Microsoft Web services security resources

This article has been archived. It is offered "as is" and will no longer be updated.
This article discusses some resources that may help you understand Web services security when you design Web services, implement Web services, and deploy Web services.

This article also discusses configurable values that can help make sure that Web service performance is efficient and that can permit all users to have equal access to a particular Web service. These configurable values can also help protect Web services against particular denial of service conditions.
More information
Consider security when you design Web services, build Web services, and deploy Web services. You can subject Web services, like Web applications, to spoofing conditions or to denial of service conditions. Visit the following Microsoft Web site for more information about how to prevent these conditions:Denial of service conditions may occur when valid SOAP requests are sent to your Web service, and these SOAP requests cause the application, or the XML parser, or both to perform extensive processing. The denial of service conditions can cause the Web server that receives the SOAP request to become extremely busy. Therefore, your service may not be able to handle other requests efficiently.

The time that the application, or the XML parser, or both spend parsing and processing a SOAP message is frequently based on the size of the message. Therefore, it is a good idea to restrict the size of a message to help avoid denial of service conditions. By default, the maximum permitted message size is 4 MB. It may be appropriate to reduce this size to the maximum size that your application requires. Also, consider reducing the maximum message size for public Web services that accept requests from unauthenticated sources.

You can configure the maximum message size by using the maxRequestLength value on the <httpRuntime> element in the Machine.config file. The following code sample shows the default settings from Microsoft .NET Framework version 1.1 of the Machine.config file:
<httpRuntime executionTimeout="90"             maxRequestLength="4096"             useFullyQualifiedRedirectUrl="false"             minFreeThreads="8"             minLocalRequestFreeThreads="4"             appRequestQueueLimit="100"             enableVersionHeader="true"/>
For example, if you want to limit the message size for your Web service to 100 KB, add the following code:
<system.web>   <!-- 100 KB Max POST size -->   <httpRuntime maxRequestLength="100"/></system.web>
For more information about ASP.NET Web services security, visit the following Microsoft Web site:
For more information, visit the following Microsoft Web sites:
Improving Web application security: threats and countermeasures
Chapter 19 – Securing your ASP.NET application and Web services
Building secure ASP.NET applications: authentication, authorization, and secure communication

Article ID: 832878 - Last Review: 11/01/2013 21:21:00 - Revision: 4.0

Microsoft Web Services Enhancements for Microsoft .NET 1.1

  • kbnosurvey kbarchive kbdevsecurity kbsecurity kbinfo KB832878