Welcome to Windows Communication Foundation (WCF)


Browse by Tags

All Tags » Indigo » Security

  • Certificate Revocation Cache

    How do I force propagation of changes to information about a certificate revocation list after an update? A service is going to have several kinds of caching around the information that links the certificate to revocation information. The first kind of caching is based on the revocation mode of the certificate. A revocation mode of NoCheck disables checking on the certificate while a revocation mode of Offline directs checking to use a cached certificate revocation list. A revocation mode of Online gets the freshest data. The second kind of caching is at the service process. Information is stored in memory as long as the process continues to run to reduce the number of active checks required. This memory cache is cleared when the process restarts. The third kind of caching is at the machine. Information is cached by the machine for a limited time to again reduce the number of active checks required. The machine cache can be viewed by running "certutil -urlcache" and the same command is used to delete or force updating of specific cache entries. Next time: Getting Rid of Namespaces Read More...
  • WCF Security Guide Released

    If you've been following along, I have mentioned the WCF security guide project being worked on in the patterns and practices team a few times now. After months of drafts and betas, the complete guide is now ready for official release. The WCF security guide is available as a free download. Read More...
  • Trusting IP Addresses

    How do I find the address of a client connection to make a trust decision? Don't base security decisions on the perceived client address. Any address that we have comes from the underlying socket implementation and could be spoofed. The data that the socket has is sourced by the client. You should be using a source of information that has a verification process that the server trusts, such as a certificate, to distinguish clients. Next time: Reader Trends Read More...
  • Configuring SSL Host Headers

    Host headers in IIS are a way to associate multiple names with a single address. The typical use of host headers is to be able to host more than one web site at a single IP address by giving each of the web sites a distinct DNS name. Host headers also play a role in WCF beyond the definition of a web site. Metadata for a web service, such as that appearing in WSDL, uses host headers as a way to pick a preferred name when talking about the service. The user interface for setting host headers is relatively straightforward when the web site is hosted over HTTP but becomes a challenge when the web site is hosted over HTTPS. Here are the command line equivalents that you can use to set HTTPS host headers. On IIS 6, you need to know the id of the web site. Assuming that SSL is taking place on the default port, the command looks like this.

        cscript.exe adsutil.vbs set w3svc/<id>/SecureBindings ":443:<header>"

    On IIS 7, the command line looks very different due to the more flexible but complicated support for different web site bindings. You can also use a name that's meaningful for you to distinguish web sites.

        appcmd set site /site.name:<name> /+bindings.[protocol='https',bindingInformation='*:443:<header>']

    To keep the example simple, I'm assuming that you're adding a new binding rather than modifying an existing binding. Next time: Transaction Header Magic Read More...
  • Security Session Inactivity

    What does the InactivityTimeout on a secure channel do? The inactivity timeout on a message security channel controls how long the channel will allow pending security sessions to linger in its cache before giving up on them. This is completely different from the inactivity timeout on a reliable messaging channel, which controls how long the reliable session will live without an infrastructure message before being torn down, and the inactivity timeout in the application, which controls how long the service instance will live without an application message before being torn down. Next time: JSON Service Speed Read More...
  • Mapping Client Certificates

    Whenever my service receives a message the service operation fails because the user identity is not mapped to a Windows identity. How can I make this mapping? What's probably going wrong is that the user identity is specified by a certificate but there's no active mapping from the client certificate to a Windows account. By default, no mapping is performed. You can enable certificate mapping by setting mapClientCertificateToWindowsAccount on the service credentials to be true.

        <serviceCredentials>
          <clientCertificate>
            <authentication mapClientCertificateToWindowsAccount="true" />
          </clientCertificate>
        </serviceCredentials>

    The actual mappings are not provided by the service configuration. Mappings are typically defined using the certificate mapping features of either IIS or Active Directory. IIS mappings can be varied from web site to web site but it's difficult to manage more than a small number of mappings. Active Directory mappings are the same all across the directory but the centralized directory makes the mappings easier to manage. Next time: How WebServiceHost Works Read More...
  • Improving Web Services Security Beta Guide

    The WCF Security Guide content that I've mentioned a few times before is now done with early drafts and has been rolled up into a beta release of the full book. There's a ton of content in the real thing on top of what you've been seeing in the drafts. You can download the beta of the full security guide from CodePlex now. If you want to know what I think about the guide, here's the foreword I wrote for them: The computer industry has come to a realization – based on many years of slowly learning from painful experiences – that computer networks are hostile environments. Nevertheless, computer users demand as part of their basic expectations that applications take advantage of the ubiquitous and continuously available connectivity at their disposal to deliver a rich connected experience. It is now your task to design and assemble the loosely coupled service components that you have available in a way that blunts threats and thwarts attacks on the user’s precious assets. Your applications must withstand the hazards of living in a hostile networked environment. To make that possible, you must understand the risks that your applications face and you must be certain that the remedies you put in place properly mitigate the dangers of those risks. As someone who has been through several rounds of security and threat modeling for Windows Communication Foundation, I can say without hesitation that knowledge and experience are your greatest assets for designing secure Web service applications. The trick is to gain as much of that knowledge as possible from the painful experiences of other people rather than painful experiences of your own. J.D. Meier and team have done a fantastic job of assembling and digesting countless practical experiences into a convenient and centralized resource. 
Practitioners of service-oriented development with WCF will want to use this guide as both a means of learning about the fundamentals of Web service security and a reference for getting specific, step-by-step instructions for dozens of the most common security problems. I enjoy that this guide collects together several different approaches for learning about and implementing security solutions. By combining a variety of formats – scenarios, how-to articles, and guidelines are only a sample of the offered modes – solutions are both reinforced and made more easily discoverable through different entry points. The reason that I’m so excited to see Improving Web Services Security: Scenarios Read More...
  • Updates to WCF Security Guidance

    After the first announcement for the WCF Security Guidance Project, the amount of content has grown tremendously. Here's a summary of what's new over the last month.

    Seven new application scenarios:
      - Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)
      - Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
      - Intranet - Web to Remote WCF Using Transport Security (Original Caller, TCP)
      - Intranet - Windows Forms to Remote WCF Using Transport Security (TCP)
      - Internet - Web to Remote WCF Using Transport Security (Trusted Subsystem)
      - Internet - Windows Forms Client Calling WCF Using Message Security
      - Internet - WCF and ASMX Client to Remote WCF Using Transport Security (HTTP)

    More than eighty annotated guidelines.

    Six new how-to guides:
      - How To - Perform Input Validation in WCF
      - How To - Perform Message Validation with Schemas in WCF
      - How To - Use basicHttpBinding with Windows Authentication and TransportCredentialOnly in WCF from Windows Forms
      - How To - Use Certificate Authentication and Message Security in WCF calling from Windows Forms
      - How To - Use netTcpBinding with Windows Authentication and Message Security in WCF from Windows Forms
      - How To - Use wsHttpBinding with Username Authentication and TransportWithMessageCredential in WCF calling from Windows Forms

    Answers to more than one hundred security questions. Read More...
  • Messaging Additions in Orcas, Part 2

    Continuing on with the theme of messaging additions in Orcas, today I'll look at some more of the protocols and community-driven features that were added.
      - WS Atomic Transaction 1.1. Transactions tie together multiple participants in a distributed application. The framework of transactions is built on various coordination protocols between parties. Transactions are a kind of coordination in which either all or none of the parties agree to perform an action.
      - Validation for issued token certificates. We've added support for configuring the certificate validation policy for issued token authentication, similar to the configuration for other certificates that are used for service credentials.
      - Flowing SAML tokens. We've added support to flow a SAML assertion without having to re-sign the token. This allows these assertions to be handled by proxies without special configuration.
      - Using message contents for authorization. We've added support to ServiceAuthorizationManager for performing access checks that make use of the body of the message.
      - WS Secure Conversation 1.3. A secure conversation is an exchange of multiple, protected messages. Using a conversation mechanism allows a security context to be established across several messages, which performs better than having to exchange security keys with every message.
      - WS Trust 1.3. Building a secure conversation requires that the two parties exchange security credentials. In order to perform this exchange, the two parties need to establish a trust relationship where they can evaluate the assertions made by the other side.
    The protocols that I've talked about today and last time are available through the new WS2007HttpBinding and WS2007FederationHttpBinding as updates to the previous web service standard bindings. Next time: Messaging Additions in Orcas, Part 3 Read More...
  • Hosting Identity

    How can I run a service operation hosted in IIS using a specific identity? There are two ways for your operation to be running using a specific identity: start off running under that identity; or, start off running under a different identity and change to the right identity later. You can make either approach work although having to change the identity every time a service operation is called will introduce a small performance hit. Let's look at the two options. Impersonation is a mechanism that you can use to change to the right identity when the service operation is invoked. I've talked about impersonation in the past, mostly for impersonating the caller rather than impersonating a specific identity. However, impersonating a specific identity works in much the same way in terms of the Windows calls involved and is generally simpler in terms of the service setup required. That simplicity partially comes from not having the client involved in the act of impersonation but also because impersonating a specific identity doesn't have the same level of configurable options for automatically applying impersonation rules. The application pool is a mechanism that you can use to start with the right identity. This approach assumes that your service always wants to be running under the same specific identity. That partially covers the case of those missing configuration options. By default your application pool runs under the Network Service account. You can change that application pool identity to be any specific identity you want.
      - Configuring Application Pool Identity with IIS 6.0 (IIS 6.0)
      - IIS 7.0: Specify an Identity for an Application Pool
    This may require reorganizing how applications map into pools because the identity is shared by everyone in that pool. Next time: Why Dual is Reliable Read More...
  • Default ProtectionLevel for Standard Bindings

    Previously I've described how messages are protected by using the ProtectionLevel attribute to specify the minimum level of protection. If you don't specify a protection level explicitly, then you'll get one by default that is computed based on the binding. This default protection level is the maximum protection level that the binding can achieve with the configuration that you've given it. Every configuration is going to be different so the only way to definitively know your protection level is to check. If you start with one of the standard bindings though, then here's what your protection level will be assuming that you haven't applied any configuration changes.
      - BasicHttpBinding: None
      - BasicHttpContextBinding: None
      - NetNamedPipeBinding: EncryptAndSign
      - NetPeerTcpBinding: None
      - NetTcpBinding: EncryptAndSign
      - NetTcpContextBinding: EncryptAndSign
      - WebHttpBinding: None
      - WSDualHttpBinding: EncryptAndSign
      - WSFederationHttpBinding: EncryptAndSign
      - WSHttpBinding: EncryptAndSign
      - WSHttpContextBinding: EncryptAndSign
      - WS2007FederationHttpBinding: EncryptAndSign
      - WS2007HttpBinding: EncryptAndSign
    Next time: Running Setup with Pkgmgr Read More...
  • The Pipe DACL

    When a named pipe channel listener creates a new named pipe it has to supply a discretionary ACL that describes who can connect to the pipe. Here is how that DACL is constructed:
      - An access control entry is added to deny GENERIC_ALL access to the well-known network SID (S-1-5-2).
      - Access control entries are added to allow GENERIC_READ and GENERIC_WRITE access to a list of SIDs that is defined on the binding element. The default is to allow the well-known world SID (S-1-1-0). Since this list is an internal setting, you will almost always be using the default.
      - An access control entry is added to allow GENERIC_READ and GENERIC_WRITE access to the well-known creator owner SID (S-1-3-0).
    And that's how the DACL gets built. There are also a few other settings required to create the pipe, if you're interested in their values. The pipe is bidirectional (PIPE_ACCESS_DUPLEX), data is written to the pipe as messages (PIPE_TYPE_MESSAGE), data is read from the pipe as messages (PIPE_READMODE_MESSAGE), we use overlapped IO (FILE_FLAG_OVERLAPPED), and if this is the first pipe created by the listener, then we need to say that more pipes are coming (FILE_FLAG_FIRST_PIPE_INSTANCE). Next time: Writing Multiple Detail Elements in Faults Read More...
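    As an added example (not WCF's internal code), the same DACL and creation settings expressed with the managed System.IO.Pipes wrappers. FullControl and ReadWrite are the managed names used here for GENERIC_ALL and GENERIC_READ | GENERIC_WRITE, and the pipe name is a placeholder.

```csharp
using System;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;

public static class PipeDaclExample
{
    // Rebuilds the three ACEs described above. allowedSids plays the role of the
    // list on the binding element; when empty, the default of world (S-1-1-0) applies.
    public static PipeSecurity BuildDacl(params SecurityIdentifier[] allowedSids)
    {
        var dacl = new PipeSecurity();

        // 1. Deny GENERIC_ALL to the well-known network SID (S-1-5-2): callers whose
        //    token came from a network logon are refused before any data flows.
        dacl.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.NetworkSid, null),
            PipeAccessRights.FullControl, AccessControlType.Deny));

        // 2. Allow GENERIC_READ | GENERIC_WRITE to the configured SIDs (default: world).
        if (allowedSids.Length == 0)
            allowedSids = new[] { new SecurityIdentifier(WellKnownSidType.WorldSid, null) };
        foreach (SecurityIdentifier sid in allowedSids)
            dacl.AddAccessRule(new PipeAccessRule(sid, PipeAccessRights.ReadWrite, AccessControlType.Allow));

        // 3. Allow GENERIC_READ | GENERIC_WRITE to creator owner (S-1-3-0).
        dacl.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null),
            PipeAccessRights.ReadWrite, AccessControlType.Allow));

        return dacl;
    }

    // The other settings the post lists: duplex, message type and read mode, overlapped
    // (asynchronous) IO. FILE_FLAG_FIRST_PIPE_INSTANCE has no switch in this managed
    // overload; MaxAllowedServerInstances leaves room for the further instances.
    public static NamedPipeServerStream CreateListenerPipe(string pipeName)
    {
        return new NamedPipeServerStream(pipeName, PipeDirection.InOut,
            NamedPipeServerStream.MaxAllowedServerInstances,
            PipeTransmissionMode.Message, PipeOptions.Asynchronous,
            0, 0, BuildDacl());
    }

    public static void Main()
    {
        // "wcf-dacl-demo" is a placeholder pipe name for this example.
        using (NamedPipeServerStream pipe = CreateListenerPipe("wcf-dacl-demo"))
        {
            // Print the resulting DACL as SDDL so it can be compared with what a
            // running WCF listener actually exposes on its pipes.
            Console.WriteLine(pipe.GetAccessControl()
                .GetSecurityDescriptorSddlForm(AccessControlSections.Access));
        }
    }
}
```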
  • WCF Security Guidance Project

    The patterns & practices team at Microsoft has put together their first release of guidance for WCF security. They've included how-to guides and videos that walk you through a number of security tasks, such as working with certificates and configuring role providers. The overall guide is still under development so these represent individual modules that are being published as they're completed. Here's what's currently available:
      - How To - Create and Install Temporary Certificates in WCF for Message Security During Development
      - How To - Create and Install Temporary Certificates in WCF for Transport Security during Development
      - How To - Impersonate the Original Caller in WCF calling from Web Application
      - How To - Impersonate the Original Caller in WCF calling from Windows Forms
      - How To - Use netTcpBinding with Windows Authentication and Transport Security in WCF from Windows Forms
      - How To - Use SQL Role Provider with Username Authentication in WCF calling from Windows Forms
      - How To - Use SQL Role Provider with Windows Authentication in WCF calling from Windows Forms
      - How To - Use Username Authentication with the SQL Membership Provider and Message Security in WCF from Windows Forms
      - How To - Use wsHttpBinding with Windows Authentication and Message Security in WCF from Windows Forms
      - How To - Use wsHttpBinding with Windows Authentication and Transport Security in WCF calling from Windows Forms
      - Video: How To - Host WCF in a Windows Service (Length: 2:45 - Size: 1.2MB)
      - Video: How To - Impersonate the Original Caller in WCF calling from a Windows Form (Length: 2:15 - Size: 1MB)
      - Video: How To - Use basicHttpBinding with Certificate Authentication from Windows Forms (Length: 2:38 - Size: 1.1MB)
      - Video: How To - Use netTcpBinding with Windows Authentication and Message Security (Length: 1:55 - Size: 1.5 MB)
      - Video: How To - Use SQL Role Provider with Username Authentication in WCF calling from Windows Forms (Length: 3:28 - Size: 1.8MB)
      - Video: How To - Use WsHttpBinding with Certificate Authentication with Message Security (Length: 1:01 - Size: 757KB)
      - Video: How To - Use WsHttpBinding with Windows Authentication with Message Security (Length: 1:41 - Size: 781kb)
      - Video: How To - Create and Install temporary Certificates in WCF for Transport Security during Development (Length: 3:45 - Size: 2.3MB)
      - Video: How To - Create and Install temporary Certificates in WCF for Message Security during Development (Length: 3:40 - Size: 2.3MB)
    Intranet - Web App to Remote WCF to SQL Server Read More...
  • Overriding Protection for IPSec

    How do I use username credentials with IPSec? I'm told that I need to turn on security but my connection is already secure. WCF only permits username tokens to be transmitted over a binding that's secure. If a username and password are transmitted without some way of obscuring their values, then that essentially allows anyone that can read the message to steal those credentials. There are many meanings that could be applied to the word secure, but in this case the definition of secure is only that the binding promises to protect the data that's transmitted by providing confidentiality. IPSec is a way to provide security that's external to the service. It can be used together with a binding that doesn’t ordinarily provide security, but the binding has no way of knowing that its security has been upgraded. The mechanism for making security promises on a binding is ISecurityCapabilities. This interface defines the supported protection levels for transmitting messages as well as various other security properties. When security is externally provided, you can use this interface to pretend like the binding is more secure than it really is so that the security capabilities match the actual environment. When using IPSec, requests and responses can be confidential and tamper-proof. This corresponds to a protection level of EncryptAndSign. This is implemented by wrapping the channel to provide a custom set of security capabilities from GetProperty. You'll want to get the ISecurityCapabilities from the underlying channel and then take the maximum of those capabilities together with the capabilities of your external security. Next time: The Pipe DACL Read More...
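    An added C# example (not WCF's own code) that serves both this post and the Default ProtectionLevel post above: ExternalSecurityBindingElement is a hypothetical binding element that merges the inner ISecurityCapabilities with an externally provided protection level, and ProtectionLevelCheck.RequestLevel is the "just check" step, asking a binding what it actually promises.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical binding element (not part of WCF): placed at the top of the channel stack,
// it raises the ISecurityCapabilities the stack reports to account for security provided
// outside WCF, such as IPSec, in the way the post describes.
public class ExternalSecurityBindingElement : BindingElement
{
    readonly ProtectionLevel externalLevel;
    public ExternalSecurityBindingElement(ProtectionLevel externalLevel) { this.externalLevel = externalLevel; }
    public override BindingElement Clone() { return new ExternalSecurityBindingElement(externalLevel); }

    public override T GetProperty<T>(BindingContext context)
    {
        if (typeof(T) != typeof(ISecurityCapabilities))
            return context.GetInnerProperty<T>();
        // Merge what the underlying channel promises with what the environment provides.
        ISecurityCapabilities inner = context.GetInnerProperty<ISecurityCapabilities>();
        return (T)(object)new MergedCapabilities(inner, externalLevel);
    }

    class MergedCapabilities : ISecurityCapabilities
    {
        readonly ISecurityCapabilities inner;
        readonly ProtectionLevel external;
        public MergedCapabilities(ISecurityCapabilities inner, ProtectionLevel external)
        { this.inner = inner; this.external = external; }

        // ProtectionLevel is ordered None < Sign < EncryptAndSign, so the larger value wins.
        static ProtectionLevel Max(ProtectionLevel a, ProtectionLevel b) { return a > b ? a : b; }
        ProtectionLevel Inner(Func<ISecurityCapabilities, ProtectionLevel> pick)
        { return inner == null ? ProtectionLevel.None : pick(inner); }

        public ProtectionLevel SupportedRequestProtectionLevel
        { get { return Max(Inner(c => c.SupportedRequestProtectionLevel), external); } }
        public ProtectionLevel SupportedResponseProtectionLevel
        { get { return Max(Inner(c => c.SupportedResponseProtectionLevel), external); } }
        // IPSec tells WCF nothing about authentication, so those answers pass through unchanged.
        public bool SupportsClientAuthentication { get { return inner != null && inner.SupportsClientAuthentication; } }
        public bool SupportsClientWindowsIdentity { get { return inner != null && inner.SupportsClientWindowsIdentity; } }
        public bool SupportsServerAuthentication { get { return inner != null && inner.SupportsServerAuthentication; } }
    }
}

public static class ProtectionLevelCheck
{
    // The definitive check from the protection-level post: ask the binding itself.
    public static ProtectionLevel RequestLevel(Binding binding)
    {
        var caps = binding.GetProperty<ISecurityCapabilities>(new BindingParameterCollection());
        return caps == null ? ProtectionLevel.None : caps.SupportedRequestProtectionLevel;
    }

    public static void Main()
    {
        foreach (Binding b in new Binding[] { new BasicHttpBinding(), new NetTcpBinding(), new WSHttpBinding() })
            Console.WriteLine("{0}: {1}", b.GetType().Name, RequestLevel(b));

        // BasicHttpBinding promises None on its own; with the IPSec marker on top of its
        // elements the same stack reports EncryptAndSign.
        BindingElementCollection elements = new BasicHttpBinding().CreateBindingElements();
        elements.Insert(0, new ExternalSecurityBindingElement(ProtectionLevel.EncryptAndSign));
        Console.WriteLine("BasicHttpBinding over IPSec: {0}", RequestLevel(new CustomBinding(elements)));
    }
}
```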
  • Getting Caught by Loopback

    I'm trying to connect to a service on the same machine using Windows credentials and getting an authentication error. I can connect to the service from other machines. I can also connect to the service if I set up an endpoint that listens on the loopback address. What's going on here? These symptoms suggest that the client on the local machine is being rejected by a security check in Windows on the loopback address. This check prevents you from connecting on a loopback address unless the service was specifically configured to listen on the loopback address. The reason for this check is to stop a security attack called a reflection attack. A reflection attack redirects a security challenge back to the same machine in hopes of getting the machine to answer its own challenge. Since the security check is in Windows rather than in WCF you shouldn't expect a simple knob on your service to fix this. However, you can try configuring the client with a user principal name for the service. Having a UPN helps you pass the check because in some cases it allows Windows to recognize that an attack is not taking place. For help configuring Windows, including some workarounds that I'm not sure I'd recommend, check out this KB article related to the loopback check. Next time: Why Ordering is Ignored Read More...

Copyright © 2006 Microsoft Corporation. All Rights Reserved.