6 votes

I created a WCF service using HTTP Basic Authentication and SSL (temporary certificate in IIS at the moment).

Here is the relevant configuration.

<services>
  <service name="MyNamespace.MyService">
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttps"
      name="MyEndPoint" contract="MyNamespace.IMyService" />
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="">
      <!-- These will be false when deployed -->
      <serviceMetadata httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
    <!-- This doesn't do anything in IIS -->
    <behavior name="CustomUsernameValidatorBehavior">
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom"
          customUserNamePasswordValidatorType="MyNamespace.CustomUserNameValidator" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<bindings>
  <basicHttpBinding>
    <binding name="basicHttps">
      <security mode="Transport">
        <transport clientCredentialType="Basic" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

Due to the fact I am hosting in IIS, I can't use my customUsernameValidator, and IIS Basic authentication tries the username and password against Windows.

I created a new user, disabled local logon, and put it in a new group (without rights). The only purpose of the user is to ensure they are allowed to access the service, nothing else. The service will be online, not internal (e.g. on an intranet).

My question boils down to this: are there security risks/implications due to the fact I am using a real Windows user? What can be done to secure this service/IIS if so?

Should something be done to prevent 'phishing' of information? Could they, for example, try different usernames and passwords to find credentials?

Btw, this is a working binding (minus some other endpoints etc.) for WCF using HTTP Basic Authentication in IIS and SSL. It requires that IIS has Basic Authentication installed, as well as a Windows user to authenticate against. I would prefer not to authenticate against a Windows user.

1
vikingben: I have hosted two WCF web services, one on IIS6 and one on IIS7, and was able to use the custom name validator, but I was using wshttps binding instead, I believe. I have this link bookmarked from when I set it up; hopefully it helps. codeproject.com/Articles/96028/…
lko: Thanks for the link. Now that I think about it, there will be non-WCF clients connecting. I have to check if wsHTTPBinding is appropriate, but the link looks interesting.
vikingben: I've used clients ranging from AJAX calls in web applications to straight-up Java clients and had no issues. Good luck, and if you need more info on configurations let me know. What I've found is that the configuration is the hardest part. I have one setup I use to validate incoming requests, as well as an inspector class to log all SOAP requests to the service.
Dennis: Here is another link that may be useful: Link. It's an HTTP module that lets you perform custom authentication for Basic authentication. I used it a while back and it worked great.
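The following is an added example of the HTTP-module approach that the last comment refers to; it is not the question's code, not the linked article's code, and not from any answer on this page. It is an ASP.NET IHttpModule that performs HTTP Basic authentication itself, so the site can run with IIS Anonymous authentication only (IIS Basic Authentication disabled, hence no Windows account) while still using security mode="Transport". Assumptions, none of which come from the original post: the binding is changed to <transport clientCredentialType="None" /> (with "Basic" an IIS-hosted service requires IIS itself to do Basic authentication), the module is registered under <system.webServer><modules>, and MyNamespace, CustomBasicAuthModule, the user "svc-client", its password and the salt are placeholders. The credential store is constructed inline for the example. The module also answers the credential-guessing worry in the question with a per-source-IP failure lock-out, and always sends a realm with the 401 challenge.

```csharp
// Added example (not the question's or the linked article's code): an IHttpModule that does
// HTTP Basic auth itself. Assumes IIS Anonymous auth only and clientCredentialType="None".
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;

namespace MyNamespace
{
    public class CustomBasicAuthModule : IHttpModule
    {
        const string Realm = "MyService";   // always send a realm with the challenge
        const int MaxFailures = 5;          // failed attempts per client IP before lock-out
        static readonly TimeSpan LockoutWindow = TimeSpan.FromMinutes(15);
        // Constructed credential store: user -> PBKDF2 hash. A real deployment loads
        // per-user salted hashes from a database or secrets store, never from web.config.
        static readonly byte[] DemoSalt = Encoding.UTF8.GetBytes("constructed-demo-salt");
        static readonly byte[] DummyHash = Pbkdf2("not-a-real-password", DemoSalt);
        static readonly ConcurrentDictionary<string, byte[]> Users = new ConcurrentDictionary<string, byte[]>(
            new[] { new KeyValuePair<string, byte[]>("svc-client", Pbkdf2("correct horse battery staple", DemoSalt)) });
        class FailureRecord { public int Count; public DateTime FirstFailureUtc; }
        static readonly ConcurrentDictionary<string, FailureRecord> Failures = new ConcurrentDictionary<string, FailureRecord>();

        public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticateRequest; }
        public void Dispose() { }

        static void OnAuthenticateRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            string clientIp = ctx.Request.UserHostAddress;
            if (IsLockedOut(clientIp)) { End(ctx, 429, false); return; }
            string header = ctx.Request.Headers["Authorization"];
            if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) { End(ctx, 401, true); return; }
            string user, password;
            if (!TryDecode(header.Substring(6).Trim(), out user, out password) || !CheckPassword(user, password))
            {
                RecordFailure(clientIp);
                End(ctx, 401, true);    // identical reply for a bad password and an unknown user
                return;
            }
            FailureRecord cleared;
            Failures.TryRemove(clientIp, out cleared);
            ctx.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
        }

        // Credentials arrive as "Basic " + base64("user:password") (RFC 7617).
        static bool TryDecode(string b64, out string user, out string password)
        {
            user = password = null;
            string pair;
            try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(b64)); } catch (FormatException) { return false; }
            int colon = pair.IndexOf(':');
            if (colon <= 0) return false;
            user = pair.Substring(0, colon); password = pair.Substring(colon + 1);
            return true;
        }

        // Run the KDF and the comparison even for unknown users, so response time
        // does not tell a guesser which usernames exist.
        static bool CheckPassword(string user, string password)
        {
            byte[] expected;
            bool known = Users.TryGetValue(user, out expected);
            if (!known) expected = DummyHash;
            bool match = FixedTimeEquals(Pbkdf2(password, DemoSalt), expected);
            return known && match;
        }
        static byte[] Pbkdf2(string password, byte[] salt) { using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32); }
        static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }

        static bool IsLockedOut(string ip)
        {
            FailureRecord rec;
            if (!Failures.TryGetValue(ip, out rec)) return false;
            if (DateTime.UtcNow - rec.FirstFailureUtc > LockoutWindow) { Failures.TryRemove(ip, out rec); return false; }
            return rec.Count >= MaxFailures;
        }
        static void RecordFailure(string ip)
        {
            Failures.AddOrUpdate(ip, key => new FailureRecord { Count = 1, FirstFailureUtc = DateTime.UtcNow },
                (key, rec) => { Interlocked.Increment(ref rec.Count); return rec; });
        }

        // Set the status, add the challenge if wanted, and stop the pipeline before the .svc handler runs.
        static void End(HttpContext ctx, int status, bool challenge)
        {
            ctx.Response.StatusCode = status;
            if (challenge) ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Register it in web.config as <add name="CustomBasicAuth" type="MyNamespace.CustomBasicAuthModule" /> inside <system.webServer><modules>, disable IIS Basic Authentication and enable Anonymous for the site, and keep security mode="Transport": Basic credentials are only base64-encoded, so HTTPS is the only thing protecting them on the wire. The GenericPrincipal the module sets is visible to the service through HttpContext.Current.User only when ASP.NET compatibility mode is enabled; otherwise the module acts purely as a gate in front of the .svc handler. The lock-out is keyed on source IP, which is cheap but blunt (shared NATs, attackers rotating addresses); a per-username counter with the same window is the usual complement.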

1 Answer

1 vote

IIS 5.0 and earlier versions have an IP address disclosure vulnerability if Basic Authentication (with no realm defined) is used. Please have a look at this site: http://www.juniper.net/security/auto/vulnerabilities/vuln1499.html