Security http://rickgaribay.net/category/5.aspx Rick G. Garibay

New Book on WIF by Sandeep Chanda http://rickgaribay.net/archive/2012/04/27/new-book-on-wif-by-sandeep-chanda.aspx <p><a href="http://www.packtpub.com/microsoft-windows-identity-foundation-cookbook/book"><img style="display: inline; float: right" alt="Microsoft Windows Identity Foundation Cookbook" align="right" src="http://www.packtpub.com/sites/default/files/6204EN%20Microsoft%20Windows%20Identity.jpg" width="194" height="240" /></a>I am very proud to share the release of a brand new book on Windows Identity Foundation by my friend and Neudesic colleague <a href="mailto:sandeep.chanda@neudesic.com">Sandeep Chanda</a>, <a href="http://www.packtpub.com/microsoft-windows-identity-foundation-cookbook/book">“Microsoft Windows Identity Foundation Cookbook”</a>.</p>
<p>I had the privilege of being invited by Sandeep to write the foreword for the book and am honored at the opportunity to be associated with such a tremendous body of work.</p>
<p>At Neudesic, we strive to lead our teams and the customers we serve through a continuous feedback loop of best practices and guidance drawn from the collective experience of our consultants in the field over the last decade, not only solving difficult software engineering problems through the application of technology, but bending the technology to deliver the business outcomes our clients have partnered with us for.</p>
<p>Security is one of those topics that is bigger than any technology set or practice area. As such, the hard-hitting, no-nonsense recipes in this book serve as pragmatic guidance for anyone contending with the myriad forces at play in any modern software solution for which claims-based security is particularly well suited.</p>
<p>As I share in the foreword…</p>
<blockquote>
<p><em>Careful to begin with easy-to-grasp fundamentals of claims-based security, Sandeep progresses through common WIF programming tasks using examples in ASP.NET and WCF familiar to most .NET developers, while covering bleeding-edge scenarios including new features exposed in Windows 8 and securing Windows Metro applications.</em></p>
<p><em>This book offers a combination of simple, intermediate and advanced scenarios, covering ADFS 2.0 and incorporating web identity providers such as Windows Live ID, Google, Yahoo!, and Facebook with the Azure Service Bus Access Control Service. Also covered are real-world scenarios you are likely to encounter for securing Microsoft SharePoint, SalesForce.com and Microsoft Dynamics CRM.</em></p>
<p><em>In addition to providing a hands-on, pragmatic reference that will be immediately valuable to your next project, this book is a reflection of Sandeep’s real-world experience successfully applying these concepts and techniques in the field, the value of which is worth the price of this book alone.</em></p>
</blockquote>
<p>If you are serious about building claims/identity-aware services and applications on the .NET Framework and want to get started today, this book belongs in your library.</p>
<p>More info from Packt Pub: <a title="http://www.packtpub.com/microsoft-windows-identity-foundation-cookbook/book" href="http://www.packtpub.com/microsoft-windows-identity-foundation-cookbook/book">http://www.packtpub.com/microsoft-windows-identity-foundation-cookbook/book</a></p>
<p>Purchase on Amazon.com: <a title="http://www.amazon.com/dp/1849686203/?tag=packtpubli-20" href="http://www.amazon.com/dp/1849686203/?tag=packtpubli-20">http://www.amazon.com/dp/1849686203/?tag=packtpubli-20</a></p>
Rick G. Garibay, Fri, 27 Apr 2012 23:14:39 GMT

SOA Security in 244 Slides http://rickgaribay.net/archive/2010/01/21/soa-security-in-244-slides.aspx <p>This is a really good, comprehensive review of SOA security.</p>
<p><a title="Summer School - Security in SOA" href="http://www.slideshare.net/wso2.org/summer-school-security-in-soa">Summer School - Security in SOA</a> (slides from <a href="http://www.slideshare.net/wso2.org">WSO2</a> on SlideShare)</p>
<p>Thanks to <a href="http://larswilhelmsen.com/" target="_blank">Lars Wilhelmsen</a> for sharing, and credit goes to <a href="http://blog.facilelogin.com/2009/07/security-in-soa.html" target="_blank">Prabath Siriwardena</a> for putting this great tutorial together.
</p>
Rick G. Garibay, Fri, 22 Jan 2010 01:04:02 GMT

Managed Windows NT Services, Application Domains & Principal Policy http://rickgaribay.net/archive/2007/05/10/managed-windows-nt-services-application-domains--principal-policy.aspx <p><font color="#ff0000">Update to original post:</font> After doing some more research, the actual problem turned out to be that the legacy Windows NT service never set its principal policy to WindowsPrincipal, and had nothing to do with the Gateway assembly. In fact, it turns out that when you load a class using Activator.CreateInstanceFrom(), the class loads into the same parent application domain. I've updated the solution below appropriately.</p>
<p>Thanks to <a href="http://www.west-wind.com/weblog/">Rick Strahl</a> for clarifying the Activator.CreateInstanceFrom() app domain behavior. You can also find an <a href="http://www.code-magazine.com/article.aspx?quickid=0211081&amp;page=1">excellent article</a> by Rick in CoDe magazine that covers this extensively: <a href="http://www.code-magazine.com/article.aspx?quickid=0211081&amp;page=1">http://www.code-magazine.com/article.aspx?quickid=0211081&amp;page=1</a></p>
<p>- - -</p>
<p>I recently ran into a security problem in a fairly typical scenario whose specific details I imagine are rather esoteric, because I was unable to find anything relevant on the web or on the <a href="http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1556266&amp;SiteID=1">MSDN forums</a>. It is amazing how easy it is to forget (or at least suffer from delayed recall of) fundamental aspects of the framework when you are in the thick of it and trying to ship a product!</p>
<p>So, I figured I’d post an overview of the scenario and the solution to the problem in hopes of helping anyone else who runs into this.</p>
<p><strong>Scenario</strong></p>
<p>A common approach for setting up any kind of automated process is to use a Windows NT service which is continually running, monitoring a queue or database for records/messages that represent events for which some work should be performed. For example, I can have a Windows NT Service monitor a private queue every 5 seconds and, when a message is available, process it (whatever "process" means for the given service).</p>
<p>One option for the processing bit would be to raise an event and delegate the work out to a method that would maintain all of the event handling logic. This handler could reside in a single class within the same assembly as the service, but for obvious reasons this could quickly get unruly and introduce a maintenance nightmare. If every time you needed to change the event handling business logic you had to recompile and redeploy the service executable, although you might be building job security, you'd find yourself frustrated at best and, at worst, tightly coupled to a single assembly, making it difficult to leverage this pattern in a more abstract, loosely coupled manner.</p>
<p>One possible solution might be to apply a typical publish and subscribe pattern where the Windows NT service polls a backing store (or ideally is notified automagically) and, when a record (or message) meets specific criteria, fires an event. The event would then be mapped to a delegate which implements the handling of the event. However, to keep the implementation of the handler from being static and hard coded, we could further delegate the implementation of the work to an external component, making the original event handling delegate worry only about the plumbing for dispatching the work to another component. Ideally, this would allow a plug-and-play approach where assemblies could be "dropped" in and just work. Of course, this would require that the message in the queue carry some kind of metadata about the component to execute (such as assembly name, type and URI) so that when the event is fired, the handler gets access to this URI and dispatches the call to it.</p>
<p>This is precisely what the System.Activator class allows you to do. If you know the name of the assembly that contains the component you want to call, simply call the CreateInstanceFrom method on the Activator class. The CLR will then probe the local private directory for the assembly name, load it and instantiate an instance of the type. <strong>Figure 1</strong> below summarizes what this might look like.</p>
<p align="center"><img alt="Figure 1" align="absMiddle" src="http://farm1.static.flickr.com/222/492763344_94ccf58a1d.jpg" /></p>
<p align="center"><strong><font size="1">Figure 1: Mock Sequence Diagram</font></strong></p>
<p>When the IGateway object is “unwrapped” and made available to the MyNTService Windows NT Service, the service can call a method (or methods) on the instance to do some work. To achieve polymorphism, since the Gateway component that is unwrapped implements the IGateway interface, the service is guaranteed to be able to call a particular method (Execute, in this case).</p>
<p>Figure 2 (below, right) provides a possible object model that supports this design.</p>
<p>The purpose of the Gateway class is to serve as a wrapper around a component/service call while maintaining location transparency. This can be thought of as a "super proxy" and is really just the classic Service Gateway/Service Agent pattern. The MyNTService Windows NT Service has no idea whether the component is local to the machine or process or somewhere out in the cloud. <img alt="Figure 2" hspace="8" align="right" vspace="8" src="http://farm1.static.flickr.com/202/492763346_41226f5269.jpg" />With this flexibility comes significant power in being able to make decisions on distribution in a post-deployment manner.</p>
<p>As the saying goes, “<em>with great power comes great responsibility</em>”. Looking again at the sequence diagram in <strong>Figure 1</strong>, two important things need to be considered.</p>
<p>First, this scenario demonstrates WS-I Profile interop between a WCF service and a managed Windows NT Service running on the .NET 1.1 CLR (pretty cool, huh?).</p>
<p>Second, between every call in the sequence is an authentication and authorization boundary. Though impractical, the Gateway component could ensure that only the identity of the Windows account running the MyNTService Windows NT Service can call its Execute method. More importantly, however, the Gateway should flow the identity of the Windows account running the MyNTService Windows NT Service process to the WCF service that is out in the cloud so that the WCF service can authenticate and authorize the call. Pretty simple, right?</p>
<p><strong>Problem</strong></p>
<p>Well, one of the things that may not be overly apparent is that the assembly in which the Gateway type that implements the IGateway interface resides will actually load in the same application domain that exists within the host NT service process. The MyNTService Windows NT Service knows NOTHING about the Gateway component (other than that it implements a standard interface). When an instance of the Gateway component is activated, we want it to run in the security context of the parent process (that of the MyNTService Windows NT Service); however, if the host application domain has not specifically set the principal policy, the component will execute with no security context, or, to be a bit more technical, will load using the default UnauthenticatedPrincipal enumeration flag. This basically means that the principal under which the MyNTService Windows NT Service is running will not be attached to the thread on which the Gateway component runs. In fact, as the MSDN documentation for the System.Security.Principal.PrincipalPolicy enumeration states, “Specifies how principal and identity objects should be created for an application domain. The default is <strong>UnauthenticatedPrincipal</strong>.”</p>
<p><strong>Solution</strong></p>
<p>Those familiar with the default behavior regarding application domains and Windows principals already know where this is going, but for those who aren’t sure, stay with me.</p>
<p>The MyNTService Windows NT Service was running as a fixed domain account, and the WCF service requires transport-level authentication and uses role-based authorization to ensure the caller (MyNTService) is authorized. However, calls from the MyNTService Windows NT Service via the Gateway were failing with <strong>"The request failed with HTTP status 401: Authorization Required."</strong></p>
<p>I triple checked the IIS security settings. My unit tests worked just fine. My test harness also worked, and even browsing to the service’s metadata page was working. For some reason, the Gateway was calling the WCF service in a seemingly anonymous manner. This threw me for a loop for a couple of days.</p>
<p>Then, a few days ago, while in the shower (I get many of my “light-bulb on” moments in the shower or in my dreams for some odd reason) the solution hit me like a thunderbolt! The Gateway assembly was being loaded without an authenticated principal, and hence the solution was simple, sweet and elegant:</p>
<p><code>AppDomain.CurrentDomain.SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal);</code></p>
<p>Now the Gateway took on the identity of the Windows AD account that was running the Windows NT Service process and was able to authenticate to and be authorized by the WCF service.</p>
<p>You can find more info on principal policy and application domain behavior here: <a href="http://msdn2.microsoft.com/en-us/library/90395801.aspx">http://msdn2.microsoft.com/en-us/library/90395801.aspx</a></p>
Rick G. Garibay - The more I learn, the less I know. Thu, 10 May 2007 17:34:58 GMT
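<p>The principal-policy behavior described in the post above, as an added example that is not the post's own code, written for .NET Framework on Windows: a host loads a plug-in through Activator.CreateInstanceFrom and the plug-in reports which principal it finds on its thread, with and without the SetPrincipalPolicy fix. The IGateway interface and Gateway class are assumed stand-ins for the post's components, and loading the program's own assembly by path is only a device to keep the sample in one file.</p>

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Assumed stand-in for the post's IGateway contract.
public interface IGateway
{
    string Execute();
}

// Assumed stand-in for the post's Gateway plug-in. In the post it ships in its
// own assembly and is located by metadata in the queued message; it is defined
// here so the sample is a single compilable file.
public class Gateway : IGateway
{
    public string Execute()
    {
        // Activator.CreateInstanceFrom loaded this type into the host's own
        // AppDomain, so the host's PrincipalPolicy decides what this thread
        // carries. An outbound WCF/HTTP call issued here would present this
        // identity (or none at all) to the remote service.
        IPrincipal principal = Thread.CurrentPrincipal;
        return principal.Identity.IsAuthenticated
            ? "authenticated as " + principal.Identity.Name
            : "unauthenticated (" + principal.GetType().Name + ")";
    }
}

public static class Host
{
    // Mirrors the service's dispatch: the host knows only an assembly path and
    // a type name, and can rely only on the IGateway contract.
    public static IGateway LoadGateway(string assemblyFile, string typeName)
    {
        object instance = Activator.CreateInstanceFrom(assemblyFile, typeName).Unwrap();
        return (IGateway)instance;
    }

    public static void Main(string[] args)
    {
        bool applyFix = args.Length > 0 && args[0] == "fix";
        if (applyFix)
        {
            // The post's one-line fix. In an NT service it belongs in Main or
            // OnStart, before anything reads Thread.CurrentPrincipal: the
            // principal is created lazily on first access from the policy in
            // force at that moment, so changing the policy afterwards does not
            // repair threads that already hold an unauthenticated principal.
            AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        }

        // Loading this program's own assembly by path keeps the sample in one
        // file; a real host would be handed the path of a dropped-in plug-in.
        IGateway gateway = LoadGateway(typeof(Host).Assembly.Location, "Gateway");

        Console.WriteLine("PrincipalPolicy fix " + (applyFix ? "applied" : "not applied"));
        Console.WriteLine("Gateway.Execute ran " + gateway.Execute());
    }
}
```

<p>Run it once with no arguments and once with <code>fix</code>: the first run reports an unauthenticated GenericPrincipal, the second the Windows account the process runs as.</p>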
Recipe: WCF basicHttpBinding with Windows Authentication http://rickgaribay.net/archive/2007/04/04/recipe-wcf-basichttpbinding-with-windows-authentication.aspx <p>With ASMX web services, a popular way to secure a service in an intranet scenario, such that it authenticates and authorizes callers, is to configure the client with a fixed identity. The fixed identity then flows to the service, and the service authenticates it using Windows authentication. Within the service, you can then authorize the caller in the web.config and/or using PrincipalPermission and Principal.IsInRole checks.</p>
<p>This is an elegantly simple approach for doing the right thing from a security perspective, so how is this accomplished in WCF?</p>
<p>In Juval Lowy's excellent book "Programming WCF Services", he asserts, and I agree, that security is one of the most granular and complex aspects of WCF. There are several reasons for this, but primarily I believe it is because WCF addresses aspects and scenarios that fell beyond the reach of traditional ASMX services (WSE notwithstanding), and because there really isn't a least common denominator when it comes to transport. This means that a service can be deployed to an IIS environment for invocation strictly over HTTP/HTTPS, or as a WAS-hosted or self-hosted application using TCP/IP or MSMQ.</p>
<p>Although your searches on Google and the MSDN groups may not prove fruitful, it turns out it is quite simple to implement the basicHttpBinding with Windows Authentication, or, as it is more academically known, the trusted subsystem model. Be warned that MSDN and other resources regard the basicHttpBinding as a red-headed step-child, and this is obvious from the sheer lack of attention this still very relevant configuration gets in the literature. How soon we forget that just a year or so ago, unless you rolled WSE, you were doing the equivalent of basicHttpBinding!</p>
<p>Don't get me wrong: if your deployment scenario allows for it, I strongly encourage you to explore the more robust bindings, but if you are supporting non-WCF clients in an intranet IIS scenario, then this recipe is for you.</p>
<p>In the web.config for the service:</p>
<p>1. Set the SecurityMode to TransportCredentialOnly:</p>
<pre>&lt;security mode="TransportCredentialOnly"&gt;</pre>
<p>2. In the Transport element, set the ClientCredentialType to Windows:</p>
<pre>&lt;transport clientCredentialType="Windows" /&gt;</pre>
<p>3. The Bindings element should resemble the following:</p>
<pre>
&lt;bindings&gt;
  &lt;basicHttpBinding&gt;
    &lt;binding name="MyBinding"&gt;
      &lt;security mode="TransportCredentialOnly"&gt;
        &lt;transport clientCredentialType="Windows" /&gt;
      &lt;/security&gt;
    &lt;/binding&gt;
  &lt;/basicHttpBinding&gt;
&lt;/bindings&gt;
</pre>
<p>4. Be sure to set the BindingConfiguration for each Endpoint in the Service element to the name of the binding configuration (MyBinding above).</p>
<p>5. I'm getting lazy, so I won't go into PrincipalPermission code in this initial version. I'll instead demonstrate the brute force approach which, if nothing else, will ensure that not just any client can call your service.</p>
Add the allow/deny elements to the Authorization element in the system.web element section:</font></font></p> <font color="#0000ff" size="2"><font color="#0000ff" size="2"> <p>   </p> <p class="MsoNormal" style="mso-layout-grid-align: none"><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><span style="mso-tab-count: 1">      </span>&lt;</span><span style="FONT-SIZE: 10pt; COLOR: #a31515; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">system.web</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">&gt;<o:p></o:p></span></p> <p class="MsoNormal" style="mso-layout-grid-align: none"><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><span style="mso-tab-count: 2">            </span><font style="BACKGROUND-COLOR: #c0c0c0">&lt;</font></span><font style="BACKGROUND-COLOR: #c0c0c0"><span style="FONT-SIZE: 10pt; COLOR: #a31515; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">authentication</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"> </span><span style="FONT-SIZE: 10pt; COLOR: red; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">mode</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">=</span><span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">"<span style="COLOR: blue">Windows</span>"<span style="COLOR: blue">/&gt;<o:p></o:p></span></span></font></p> <p class="MsoNormal" style="mso-layout-grid-align: none"><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><span style="mso-tab-count: 2">            </span>&lt;</span><span style="FONT-SIZE: 10pt; COLOR: #a31515; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">authorization</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">&gt;<o:p></o:p></span></p> <p class="MsoNormal" style="mso-layout-grid-align: 
none"><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><span style="mso-tab-count: 3">                 <font style="BACKGROUND-COLOR: #c0c0c0"> </font></span><font style="BACKGROUND-COLOR: #c0c0c0">&lt;</font></span><font style="BACKGROUND-COLOR: #c0c0c0"><span style="FONT-SIZE: 10pt; COLOR: #a31515; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">allow</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"> </span><span style="FONT-SIZE: 10pt; COLOR: red; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">roles</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">=</span><span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">"<span style="COLOR: blue">.\Developers</span>"<span style="COLOR: blue">/&gt;<o:p></o:p></span></span></font></p> <p class="MsoNormal" style="mso-layout-grid-align: none"><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><span style="mso-tab-count: 3">                 <font style="BACKGROUND-COLOR: #c0c0c0"> </font></span><font style="BACKGROUND-COLOR: #c0c0c0">&lt;</font></span><font style="BACKGROUND-COLOR: #c0c0c0"><span style="FONT-SIZE: 10pt; COLOR: #a31515; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">allow</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"> </span><span style="FONT-SIZE: 10pt; COLOR: red; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">users</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">=</span><span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">"<span style="COLOR: blue">DOMAIN\ServiceAccount</span>"<span style="COLOR: blue">/&gt;<o:p></o:p></span></span></font></p> <p class="MsoNormal" style="mso-layout-grid-align: none"><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><span 
style="mso-tab-count: 3">                 <font style="BACKGROUND-COLOR: #c0c0c0"> </font></span><font style="BACKGROUND-COLOR: #c0c0c0">&lt;</font></span><font style="BACKGROUND-COLOR: #c0c0c0"><span style="FONT-SIZE: 10pt; COLOR: #a31515; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">deny</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"> </span><span style="FONT-SIZE: 10pt; COLOR: red; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">users</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">=</span><span style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">"<span style="COLOR: blue">*</span>"<span style="COLOR: blue">/&gt;<o:p></o:p></span></span></font></p> <p class="MsoNormal" style="mso-layout-grid-align: none"><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><span style="mso-tab-count: 2">            </span>&lt;/</span><span style="FONT-SIZE: 10pt; COLOR: #a31515; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">authorization</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">&gt;<o:p></o:p></span></p> <p class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><span style="mso-tab-count: 1">      </span>&lt;/</span><span style="FONT-SIZE: 10pt; COLOR: #a31515; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">system.web</span><span style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">&gt;</span></p> <p><font color="#0000ff" size="2"><font color="#000000">6. Naturally, these bidnings need to jive with IIS. What this essentially means is that the virtual application hosting your WCF service will need to be configured to use Windows Integrated authentication. 
Be sure to remove Anonymous Access.</font></font></p> <p><font color="#0000ff" size="2"><font color="#000000">On the client side, svcutil will generate the corresponding client elements to match that of the service. The assumption here, of course is that if the client is an ASP.NET application, it must be configured to run as a fixed identity. This is accomplished by changing the processModel element in the machine.config (IIS 5) or creating an application pool and assigning a fixed identity (not NETWORK SERVICE). If using a Windows client, the credentials of the actual user will be passed downstream.</font></font></p> </font></font> <p><font color="#0000ff" size="2"><font color="#000000">As I get more time, I'll update this recipe with more detail, including the role-based Principal code so that the operations/methods themselves can be secured at a more granular level. For now, this should get most of you on the right track and hopefully save you some time.</font></font></p> <p><font color="#0000ff" size="2"></font></p> <p> </p><img src="http://rickgaribay.net/aggbug/102.aspx" width="1" height="1" /> Rick G. 
Garibay - The more I learn, the less I kno http://rickgaribay.net/archive/2007/04/04/recipe-wcf-basichttpbinding-with-windows-authentication.aspx Wed, 04 Apr 2007 23:20:51 GMT http://rickgaribay.net/archive/2007/04/04/recipe-wcf-basichttpbinding-with-windows-authentication.aspx#feedback 23 http://rickgaribay.net/comments/commentRss/102.aspx http://rickgaribay.net/services/trackbacks/102.aspx Chronicles of a Least Privilege Developer - Day 14 http://rickgaribay.net/archive/2007/01/18/Chronicles-of-a-Least-Privilege-Developer--Day-1-4.aspx <div><font face="Tahoma" size="2"><span class="521262918-18012007">Well, it's been two weeks since I started working under a least privileged account and I thought I'd report in.</span></font></div> <div><font face="Tahoma" size="2"><span class="521262918-18012007">It would be dishonest not to fess up that sometime last week, Tuesday I think, I added my account to the Administrator group because I was seeing some really strange insert and update behavior in SQL Server. Having exhausted all rationale, I thought that it might have something to do with my account. Not the case (and it is still a mystery), but the truth is that I kind of left it alone until this morning, when I removed myself once again.</span></font></div> <div><font face="Tahoma" size="2"><span class="521262918-18012007">I did do my homework though and am providing the latest list of issues and resolutions (along with some unresolved) from the last couple of weeks. 
I will continue off of the previous list, highlighting new items in <font color="#339966">green</font> and unresolved problems in <font color="#ff0000">red</font>.</span></font></div> <div><font face="Tahoma" size="2"><span class="521262918-18012007"> <table style="WIDTH: 663px; HEIGHT: 223px" cellspacing="1" cellpadding="1" width="663" summary="" border="1"> <tbody> <tr> <th>#</th> <th>Issue</th> <th>Solution</th> </tr> <tr> <td><font color="#ff0000">1</font></td> <td><font color="#ff0000">Access denied to date/time on taskbar. Although I use Outlook, and carry an analog planner (you know, the paper kind), I like using the calendar on the task bar to find dates.</font></td> <td><font color="#ff0000">No solution found.</font></td> </tr> <tr> <td>2</td> <td>Could not run Virtual PC because it was "Ready Only" or "In Use". Well, not exactly. Apparently, you must be an admin to run VPC.</td> <td>Right click Start &gt; Programs &gt; Microsoft Virtual PC, select Run As and enter highly privileged credentials.</td> </tr> <tr> <td>3</td> <td>Access denied when starting/stopping SQL Server on SQL Server Service Manager from the taskbar.</td> <td>Right click Start &gt; Administrative Tools &gt; Computer Management, select Run As and enter highly privileged credentials. Expand Services, stop/start the MSSQLSERVER service.</td> </tr> <tr> <td><font color="#339966">4</font></td> <td><font color="#339966">Cannot add System Variables to My Computer.</font></td> <td><font color="#339966">No solution found. 
Had to log off, log on as admin, make the change and log back on as standard user.</font></td> </tr> </tbody> </table> <p><font face="Tahoma" size="2"><span class="521262918-18012007">As you can see, what I find myself having to do (which is annoying) is logging out of my session, logging in as admin, making a change, logging out, and logging back in as a standard user. Yes, it sucks, but hey, it costs to live, right?</span></font></p> <p><font face="Tahoma" size="2"><span class="521262918-18012007">P.S. It would be nice for Microsoft to provide a UAC update for Windows XP that would allow you to switch/impersonate in a more seamless manner. Fast User Switching would be even better, but it is not available on domain PCs.</span></font></p> </span></font></div> Rick G. Garibay http://rickgaribay.net/archive/2007/01/18/Chronicles-of-a-Least-Privilege-Developer--Day-1-4.aspx Thu, 18 Jan 2007 14:34:52 GMT http://rickgaribay.net/archive/2007/01/18/Chronicles-of-a-Least-Privilege-Developer--Day-1-4.aspx#feedback http://rickgaribay.net/comments/commentRss/73.aspx http://rickgaribay.net/services/trackbacks/73.aspx Chronicles of a Least Privilege Developer - Day 1 http://rickgaribay.net/archive/2007/01/04/Least-Privilege--Day-1.aspx <p>Well, my work day is winding down and I must say that so far, I haven't had any significant issues that I couldn't work around.</p> <p>Below are the issues and solutions I encountered today.</p> <table style="WIDTH: 663px; HEIGHT: 223px" cellspacing="1" cellpadding="1" width="663" summary="" border="1"> <tbody> <tr> <th>#</th> <th>Issue</th> <th>Solution</th> </tr> <tr> <td>1</td> <td>Access denied to date/time on taskbar. 
Although I use Outlook, and carry an analog planner (you know, the paper kind), I like using the calendar on the task bar to find dates.</td> <td>No solution found.</td> </tr> <tr> <td>2</td> <td>Could not run Virtual PC because it was "Ready Only" or "In Use". Well, not exactly. Apparently, you must be an admin to run VPC.</td> <td>Right click Start &gt; Programs &gt; Microsoft Virtual PC, select Run As and enter highly privileged credentials.</td> </tr> <tr> <td>3</td> <td>Access denied when starting/stopping SQL Server on SQL Server Service Manager from the taskbar.</td> <td>Right click Start &gt; Administrative Tools &gt; Computer Management, select Run As and enter highly privileged credentials. Expand Services, stop/start the MSSQLSERVER service.</td> </tr> </tbody> </table> <p>All in all, not a bad day. Productivity was only minimally hampered.</p> Rick G. Garibay http://rickgaribay.net/archive/2007/01/04/Least-Privilege--Day-1.aspx Thu, 04 Jan 2007 21:13:03 GMT http://rickgaribay.net/archive/2007/01/04/Least-Privilege--Day-1.aspx#feedback http://rickgaribay.net/comments/commentRss/71.aspx http://rickgaribay.net/services/trackbacks/71.aspx Chronicles of a Least Privilege Developer - Ground Zero http://rickgaribay.net/archive/2007/01/04/Least-Privilege--Ground-Zero.aspx <p><span style="FONT-SIZE: 9pt; FONT-FAMILY: Arial">I usually don’t do New Year’s resolutions because I think that they are absurd. This year, however, I am going to make a concerted effort to take a more active role towards security besides giving talks on the topic. 
I am going to eat my own dog food and… say it, come on you can do it, get it out… apply the principle of least privilege to my daily computing both at work and at home &lt;/exhale&gt;.</span></p> <p><span style="FONT-SIZE: 9pt; FONT-FAMILY: Arial">The principle of least privilege is a security philosophy applied to software and systems to ensure that only the rights, or actions, necessary are available to a given user: no more and no less.</span></p> <p><span style="FONT-SIZE: 9pt; FONT-FAMILY: Arial">In the Windows world, there are really only two extremes: users and administrators. It is quite common, especially in my line of work, to work as an administrator. Working as an administrator is the antithesis of least privilege, because as an admin I have rights to all objects and permissions by default. This is undesirable for a number of reasons:</span></p> <ol> <li><span style="FONT-SIZE: 9pt; FONT-FAMILY: Arial">As a developer, working as an administrator hides the deployment-time realities that inevitably exist on client sites and target servers. It is very unlikely that users and applications are running as administrators (at least they shouldn't be), so developing software as an administrator is really setting oneself up for future problems.</span></li> <li><span style="FONT-SIZE: 9pt; FONT-FAMILY: Arial">Any malicious software or scripts that run on a machine while you are logged in as an administrator also run as an administrator, with unlimited privileges. One need only look to the world famous viruses that wreaked havoc on systems everywhere, costing businesses millions. I LOVE YOU and MELISSA ring a bell?</span></li> </ol> <p><span style="FONT-SIZE: 9pt; FONT-FAMILY: Arial">So, having made this oath, I have removed my domain account at work from the local Administrators group, effectively making it a regular user account. I then created a separate, "highly privileged" account with the word "admin" appended to the end of my regular user name. Since I spend the better part of my days in Visual Studio, I also added my regular user account to the VS Debuggers and VS Developers local groups for reasons that are too involved to go over here.</span></p> <p><span style="FONT-SIZE: 9pt; FONT-FAMILY: Arial">Starting today, I will log in with my regular user account and post back with my findings, problems and workarounds. 
If working under least privilege proves tenable, perhaps I can entice you folks in the community to follow suit.</span></p> <p><span style="FONT-SIZE: 9pt; FONT-FAMILY: Arial">Here's to a safe and secure new year!</span></p> <p><strong style="mso-bidi-font-weight: normal"><span style="FONT-SIZE: 9pt; FONT-FAMILY: Arial">Side Note:</span></strong></p> <p><span style="FONT-SIZE: 9pt; FONT-FAMILY: Arial">Windows Vista, the newest Windows release, applies the principle of least privilege out of the box through a feature called UAC, which stands for User Account Control. UAC prompts users to explicitly opt in to actions taken, before they happen, so that malicious code can't do harm to the system without the user's consent. Sure, this is a bit patronizing (picture grandma clicking "Yes"), but it is a step in the right direction. But this is only one feature of UAC. UAC also enforces the principle of least privilege by running the current user as a regular user. If the user interacts with objects that require escalated privileges, Vista prompts the user for the credentials to a highly privileged account. This is the automated functional equivalent of Run As in Windows 2000 and Windows XP.</span></p> <p><span style="FONT-SIZE: 9pt; FONT-FAMILY: Arial">One day, when I get an extra, say, 8 hours to play, I can’t wait to get the latest release bits installed. Until then, I’ll keep hammering on with Windows XP and Windows Server 2003.</span></p> Rick G. 
Garibay http://rickgaribay.net/archive/2007/01/04/Least-Privilege--Ground-Zero.aspx Thu, 04 Jan 2007 19:45:10 GMT http://rickgaribay.net/archive/2007/01/04/Least-Privilege--Ground-Zero.aspx#feedback http://rickgaribay.net/comments/commentRss/70.aspx http://rickgaribay.net/services/trackbacks/70.aspx