I created a WCF Service, using http Basic Authentication and SSL. (Temporary certificate in IIS atm)
Here is the relevant configuration.
<services>
<service name="MyNamespace.MyService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttps"
name="MyEndPoint" contract="MyNamespace.IMyService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="">
<!-- These will be false when deployed -->
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<!-- This doesn't do anything in IIS -->
<behavior name="CustomUsernameValidatorBehavior">
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="MyNamespace.CustomUserNameValidator" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="basicHttps">
<security mode="Transport">
<transport clientCredentialType="Basic" />
</security>
</binding>
</basicHttpBinding>
</bindings>
Due to the fact I am hosting in IIS, I can't use my customUsernameValidator, and IIS Basic authentication tries the username and password against Windows.
I created a new user, disabled logon locally, and put it in a new group (without rights). The only purpose of the user is to ensure they are allowed to access the service, nothing else. The service will be online, not internal e.g. in an Intranet etc.
My question boils down to this, is there security risks/implications due to the fact I am using a real windows user? What can be done to secure this service/IIS if so?
Should something be done to prevent 'phishing' of information, could they for example try different usernames and passwords to find credentials?
Btw this is a working binding (minus some other endpoints etc.) for WCF using Http Basic Authentication in IIS and SSL. It requires IIS has Basic Authentication installed, as well as a Windows User to authenticate against. I would prefer not to authenticate against a Windows user.
1 WCF Basic Authentication Service The access to the resource in the service to be implemented will be secured using Basic Authentication transport security mechanisms. One of many provided by the Windows Communication Foundation. This kind of mechanism is used in conjunction with HTTPS to provide confidentiality.
The default installation of IIS 7 and later does not include the Basic authentication role service. To use Basic authentication on Internet Information Services (IIS), you must install the role service, disable Anonymous authentication for your Web site or application, and then enable Basic authentication for the site or application.
The following illustration shows a Windows Communication Foundation (WCF) service and client. The server needs a valid X.509 certificate that can be used for Secure Sockets Layer (SSL), and the clients must trust the server’s certificate. Further, the Web service already has an SSL implementation that can be used.
Windows Server 2012 or Windows Server 2012 R2 On the taskbar, click Server Manager. In Server Manager, click the Manage menu, and then click Add Roles and Features. In the Add Roles and Features wizard, click Next. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select Basic Authentication.
IIS 5.0 and below version has IP address disclosure vulnerability if Basic Authentication (with no realm defined) is used. Please have a look at this site: http://www.juniper.net/security/auto/vulnerabilities/vuln1499.html
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With