNetWindowsTokenRoleProvider" />

• Roles authorization can be performed


declaratively or imperatively in the operation
contract.
Scenario 1 (Intranet)
WCF Service Authorization:
• Perform role-checks declaratively using the
PrinciplePermission attribute.
• Use declarative check to authorize the user on
individual methods.
[PrincipalPermission(SecurityAction.Demand, Role = “SPL\\accounting")]
public string GetData(string message)
{
return "hello";
}
Scenario 1 (Intranet)
WCF Service Authorization:
• Perform role-checks imperatively using
IsUserInRole() method.
• Use programmatic check to authorize the user
based on business logic.
if(Roles.IsUserInRole(@“SPL\Accounting“))
{
//business operation for accounting
}
else
{
//business operation for others
}
Scenario 1 (Intranet)
WCF Service SQL:
• The connection string for database is
configured to use Windows Authentication.
The service does not impersonate the original
caller to benefit for connection pooling.
SqlConnection sqlcon = new SqlConnection("Server=10.3.19.11;Database=No
rthwind;IntegratedSecurity=SSPI");
Scenario 1 (Intranet)
WCF Service SQL:
• The connection string for database is
configured to use Windows Authentication.
The service does not impersonate the original
caller to benefit for connection pooling.
SqlConnection sqlcon = new SqlConnection("Server=10.3.19.11;Database=No
rthwind;IntegratedSecurity=SSPI;TrustedConnection=Yes");
Scenario 1 (Intranet)
Database Server:
• A SQL Server login is created for the WCF’s
service account (process identity).
exec sp_grantlogin 'Custom Service Account'
Scenario 1 (Intranet)
Database Server:
• The login is mapped to a database user for the
Web application.
use targetDatabase
go
exec sp_grantdbaccess ' Custom Service Account'
go
Scenario 1 (Intranet)
Database Server:
• The login is added to the database role.
• Grant minimum permissions. For example
grant execute permissions to selected stored
procedures and provide no direct table access.
use targetDatabase
go
exec sp_addrolemember 'DB Role Name‘, 'Custom Service Account'
go
Scenario 1 (Intranet)
Database Server - Authentication:
• SQL Server is configured to use Windows
Authentication.
Scenario 1 (Intranet)
Communication Security:
Browser to Web Server
• Use SSL between the browser and Web server
to protect sensitive data on the wire.
• Install certificate in the Web site. Configure
the virtual directory of the Web application to
use SSL.
Scenario 1 (Intranet)
Communication Security:
App Server to Database Server

• You can use IPSec or SSL between the App


Server and Database Server to protect
sensitive data on the wire.
Scenario 2 (Intranet)
Scenario 3 (Intranet)
Scenario 1 (Internet)
Scenario 1 (Internet)
• This scenario applies to you if:
• Your users have Windows Forms clients.
• Your user accounts are stored in SQL.
• Your user roles are stored in SQL.
• Your application transmits sensitive data over
the network that needs to be protected.
• The ability to host the WCF service in IIS is
more important than a high performance
connection between the ASP.NET application
and the WCF service.
Scenario 1 (Internet)
Scenario 1 (Internet)
In this solution you will:
• Use username and password to authenticate
users against the SQL Server Membership
Provider.
• Use a service account to call the SQL Server
from WCF.
• Use message security to protect sensitive data
between the ASP.NET application and the WCF
service.
• Use wsHttpBinding to allow IIS to host the
service.
Scenario 1 (Internet)
Thick Client - WCF Proxy:
• Thick Client has a proxy reference to the WCF
service.
• The application has access to the WCF
metadata to create a service reference.

WCFTestService.ServiceClient myService = new


WCFTestService.ServiceClient();
Scenario 1 (Internet)
Thick Client - WCF Proxy:
• Root CA certificate for the service is installed
in “Trusted Root Certification Authorities.”
• All certificates that are signed with this
certificate will be trusted by the client
machine.
Scenario 1 (Internet)
Thick Client - WCF Proxy:
• Pass user credentials to the WCF service when
calling service operations.

myService.ClientCredentials.UserName.UserName= "username";
myService.ClientCredentials.UserName.Password= "p@ssw0rd";
myService.GetData(123);
Scenario 1 (Internet)
Application Server – IIS Configuration:

• A dedicated application pool is created and


configured to run under a custom service
account.

• Use a domain account if possible.


