Microsoft Web services security resources (832878)


The information in this article applies to:

  • Microsoft Web Services (included with the .NET Framework) 1.0
  • Microsoft Web Services (included with the .NET Framework 1.1)

SUMMARY

This article discusses some resources that may help you understand Web services security when you design Web services, implement Web services, and deploy Web services.

This article also discusses configurable values that can help make sure that Web service performance is efficient and that can permit all users to have equal access to a particular Web service. These configurable values can also help protect Web services against particular denial of service conditions.

MORE INFORMATION

Consider security when you design Web services, build Web services, and deploy Web services. You can subject Web services, like Web applications, to spoofing conditions or to denial of service conditions. Visit the following Microsoft Web site for more information about how to prevent these conditions:

http://msdn.microsoft.com/security/securecode/webservices/default.aspx

Denial of service conditions may occur when valid SOAP requests are sent to your Web service, and these SOAP requests cause the application, or the XML parser, or both to perform extensive processing. The denial of service conditions can cause the Web server that receives the SOAP request to become extremely busy. Therefore, your service may not be able to handle other requests efficiently.

The time that the application, or the XML parser, or both spend parsing and processing a SOAP message is frequently based on the size of the message. Therefore, it is a good idea to restrict the size of a message to help avoid denial of service conditions. By default, the maximum permitted message size is 4 MB. It may be appropriate to reduce this size to the maximum size that your application requires. Also, consider reducing the maximum message size for public Web services that accept requests from unauthenticated sources.

You can configure the maximum message size by using the maxRequestLength value on the <httpRuntime> element in the Machine.config file. The following code sample shows the default settings from Microsoft .NET Framework version 1.1 of the Machine.config file:
<httpRuntime executionTimeout="90"
             maxRequestLength="4096"
             useFullyQualifiedRedirectUrl="false"
             minFreeThreads="8"
             minLocalRequestFreeThreads="4"
             appRequestQueueLimit="100"
             enableVersionHeader="true"/>
For example, if you want to limit the message size for your Web service to 100 KB, add the following code:
<system.web>
   <!-- 100 KB Max POST size -->
   <httpRuntime maxRequestLength="100"/>
</system.web>
For more information about ASP.NET Web services security, visit the following Microsoft Web site:

http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/THCMCh19.asp

REFERENCES

For more information, visit the following Microsoft Web sites:

Web services security
http://msdn.microsoft.com/security/securecode/webservices/default.aspx

Improving Web application security: threats and countermeasures
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/ThreatCounter.asp

Chapter 19 - Securing your ASP.NET application and Web services
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/THCMCh19.asp#c19618429_030

Building secure ASP.NET applications: authentication, authorization, and secure communication
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true

Modification Type:MinorLast Reviewed:7/11/2005
Keywords:kbDevSecurity kbSecurity kbinfo KB832878 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.