Browse by Tags

• Indigo
• Message Security
• Service Architecture
• Transport Security

• WCF Security Guide Released

  If you've been following along, I have mentioned the WCF security guide project being worked on in the patterns and practices team a few times now. After months of drafts and betas, the complete guide is now ready for official release. The WCF security guide is available as a free download. Read More... Posted Wednesday, August 06, 2008 8:00 AM from Nicholas Allen's Indigo Blog | 0 Comments Filed under: Indigo, Announcements, Transport Security, Security, Message Security

• Improving Web Services Security Beta Guide

  The WCF Security Guide content that I've mentioned a few times before is now done with early drafts and has been rolled up into a beta release of the full book. There's a ton of content in the real thing on top of what you've been seeing in the drafts. You can download the beta of the full security guide from CodePlex now. If you want to know what I think about the guide, here's the foreword I wrote for them: The computer industry has come to a realization – based on many years of slowly learning from painful experiences – that computer networks are hostile environments. Nevertheless, computer users demand as part of their basic expectations that applications take advantage of the ubiquitous and continuously available connectivity at their disposal to deliver a rich connected experience. It is now your task to design and assemble the loosely coupled service components that you have available in a way that blunts threats and thwarts attacks on the user’s precious assets. Your applications must withstand the hazards of living in a hostile networked environment. To make that possible, you must understand the risks that your applications face and you must be certain that the remedies you put in place properly mitigate the dangers of those risks. As someone who has been through several rounds of security and threat modeling for Windows Communication Foundation, I can say without hesitation that knowledge and experience are your greatest assets for designing secure Web service applications. The trick is to gain as much of that knowledge as possible from the painful experiences of other people rather than painful experiences of your own. J.D. Meier and team have done a fantastic job of assembling and digesting countless practical experiences into a convenient and centralized resource. Practitioners of service-oriented development with WCF will want to use this guide as both a means of learning about the fundamentals of Web service security and a reference for getting specific, step-by-step instructions for dozens of the most common security problems. I enjoy that this guide collects together several different approaches for learning about and implementing security solutions. By combining a variety of formats – scenarios, how-to articles, and guidelines are only a sample of the offered modes – solutions are both reinforced and made more easily discoverable through different entry points. The reason that I’m so excited to see Improving Web Services Security: Scenarios Read More... Posted Thursday, June 05, 2008 8:00 AM from Nicholas Allen's Indigo Blog | 0 Comments Filed under: Indigo, Announcements, Transport Security, Service Architecture, Security, Message Security

• Updates to WCF Security Guidance

  After the first announcement for the WCF Security Guidance Project , the amount of content has grown tremendously. Here's a summary of what's new over the last month. Seven new application scenarios: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem TCP) Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP) Intranet - Web to Remote WCF Using Transport Security (Original Caller, TCP) Intranet - Windows Forms to Remote WCF Using Transport Security (TCP) Internet - Web to Remote WCF Using Transport Security (Trusted Subsystem) Internet - Windows Forms Client Calling WCF Using Message Security Internet - WCF and ASMX Client to Remote WCF Using Transport Security (HTTP) More than eighty annotated guidelines . Six new how-to guides: How To - Perform Input Validation in WCF How To - Perform Message Validation with Schemas in WCF How To - Use basicHttpBinding with Windows Authentication and TransportCredentialOnly in WCF from Windows Forms How To - Use Certificate Authentication and Message Security in WCF calling from Windows Forms How To - Use netTcpBinding with Windows Authentication and Message Security in WCF from Windows Forms How To - Use wsHttpBinding with Username Authentication and TransportWithMessageCredential in WCF calling from Windows Forms Answers to more than one hundred security questions . Read More... Posted Tuesday, May 06, 2008 8:00 AM from Nicholas Allen's Indigo Blog | 0 Comments Filed under: Indigo, Announcements, Transport Security, Security, Message Security

• General Security Guidance Videos

  After talking about some of the work on WCF security I thought I'd mention an unrelated but similarly beneficial collection of videos on the MSDN security developer center . These security videos cover a wide variety of topics, each in the format of explaining how to solve a particular problem. The videos aren't specific to WCF so you might not be interested in all of them but there are quite a few that should be usable either directly or with minor adaptation. Look at the problem proposed in the video title and don't be afraid to skip through sections that go into detail on a technology that you're not using. The videos on general security topics, such as user principals or cryptography, tend to carry over the best. Read More... Posted Wednesday, April 02, 2008 8:00 AM from Nicholas Allen's Indigo Blog | 0 Comments Filed under: Announcements, Security

• WCF Security Guidance Project

  The patterns & practices team at Microsoft has put together their first release of guidance for WCF security . They've included how-to guides and videos that walk you through a number of security tasks, such as working with certificates and configuring role providers. The overall guide is still under development so these represent individual modules that are being published as they're completed. Here's what's currently available: How To - Create and Install Temporary Certificates in WCF for Message Security During Development How To - Create and Install Temporary Certificates in WCF for Transport Security during Development How To - Impersonate the Original Caller in WCF calling from Web Application How To - Impersonate the Original Caller in WCF calling from Windows Forms How To - Use netTcpBinding with Windows Authentication and Transport Security in WCF from Windows Forms How To - Use SQL Role Provider with Username Authentication in WCF calling from Windows Forms How To - Use SQL Role Provider with Windows Authentication in WCF calling from Windows Forms How To - Use Username Authentication with the SQL Membership Provider and Message Security in WCF from Windows Forms How To - Use wsHttpBinding with Windows Authentication and Message Security in WCF from Windows Forms How To - Use wsHttpBinding with Windows Authentication and Transport Security in WCF calling from Windows Forms Video: How To - Host WCF in a Windows Service (Length: 2:45 - Size: 1.2MB) Video: How To - Impersonate the Original Caller in WCF calling from a Windows Form (Length: 2:15 - Size: 1MB) Video: How To - Use basicHttpBinding with Certificate Authentication from Windows Forms (Length: 2:38 - Size: 1.1MB) Video: How To - Use netTcpBinding with Windows Authentication and Message Security (Length: 1:55 - Size: 1.5 MB) Video: How To - Use SQL Role Provider with Username Authentication in WCF calling from Windows Forms (Length: 3:28 - Size: 1.8MB) Video: How To - Use WsHttpBinding with Certificate Authentication with Message Security (Length: 1:01 - Size: 757KB) Video: How To - Use WsHttpBinding with Windows Authentication with Message Security (Length: 1:41 - Size: 781kb) Video: How To - Create and Install temporary Certificates in WCF for Transport Security during Development (Length: 3:45 - Size: 2.3MB) Video: How To - Create and Install temporary Certificates in WCF for Message Security during Development (Length: 3:40 - Size: 2.3MB) Intranet - Web App to Remote WCF to SQL Server Read More... Posted Monday, March 31, 2008 8:00 AM from Nicholas Allen's Indigo Blog | 0 Comments Filed under: Indigo, Announcements, Transport Security, Security, Message Security