Scenario 1 (Internet)
Application Server – IIS Authentication:

• The IIS virtual directory is configured to use


Anonymous access.
Scenario 1 (Internet)
WCF Service – Configuration:
• ASP.NET database is created for use with SQL
Membership Provider and SQL Role provider.

aspnet_regsql -S .\SQLExpress -E -A r m

• Aspnet_regsql.exe creates the SQL database


to store the user and role information.
Scenario 1 (Internet)
WCF Service – Configuration:
• Connection string is configured to point to the
user and role stored in SQL Server.
• The database connection string includes
Integrated Security=SSPI or
TrustedConnection=Yes for Windows
Authentication.
<add name="MyLocalSQLServer" connectionString="Initial
Catalog=aspnetdb;data source=localhost;Integrated
Security=SSPI;" />
Scenario 1 (Internet)
WCF Service – Configuration:
• SqlMembershipProvider is configured to use
with Membership.
<membership defaultProvider="MySqlMembershipProvider">
<providers>
<clear/>
<add name="MySqlMembershipProvider"
connectionStringName="MyLocalSQLServer"
applicationName="MyAppName"
type="System.Web.Security.SqlMembershipProvider"/>
</providers>
</membership>
Scenario 1 (Internet)
WCF Service – Configuration:
• The membership feature helps protect
credentials, can enforce strong passwords,
and provides consistent APIs for user
validation and secure user management.
Scenario 1 (Internet)
WCF Service – Configuration:
• Role Manager feature is enabled and
SqlRoleProvider is configured for roles
authorization.
<roleManager enabled="true”defaultProvider="MySqlRoleProvider" >
<providers>
<clear/>
<add name="MySqlRoleProvider”
connectionStringName="MyLocalSQLServer”
applicationName="MyAppName”
type="System.Web.Security.SqlRoleProvider"
/>
</providers>
</roleManager>
Scenario 1 (Internet)
WCF Service – Configuration:
• WCF Service process identity is given access
permissions on the ASP.NET database.

• Your WCF service process identity requires


access to the Aspnetdb database.
Scenario 1 (Internet)
WCF Service – Configuration:
• WCF Service is configured to use
wsHttpBinding binding.

• wsHttpBinding uses the HTTP protocol and


provides full support for SOAP security,
transactions, and reliability. As clients are in
the Internet, this is the only choice.
Scenario 1 (Internet)
• WCF Service – Configuration:

<endpoint address="" binding="wsHttpBinding"


bindingConfiguration="BindingConfiguration"
name="WsBinding" contract="IService"/>
Scenario 1 (Internet)
• WCF Service – Authentication:
• wsHttpBinding is configured to use Username
Authentication and Message security.

<wsHttpBinding>
<binding name="BindingConfiguration">
<security>
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
Scenario 1 (Internet)
• WCF Service – Authentication:
• Service behavior is configured to use
membership provider for using with username
authentication.

<userNameAuthentication
userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="MySqlMembershipProvider" />
Scenario 1 (Internet)
• WCF Service – Authentication:
• Service behavior is configured to publish
metadata.

<serviceMetadata httpGetEnabled="true" />


Scenario 1 (Internet)
• WCF Service – Authentication:
• Service certificate is installed on the WCF
Service machine. The service behavior is
configured to use the service certificate.

<serviceCertificate findValue="CN=machine.domain.com" />

• This is required for protecting the user


credentials in the message.
Scenario 1 (Internet)
• WCF Service – Authorization:
• Service behavior is configured to use
AspNetRoles with SqlRoleProvider.

<serviceAuthorization
principalPermissionMode="UseAspNetRoles"
roleProviderName="MySqlRoleProvider" />
Scenario 1 (Internet)
• WCF Service – Authorization:
• WCF Operations areconfigured to do role
checks at operation level,declaratively.
[PrincipalPermission(SecurityAction.Demand, Role="Managers")]
public string GetData(int value)
{
return string.Format("You entered: {0}", value);
}

• Declarative role-checks on operations is the


preferred mechanism.
Scenario 1 (Internet)
• WCF Service – Authorization:
• Roles APIs are used to do programmatic roles
checks, for fine grained access control.

If(Roles.IsUserInRole(“Manager”))
{
// do something for the manager
}
else
{
// throw an error.
}
Scenario 1 (Internet)
• WCF Service – SQL:
• The connection string for database is
configured to use Windows Authentication.

SqlConnection sqlcon = new


SqlConnection("Server=10.3.19.11;Database=Northwind;IntegratedSecurity=SSPI
");
Scenario 1 (Internet)
• WCF Service – SQL:
• Open the database connection using the WCF
process identity’s security context.

• Service does not impersonate the original


caller to benefit for connection pooling.
Scenario 2 (Internet)
Scenario 3 (Internet)
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
WCF Security Checklist
Questions?

También podría gustarte