2010-11-25

Authenticating WCF for IPC and remote access

My GUI application controls its sister Windows service over WCF using NetNamedPipeBinding. I want to prevent other applications from impersonating my GUI application and controlling my service.

Is it necessary to authenticate the GUI application to the Windows service to prevent impersonation?
How should I go about doing that?


Edit: remote computers should also be able to control the service, given credentials that the service trusts, so I need to add a NetTcpBinding endpoint as well. Any answer that covers this too would be helpful.

Answer

Yes, it is necessary to secure the WCF channel to prevent impersonation. WCF can encrypt the communication automatically when you tell it to, but you need to take care of the authentication part yourself.

There are two ways of securing messages in WCF (three, if you count the fact that you can use both at the same time). There is a good high-level explanation here. Which method you can use depends on the binding we are talking about (you will have different options for different bindings).

In addition, for each method of securing the service you can choose between the authentication credential types (the actual way each party proves its identity to the other endpoint). This depends on the binding as well as on the security method.

To see the options for each binding, you can inspect its Security property. That property is of a different type for each binding (e.g. NetTcpSecurity); check MSDN or IntelliSense to find out.

From here on I will use NetTcpBinding with transport security as the example.

To set up security, on both the server and the client side, you first have to configure the binding with the security mode and authentication type, before creating and opening the channel, e.g.:

var binding = new NetTcpBinding { /* set props here */ }; 
// TLS security with X.509 certificates 
binding.Security.Mode = SecurityMode.Transport; 
binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate; 

Then, on the server side (this example is specific to the choices made above):

// Load and set the server certificate 
var serverCertificate = new X509Certificate2(/* parameters here */); 
host.Credentials.ServiceCertificate.Certificate = serverCertificate; 

// You can leave it at that and let Windows validate the client's certificate using 
// the default method (which means that you either need to have added the client's 
// certificate to the server machine's certificate store as "trusted", or rely on chain 
// trust and have the client's certificate signed by a trusted authority. 

// Or, you can use custom validation rules: 
var authentication = host.Credentials.ClientCertificate.Authentication; 
authentication.CertificateValidationMode = X509CertificateValidationMode.Custom; 
// AcceptAnythingCertificateValidator stands in for a class you write yourself, deriving 
// from X509CertificateValidator and overriding Validate(X509Certificate2). 
authentication.CustomCertificateValidator = new AcceptAnythingCertificateValidator(); 

And on the client side (also specific to this example):

var clientCertificate = new X509Certificate2(/* parameters here */); 
var factory = new ChannelFactory<IYourServiceInterface>(binding, endpoint); 
factory.Credentials.ClientCertificate.Certificate = clientCertificate; 

// You can leave it at that and let Windows validate the server's certificate using 
// the default method (which means that you either need to have added the server's 
// certificate to the client machine's certificate store as "trusted", or rely on chain 
// trust and have the server's certificate signed by a trusted authority. 

// Or, you can use custom validation rules: 
var authentication = factory.Credentials.ServiceCertificate.Authentication; 
authentication.CertificateValidationMode = X509CertificateValidationMode.Custom; 
// Same placeholder as on the server: your own X509CertificateValidator subclass. 
authentication.CustomCertificateValidator = new AcceptAnythingCertificateValidator(); 

var channel = factory.CreateChannel(); 

// Your channel is now ready for use! You can also cast it to IClientChannel 
// to expose some more properties. 
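The answer above leaves the validator as a placeholder that accepts any certificate, which is exactly the gap an impersonating client would walk through. Below is an added example (not code from the original answer) that fills that gap: a custom X509CertificateValidator that pins an explicit allow-list of certificate thumbprints, wired into both the service host and the client channel factory, plus a second check inside the operation itself. The contract name IControlService, the port, the DNS identity "control-service" and the thumbprint strings are all placeholders of my own; substitute your real contract and certificates.

```csharp
// Added example, not part of the original answer. IControlService, the thumbprints,
// the port and the DNS identity are placeholders; swap in your own contract and certs.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IControlService
{
    [OperationContract]
    string Restart();
}

// Replaces the "accept anything" validator: only certificates whose thumbprint is on
// an explicit allow-list pass. Subject names are deliberately not used, because anyone
// can self-sign a certificate carrying the same subject as your GUI's certificate.
public sealed class PinnedThumbprintValidator : X509CertificateValidator
{
    private readonly HashSet<string> allowed;

    public PinnedThumbprintValidator(params string[] thumbprints)
    {
        allowed = new HashSet<string>(
            thumbprints.Select(t => t.Replace(" ", "").ToUpperInvariant()));
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");
        if (!allowed.Contains(certificate.Thumbprint.ToUpperInvariant()))
            throw new SecurityTokenValidationException(
                "Certificate '" + certificate.Subject + "' is not pinned for this endpoint.");
        // Pinning does not exempt the certificate from lifetime checks.
        var now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Pinned certificate is outside its validity period.");
    }
}

public class ControlService : IControlService
{
    public string Restart()
    {
        // Defence in depth: refuse anything the transport did not authenticate, so a
        // misconfigured endpoint cannot expose this operation to anonymous callers.
        var ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Caller was not authenticated.");
        return "restart requested by " + ctx.PrimaryIdentity.Name;
    }
}

public static class Wiring
{
    // Hypothetical thumbprints, not real certificates.
    const string ServiceThumbprint = "0000000000000000000000000000000000000001";
    const string GuiThumbprint     = "0000000000000000000000000000000000000002";

    public static NetTcpBinding SecuredBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    public static ServiceHost OpenHost()
    {
        var host = new ServiceHost(typeof(ControlService), new Uri("net.tcp://localhost:8731/control"));
        host.AddServiceEndpoint(typeof(IControlService), SecuredBinding(), "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ServiceThumbprint);
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedThumbprintValidator(GuiThumbprint);
        auth.MapClientCertificateToWindowsAccount = false; // no silent mapping to local accounts
        host.Open();
        return host;
    }

    public static IControlService ConnectClient(string hostName)
    {
        // The DNS identity must match the CN of the service certificate; the client pins
        // the service certificate too, so a rogue service cannot impersonate the real one.
        var address = new EndpointAddress(
            new Uri("net.tcp://" + hostName + ":8731/control"),
            EndpointIdentity.CreateDnsIdentity("control-service"));
        var factory = new ChannelFactory<IControlService>(SecuredBinding(), address);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, GuiThumbprint);
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedThumbprintValidator(ServiceThumbprint);
        return factory.CreateChannel();
    }
}
```

Two practical notes. The GUI's private key has to live somewhere the GUI can read it, so a process running as the same user can still borrow it; pinning stops impersonation by other principals, not by code running in the same security context. And for the local NetNamedPipeBinding endpoint from the original question there is no client certificate at all: named-pipe transport security always carries the caller's Windows identity, so the equivalent check is the ServiceSecurityContext test inside Restart above, comparing ctx.WindowsIdentity against the account the GUI is expected to run as.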

Thanks for the excellent answer. Any comments on using `MessageCredentialType.Windows`? If I want to allow network administrators to control the service on remote computers, what is the easiest way to let Windows handle the user/password problem? – 2010-11-25 14:58:17