SOAP can be deployed on a client, a server, or both. The security issues vary depending on the method of deployment, but deploying SOAP as a service poses the greatest security risk. When deployed as a service SOAP uses the Windows Embedded CE Web server to manage and receive connections from the network. As a result many of the threats to SOAP are similar to those of the Web server and can be mitigated in some of the same ways.
SSL protocol helps to protect data from packet sniffing by anyone with physical access to the network. For more information, see SSL Support for the Web Server.
The SOAP service address is a URL to a virtual root on the Web server. Consequently, this URL virtual root can be a secure address requiring a certificate on the client to authenticate the client to the server as well as to set up a secure channel to help protect the data transferred between the client and the server.
Because the SOAP service is defined by the developer, it can include additional techniques to verify or validate the user, such as the requirement to pass credentials to a method before other methods can be called.
Use the Web server NTLM and/or Basic authentication mechanism to help limit access to known users only. You can set the option in the Web Server HKEY_LOCAL_MACHINE\COMM\HTTPD registry key. For specific security information, see the Security Note in Base Registry Settings. For more information about authentication, see Web Server Authentication and Permissions.
Carefully choose your virtual roots and help limit access to only the appropriate files by providing appropriate user access lists when configuring the Web server. Anonymous users with access to the virtual root may be able to access files and directories within that virtual root. You can set the options in Web server HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS registry key. For specific security information, see the Security Note in Virtual Path Settings.