tags:

views:

138

answers:

2
+1  Q: 

WCF Security and what to use in this situation.....

I have a client/server application that has many client machines and one service on a server.....

On the server side I will be using a Windows Service to host my WCF service. The service will be passing data across the internet to the client machines. I figure I will be using wsHttpBinding with message level security, which requires a username or a certificate.

Now here's the problem.....

-We don't want to have the user log in to the system

-there is no Windows Authentication on the client machines

-and I would use certificates but, we have tons of client machines going out everyday, so installing certificates manually on each machine is not gonna be an option (unless it can all be done through code... and I mean creation and installing)

anybody have any ideas on how to secure this kind of service? Thanks in advance

Peace

A: 

In your scenario, it seems like you're looking for the "basicHttpBinding" with no security whatsoever.

<bindings>
  <basicHttpBinding>
    <binding name="NoSecurity">
      <security mode="None" />
    </binding>
  </basicHttpBinding>
</bindings>

and then configure your endpoints to use that binding configuration:

<system.serviceModel>
    <services>
        <service name="YourNamespace.YourService"
                 behaviorConfiguration="MyServiceBehavior">
           <endpoint address="" 
                     binding="basicHttpBinding" 
                     bindingConfiguration="NoSecurity" 
                     contract="YourNamespace.IMyService">
            </endpoint>
            <endpoint address="mex" 
                      binding="mexHttpBinding" 
                      contract="IMetadataExchange" />
        </service>
    </services>

There's also a really good blog post series that talk about the basics of WCF security in terms of five different, typical scenarios - excellent read! Your scenario would be the "No security at all" scenario.

Another good introductory article is Michele Leroux Bustamante's Fundamentals of WCF Security.

A more thorough (but also more complex) set of guidance for WCF can be found at the WCF Security Guidance on Codeplex.

Marc

marc_s  2009-08-05 18:12:18
A quick note about basicHttpBinding. If you need any of the WS-* capabilities, then you will want to use the wsHttpBinding. The basicHttpBinding is absolutely bare-bones, and doesn't offer much of anything beyond simple SOAP communication. You can still use no security with the wsHttpBinding if thats what is needed.
jrista  2009-08-05 18:19:07
yeah, I read the Fundamentals of WCF Securiy blog..... lol.. I actually have her book.....and I am currently using basicHttpBinding for testing, but won't this solution leave me open for attack? WCF encrypts data by default right? but is that enough?
DJ Burb  2009-08-05 18:19:40
Is it enough? depends on your needs and scenario :-) So "it depends"As jrista notes - the basicHttpBinding is just that - very very basic. If you ever imagine wanting to have more security, or possibly things like reliable messaging etc., you should absolutely use the wsHttpBinding instead.
marc_s  2009-08-05 18:25:43
wshttpbinding encrypts by default, not all WCF bindings.
Shiraz Bhaiji  2009-08-05 18:25:58
As long as you don't require any proof on the client's side - neither a certificate, nor a username/password combination, nor Windows credentials - anyone can call your service, obviously. As long as your service is written in a safe manner, that just means any troll can send you messages - but only those that you've defined.
marc_s  2009-08-05 18:26:45
A: 

Since you will be using an app wirtten by yourself. You can use wshttpbinding with username and password authentication (Client credential type basic) where your app reads the username and password from a config file.

http://msdn.microsoft.com/en-us/library/ms731299.aspx

EDIT

The windows service could run under an account that the user does not have the password for. The service is in a directory that is protected with ACLs, such that the user of the machine does not have access to the config file.

Shiraz Bhaiji  2009-08-05 18:33:01
thanks Shiraz..... that MIGHT be just what I am looking for.... I'll look into trying this.
DJ Burb  2009-08-05 18:37:31
You really aren't gaining much security here... anyone who is on one of those machines would be able to get this configuration file.You are better off just encrypting and just allowing any yahoo send you data. You are basically going to have to guard against that anyway with this approach. At least with some encryption, the data flying back and forth from your other clients can't be seen.
Anderson Imes  2009-08-05 19:47:54
90% of successful corporate hacking is done by employees of said corporation.
Anderson Imes  2009-08-05 19:49:29
yeah Anderson, you are correct, I am looking into using this approach: http://msdn.microsoft.com/en-us/library/ms752231.aspxIt's a service certificate with the client just have the findValue in its configuration file ... but is there a way to create your own PERMANENT certificate..... or can you only create temporary ones?
DJ Burb  2009-08-05 20:06:55

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security