Monday, November 24, 2008

Impersonation without Windows Authentication

How to Impersonate the Original Caller without Windows Authentication

When using non-windows authentication like Certificate Authentication or username authentication, if you need to impersonate the original caller (if it has windows account) or a service account you have following 2 options

1. Using the S4U Kerberos extensions - For this you must grant your process account the "Act as part of the operating system" user right.
2. Using the LogonUser windows API - this needs to have access to the user credentials (username and password) - which increases the security risk of maintaining the user credentials in WCF Service.

Note: S4U Kerberos extensions places your process within the trusted computing base (TCB) of the Web server, which makes your Web server process very highly privileged. Where possible, you should avoid this approach because an attacker who manages to inject code and compromise your Web application will have unrestricted capabilities on the local computer.

Tuesday, November 18, 2008

Disabling Discovery

Microsoft WCF 3.5: How to Stop Clients from Referencing Your Service

If you want block clients from accessing the WSDL of your service you should remove all metadata exchange endpoints and set the httpGetEnabled and httpsGetEnabled attributes to false.

If the metadata is exposed, unwanted clients will be able to generate proxy files (e.g. using SvcUtil.exe) and inspect potentially sensitive methods and parameters offered by the service.

To stop your clients from referencing your service, stop your service from publishing its metadata. To do this, remove all the Mex endpoints from your service configuration and configure HttpGetEnabled and HttpsGetEnabled to false in the ServiceBehavior section as shown below:

serviceMetadata httpGetEnabled="False" httpsGetEnabled="False"