
91 Best WCF Security Questions and Answers [Interview Q/A]

Design Considerations Q/A :-

How do you decide on an authentication strategy?
How do you decide on an authorization strategy?
When should you use message security vs transport security?
How do you use Active Directory infrastructure?
What bindings should you use over the Internet?
What bindings should you use over an intranet?
When should you impersonate the original caller?
How do you migrate to WCF from a COM, DCOM or WSE application?
How do you migrate to WCF from an ASMX Web service?
What is the difference between resource-based, role-based, and claims-based authorization?

Auditing and Logging Q/A:-

How do you protect your log files?
What events should be logged in WCF service security?
How do you enable logging and auditing in WCF?
How do you stop your service if there has been an auditing failure?
How do you log important business events in WCF?
How do you implement log throttling in WCF?
How do you use the health monitoring feature with WCF?
How do you pass user identity information in a message for auditing purposes?

Authentication Q/A :-

How do you decide on a WCF authentication strategy?
When should you use the SQL Server membership provider?
How do you authenticate against Active Directory?
How do you authenticate against a SQL store?
How do you authenticate against a custom store?
How do you protect passwords in a user store?
How do you use certificate authentication with X.509 certificates?
What is the authentication scenario for intranet applications?
How do you support authentication for multiple clients?
What is federated security?
How do you send credentials in the message when you are using transport security?
How do you avoid clear-text passwords?

Authorization Q/A :-

How do you decide on an authorization strategy in WCF?
How do you use Windows groups for role authorization in WCF?
How do you restrict access to WCF operations to specific Windows users?
How do you associate roles with a certificate?
What is a service principal name (SPN)?
How do you create a service principal name (SPN)?

Bindings Q/A :-

What is a binding?
What bindings are available in WCF?
Which bindings are best suited for the Internet?
Which bindings are best suited for an intranet?
How do you choose an appropriate binding?

Configuration Management Q/A :-

How do you encrypt sensitive data in the WCF configuration file?
How do you run a WCF service under a particular identity?
How do you create a service account for running your WCF service?
When should you use a configuration file versus the WCF object model?
What is a metadata exchange (mex) binding?
How do you keep clients from referencing your service?

Deployment Considerations Q/A :-

What are the additional considerations for using WCF in a Web farm?
How do you configure Active Directory groups and accounts for role-based authorization checks?
How do you create an X.509 certificate?
When should you use a service principal name (SPN)?
How do you configure a least-privileged account for your service?

Exception Management Q/A :-

How do you implement a global exception handler?
What is a fault contract?
How do you define a fault contract?
How do you avoid sending exception details to the client?

Hosting Q/A :-

How do you configure a least-privileged account to host your service?
When should you host your service in Internet Information Services (IIS)?
When should you host your service in a Windows service?
When should you self-host your service?

Impersonation/Delegation Q/A :-

What are your impersonation options?
What is the difference between impersonation and delegation?
How do you impersonate the original caller for an operation call?
How do you temporarily impersonate the original caller in an operation call?
How do you impersonate a specific (fixed) identity?
What is constrained delegation?
What is protocol transition?
How do you flow the original caller from the ASP.NET client to a WCF service?
What is the difference between declarative and programmatic impersonation?
What is the trusted subsystem model?
When should you flow the original caller to back-end code?
How do you control access to a remote resource based on the original caller's identity?

Input/Data Validation Q/A :-

How do you implement input and data validation in WCF?
What is schema validation?
What is parameter validation?
Should you validate before or after message serialization?
How do you protect your services from denial of service (DoS) attacks?
How do you protect your services from malicious input attacks?
How do you protect your services from malformed messages?

Message Protection Q/A :-

When should you use message security?
When should you use transport security?
How do you protect your message when intermediaries route the message?
How do you protect your message when multiple protocols are used during message transit?

Proxy Considerations Q/A :-

When should you use a channel factory?
When do you need to expose a metadata exchange (mex) endpoint for your service?
How do you avoid proxy spoofing?

Sensitive Data Q/A :-

How do you protect sensitive data in configuration files?
How do you protect sensitive data in memory?
How do you protect your metadata?
How do you protect sensitive data from being read on the wire?
How do you protect sensitive data from being tampered with on the wire?

Certificates-X.509 Q/A :-

How do you create X.509 certificates?
Do you need to create a certificate signed by the root CA certificate?
How do you use X.509 certificate revocation?

Additional Resources - https://msdn.microsoft.com/en-us/library/ff649839.aspx

I hope you are enjoying this post! Please share it with your friends. Thank you!!
By Anil Singh
