How do I protect my WCF service?

  • Question

  • I've created a WCF service and I've hosted on a server. So, for example, I have my svc files here: www.mydomain.com/services/myservice.svc.

    When I navigate to this page, I am presented with the service page. What worries me is that the public may be able to access this and do bad things to my database, which is the purpose of the WCF service.

    Is this generally a problem? Is it, in fact, secure? And if not, how can I make sure that it is safe? I've got the directory permissions set to 711.

    Can someone advise me please.

    Thanks

    Marc.

    Thursday, November 18, 2010 10:19 AM

All replies

  • Hi,

    The simplest way to secure your service is by applying windows authentication to your WCF.

    Here is the link:

    http://www.codeproject.com/KB/WCF/WCFBasicHttpBinding.aspx

    If you want more on security, refer to this link:

    http://msdn.microsoft.com/en-us/library/ms734736.aspx

    Thanks,

    Prabhas


    Please mark posts as answers/helpful if it answers your question
    Thursday, November 18, 2010 11:19 AM
  • You need to decide who are your clients and how you want to identify them.

    One option is to authenticate clients using a username/password and protect the connection using SSL. This is good if the connection is over the internet. An example is here:

    http://msdn.microsoft.com/en-us/library/ff648840.aspx

    But definitely take a look at the links Prabhas sent as there are various ways to protect the connection and you need to decide which fits your scenario.

    • Marked as answer by Tomo-hawk Monday, November 29, 2010 3:19 PM
    • Edited by Yaron Naveh Wednesday, April 18, 2012 4:07 PM
    Thursday, November 18, 2010 6:22 PM
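The server side of the "username/password over SSL" option above, written out as an added example (this is not code from the thread or from the linked MSDN article). It assumes a service contract `IDataService`, a placeholder address `https://www.mydomain.com/services/`, a certificate already bound to port 443 on the host, and a constructed in-memory user table standing in for the real database; all of those names are assumptions.

```csharp
// Added example, not from the thread: basicHttpBinding with
// TransportWithMessageCredential, a custom password validator, no metadata.
// IDataService, the user table and https://www.mydomain.com are placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

[ServiceContract]
public interface IDataService
{
    [OperationContract]
    string GetRecord(int id);
}

public class DataService : IDataService
{
    public string GetRecord(int id)
    {
        // The validated user name is available for per-user authorization.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return "record " + id + " for " + caller;
    }
}

// WCF calls Validate for every request carrying a UserName token; throwing rejects it.
public class PasswordValidator : UserNamePasswordValidator
{
    const int Iterations = 100000;
    // Constructed sample table: user -> (salt, PBKDF2 hash). Real code reads the database.
    static readonly Dictionary<string, KeyValuePair<byte[], byte[]>> Users = BuildSampleUsers();

    static Dictionary<string, KeyValuePair<byte[], byte[]>> BuildSampleUsers()
    {
        var users = new Dictionary<string, KeyValuePair<byte[], byte[]>>(StringComparer.Ordinal);
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        users["alice"] = new KeyValuePair<byte[], byte[]>(salt, Derive("correct horse battery staple", salt));
        return users;
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Missing credentials");

        KeyValuePair<byte[], byte[]> entry;
        if (!Users.TryGetValue(userName, out entry))
        {
            Derive(password, new byte[16]); // same cost for unknown users: no username oracle
            throw new SecurityTokenException("Unknown user or bad password");
        }
        if (!FixedTimeEquals(Derive(password, entry.Key), entry.Value))
            throw new SecurityTokenException("Unknown user or bad password");
    }

    // Compare every byte so elapsed time does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        // SSL protects the wire; the UserName token travels inside the SOAP message.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;

        var host = new ServiceHost(typeof(DataService), new Uri("https://www.mydomain.com/services/"));
        host.AddServiceEndpoint(typeof(IDataService), binding, "myservice");

        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new PasswordValidator();

        // No WSDL/mex page at .../myservice?wsdl. Hiding the contract is not what makes
        // the service safe; the authentication above is.
        host.Description.Behaviors.Add(
            new ServiceMetadataBehavior { HttpGetEnabled = false, HttpsGetEnabled = false });

        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

For a `.svc` hosted in IIS the same settings go in web.config instead of code: `<security mode="TransportWithMessageCredential"><message clientCredentialType="UserName"/></security>` on the binding, and `<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="PasswordValidator, MyAssembly"/>` under `<serviceCredentials>` in the service behavior (assembly name is an assumption). The validator runs on every call, so a slow KDF like the one above is a deliberate cost; pick the iteration count with that in mind.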
  • Thanks for the links and the information guys. So, I spent several hours implementing SSL security on my WCF service, which is to be used in a Silverlight project. After a few headaches, I managed to get the thing working. Then I realised afterwards, I am unable to use SSL since my accessing client runs on http. And, as I understand it, you are unable to do http->https using a client access policy. I'd be grateful if someone can confirm this.

    My question now is, if I decide not to use SSL for my WCF service, is this dangerously unsafe? I've looked into other solutions - the obvious one of removing metadata, restricting access to the service to www.mydomain.com (via client access policy), and a couple of others which I've yet to look into.

    Am I really playing with fire by not using SSL?

    Saturday, November 20, 2010 2:15 PM
    Yes, not using SSL is dangerous. Assuming the service is on a public network, anyone (in theory) can see what the clients send. Restricting access to a certain IP can only prevent hackers from sending false requests, but they can still see the legitimate client requests.

    As for the http-->https upgrade you better ask in the Silverlight forums.


    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    Saturday, November 20, 2010 8:30 PM
  • Hi Marc,

    What do you mean by a "service page"? There is no such thing.

    Clients should get the metadata with the URL "www.mydomain.com/services/myservice.svc?wsdl", or you can send the metadata files to the clients by email, for example.

    You can secure the service if you don't publish the metadata endpoint (the "mex" endpoint). In this case the intruders cannot create the requests for your service.


    Leonid Ganeline [BizTalk MVP] Biztalkien blog
    Sunday, November 21, 2010 8:43 PM
  • Hi Leonid,

    What I mean by "service page" is the window contents you are presented with when opening www.mydomain/myservice.svc in a web browser. Sorry if that was an inaccurate description - I'm new to WCF :)

    And yes, I've since removed metadata from the service since going live.

    There's one more question I'd like to ask and then I should be able to wrap up this thread. Since I can't use SSL, would my service be made more secure by doing my own encryption? That is, I'd encrypt a string which is sent from the client application to the WCF service (where it would be decrypted) and vice versa when returning information.

    Wednesday, November 24, 2010 6:08 PM
  • Marc,

    You could use message-based security. The only drawback with that is it is "point-to-point" meaning that the message is only secured going from one endpoint to another. So if you have some intermediary in between your service and a client messages will only be secured for one hop. You can, of course, configure the intermediary to use message-based security as well, it's just a little more configuration work.  For more information about message-based security see the following: http://msdn.microsoft.com/en-us/library/ms733137(VS.90).aspx, http://msdn.microsoft.com/en-us/library/ms789036.aspx

    I hope this is helpful,

    Michael Green
    WCF Documentation Team

    Wednesday, November 24, 2010 8:53 PM
    Hi Michael, Thanks for the response. As I stated earlier, I'm unable to use SSL. The reason being, the WCF service is consumed by a client application, which will be presented on the web using http. And I have absolutely no control over this. Cheers.
    Thursday, November 25, 2010 10:15 AM
  • Marc,

    You can use Message-based security without SSL. Message based security secures your messages prior to sending them to the transport channel. So you can send secured messages over HTTP. Please let me know if you have any further questions.

    Thanks,

    Michael Green
    WCF Documentation Team

    • Marked as answer by Tomo-hawk Tuesday, December 7, 2010 8:16 PM
    Monday, November 29, 2010 8:25 PM
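What "message-based security without SSL" looks like in practice, as an added example that is not part of the thread: both ends of a wsHttpBinding with `SecurityMode.Message`, where the username token and SOAP body are encrypted with the service's certificate before they hit the HTTP transport, so a plain `http://` address is acceptable. The contract `IDataService`, the address `http://www.mydomain.com/services/`, the certificate subject `www.mydomain.com` in the LocalMachine\My store, and the use of Windows accounts for password checking are all assumptions.

```csharp
// Added example, not from the thread: WS-Security message security over plain HTTP.
// IDataService, the address and the certificate subject are placeholders.
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IDataService
{
    [OperationContract]
    string GetRecord(int id);
}

public class DataService : IDataService
{
    public string GetRecord(int id)
    {
        return "record " + id + " for " + ServiceSecurityContext.Current.PrimaryIdentity.Name;
    }
}

public static class MessageSecurityDemo
{
    // Server and client must agree on this binding. Security is applied to the SOAP
    // envelope, not the socket, so it survives plain HTTP (and is re-applied per hop).
    static WSHttpBinding MakeBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // The service certificate is sent to the client during the handshake, so the
        // client needs nothing out of band; it still has to validate that certificate.
        binding.Security.Message.NegotiateServiceCredential = true;
        return binding;
    }

    public static ServiceHost StartServer()
    {
        var host = new ServiceHost(typeof(DataService),
            new Uri("http://www.mydomain.com/services/"));
        host.AddServiceEndpoint(typeof(IDataService), MakeBinding(), "myservice");

        // Private key that decrypts incoming requests and signs responses.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "www.mydomain.com");

        // Windows accounts check the username/password here (assumption). For an
        // application user table use UserNamePasswordValidationMode.Custom and set
        // host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Windows;

        host.Open();
        return host;
    }

    public static string CallAsClient(string user, string password)
    {
        var factory = new ChannelFactory<IDataService>(MakeBinding(),
            new EndpointAddress("http://www.mydomain.com/services/myservice"));
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        // Weak setting copied from many samples: trust any certificate. Someone on the
        // path can then present his own key and read the password and the payload.
        //   factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
        //       X509CertificateValidationMode.None;
        // Corrected: require a chain to a trusted root and check revocation. WCF also
        // checks that the certificate name matches the endpoint's DNS identity.
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;

        IDataService proxy = factory.CreateChannel();
        try
        {
            string result = proxy.GetRecord(42);
            ((IClientChannel)proxy).Close();
            return result;
        }
        catch
        {
            ((IClientChannel)proxy).Abort();
            throw;
        }
    }
}
```

Two practical notes. Message security needs the service certificate installed with its private key on the server, which is the same administrative step SSL needs; what it removes is the requirement for an `https://` listener. And the Silverlight client stack of that era did not implement WS-Security message mode (it supported transport security and TransportWithMessageCredential over https only), so a Silverlight consumer like the one in this thread could not use this binding; the example targets a full .NET client.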