# Thursday, February 17, 2005
WSE Policy Advisor

Microsoft Research in Cambridge have released the WSE Policy Advisor for Microsoft Web Services Enhancements (WSE) 2.0.  The Policy Advisor is an an unsupported tool that acts as a security diagnosis tool for WSE2 policy files (think of it as an FxCop for web service security policy files).  It analyses the policy file for common security vulnerabilities, provides a description on the risk and remedial advice.  It can be launched as a stand alone application or from the policy tab of the WSE Settings Visual Studio add in.  If you are intersted in WSE 2.0 and Policy then  download the Policy Advisor and run it against the sample files that ship with WSE 2.0 and send the research team feedback.

I've been a fan of using policy files to secure web services with WSE for a long time.  As Clemens says, authoring a policy file by hand is pushing things too far.  In combination with the WSE Settings add-in the Policy Advisor provides a great service for anyone wanting to understand and apply policy files, without having to get too focused on the XML angle brackets. The help file contains a list of all the problems the Policy Advisor can detect and is an excellent learning resource if you want to learn about the purpose of many of the policy elements.  For example:

This policy accepts messages with unauthenticated or elements. (Alarm)
Risk: The message is authenticated, but authentication does not cover and . Those elements are often used to implement replay protection, and should thus be authenticated. Otherwise, an attacker may intercept a message and generate a series of slightly different messages that will be accepted as distinct, genuine messages from the original sender. (The risk may be mitigated if the transport provides integrity protection, or if the recipient implements replay protection using other authenticated elements.)
Advice: Insert wse:Timestamp() and wsp:Header(wsa:MessageID) in the element in the assertion.

It also has warnings about the evil that using unencrypted UsernameTokens, though I'd highlight Keith Brown's excellent MSDN article on Securing the Username Tokens with WSE 2.0 as the best source of guidance in this area.

Here's how the tool integrates with the WSE Settings Visual Studio addin:

Below is a screenshot of the report that the Policy Advisor produces, in this case it is reporting against the secure conversation sample that ships with WSE 2.0.  The top part of the window describes the report, the bottom tree view highlights all of the issues found and the relevant policy for each problem.

.NET | Indigo | Web Services
posted on Thursday, February 17, 2005 9:27:29 PM (GMT Standard Time, UTC+00:00)  #   
Related posts:
Office Server 2007: Can it help me write less code?
Server-side Excel: changing the face of financial apps?
Ray Ozzie: Services Disruption and the need for 'Client Server Service Synergy'
DDD3: Deadline for speaker submissions extended until Monday
DDD III on Sat 3 June: Call for Speakers!
I can see clearly now: NUnitAddin and NCoverBrowser
 Tracked by:
"Home Insurance" (Home Insurance) [Trackback]
"Baccarat" (Baccarat) [Trackback]
"Slot Machines" (Slot Machines) [Trackback]
"Homeowner Insurance" (Homeowner Insurance) [Trackback]
"wildsexy lingerie girls" (wildsexy lingerie girls ) [Trackback]
"domain names search and hosting" (domain names search and hosting ) [Trackback]
"mac-laptop computer" (mac-laptop computer) [Trackback]
"disney-magic cruise ships" (disney-magic cruise ships ) [Trackback]
"comunedi prato carnico" (comunedi prato carnico ) [Trackback]
"House Insurance" (House Insurance) [Trackback]
"Internet Roulette" (Internet Roulette) [Trackback]
"when find out sex of baby" (when find out sex of baby ) [Trackback]
"Online Roulette" (Online Roulette) [Trackback]
"Homeowners Insurence" (Homeowners Insurence) [Trackback]

Page rendered at Friday, March 12, 2010 2:34:37 AM (GMT Standard Time, UTC+00:00)