Prevent anonymous access to hosted WCF service

We can stop non authorized users access to our hosted WCF services by applying some sort of techniques. WCF doesn't provide us any direct On and Off mechanism for valid and invalid access. If we have published our WCF services with metadata, enough information is there to access our services(if we have not implemented security). We can restrict to anonymous access in following ways-

  1. By applying Authentication on our Services
  2. By not publishing metadata with services and distributing manually
  3. By restricting IPs except to valid one to access server that has hosted our WCF service

The simplest and easiest approach is the last one i.e. allowing trusted IPs access to server machine that has hosted our WCF services. In this approach, we restrict access to our services by doing some hardware or let’s say networking level settings and this can be done by networking expert in few minutes. Wonder? Yes, you are right it has nothing to do with WCF and a kind of JUGAD. We stop anonymous access to server where we have hosted our WCF service. There are known IPs that have access to these servers.

If you wish to opt the second option to stop anonymous access by hiding your metadata then you have to manually distribute your metadata information in WSDL and XSD files with your valid clients. Since you are hiding metadata, anonymous user will not find any information on browsing services to access it. But keep in mind that still guessing is there and this is the bad thing of this approach. To disable metadata exchange, we need to remove <serviceMetada> behaviour along with “mex” endpoint detail of our service. This removal will make our service invisibile (no detailed information will be available with service). Refer : How to: Use Transport Security and Message Credentials

We can easily analyze that hiding of Metadata of service is not secured but just a try to make it invisible from decent users. And still chances are there to be revealed by some bad but expert users. Hiding but not provide any security can be a threat from guess work or expert bad users and if once unveiled, internet user can see or use it.

So, the best approach is to apply authentication on our services. It can be done by disabling anonymous access in IIS with some IIS configuration setting changes to use Authentication level -> required. A relevant setting in our config file is also required under binding configuration. Ex-

<Security mode=”Transport”>
       <transport clientCredentialType="…" />

clientCredentialType can have following values:Basic , Certificate , Digest , None , Ntlm and Windows .Basic level is enough to provide much security to stop anonymous access. You can refer MSDN : How to: Set the Security Mode

Also, instead of using default mexHttpBinding we need to set appropriate mex binding. If we are using Basic, clientCredentialType then we should use basic mex binding. For implementing custom metadata refer MSDN : Custom Secure Metadata Endpoint