
Checklist: Securing Web Services

 

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Applies to:

  • Web Services (.NET Framework version 1.1)

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Contents

  • How to Use This Checklist
  • Design Considerations
  • Development Considerations
  • Administration Considerations

How to Use This Checklist

This checklist is a companion to Chapter 12, "Building Secure Web Services." Use it to help you build and secure your Web services and also as a snapshot of the corresponding chapter.

Design Considerations

  • The authentication strategy has been identified.
  • Privacy and integrity requirements of SOAP messages have been considered.
  • Identities that are used for resource access have been identified.
  • Implications of code access security trust levels have been considered.

Development Considerations

Input Validation

  • Input to Web methods is constrained and validated for type, length, format, and range.
  • Input data sanitization is only performed in addition to constraining input data.
  • XML input data is validated based on an agreed schema.

Authentication

  • Web services that support restricted operations or provide sensitive data support authentication.
  • If plain text credentials are passed in SOAP headers, SOAP messages are only passed over encrypted communication channels, for example, using SSL.
  • Basic authentication is only used over an encrypted communication channel.
  • Authentication mechanisms that use SOAP headers are based on Web Services Security (WS-Security) using the Web Services Enhancements (WSE).

Authorization

  • Web services that support restricted operations or provide sensitive data support authorization.
  • Where appropriate, access to the Web service is restricted using URL authorization or file authorization if Windows authentication is used.
  • Where appropriate, access to publicly accessible Web methods is restricted using declarative principal permission demands.

Sensitive Data

  • Sensitive data in Web service SOAP messages is encrypted using XML encryption, or messages are only passed over encrypted communication channels (for example, using SSL).

Parameter Manipulation

  • If parameter manipulation is a concern (particularly where messages are routed through multiple intermediary nodes across multiple network links), messages are digitally signed to ensure that they cannot be tampered with.

Exception Management

  • Structured exception handling is used when implementing Web services.
  • Exception details are logged (except for private data, such as passwords).
  • SoapExceptions are thrown and returned to the client using the standard <Fault> SOAP element.
  • If application-level exception handling is required, a custom SOAP extension is used.

Auditing and Logging

  • The Web service logs transactions and key operations.

Proxy Considerations

  • The endpoint address in Web Services Description Language (WSDL) is checked for validity.
  • The URL Behavior property of the Web reference is set to dynamic for added flexibility.

Administration Considerations

  • Unnecessary Web service protocols, including HTTP GET and HTTP POST, are disabled.
  • The documentation protocol is disabled if you do not want to support the dynamic generation of WSDL.
  • The Web service runs using a least-privileged process account (configured through the <processModel> element in Machine.config). Custom accounts are encrypted by using Aspnet_setreg.exe.
  • Tracing is disabled with:
    <trace enabled="false" />
  • Debug compilations are disabled with:
    <compilation debug="false" explicit="true" defaultLanguage="vb">
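
An added example (not part of the original checklist and not Microsoft's code): a small Python audit of a Web.config against the administration items above. Both configuration documents are constructed samples, and the strict rule that each protocol must be explicitly removed in the file itself, without evaluating inherited Machine.config settings, is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Web.config that misses several checklist items.
WEAK = """<configuration><system.web>
  <trace enabled="true" />
  <compilation debug="true" explicit="true" defaultLanguage="vb" />
  <webServices><protocols>
    <remove name="HttpGet" />
  </protocols></webServices>
</system.web></configuration>"""

# Constructed sample: the same file with the checklist settings applied.
HARDENED = """<configuration><system.web>
  <trace enabled="false" />
  <compilation debug="false" explicit="true" defaultLanguage="vb" />
  <webServices><protocols>
    <remove name="HttpGet" />
    <remove name="HttpPost" />
    <remove name="Documentation" />
  </protocols></webServices>
</system.web></configuration>"""

# Assumption of this example: every listed protocol must be removed in the
# file itself; settings inherited from Machine.config are not evaluated.
REQUIRED_REMOVED = ("HttpGet", "HttpPost", "Documentation")


def is_true(element, attribute):
    """True when the element exists and sets the attribute to 'true'."""
    return element is not None and element.get(attribute, "").lower() == "true"


def audit(config_xml):
    """Return the checklist findings for one Web.config document."""
    root = ET.fromstring(config_xml)
    web = next((child for child in root if child.tag == "system.web"), None)
    if web is None:
        return ["no <system.web> section found"]
    findings = []
    if is_true(web.find("trace"), "enabled"):
        findings.append("tracing is enabled")
    if is_true(web.find("compilation"), "debug"):
        findings.append("debug compilation is enabled")
    removed = {r.get("name") for r in web.findall("webServices/protocols/remove")}
    findings += ["protocol not removed: " + n for n in REQUIRED_REMOVED if n not in removed]
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(doc))
```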
