
How to secure a WCF service running in Windows Azure that is accessed by a Windows Forms Application

Folks,

We are developing an application that is part of a downloadable WinForms application that connects to a set of Azure-hosted WCF services.

Our main issue now is how to properly secure these services to prevent DoS attacks and other security issues.

The WinForms application will be installed on end users' PCs anywhere in the world (they will be able to download it from our website), so we have no control over what the end users do to our application.

We have already secured the application as much as possible, but we know nothing is unbreakable. Our main goal now is to make sure methods of these web services are only called by our application and that we can defend ourselves against attacks.

We found a best-practice white paper from Microsoft stating that for some scenarios we have we could use the GateKeeper scenario (like for storage). We have not selected anything yet for our queues.

Another issue is how to best control authentication from our WinForms app to the services in the cloud.

Has anybody here developed or worked on any similar projects and would like to share some ideas?

Cheers,

Our main goal now is to make sure methods of these web services are only called by our application and that we can defend ourselves against attacks.

Replace that with: Our main goal now is to make sure methods of these web services are only called by our application OR that we can defend ourselves against attacks.

That's a bit more realistic :) There is simply no way to guarantee that the service will only be called from your clients, unless you absolutely trust them and start issuing certs for them (which they will lose, their PCs will be hacked, etc.).

If you want to secure the service you have to prepare for every possible attack scenario, unless you can rule them out with 100% certainty.

This question has already been asked again and again. If a web service is hosted on any server that has a public IP, the only way you can block clients is to authenticate them first: if authentication succeeds they can use the method, and if it fails they cannot. Authentication and authorization are the key for any service hosted on the Internet; otherwise keep the service private.

And to authenticate a WCF service there are patterns and practices already available, and it seems you have already taken care of that.
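As an added example (not code from the original question or either answer), the following C# host shows the two points the answers make, applied to a WCF service of the kind the question describes: the second answer's "authenticate first, then let the method run", and the question's DoS concern, handled with a WCF service throttle. It targets the .NET Framework WCF stack. The contract name `IOrderService`, the `DemoPasswordValidator` and its hard-coded credentials, the port and the URL are all assumptions made for the example; it also assumes an HTTPS certificate is already bound to the port (via `netsh http add sslcert` or the Azure role's HTTPS endpoint), because with `TransportWithMessageCredential` the TLS certificate is supplied by the HTTP listener, not by the service host. The comment in `CreateHost` notes how to switch to the client-certificate approach the first answer mentions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// Hypothetical contract, standing in for the question's real service methods.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string PlaceOrder(string sku, int quantity);
}

public class OrderService : IOrderService
{
    public string PlaceOrder(string sku, int quantity)
    {
        // The caller's identity comes from the credential WCF already validated
        // on this channel, never from a parameter the client could forge.
        string user = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return string.Format("order for {0} x {1} accepted from {2}", quantity, sku, user);
    }
}

// Hypothetical validator: WCF calls Validate for every message carrying a
// UserName token. Replace the hard-coded pair with a lookup against a store
// of salted password hashes; throwing rejects the call before the method runs.
public class DemoPasswordValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "alice" || password != "correct horse battery staple")
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

public static class SecureOrderHost
{
    // Shared by host and client: TLS on the wire, a user name token inside each message.
    // The weak alternative, new BasicHttpBinding(BasicHttpSecurityMode.None), lets
    // anyone who finds the URL invoke every method.
    public static Binding AuthenticatedBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // For the first answer's per-client certificates use MessageCredentialType.Certificate
        // and configure host.Credentials.ClientCertificate.Authentication instead of a validator.
        binding.Security.Message.EstablishSecurityContext = false; // one credential check per call, no session state to exhaust
        return binding;
    }

    public static ServiceHost CreateHost(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(OrderService), baseAddress);
        host.AddServiceEndpoint(typeof(IOrderService), AuthenticatedBinding(), "orders");

        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new DemoPasswordValidator();

        // Cap concurrent work so a flood of requests turns into rejected calls
        // instead of exhausting the role instance.
        var throttle = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (throttle == null)
        {
            throttle = new ServiceThrottlingBehavior();
            host.Description.Behaviors.Add(throttle);
        }
        throttle.MaxConcurrentCalls = 64;
        throttle.MaxConcurrentSessions = 64;
        throttle.MaxConcurrentInstances = 64;
        return host;
    }

    // Client side (what the WinForms app would do): same binding plus the user's credentials.
    public static string CallAsClient(Uri endpoint, string user, string password)
    {
        var factory = new ChannelFactory<IOrderService>(AuthenticatedBinding(), new EndpointAddress(endpoint));
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        IOrderService proxy = factory.CreateChannel();
        return proxy.PlaceOrder("SKU-1", 2);
    }
}

class Program
{
    static void Main()
    {
        // Assumes an HTTPS certificate is bound to port 8443 on this machine.
        using (ServiceHost host = SecureOrderHost.CreateHost(new Uri("https://localhost:8443/")))
        {
            host.Open();
            Console.WriteLine(SecureOrderHost.CallAsClient(
                new Uri("https://localhost:8443/orders"), "alice", "correct horse battery staple"));
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

A wrong password surfaces on the client as a `MessageSecurityException` (the fault wrapping the validator's `SecurityTokenException`) and the method body never executes, which is the "authenticate first" behaviour the second answer describes; the throttle values are starting points to tune against the role size, and a throttle only limits work the role accepts, so volumetric DoS still has to be absorbed in front of it.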

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original URL. For any questions contact: yoyou2525@163.com.
