
I have never really used this stack before and I just wanted to make sure that I am thinking along the right lines.

I have a WCF service with Windows authentication for transport security and a certificate for message security, with one TCP endpoint. My service has methods to authenticate a plain-text username and password: the username is used to retrieve the salt from the database, the given password is hashed with that salt, and the result is then compared to the password from the database.

In order to authenticate users in my ASP.NET MVC project, I am simply using forms authentication and setting the auth cookie if the WCF service returns HTTP code OK when the username and password are passed from the action to the service.

If I implement the necessary security measures, such as locking accounts out after x unsuccessful authentication requests to the service, does this serve as sufficient security to lock down my application?

This project is public facing.

  • Are you using HTTPS? Commented Aug 18, 2016 at 5:37

3 Answers


There are a variety of factors to consider.

  1. Can the domain for the WCF service be hijacked and DNS re-routed?
  2. How are errors handled in the WCF service? Is it possible that an OK status could be returned in the event of an error?
  3. Salts are OK, but I would recommend something like bcrypt instead for password storage and validation.
  4. Ensure you have the requireSSL flag set on your forms as well
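As an added example, not code from the question or from this answer: the verify-against-stored-salt flow the question describes, written so that points 2 and 3 above are covered. It derives the hash with PBKDF2 (Rfc2898DeriveBytes, which ships with .NET) rather than a bare salted hash, compares in constant time, hashes a dummy credential for unknown usernames so response time does not reveal which accounts exist, and returns an explicit result instead of letting the MVC caller infer success from a status code. The `StoredCredential`, `PasswordHasher`, `AuthService` and `AuthResult` names and the `lookup` delegate that stands in for the database query are all assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the question or answer). Assumed names: StoredCredential,
// PasswordHasher, AuthService, AuthResult, and the 'lookup' delegate that stands in for
// the database query.
public sealed class StoredCredential
{
    public byte[] Salt;      // per-user random salt, stored beside the hash
    public byte[] Hash;      // PBKDF2 output, never the password itself
    public int Iterations;   // stored per row so the cost can be raised later
}

public static class PasswordHasher
{
    const int SaltBytes = 16, HashBytes = 32, DefaultIterations = 100000;

    public static StoredCredential Create(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        return new StoredCredential
        {
            Salt = salt,
            Iterations = DefaultIterations,
            Hash = Derive(password, salt, DefaultIterations)
        };
    }

    // Recompute the hash with the stored salt and iteration count, then compare.
    public static bool Verify(string password, StoredCredential stored)
    {
        if (password == null || stored == null || stored.Salt == null || stored.Hash == null)
            return false;   // fail closed: a missing row or field is never a match
        byte[] candidate = Derive(password, stored.Salt, stored.Iterations);
        return FixedTimeEquals(candidate, stored.Hash);
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        // PBKDF2 with HMAC-SHA1 (this constructor's default); newer framework versions
        // accept a HashAlgorithmName to select SHA-256 instead.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Whole-array loop so the time taken does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public enum AuthResult { Success, BadCredentials, Error }

public static class AuthService
{
    // Hashed once at startup; used for unknown usernames so their response time matches
    // that of a real user with a wrong password (no username enumeration via timing).
    static readonly StoredCredential Dummy = PasswordHasher.Create("not-a-real-password");

    // Returns an explicit outcome; the MVC login action sets the forms cookie only on Success.
    public static AuthResult Authenticate(string username, string password,
                                          Func<string, StoredCredential> lookup)
    {
        try
        {
            StoredCredential stored = lookup(username);   // null when the user does not exist
            // Non-short-circuit '&' so the hash is always computed, even for unknown users.
            bool ok = PasswordHasher.Verify(password, stored ?? Dummy) & (stored != null);
            return ok ? AuthResult.Success : AuthResult.BadCredentials;
        }
        catch (Exception)
        {
            return AuthResult.Error;   // an exception path must never look like a successful login
        }
    }
}
```

On the MVC side the login action calls `AuthService.Authenticate` and only on `AuthResult.Success` calls `FormsAuthentication.SetAuthCookie(username, false)`; `BadCredentials` and `Error` both produce the same generic failure message. If you take the bcrypt recommendation in point 3, the BCrypt.Net NuGet package (an assumption here, not something the answer names) replaces `Create` and `Verify` with `BCrypt.Net.BCrypt.HashPassword(password, 12)` and `BCrypt.Net.BCrypt.Verify(password, storedHash)`; the salt is embedded in the hash string, so no separate salt column is needed. For point 4, the setting is `<forms requireSSL="true" ... />` under `<authentication mode="Forms">` in web.config, which marks the auth cookie Secure so the browser never sends it over plain HTTP.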




I would highly suggest stepping away from forms authentication when working with a WCF service or REST service. You can use BASIC authentication and wrap everything really nicely with SSL, and it would be much better. A few things to really look at are the following:

  • How do you plan on dealing with brute-force attempts?
  • How do you plan on handling legitimate users locking themselves out?
  • What OSes do you plan on targeting? Are you creating a WCF service for a web site, or do you plan on utilizing iOS and Android later?

After considering all of the above options, check out the following:

https://msdn.microsoft.com/en-us/library/ff406125.aspx

And when you think you have read enough, read a little more. The OWASP security best practices for WCF are an awesome standard; you can even create a checklist from them.

https://www.owasp.org/index.php/WCF_Security_Best_Practices


  • Use HTTPS.
  • Add a CAPTCHA to the MVC project.
  • Add a time span between retries and limit the number of retries.
  • Do not use plain text; encode it first. Even MD5 would be better.
  • If this is on the internet, you'd better find an expert.
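As an added example, not code from this answer or the one above: the "limit the retries and space them out" advice here and the brute-force and self-lockout questions in the previous answer both come down to the same piece of state, a per-key failed-attempt record. The class below keeps that record, slows attempts with a doubling delay well before the hard lock, and is checked before the password hash is computed so a throttled request costs no CPU. It is keyed both by username and by caller address, so one client cannot sidestep the account lock by spreading guesses across many usernames, while an attacker targeting one account from many addresses still hits the account lock. `LoginThrottle`, `ThrottledLogin` and their members are assumed names; the in-memory `ConcurrentDictionary` is for illustration and would be a database or cache table in a multi-host deployment.

```csharp
using System;
using System.Collections.Concurrent;

// Added example, not from either answer. Assumed names: LoginThrottle, ThrottledLogin.
// Tracks failed logins per key (username, or client address) and answers "may this
// attempt proceed, and if not, when?" with a growing delay and then a hard lock.
public sealed class LoginThrottle
{
    sealed class Entry
    {
        public int Failures;
        public DateTime LastFailure;
        public DateTime NotBefore;   // earliest time another attempt is accepted
    }

    readonly ConcurrentDictionary<string, Entry> _state =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    readonly int _lockAfter;        // failures before the hard lock applies
    readonly TimeSpan _lockFor;     // hard-lock duration
    readonly TimeSpan _window;      // failures older than this are forgotten
    readonly Func<DateTime> _clock; // injectable so the policy can be unit-tested

    public LoginThrottle(int lockAfter, TimeSpan lockFor, TimeSpan window,
                         Func<DateTime> clock = null)
    {
        _lockAfter = lockAfter;
        _lockFor = lockFor;
        _window = window;
        _clock = clock ?? (() => DateTime.UtcNow);
    }

    // Call BEFORE verifying the password: a throttled attempt should not cost a PBKDF2 run.
    // Returns TimeSpan.Zero when the attempt may proceed, else how long the caller must wait.
    public TimeSpan RetryAfter(string key)
    {
        Entry e;
        if (!_state.TryGetValue(key, out e)) return TimeSpan.Zero;
        DateTime now = _clock();
        if (now - e.LastFailure > _window)
        {
            _state.TryRemove(key, out e);    // stale record: forgive old failures
            return TimeSpan.Zero;
        }
        return e.NotBefore > now ? e.NotBefore - now : TimeSpan.Zero;
    }

    public void RecordFailure(string key)
    {
        DateTime now = _clock();
        _state.AddOrUpdate(key,
            _ => Make(1, now),
            (_, old) => Make(now - old.LastFailure > _window ? 1 : old.Failures + 1, now));
    }

    public void RecordSuccess(string key)
    {
        Entry e;
        _state.TryRemove(key, out e);        // a good login clears the counter
    }

    Entry Make(int failures, DateTime now)
    {
        return new Entry { Failures = failures, LastFailure = now, NotBefore = now + Backoff(failures) };
    }

    // 1 s, 2 s, 4 s, ... for the first failures, then the full lock duration.
    TimeSpan Backoff(int failures)
    {
        return failures >= _lockAfter
            ? _lockFor
            : TimeSpan.FromSeconds(Math.Pow(2, failures - 1));
    }
}

// How the WCF authenticate operation would use it: two keys, the account and the caller
// address, so neither "many usernames from one address" nor "one username from many
// addresses" runs unthrottled.
public static class ThrottledLogin
{
    static readonly LoginThrottle Throttle = new LoginThrottle(
        lockAfter: 5, lockFor: TimeSpan.FromMinutes(15), window: TimeSpan.FromMinutes(30));

    public static bool TryLogin(string username, string clientAddress, Func<bool> verifyPassword)
    {
        string userKey = "user:" + username, addrKey = "addr:" + clientAddress;
        if (Throttle.RetryAfter(userKey) > TimeSpan.Zero || Throttle.RetryAfter(addrKey) > TimeSpan.Zero)
            return false;                     // rejected without touching the password hash
        if (verifyPassword())
        {
            Throttle.RecordSuccess(userKey);  // address counter is left alone: one good login
            return true;                      // must not clear guesses against other accounts
        }
        Throttle.RecordFailure(userKey);
        Throttle.RecordFailure(addrKey);
        return false;
    }
}
```

One caveat specific to the setup in the question: the WCF service's caller is the MVC web server, not the browser, so `RemoteEndpointMessageProperty` on the service side will always show the web server's address. The MVC action has to pass the browser's address (`Request.UserHostAddress`) as an explicit operation parameter for the address key to mean anything. The doubling delay is what addresses the self-lockout concern raised in the previous answer: a user who mistypes a password two or three times waits a few seconds, while the hard lock only applies after the configured threshold.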

1 Comment

I honestly do not think what you are trying to convey is all that great. Having CAPTCHA for a web service? Oddly redundant, especially when migrating to other services and platforms. "If this is on the internet, you'd better find an expert." That is a horribly inaccurate statement. Microsoft has invested millions of dollars in creating amazing libraries, training regimes and tutorials for the average developer to follow to create secure APIs to provide to internet-connected devices.
