Checklist: Securing Web Services
| Retired Content |
|---|
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Microsoft Corporation
Published: June 2003
Applies to:
- Web Services (.NET Framework version 1.1)
See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.
See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.
Contents
How to Use This Checklist Design Considerations Development Considerations Administration Considerations
How to Use This Checklist
This checklist is a companion to Chapter 12, "Building Secure Web Services." Use it to help you build and secure your Web services and also as a snapshot of the corresponding chapter.
Design Considerations
| Check | Description |
|---|---|
 | The authentication strategy has been identified. |
| Privacy and integrity requirements of SOAP messages have been considered. |
| Identities that are used for resource access have been identified. |
| Implications of code access security trust levels have been considered. |
Development Considerations
Input Validation
| Check | Description |
|---|---|
| Input to Web methods is constrained and validated for type, length, format, and range. |
| Input data sanitization is only performed in addition to constraining input data. |
| XML input data is validated based on an agreed schema. |
Authentication
| Check | Description |
|---|---|
| Web services that support restricted operations or provide sensitive data support authentication. |
| If plain text credentials are passed in SOAP headers, SOAP messages are only passed over encrypted communication channels, for example, using SSL. |
| Basic authentication is only used over an encrypted communication channel. |
| Authentication mechanisms that use SOAP headers are based on Web Services Security (WS Security) using the Web Services Enhancements WSE). |
Authorization
| Check | Description |
|---|---|
| Web services that support restricted operations or provide sensitive data support authorization. |
| Where appropriate, access to Web service is restricted using URL authorization or file authorization if Windows authentication is used. |
| Where appropriate, access to publicly accessible Web methods is restricted using declarative principle permission demands. |
Sensitive Data
| Check | Description |
|---|---|
| Sensitive data in Web service SOAP messages is encrypted using XML encryption OR messages are only passed over encrypted communication channels (for example, using SSL.) |
Parameter Manipulation
| Check | Description |
|---|---|
| If parameter manipulation is a concern (particularly where messages are routed through multiple intermediary nodes across multiple network links). Messages are digitally signed to ensure that they cannot be tampered with. |
Exception Management
| Check | Description |
|---|---|
| Structured exception handling is used when implementing Web services. |
| Exception details are logged (except for private data, such as passwords). |
| SoapExceptions are thrown and returned to the client using the standard <Fault> SOAP element. |
| If application-level exception handling is required a custom SOAP extension is used. |
Auditing and Logging
| Check | Description |
|---|---|
| The Web service logs transactions and key operations. |
Proxy Considerations
| Check | Description |
|---|---|
| The endpoint address in Web Services Description Language (WSDL) is checked for validity. |
| The URL Behavior property of the Web reference is set to dynamic for added flexibility. |
Administration Considerations
| Check | Description |
|---|---|
| Unnecessary Web service protocols, including HTTP GET and HTTP POST, are disabled. |
| The documentation protocol is disabled if you do not want to support the dynamic generation of WSDL. |
| The Web service runs using a least-privileged process account (configured through the <processModel> element in Machine.config.)
Custom accounts are encrypted by using Aspnet_setref.exe. |
| Tracing is disabled with:
<trace enabled="false" /> |
| Debug compilations are disabled with:
<compilation debug="false" explicit="true" defaultLanguage="vb"> |
| Retired Content |
|---|
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
