Protecting Named Pipes Used by WCF

I am new to both WCF and named pipes.

I need a way to communicate securely between a UI application and a Windows service on the same computer. Here's what I need:

- The client user interface needs to send (push) various types of messages to the Windows service.
- The client user interface needs to receive various types of messages from the service (pushed or pulled).

(A message here is simply structured, serialized data.)

Now, all this exchange should take place only through an authorized user account (which may differ from the service account). So I was thinking of ACLing the named pipe for both the service account and the user.

However, a named pipe only supports streams. I have several types of messages that need to be exchanged over the named pipe, which means I need to define them and serialize/deserialize them.

To get around this, I thought about using WCF (for serialization and RPC support) over named pipes, and hosting the WCF service in the Windows service.

Question 1) Is this a good approach? I hesitate to use HTTP or TCP underneath WCF, since the communication should stay inside the machine.

Question 2) Can I ACL the named pipe that WCF will use, and if so, how? Is this something I can control? I feel that ACLing the named pipe with specific SIDs gives me better security than implementing an authentication scheme between the client and server.

Thanks for any pointers or suggestions! Samir


1) , . .

2) , , , ACL , WCF NetNamedPipe. Microsoft, ACL, .

a AclSecuredNamedPipeBinding CustomBinding AclSecuredNamedPipeTransportBindingElement NamedPipeTransportBindingElement. SecurityIdentifier:

internal List<SecurityIdentifier> AllowedUsers { get { return _allowedUsers; } }
private List<SecurityIdentifier> _allowedUsers = new List<SecurityIdentifier>();

BuildChannelListener<TChannel>(BindingContext) -method AllowedUsers:

// The listener type is internal to System.ServiceModel, so it is resolved by name once (needs System.Reflection).
private static readonly Type namedPipeChannelListenerType
        = Type.GetType("System.ServiceModel.Channels.NamedPipeChannelListener, System.ServiceModel", false);

public override IChannelListener<TChannel> BuildChannelListener<TChannel>(BindingContext context)
{
  // Let the stock NamedPipeTransportBindingElement build the listener first.
  IChannelListener<TChannel> listener = base.BuildChannelListener<TChannel>(context);
  // NamedPipeChannelListener.AllowedUsers is non-public, so it is set via reflection.
  PropertyInfo p = namedPipeChannelListenerType.GetProperty(
          "AllowedUsers", BindingFlags.Instance|BindingFlags.NonPublic);
  p.SetValue(listener, _allowedUsers, null);
  return listener;
}

, " ", .


, "Chris Disson", . " StudentService. ". ,

AclSecuredNamedPipeBinding binding = new AclSecuredNamedPipeBinding();
SecurityIdentifier allowedGroup = (SecurityIdentifier)(new NTAccount("NPServiceUsers").Translate(typeof(SecurityIdentifier)));
binding.AddUserOrGroup(allowedGroup);
studentServiceHost = new ServiceHost(typeof(StudentService.StudentService));
// net.pipe address: the endpoint never leaves the machine.
Uri pipeBaseAddress = new Uri("net.pipe://localhost/ServiceHost/ServiceHost");

studentServiceHost.AddServiceEndpoint(typeof(StudentService.IStudentService), binding, pipeBaseAddress);
studentServiceHost.Open();

nTAccount "NPServiceUsers" "", .

" ObjectentService Object, ."

studentService - , IStudentService.

public class StudentService : IStudentService
{
    public void DoWork()
    {
    }
}
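The custom binding described in the first answer and used in the second, as an added example and not the answerers' own code: the transport element overrides Clone so the allow-list survives WCF's cloning of binding elements, fails closed if the internal AllowedUsers property cannot be found, and AclSecuredNamedPipeBinding exposes the AddUserOrGroup method the second answer calls. Member names beyond those in the answers, the copy constructor, and the internal type name resolved by reflection are assumptions; the approach rests on WCF internals and should be checked against the framework version in use.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Security.Principal;
using System.ServiceModel.Channels;

// Transport element that hands an allow-list of SIDs to WCF's internal NamedPipeChannelListener.
public class AclSecuredNamedPipeTransportBindingElement : NamedPipeTransportBindingElement
{
    // The listener type is internal to System.ServiceModel, hence lookup by name (assumed type name).
    private static readonly Type ListenerType = Type.GetType(
        "System.ServiceModel.Channels.NamedPipeChannelListener, System.ServiceModel", false);
    private readonly List<SecurityIdentifier> _allowedUsers = new List<SecurityIdentifier>();

    public AclSecuredNamedPipeTransportBindingElement() { }

    // WCF clones binding elements when building a channel stack; carry the allow-list across.
    protected AclSecuredNamedPipeTransportBindingElement(AclSecuredNamedPipeTransportBindingElement other)
        : base(other)
    {
        _allowedUsers.AddRange(other._allowedUsers);
    }

    public IList<SecurityIdentifier> AllowedUsers { get { return _allowedUsers; } }

    public override BindingElement Clone() { return new AclSecuredNamedPipeTransportBindingElement(this); }

    public override IChannelListener<TChannel> BuildChannelListener<TChannel>(BindingContext context)
    {
        IChannelListener<TChannel> listener = base.BuildChannelListener<TChannel>(context);
        PropertyInfo p = ListenerType == null ? null
            : ListenerType.GetProperty("AllowedUsers", BindingFlags.Instance | BindingFlags.NonPublic);
        // Fail closed: if the internal property is unreachable the pipe would otherwise open to everyone.
        if (p == null)
            throw new InvalidOperationException("NamedPipeChannelListener.AllowedUsers not found; refusing to listen without the ACL.");
        p.SetValue(listener, new List<SecurityIdentifier>(_allowedUsers), null);
        return listener;
    }
}

// Binding that swaps the stock pipe transport for the ACL-aware one (the transport element must come last).
public class AclSecuredNamedPipeBinding : CustomBinding
{
    private readonly AclSecuredNamedPipeTransportBindingElement _transport = new AclSecuredNamedPipeTransportBindingElement();

    public AclSecuredNamedPipeBinding() : base(new BinaryMessageEncodingBindingElement())
    {
        Elements.Add(_transport);
    }

    public void AddUserOrGroup(SecurityIdentifier sid) { _transport.AllowedUsers.Add(sid); }
}
```

A quick check after Open() is to connect from an account outside the allowed group and confirm the channel is refused, since a silently ignored allow-list looks identical to a working one from the service side.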
