There are several aspects pertaining to secure interaction between a client and a service. Similar to traditional client-server and component-oriented applications, the service needs to authenticate its callers and often also authorize the callers before executing sensitive operations. In addition, regardless of the technology, when securing a service (and its clients) as in any distributed system, you need to secure the messages while en route from the client to the service. Once the messages arrive securely and are authenticated and authorized, the service has a number of options regarding the identity it uses to execute the operation. To these classic security aspects of authentication, authorization, transfer security, and identity management, I add something more abstract, which I call overall security policy: that is, your own personal and your company’s (or customer’s) approach and mindset when it comes to security. This chapter starts by defining the security aspects in the context of WCF and the options available for developers when it comes to utilizing WCF and .NET security. Then, you will see how to secure the canonical and prevailing types of applications. Finally, I will present my declarative security framework that grossly simplifies the need to understand and tweak the many details of WCF security.