DOCX

Scenario_Frame_-_WCF_Security_-_v19

By Teresa Russell,2014-01-16 17:08
11 views 0
Scenario_Frame_-_WCF_Security_-_v19v,v19,frame,WCF,Frame

Categories

    ; Auditing and logging

    ; Authentication

    ; Authorization

    ; Cryptography

    ; Deployment Considerations

    ; Exception Management

    ; Impersonation and Delegation

    ; Input Validation

    ; Message Security

    ; Proxy

    ; Sensitive Data

    ; Session Management

    ; Transport Security

    Auditing and logging

    Scenario Personas Priority Configure service to enable authentication auditing Administrator

    Developer Configure service to enable authorization auditing Administrator

    Developer Configure service to enable transport level logging Administrator

    Developer Configure service to enable message level logging Administrator

    Developer Configure service to enable logging with filters Administrator

    Developer Configure service to enable tracing with different levels of Administrator information Developer Enable performance counters to monitor denial of service Administrator conditions Developer Configure service to enable WMI provider Administrator

    Developer View log and trace files for auditing purposes Administrator Authentication

    Scenario Personas Priority Configure service with NTLM authentication Administrator

    Developer Configure service with basic authentication Administrator

    Developer Configure service with digest authentication Administrator

    Developer

    Configure service with windows authentication Administrator

    Developer

    Configure service with issue token authentication Administrator

    Developer

    Configure service with username/password authentication Administrator

    Developer

    Configure service with no credentials Administrator

    Developer

    Configure service with certificate authentication Administrator

    Developer

    Pass service certificate via secure session negotiation Administrator

    Developer

    Pass NTLM credentials via secure session negotiation Administrator

    Developer

    Implement custom credential validation Developer Authorization

    Scenario Personas Priority Configure service to use a Windows provider to authorize Administrator users Developer

    Configure service to use an ASP.NET role provider Administrator

    Developer

    Configure service to use a custom authorization provider Administrator

    Developer

    Configure service to use custom security policies Administrator

    Developer

    Mark an operation contract with security demands Developer attribute

    Perform authorization based on a programmatically verified Developer claim

    Cryptography

    Scenario Personas Priority Implement custom binding with cryptographic algorithms Developer for encrypting/signing messages

    Implement custom binding to sign message without Developer encryption

    Implement custom binding to encrypt message without Developer signing

    Deployment Considerations

    Scenario Personas Priority Host service in IIS for HTTP(s) communication Administrator

    Developer

    Host service in Windows Activation server (WAS) for TCP Administrator communication Developer Host service in Windows Activation server (WAS) for Administrator HTTP(s) communication Developer Self-host service in windows service for HTTP(s) Developer communication

    Self-host service in windows service for TCP communication Developer Host service with least privilege account Administrator

    Developer Host service in medium trust Administrator

    Developer Configure certificate in IIS to enable SSL in a virtual directory Administrator hosting service Developer Configure certificate to enable SSL in a self hosted service Administrator

    Developer Configure certificate on a client local store for message Administrator encryption and authentication Developer Configure partner public key certificates in local store for Administrator authorization Developer Configure IIS for authentication Administrator Store encryption keys in a secure location Administrator

    Developer Encrypt all or part of a web configuration file Administrator

    Developer Map certificates with accounts in active directory Administrator

    Developer Configure Active Directory groups and accounts for role-Administrator based authorization checks Developer Configure Cardspace accounts Administrator

    Developer Configure Security Token Service (STS) Administrator

    Developer Configure MSMQ accounts and security Administrator

    Developer Exception Management

    Scenario Personas Priority Design fault contracts to allow services to declare known Developer faults for each operation

    Design service with exceptions handling that will not Developer divulge information to the client

    Enable debugging behavior to allow debug information to Administrator be propagated to the client Developer Clients handle exceptions in stateful services Developer Design operations to catch exceptions and communicate Developer failures to client

    Implement a global exception handler Developer Impersonation and Delegation

     Scenario Personas Priority Configure service to run under security principal name to Administrator allow client to authenticate Developer Configure service to use certificate on the local store to Administrator allow client to authenticate Developer Configure service to allow impersonation of clients with Administrator windows credentials Developer Set operation contract attribute to allow impersonation Developer when enabled via service behavior

    Flow identities in message from intermediary for Developer authentication/delegation/auditing

    Configure impersonation to retrieve identities from security Developer context

    Input Validation

    Scenario Personas Priority Validate messages with custom schema inspectors Developer Validate messages with custom message inspectors Developer Message Security

    Scenario Personas Priority Credentials are sent in message over https Administrator

    Developer Credentials are sent in message over http Administrator

    Developer Credentials are sent in message over TCP Administrator

    Developer Sensitive data is sent in message over https Administrator

    Developer Sensitive data is sent in message over http Administrator

    Developer Sensitive data is sent in message over TCP Administrator

    Developer Configure message security to support communication via Administrator intermediaries Developer Configure message security to support partial signing of a Administrator message Developer Configure message security to support partial encryption of Administrator a message Developer Proxy

    Scenario Personas Priority

    Proxy is generated from service metadata over HTTP(S) Developer Client is configured to use certificate for authentication and Developer message security.

    Proxy is generated from service metadata over TCP Developer Proxy is generated from service metadata over MSMQ Developer Service operations invocation administratively - Client Developer authenticates with service providing credentials

    Service operations invocation administratively - Client calls Developer service anonymously

    Service operations invocation programmatically - Client Developer authenticates with service providing credentials

    Service operations invocation programmatically - Client Developer calls service anonymously

    Client is invoked via client factory to improve performance Developer Sensitive Data

    Scenario Personas Priority

    Administrator Configure service for message encryption to protect

    Developer message confidentiality and integrity with certificates

    Configure service for message encryption to protect Administrator message confidentiality and integrity with Kerberos tickets Developer

    Design service to protect parts of the message with partial Developer encryption

    Configure service to secure metadata in an endpoint to be Administrator consumed by service clients Developer

    Configure service to use transport security Administrator

    Developer

    Configure service to change the default message encryption Developer algorithm

    Session Management

    Scenario Personas Priority Configure message throttling to avoid denial of service Administrator attacks Developer

    Design services per session mode Administrator

    Developer

    Configure memory limits to avoid denial of service attacks Administrator

    Developer

    Configure service for reliable messaging with reliable Administrator session and ordering of messages Developer

    Implement structured exception handling and state Developer management to avoid state corruption

Transport Security

    Scenario Personas Priority Credentials are sent in transport over https Administrator

    Developer Sensitive data is sent in transport over https Administrator

    Developer Configure transport security for end point communication Administrator with no intermediaries Developer Configure transport security for improved performance Administrator over message security Developer

Report this document

For any questions or suggestions please email
cust-service@docsford.com