Microsoft Web services security resources

Article translations Article translations
Article ID: 832878 - View products that this article applies to.
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

Summary

This article discusses some resources that may help you understand Web services security when you design Web services, implement Web services, and deploy Web services.

This article also discusses configurable values that can help make sure that Web service performance is efficient and that can permit all users to have equal access to a particular Web service. These configurable values can also help protect Web services against particular denial of service conditions.

More information

Consider security when you design Web services, build Web services, and deploy Web services. You can subject Web services, like Web applications, to spoofing conditions or to denial of service conditions. Visit the following Microsoft Web site for more information about how to prevent these conditions:
http://msdn2.microsoft.com/en-us/security/aa570415.aspx
Denial of service conditions may occur when valid SOAP requests are sent to your Web service, and these SOAP requests cause the application, or the XML parser, or both to perform extensive processing. The denial of service conditions can cause the Web server that receives the SOAP request to become extremely busy. Therefore, your service may not be able to handle other requests efficiently.

The time that the application, or the XML parser, or both spend parsing and processing a SOAP message is frequently based on the size of the message. Therefore, it is a good idea to restrict the size of a message to help avoid denial of service conditions. By default, the maximum permitted message size is 4 MB. It may be appropriate to reduce this size to the maximum size that your application requires. Also, consider reducing the maximum message size for public Web services that accept requests from unauthenticated sources.

You can configure the maximum message size by using the maxRequestLength value on the <httpRuntime> element in the Machine.config file. The following code sample shows the default settings from Microsoft .NET Framework version 1.1 of the Machine.config file:
<httpRuntime executionTimeout="90"
             maxRequestLength="4096"
             useFullyQualifiedRedirectUrl="false"
             minFreeThreads="8"
             minLocalRequestFreeThreads="4"
             appRequestQueueLimit="100"
             enableVersionHeader="true"/>
For example, if you want to limit the message size for your Web service to 100 KB, add the following code:
<system.web>
   <!-- 100 KB Max POST size -->
   <httpRuntime maxRequestLength="100"/>
</system.web>
For more information about ASP.NET Web services security, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/aa302435.aspx

References

For more information, visit the following Microsoft Web sites:
Web services security
http://msdn2.microsoft.com/en-us/security/aa570415.aspx
Improving Web application security: threats and countermeasures
http://msdn2.microsoft.com/en-us/library/ms994921.aspx
Chapter 19 – Securing your ASP.NET application and Web services
http://msdn2.microsoft.com/en-us/library/aa302435.aspx#c19618429_030
Building secure ASP.NET applications: authentication, authorization, and secure communication
http://msdn2.microsoft.com/en-us/library/aa302415.aspx

Properties

Article ID: 832878 - Last Review: November 1, 2013 - Revision: 4.0
Applies to
  • Microsoft Web Services Enhancements for Microsoft .NET 1.1
Keywords: 
kbnosurvey kbarchive kbdevsecurity kbsecurity kbinfo KB832878

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com