Reputation: 2097
I have worked on a desktop application which I have created using the combination of WPF, WCF, EF 4 and SQL Server 2008 R2.
Now I have to prepare my software for security audit and I need to know what best I can do for ensuring security parameters in my application. Currently I'm using WCF Service authentication with Active Directory.
To my knowledge, I can do the following things to make my application more secure:
What else can I do to secure the application? I'm still not clear on how to secure the communication channel between client <--> server and server <--> database.
Any help will be greatly appreciated. Thanks.
Upvotes: 2
Views: 503
Reputation: 42497
Don't waste your time with obfuscation. Good security is transparent. Obfuscation is only useful for protecting intellectual property, and even then that's debatable.
Anyways, it sounds like you want to focus on a few things:
Obtain an SSL server certificate for your application server and also for your SQL Server. If you don't want to spend the money on one, you can create your own PKI or self-signed certificate authority. I wouldn't recommend self-signed for production, and rolling your own PKI shouldn't be taken lightly, either.
Use a binding that requires transport security to make your WCF communication use SSL. http://msdn.microsoft.com/en-us/library/ms734679.aspx
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/b361ee9e-2f37-4ecf-ba8b-96c6d6e6118a
Audit your authentication routines. Are you hashing and salting passwords? Do you audit security events (login, logout, failed attempts)? Do you lock accounts after a certain number of failed attempts? So on and so forth. It would be helpful to work with whomever is auditing you to get a feel for what they will be looking for.
Upvotes: 3
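The two channel settings the answer describes (a WCF binding with transport security plus Windows/Active Directory credentials for client <--> server, and an encrypted, certificate-validated connection string for server <--> database), shown as an added service-side app.config example; this is not code from the question or the answer, and the service name, contract, host names and database name are constructed placeholders:

```xml
<!-- Constructed app.config fragments (service side). Contoso.Orders,
     OrderService, sql01/app01.corp.example and the Orders database are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Server <-> database: require TLS on the SQL connection and validate the
         SQL Server certificate against the machine's trusted roots.
         TrustServerCertificate=True would accept any certificate and is what an
         auditor should flag. -->
    <add name="OrdersContext"
         connectionString="Data Source=sql01.corp.example;Initial Catalog=Orders;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Client <-> server: SSL/TLS on the wire (mode="Transport"), with the
             caller's Windows (Active Directory) identity presented over that channel -->
        <binding name="SecureAdBinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="Contoso.Orders.OrderService"
               behaviorConfiguration="SecureBehavior">
        <!-- https:// address: the server certificate bound to this port is the
             one obtained from your CA (or internal PKI) -->
        <endpoint address="https://app01.corp.example:8443/orders"
                  binding="wsHttpBinding"
                  bindingConfiguration="SecureAdBinding"
                  contract="Contoso.Orders.IOrderService" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SecureBehavior">
          <!-- publish metadata only over HTTPS -->
          <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
          <!-- do not return stack traces to callers in production -->
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

With an EF 4 EDMX model the same `Encrypt=True;TrustServerCertificate=False` pair goes inside the provider connection string portion of the entity connection string. The client side must use the same `wsHttpBinding` security settings, otherwise the channel will fail to open.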