1

I'm curious whether there can be any security concern regarding storing WCF binding information in configuration file instead of configuring it from code? I'm thinking of cases when the server hosting the WCF service gets compromised, so the attacker can change the service's configuration to use a less secure binding, hence gaining access to otherwise forbidden data.

Botond Botos
  • 1,202
  • 13
  • 20
  • 1
    [Encrypting and Decrypting Configuration Sections](https://msdn.microsoft.com/en-us/library/zhhddkxy.aspx) – user5226582 Sep 07 '16 at 12:31
  • Thanks for the reference, really great resource. Is something similar available for non-IIS hosted services as well? – Botond Botos Sep 07 '16 at 12:43
  • I don't know of a standard way, but if no one else chimes in you could always do this manually ([link](https://stackoverflow.com/questions/5522879/encrypt-password-in-app-config)) – user5226582 Sep 07 '16 at 12:48
  • I understand where your question is coming from, but wonder if this is a real concern. Changing an existing binding would break the clients using the service, so it probably wouldn't take long to detect the intrusion. One could add a binding though. But what binding would this be? How would this scenario play out? – Captain Sensible Sep 07 '16 at 13:03
  • I'm thinking of a scenario, when the attacker adds an additional endpoint which doesn't use kerberos auth, so data can be retrieved by otherwise unauthorized person. If we had the binding configured from code, it would be much harder to exploit our service. – Botond Botos Sep 07 '16 at 13:21
  • How about supplementing Authentication with Authorization? Maybe you should check that the user making the request is not only authenticated but also authorized to make the call ? It would be very easy to deny an anonymous user access to the service. – Captain Sensible Sep 07 '16 at 13:29
  • Good point, adding authorization based on client identity would provide protection against anonymous access. So, can we say that if a service has client identity based authorization then having WCF service configured using configuration file isn't less secure than doing it from code? – Botond Botos Sep 07 '16 at 17:58
  • For the scenario that you describe above I'd say yes. Put all users that are authorized to use the service in the same group. Check for group membership at the beginning of every service method. Throw an exception when the current user is not in the group. – Captain Sensible Sep 07 '16 at 19:54

0 Answers0