How to: Disable Protocol Support for Web Services
This topic is specific to a legacy technology. XML Web services and XML Web service clients should now be created using Windows Communication Foundation.
To help reduce the risk of inadvertent invocation of a Web service, you should disable protocol support when it is not required. You can disable protocol support for the whole machine or for individual Web applications.
To disable HTTP-GET and HTTP-POST protocols for the whole machine
Open the Machine.config file in a text editor. (The default installation places Machine.config in the \Config subdirectory of the installation root.)
Comment out the lines within the
webServicessection that add support for HTTP-GET and HTTP-POST, if they exist. After doing so, the
webServicessection should look like the following:
<webServices> <protocols> <add name="HttpSoap"/> <!-- <add name="HttpPost"/> --> <!-- <add name="HttpGet"/> --> <add name="Documentation"/> <add name="HttpPostLocalhost"/> </protocols> </webServices>
This configuration change takes effect on the next request to a Web service hosted on that machine.
To disable support for a protocol for an individual Web application
Open the Web.config file in the root directory of the Web application in a text editor. (If a Web.config file does not exist, create one.)
webServicessection of Web.config to explicitly remove the protocol setting. The following example explicitly removes the HTTP-POST and HTTP-GET protocols:
<webServices> <protocols> <remove name="HttpPost" /> <remove name="HttpGet" /> </protocols> </webServices>
This configuration change takes effect on the next request to a Web service hosted by the Web application.