Security Practices for WCF
Windows Communications Foundation (WCF) is Microsoft s still relatively new unified communications infrastructure for distributed applications. It brings together Web services, Microsoft Message Queue, .NET remoting, and other inter-application communication protocols and technologies into a single API, in theory making it easier to implement communications between the separate parts of a distributed application. Although it is a unifying technology, it is breathtakingly comprehensive and complex, and takes a lot of work to learn. Even worse, it takes a whole lot more work to learn how to use WCF securely.
I m tempted here to make a snide remark about how when Microsoft introduces a complex technology that is hard to secure, they don t typically work harder to make the technology simpler and more straightforward. Instead, the typical response is to call on the company s Patterns & Practices group to produce a comprehensive (read: long) guide to using the technology effectively and securely. But such an observation would probably be unfair; within five years or so there will be tools and wizards to simplify WCF. Maybe.
Ahem. But I digress.
In response to the glaring need to provide developers with information about using WCF securely, Microsoft has released version 1 of its WCF Security Guide, a 689-page guide to making your WCF-based applications safer and more secure. Like most Patterns & Practices guides, it is available on CodePlex for free download. Although not for the faint of heart, the guide provides just about everything you need to know about WCF security in just about every scenario in which you ll use WCF. It s an amazing resource that few developers will need to read in its entirety, but it is worthwhile for any WCF developer to peruse to know what is there and to get a feel for security issues with WCF.
The body of the guide is organized in four sections. But before you arrive at the first section, you ll find a section that briefly introduces you to the guide, along with forwards by Nicholas Allen, a WCF program manager, and Rocky Lhotka, a technology evangelist and architect for Magenic. Then there is a Solutions at a Glance chapter, a roadmap into the various solutions covered in the guide to find quick answers to WCF security problems. It s not really the place to start when you have a problem, but once you have a decent feel for WCF security it will steer you to the right solutions.
The final introductory chapter is Fast Track: A Guide for Getting Started and Applying the Guidance. Here s where you re likely to get lost and throw up your hands in despair if you don t already know WCF pretty well. The chapter provides a framework for approaching WCF security problems, as well as a way to think about those problems (and some likely solutions). It also includes some brief information about Web services security patterns, along with links to MSDN for more information. There is a lot here, but you ll probably want to skip past most of it to get into the meat of the guide, at least the first time through.
After all the introductory material, 36 pages later, you get to Part I of the guide: Security Fundamentals for Web Services. This part provides an overview of fundamental security concepts related to services, service-oriented design, and Service Oriented Architecture (SOA). Everyone should read these three chapters so that you have a solid understanding of the important security concepts, to begin developing the security way of thinking you need to succeed with WCF.
Part II, WCF Security Fundamentals, takes the security fundamentals from Part I and applies them to WCF. These 50 or so pages are the meat of this part of the guide, covering authentication, authorization, identities, impersonation and delegation, message and transport security, and bindings fundamentals. Here is where you ll discover that you ll need some pretty deep knowledge if you re going to effectively implement WCF security. Unlike other technologies where you can follow a few best practices, with WCF you have to earn your security.
Parts III and IV cover Intranet and Internet Application Scenarios, in that order. Here you ll find a set of scenarios on which you can base your application design. If your application scenario is similar to any of these seven scenarios, you ll find detailed information about how to determine whether the scenario applies to you, and the solution as a diagram and as text and tables. Usually, detailed tables cover every tier in the application, including a thick client, application server, and database server. You ll also find an analysis of the solution, with an example of how to implement it in your application. These parts contain most of the practical value of the guide.
The end matter in the guide includes a WCF security checklist, security guidelines, WCF security practices at a glance, and a Q&A section. It wraps up with a couple dozen comprehensive How To articles that show exactly how to implement various WCF security features. All in all, there is a wealth of security information here that represent the current state of best practices for WCF security.
The only real down side to the guide is its sheer heft and bulk. The PDF weighs in at just shy of 700 pages, and the writing is at times dense and detailed. Thankfully, you probably won t need to read it from cover to cover. Instead, read the introductory material and then the sections that apply to your situation. Most of all, don t let its length and depth deter you from making use of all the information here. Practice secure WCF!
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.