SOAP Security

Other versions of this page are also available for the following:

Windows Mobile Not SupportedWindows Embedded CE Supported


SOAP can be deployed on a client, a server, or both. The security issues vary depending on the method of deployment, but deploying SOAP as a service poses the greatest security risk. When deployed as a service SOAP uses the Windows Embedded CE Web server to manage and receive connections from the network. As a result many of the threats to SOAP are similar to those of the Web server and can be mitigated in some of the same ways.

Best Practices

Use Secure Sockets Layer (SSL)

SSL protocol helps to protect data from packet sniffing by anyone with physical access to the network. For more information, see SSL Support for the Web Server.

The SOAP service address is a URL to a virtual root on the Web server. Consequently, this URL virtual root can be a secure address requiring a certificate on the client to authenticate the client to the server as well as to set up a secure channel to help protect the data transferred between the client and the server.

Because the SOAP service is defined by the developer, it can include additional techniques to verify or validate the user, such as the requirement to pass credentials to a method before other methods can be called.

Use authentication

Use the Web server NTLM and/or Basic authentication mechanism to help limit access to known users only. You can set the option in the Web Server HKEY_LOCAL_MACHINE\COMM\HTTPD registry key. For specific security information, see the Security Note in Base Registry Settings. For more information about authentication, see Web Server Authentication and Permissions.

Use user access lists

Carefully choose your virtual roots and help limit access to only the appropriate files by providing appropriate user access lists when configuring the Web server. Anonymous users with access to the virtual root may be able to access files and directories within that virtual root. You can set the options in Web server HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS registry key. For specific security information, see the Security Note in Virtual Path Settings.

See also Web Server Authentication and Permissions.

Remove or disable sample ISAPIs and other development tools when you create the release run-time image

Some sample ISAPIs that you include in your device may allow unauthorized users to access your system resources or protected data. Many of the samples provided are for development and debugging purposes only and pose a significant security risk if deployed on a public network.

Default Registry Settings

You should be aware of the registry settings that impact security. The registry settings documentation contains Security Note entries with information about security issues.

For registry information, see SOAP Registry Settings and Web Server Registry Settings.

See Also


Other Resources

SOAP Toolkit