How to: Disable Protocol Support for Web Services

This topic is specific to a legacy technology. XML Web services and XML Web service clients should now be created using Windows Communication Foundation.

To help reduce the risk of inadvertent invocation of a Web service, you should disable protocol support when it is not required. You can disable protocol support for the whole machine or for individual Web applications.

To disable HTTP-GET and HTTP-POST protocols for the whole machine

  1. Open the Machine.config file in a text editor. (The default installation places Machine.config in the \Config subdirectory of the installation root.)

  2. Comment out the lines within the webServices section that add support for HTTP-GET and HTTP-POST, if they exist. After doing so, the webServices section should look like the following:

          <add name="HttpSoap"/> 
             <!-- <add name="HttpPost"/> --> 
             <!-- <add name="HttpGet"/>  -->
          <add name="Documentation"/>
          <add name="HttpPostLocalhost"/>
  3. Save Machine.config.

    This configuration change takes effect on the next request to a Web service hosted on that machine.

To disable support for a protocol for an individual Web application

  1. Open the Web.config file in the root directory of the Web application in a text editor. (If a Web.config file does not exist, create one.)

  2. Modify the webServices section of Web.config to explicitly remove the protocol setting. The following example explicitly removes the HTTP-POST and HTTP-GET protocols:

           <remove name="HttpPost" />
           <remove name="HttpGet" />
  3. Save Web.config.

    This configuration change takes effect on the next request to a Web service hosted by the Web application.

See Also


How to: Disable the Service Help Page for a Web Service


Configuration Options for XML Web Services Created Using ASP.NET
Deploying XML Web Services

Other Resources

XML Web Services Using ASP.NET