I created a WCF service using HTTP Basic Authentication and SSL (temporary certificate in IIS at the moment).
Here is the corresponding configuration.
<services>
  <!-- No behaviorConfiguration attribute, so the unnamed behavior below applies and
       CustomUsernameValidatorBehavior is never attached to this service. -->
  <service name="MyNamespace.MyService">
    <endpoint address=""
              binding="basicHttpBinding"
              bindingConfiguration="basicHttps"
              name="MyEndPoint"
              contract="MyNamespace.IMyService" />
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <!-- Default (unnamed) behavior: applies to every service without a behaviorConfiguration. -->
    <behavior name="">
      <serviceMetadata httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
    <!-- Custom validator behavior: defined but not referenced by the service above. -->
    <behavior name="CustomUsernameValidatorBehavior">
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom"
                                customUserNamePasswordValidatorType="MyNamespace.CustomUserNameValidator" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<bindings>
  <basicHttpBinding>
    <!-- Transport security with Basic at the transport level: IIS performs the
         authentication, WCF only receives the already-authenticated identity. -->
    <binding name="basicHttps">
      <security mode="Transport">
        <transport clientCredentialType="Basic" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
Because I host in IIS, I cannot use my custom UserNamePasswordValidator: IIS Basic authentication checks the username and password against Windows.
I created a new user, disabled local logon for it and placed it in a new group (without permissions). The only purpose of this user is to provide access to the service, and nothing more. The service will be public on the Internet, not on an internal network such as an intranet.
My question boils down to this: are there any security risks or consequences of using a real Windows user? If so, what can be done to protect this service / IIS?
Should I do something to prevent fishing for information? Could someone, for example, try different usernames and passwords to search for valid credentials?
By the way, this is a working binding (minus some other endpoints, etc.) for WCF using HTTP Basic Authentication in IIS with SSL. It requires Basic authentication to be enabled in IIS as well as a Windows user to authenticate against. I would prefer not to authenticate with a Windows user.
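The configuration above sends the Basic credentials at the transport level, so IIS, not WCF, validates them, which is why the custom validator is never invoked and a Windows account is required. The following is an added configuration example, not the asker's own config, showing the original Transport/Basic binding next to a TransportWithMessageCredential/UserName binding that keeps TLS for confidentiality but carries the credentials in the SOAP message, where WCF hands them to the custom validator. It assumes the validator lives in an assembly called MyAssembly (the assembly name is an assumption; the page only gives the type name) and that the IIS site is switched to Anonymous authentication with Basic disabled, so no Windows account is involved.

```xml
<system.serviceModel>
  <services>
    <!-- behaviorConfiguration is what attaches the custom validator; the original
         service element omitted it, so the unnamed behavior was used instead. -->
    <service name="MyNamespace.MyService"
             behaviorConfiguration="CustomUsernameValidatorBehavior">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="basicHttpsMessageCredential"
                name="MyEndPoint"
                contract="MyNamespace.IMyService" />
      <!-- Metadata exchange over HTTPS only. -->
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="CustomUsernameValidatorBehavior">
        <serviceMetadata httpsGetEnabled="true" />
        <!-- Do not return stack traces to Internet clients; the original had this set to true. -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <!-- Assumed assembly name "MyAssembly"; WCF needs an assembly-qualified type name here. -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
                                  customUserNamePasswordValidatorType="MyNamespace.CustomUserNameValidator, MyAssembly" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <bindings>
    <basicHttpBinding>
      <!-- Original binding: credentials in the HTTP Authorization header, verified by IIS
           against Windows accounts. The custom validator is never called. -->
      <binding name="basicHttps">
        <security mode="Transport">
          <transport clientCredentialType="Basic" />
        </security>
      </binding>
      <!-- Alternative: TLS on the wire, UserName token in the SOAP header, verified by
           WCF through the custom validator. IIS stays on Anonymous authentication. -->
      <binding name="basicHttpsMessageCredential">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
</system.serviceModel>
```

With this binding the validator receives the password in clear text over the TLS channel, so it should compare against a salted hash rather than a stored password, and because the endpoint is public it should also count failures per username and source address and slow or reject repeated attempts; otherwise the password-guessing concern raised above simply moves from the Windows account to the custom store.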