WCF configuration file's protection with ACL

Question

in this MSDN article about WCF Configuration Schema theres a warning saying:

You should protect WCF configuration sections in your application configuration files (app.config) with appropriate Access Control Lists (ACL) to prevent any potential security threats. For example, you should make sure that only the appropriate people can access or modify the security settings on application bindings, or the service model section of the configuration file for a service.

And that's exactly what I need for my WCF services but I can't find much information in how to achieve this type of protection.

Can someone please provide me any examples in how to protect WCF configuration file's sections with Access Control Lists (ACLs) or point me more info about this subject?

Thanks in advance.

Answer 1

This quote can be about encrypting WCF configuration sections (not the whole system.ServiceModel section group, though) and controlling ACL to key container.

MSDN + Some blog post + Somewhat related StackOverFlow discussion

From different articles it seems that this approach is IIS specific, but you can do the same without IIS. Basically you encrypt section with RsaProtectedConfigurationProvider for example and specify Key name, that is defined in machine level key storage.

---

ACL is a default Windows system of controlling permissions for securable objects. Each file is a security object, app.config also. And every file has an ACL. When you open security tab in File Properties - it is a GUI for ACL.

You can modify using several ways:

• Default File Properties widow (security tab).
• icacls tool
• PowerShell commands
• Active Directory policies, if you have and control the domain