WCF Named Pipe Security and Multiple User Sessions?

Question

I have setup a WPF application that is single instance using a Mutex, this allows for the application to run within each user account if you are using user switching. The appli

Answer 1

This paper on named pipe security discusses the topic in a lot of detail.

In short, if you're not careful you could allow a malicious program running with standard user permission to exploit a pipe to elevate itself to the same privilege level as the named pipe server.

I'm afraid I don't know whether the WCF implementation is secure against this type of attack by default.

Answer 2

Named pipes imply that the communication is point-to-point on the same machine. I believe that it is secured by default, but since communication is never leaving the machine, even on the same network, that security isn't the biggest thing to worry about - at least in regards to the communication between a named pipe component and its consumer.

Check out "Programming WCF Services 2nd Edition" by Juval Lowy. Chapter 10 is all about component security. On page 514, he writes "there is no sense in using Message security over IPC, since with IPC there is always exactly one hop from the client to the service. The chart on that page shows that Transport security is turned on by default for named pipes.

Answer 3

Named pipes in WCF are not accessible from the network and no encryption is required to secure them. However, WCF services are not secure against the attack mentioned by romkyns.

I suggest you read this posts:

Exploring the WCF Named Pipe Binding - Part 1

Exploring the WCF Named Pipe Binding - Part 2

Exploring the WCF Named Pipe Binding - Part 3

Exploring the WCF Named Pipe Binding - Part 4

about the security problems involved.

In short WCF allows ANY process to masquerade itself as the service and:

1. Either simulate the service OR
2. Eavesdrop and tamper data assuming that the rogue process itself connect to the service. However, if the service uses access security to check the identity of the calling user this may not be possible.