Tags: .net, windows, wcf, wcf-binding, wcf-security

How secure is WCF wsHttpBinding's Windows authentication?


I have created a WCF service and I have used wsHttpBinding and MTOM as message transport with authentication set to "Windows".

Currently my service is not SECURE; it's plain HTTP, running on a custom port.

Is Windows Authentication of WCF's wsHttpBinding secure? Can anyone see the password or guess it through a network trace?

Environment Information:

  1. Hosted on Internet
  2. No Active Directory, it's a single server
  3. Connecting from my office with the server's admin username and password
  4. On the client side, the password is not mentioned in the config file; it is entered at runtime. It works correctly, because entering wrong credentials returns some sort of security exception as well.
  5. Running .NET 4.0 on custom port 89. Currently I have set the following configuration in the app.config of my custom Windows service; I am hosting my WCF service inside a custom Windows service installed as Local Service. I have enabled impersonation on each method.

Here is the app.config

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="metaAndErrors">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
          <serviceAuthorization impersonateCallerForAllOperations="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="CustomServiceHost.CustomService"
               behaviorConfiguration="metaAndErrors">
        <endpoint address="" binding="wsHttpBinding"
                  bindingConfiguration="wsHttpLargeBinding"
                  contract="CustomServiceHost.ICustomService"/>
        <endpoint address="mex" binding="mexHttpBinding"
                  contract="IMetadataExchange" />
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost:89/CustomService" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding
          name="wsHttpLargeBinding" messageEncoding="Mtom"
          maxReceivedMessageSize="2147483647">
          <readerQuotas maxArrayLength="512000"/>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>

Following is client configuration done at runtime,

        // Message security: Windows credentials travel inside the SOAP message
        // (WS-Security), while the HTTP transport itself stays unencrypted.
        WSHttpBinding binding = new WSHttpBinding();

        binding.Security.Message.ClientCredentialType 
            = MessageCredentialType.Windows;
        binding.Security.Mode = SecurityMode.Message;

        binding.MessageEncoding = WSMessageEncoding.Mtom;

        binding.ReaderQuotas.MaxArrayLength = 512000;

        // Plain http:// endpoint on the custom port 89.
        CustomServiceClient cc = new CustomServiceClient(
            binding,
            new EndpointAddress(string.Format(
                "http://{0}:89/CustomService", 
                host.ServerHost))
            );

        // Credentials are supplied at runtime rather than stored in config.
        cc.ClientCredentials.Windows.AllowedImpersonationLevel 
            = System.Security.Principal.TokenImpersonationLevel.Impersonation; 
        cc.ClientCredentials.Windows.ClientCredential 
            = new NetworkCredential(host.Username, host.Password);

Thank you, - Akash


Solution

  • Regarding your question about the passwords: Windows Authentication either uses Kerberos or NTLM and neither protocol transfers passwords in clear text.

    This information is written here: http://msdn.microsoft.com/en-us/library/ff647076.aspx

    You should use Integrated Windows authentication instead of basic authentication because it avoids transmitting user credentials over the network.

    This means you do not need SSL to protect your passwords, but if you have other information that is sensitive (in your service calls) then you should consider using encryption (e.g. SSL). I did not try this, but it should get you started:

    http://www.codeproject.com/KB/WCF/WCFSSL.aspx

    Another option would be to encrypt the messages (message security instead of transport security). Here is another link that should get you started:

    http://msdn.microsoft.com/en-us/library/ms733137.aspx
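As an added illustration of the two options the answer mentions (this is example code written for this page, not code from the question or the answer), the following C# builds the question's message-security binding side by side with a transport-security (HTTPS) binding carrying Windows credentials, and inspects each binding's channel stack to report whether the transport is HTTPS and whether a WS-Security element is present. The contract ICustomService, the operation Ping, the host name passed to CreateFactory and the use of port 443 are assumptions made for the example.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Placeholder contract so the example compiles stand-alone (assumption: the
// question's real ICustomService is not shown on the page).
[ServiceContract]
public interface ICustomService
{
    [OperationContract]
    string Ping();
}

public static class BindingExamples
{
    // Option 1 (the question's setup): plain HTTP, Windows credentials carried
    // inside the SOAP message. Kerberos/NTLM never sends the password itself,
    // and message security signs and encrypts the SOAP body, but the HTTP
    // transport around it is unencrypted.
    public static WSHttpBinding MessageSecurityOverHttp()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.MessageEncoding = WSMessageEncoding.Mtom;
        binding.ReaderQuotas.MaxArrayLength = 512000;
        return binding;
    }

    // Option 2 (the answer's SSL suggestion): the whole exchange runs over
    // HTTPS and Windows authentication happens at the HTTP layer, so the
    // endpoint address must use https:// and the server needs a certificate.
    public static WSHttpBinding TransportSecurityOverHttps()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        binding.MessageEncoding = WSMessageEncoding.Mtom;
        binding.ReaderQuotas.MaxArrayLength = 512000;
        return binding;
    }

    // Walks the binding's channel stack: is the transport element HTTPS, and is
    // there a SecurityBindingElement (WS-Security) in front of the encoder?
    // This is the quick check to run before trusting a binding labelled "secure".
    public static string Describe(WSHttpBinding binding)
    {
        BindingElementCollection elements = binding.CreateBindingElements();
        bool https = elements.Find<HttpsTransportBindingElement>() != null;
        bool messageSecurity = elements.Find<SecurityBindingElement>() != null;
        return string.Format("transport={0}, messageSecurity={1}",
            https ? "https" : "http", messageSecurity);
    }

    // Channel factory for the HTTPS variant. Credentials are supplied at
    // runtime, as in the question, instead of being written to config.
    // serverHost is an assumed parameter; 443 is an assumed port.
    public static ChannelFactory<ICustomService> CreateFactory(
        string serverHost, NetworkCredential credential)
    {
        var factory = new ChannelFactory<ICustomService>(
            TransportSecurityOverHttps(),
            new EndpointAddress(string.Format("https://{0}:443/CustomService", serverHost)));
        factory.Credentials.Windows.ClientCredential = credential;
        factory.Credentials.Windows.AllowedImpersonationLevel =
            System.Security.Principal.TokenImpersonationLevel.Impersonation;
        return factory;
    }

    public static void Main()
    {
        Console.WriteLine("message security over http:  " + Describe(MessageSecurityOverHttp()));
        Console.WriteLine("transport security over https: " + Describe(TransportSecurityOverHttps()));
    }
}
```

Describe() distinguishes the two cases: the question's binding reports a plain HTTP transport together with a message-security element, while the HTTPS binding reports an HttpsTransportBindingElement and no message-security element, because the TLS channel is doing the encryption. Either way the Windows password is not on the wire; what differs is whether the rest of the HTTP exchange is protected.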