ABSTRACT

This service does not use an authorization control.

EXPLANATION

When a client calls a particular WCF service, WCF provides various authorization schemes that verify that the caller has permission to execute the service method on the server. If authorization controls are not enabled for WCF services, any authenticated user can invoke operations that were intended only for more privileged callers, which amounts to privilege escalation.

Example 1: The following configuration instructs WCF not to check the authorization level of the client when executing the service:


<behaviors>
  <serviceBehaviors>
    <behavior>
      ...
      <serviceAuthorization principalPermissionMode="None" />
    </behavior>
  </serviceBehaviors>
</behaviors>
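The corrected setting expressed in code, as an added example that is not part of the original page: the host enables role evaluation with PrincipalPermissionMode.UseWindowsGroups (the programmatic equivalent of principalPermissionMode="UseWindowsGroups" in configuration) and the sensitive operation carries a PrincipalPermission demand. The contract, service and role names (IPayrollService, PayrollService, "Payroll-Admins") are hypothetical.

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical contract: names chosen for illustration only.
[ServiceContract]
public interface IPayrollService
{
    [OperationContract]
    string ApproveSalary(int employeeId, decimal amount);
}

public class PayrollService : IPayrollService
{
    // Operation-level authorization: WCF evaluates this demand against
    // Thread.CurrentPrincipal before the method body runs. The demand is
    // only meaningful when the host's PrincipalPermissionMode populates
    // the principal from the caller; with "None" WCF does not do so.
    [PrincipalPermission(SecurityAction.Demand, Role = "Payroll-Admins")]
    public string ApproveSalary(int employeeId, decimal amount)
    {
        var caller = ServiceSecurityContext.Current?.PrimaryIdentity?.Name ?? "<unknown>";
        return $"{caller} approved {amount:C} for employee {employeeId}";
    }
}

public static class PayrollHost
{
    public static ServiceHost Create(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(PayrollService), baseAddress);

        // ServiceHost adds a ServiceAuthorizationBehavior by default; fetch it
        // (or add one) so the mode can be set explicitly.
        var authz = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        if (authz == null)
        {
            authz = new ServiceAuthorizationBehavior();
            host.Description.Behaviors.Add(authz);
        }

        // Weak setting from Example 1 (do not use):
        //   authz.PrincipalPermissionMode = PrincipalPermissionMode.None;
        // Corrected: build a WindowsPrincipal for each caller so that the
        // PrincipalPermission demand above is enforced against their groups.
        authz.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

        // Message security with the default Windows credential authenticates the caller.
        host.AddServiceEndpoint(typeof(IPayrollService), new WSHttpBinding(SecurityMode.Message), "payroll");
        return host;
    }
}
```

A caller outside the Payroll-Admins group receives a SecurityAccessDeniedException instead of the operation result.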
