Those smart guys at Microsoft Patterns and Practices have released the BETA version of their WCF Security guide. The guide, Improving Web Services Security: Scenarios and Implementation Guidance for WCF, is our Microsoft playbook for Windows Communication Foundation (WCF / "Indigo"). It shows you how to build secure services using WCF. It's a compendium of proven practices, product team recommendations, and insights from the field. It includes end-to-end application scenarios (Web applications / Smart Clients), as well as step-by-step How Tos. Most importantly, it frames out the Web services security space and shows you how to be effective with WCF.
patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF
(Forewords by Nicholas Allen and Rockford Lhotka.)
Download the Guide
· Guide Download: http://www.codeplex.com/WCFSecurityGuide
Contents at a Glance
· Part I - Security Fundamentals for Web Services gives you a quick overview of fundamental security concepts as they relate to services, service-oriented design, and Service-Oriented Architecture (SOA).
· Part II - WCF Security Fundamentals gives you a firm foundation in key WCF security concepts, with special attention on authentication, authorization, and secure communication, as well as WCF binding configurations.
· Part III - Intranet Application Scenarios shows you a set of end-to-end Intranet application scenarios that you can use to jumpstart your application architecture designs with a focus on authentication, authorization, and communication from a WCF perspective for your intranet.
· Part IV - Internet Application Scenarios shows a set of end-to-end Internet application scenarios that you can use to jumpstart your application architecture design for the Internet.
Chapters
· Ch 01 - Security Fundamentals for Web Services
· Ch 02 - Threats and Countermeasures for Web Services
· Ch 03 - Security Design Guidelines for Web Services
· Ch 04 - WCF Security Fundamentals
· Ch 05 - Authentication, Authorization and Identities in WCF
· Ch 06 - Impersonation and Delegation in WCF
· Ch 07 - Message and Transport Security in WCF
· Ch 08 - WCF Bindings Fundamentals
· Ch 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
· Ch 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
· Ch 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
· Ch 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
· Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
· Ch 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
· Ch 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)
Reference
· WCF Security Checklist
· WCF Security Guidelines
· WCF Security Practices at a Glance
· WCF Questions and Answers (Q&A)
· How Tos
· WCF Security Resources
External Contributors/Reviewers
· Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Bustamante; Parameswaran Vaideeswaran; Rockford Lhotka; Rudolph Araujo; Santosh Bejugam
Microsoft Contributors / Reviewers
· Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Don Smith; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev
More Information
· Guide site: http://www.codeplex.com/WCFSecurityGuide
· Project Site (Online KB): http://www.codeplex.com/WCFSecurity
· Project updates at J.D. Meier’s blog: http://blogs.msdn.com/jmeier