Article ID: 815150 - Last Review: May 13, 2007 - Revision: 3.5

HOW TO: Limit the Web Services Protocols that a Server Permits

View products that this article applies to.

On This Page

Expand all | Collapse all

SUMMARY

This step-by-step article describes how to limit the protocols that a Web service supports.

XML–based Web services exchange XML documents to communicate. This exchange can occur across any type of application-layer protocol. By default, ASP.NET Web services are exposed through four different protocols: HttpSoap, HttpPost, HttpGet, and Documentation. In many cases, only a subset of these four protocols is required. For example, Web services typically use only the HttpSoap protocol for communications. In these circumstances, if you remove the unused protocols, you increase the security of the application by decreasing the attack surface. This article describes how to disable Web services protocols that are used to communicate with an ASP.NET application.

Back to the top

Disable Web Services Protocols

To disable a Web Services protocol for an ASP.NET application, follow these steps:
  1. Open the Web.config file in a text editor (such as Notepad). The Web.config file is located in the root folder of you Web service application.
  2. Add the <webServices> configuration element under the <system.web> element.
  3. In the <webServices> element, add the <protocols> configuration element.
  4. In the <protocols> element, add a <remove> element for each default protocol that you want to disable.
  5. In each of the <remove> elements that you created in step 4, set the name attribute to the name of a protocol that you want to disable.
  6. By default, the HttpPost, HttpSoap, HttpGet, and Documentation protocols are enabled. The following example of the <webServices> configuration element disables all default protocols except HttpSoap: 
    <webServices>
    <protocols>
        <remove name="HttpPost"/> 
        <remove name="HttpGet"/> 
        <remove name="Documentation"/> 
    </protocols>
</webServices>
  7. Save the Web.config file. The Web service will restart automatically, and will return error messages for all requests that are in disabled protocols.
Back to the top

REFERENCES

For more information, visit the following Microsoft Web sites:
http://msdn2.microsoft.com/en-us/library/aa719558(VS.71).aspx (http://msdn2.microsoft.com/en-us/library/aa719558(VS.71).aspx)
http://msdn2.microsoft.com/en-us/library/ackhksh7(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/ackhksh7(vs.71).aspx)
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
815179  (http://support.microsoft.com/kb/815179/EN-US/ ) HOW TO: Create the Web.config File for an ASP.NET Application
815178  (http://support.microsoft.com/kb/815178/EN-US/ ) HOW TO: Edit the Configuration of an ASP.NET Application
818014  (http://support.microsoft.com/kb/818014/ ) HOW TO: Secure Applications That Are Built on the .NET Framework
Back to the top
APPLIES TO
  • Microsoft ASP.NET 1.0
  • Microsoft ASP.NET 1.1
  • Microsoft Web Services (included with the .NET Framework) 1.0
  • Microsoft Web Services Enhancements for Microsoft .NET 1.1
Back to the top
Keywords: 
kbwebforms kbwebservices kbconfig kbhowtomaster KB815150
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations