In the world of building client consumable APIs, security is always a priority. Let it be a web service, WCF or a remoting service, they cannot be vulnerable because they directly expose the operational methods to the outside clients.
In this article I will concentrate on the WCF service and take you through the top 7 tips in securing a WCF service. The top 7 list is based on my own sagacity and picked from the list of OWASP recommendations.
As a first point, the communication between the client and server should be secure. The intermediate hackers should not be able to interrupt the communication messages. In WCF there is a feature called Transfer Security, which is intended to make the communication a secure one. There are two types of Transfer Security modes.
The security will be enforced at the transport layer level. This means the transport layer will mask the plain message. Transport Security will help in maintaining the good performance level of the WCF service where as it can’t be used on the service that is hosted on the internet or on a network where there is an intermediate router or any other proxy server. It is best suited for the WCF services hosted on the intranet.
netTcpBinding has the default security mode as Transport.
2. Message Security
The communication message will be encrypted in this case. It is best suited for the WCF services that are hosted and available over the internet.
wsHttpBinding has the default security mode as Message.
Shown below is the sample web.config entry to set the security mode for a particular binding.
<bindings> <wsHttpBinding> <binding> <security mode="Transport/Message"></security> </binding> </wsHttpBinding> </bindings>
Authentication is an important piece during the process of client and server communication. Basically the WCF service should ensure that it is serving the request of a legitimate client. Below are some of the tips to implement authentication.
1. In the case of intranet WCF services, you can better choose windows authentication. A powerful credential management and enforcement is guaranteed.
2. When you decide to use username and password validation then make use of the membership providers instead of implementing a custom authentication mechanism. It will provide you more sophistication with less development effort.
3. It is also advisable for the client not to hard code or configure the credentials, rather prompt the user every time.
4. If you plan to use custom authentication then make use of in build WCF classes like System.IdentityModel.Selectors.UserNamePasswordValidator to validate the user credentials.
Enable WCF Audit and Message Logs
In order to get the audit information, you need to enable the WCF Audit and message logs. It will allow you to monitor the incoming requests to your WCF service.
WCF Audit will log the security events of your service. It includes authentication success or failure. The information will get logged to the event viewer’s security log or application log. Below is how the WCF auditing feature has to be enabled.
<behaviors> <serviceBehaviors> <behavior> <serviceSecurityAudit auditLogLocation="Security" suppressAuditFailure="True" serviceAuthorizationAuditLevel="SuccessOrFailure" messageAuthenticationAuditLevel="SuccessOrFailure"/> </behavior> </serviceBehaviors> </behaviors>
Enabling message logs will log the incoming messages that are processed by the service onto the configured logs. The message logging can be enabled by configuring the below mentioned tag and its attributes.
<diagnostics> <messageLogging logEntireMessage="True"></messageLogging> </diagnostics>
These WCF process instrumentation logs will help you in investigating potential hack attempts.
Use Replay Detection Feature
Some hackers may well intercept the WCF request message and try to replay those requests multiple times. This can be prevented using a WCF feature called replay detection. In order to create replay detection a custom binding is required. Its security tag’s local client and service settings should be configured with the below attribute values.
Exception Handling – Fault Contracts
Another important security part to take care of while developing a WCF service is not to disclose detailed exception information like the exception message or the stack trace to the client application. It is always recommended to use the FaultContracts to transport any operation failure with generic error information.
Host the Service on IIS
Host the WCF service on IIS in order to take full advantage of the IIS features like authentication, certificate set up and other processing features.
The WCF service should be hosted under SSL in order to create trust between the clients. This will provide the confidence to the clients that they will not get into any phishing attacks.