Checklist: Securing Web Services

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Applies to:

  • Web Services (.NET Framework version 1.1)

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Contents

How to Use This Checklist Design Considerations Development Considerations Administration Considerations

How to Use This Checklist

This checklist is a companion to Chapter 12, "Building Secure Web Services." Use it to help you build and secure your Web services and also as a snapshot of the corresponding chapter.

Design Considerations

Check Description
Ff648304.z02bthcm01(en-us,PandP.10).gif The authentication strategy has been identified.
Ff648304.z02bthcm01(en-us,PandP.10).gif Privacy and integrity requirements of SOAP messages have been considered.
Ff648304.z02bthcm01(en-us,PandP.10).gif Identities that are used for resource access have been identified.
Ff648304.z02bthcm01(en-us,PandP.10).gif Implications of code access security trust levels have been considered.

Development Considerations

Input Validation

Check Description
Ff648304.z02bthcm01(en-us,PandP.10).gif Input to Web methods is constrained and validated for type, length, format, and range.
Ff648304.z02bthcm01(en-us,PandP.10).gif Input data sanitization is only performed in addition to constraining input data.
Ff648304.z02bthcm01(en-us,PandP.10).gif XML input data is validated based on an agreed schema.

Authentication

Check Description
Ff648304.z02bthcm01(en-us,PandP.10).gif Web services that support restricted operations or provide sensitive data support authentication.
Ff648304.z02bthcm01(en-us,PandP.10).gif If plain text credentials are passed in SOAP headers, SOAP messages are only passed over encrypted communication channels, for example, using SSL.
Ff648304.z02bthcm01(en-us,PandP.10).gif Basic authentication is only used over an encrypted communication channel.
Ff648304.z02bthcm01(en-us,PandP.10).gif Authentication mechanisms that use SOAP headers are based on Web Services Security (WS Security) using the Web Services Enhancements WSE).

Authorization

Check Description
Ff648304.z02bthcm01(en-us,PandP.10).gif Web services that support restricted operations or provide sensitive data support authorization.
Ff648304.z02bthcm01(en-us,PandP.10).gif Where appropriate, access to Web service is restricted using URL authorization or file authorization if Windows authentication is used.
Ff648304.z02bthcm01(en-us,PandP.10).gif Where appropriate, access to publicly accessible Web methods is restricted using declarative principle permission demands.

Sensitive Data

Check Description
Ff648304.z02bthcm01(en-us,PandP.10).gif Sensitive data in Web service SOAP messages is encrypted using XML encryption OR messages are only passed over encrypted communication channels (for example, using SSL.)

Parameter Manipulation

Check Description
Ff648304.z02bthcm01(en-us,PandP.10).gif If parameter manipulation is a concern (particularly where messages are routed through multiple intermediary nodes across multiple network links). Messages are digitally signed to ensure that they cannot be tampered with.

Exception Management

Check Description
Ff648304.z02bthcm01(en-us,PandP.10).gif Structured exception handling is used when implementing Web services.
Ff648304.z02bthcm01(en-us,PandP.10).gif Exception details are logged (except for private data, such as passwords).
Ff648304.z02bthcm01(en-us,PandP.10).gif SoapExceptions are thrown and returned to the client using the standard <Fault> SOAP element.
Ff648304.z02bthcm01(en-us,PandP.10).gif If application-level exception handling is required a custom SOAP extension is used.

Auditing and Logging

Check Description
Ff648304.z02bthcm01(en-us,PandP.10).gif The Web service logs transactions and key operations.

Proxy Considerations

Check Description
Ff648304.z02bthcm01(en-us,PandP.10).gif The endpoint address in Web Services Description Language (WSDL) is checked for validity.
Ff648304.z02bthcm01(en-us,PandP.10).gif The URL Behavior property of the Web reference is set to dynamic for added flexibility.

Administration Considerations

Check Description
Ff648304.z02bthcm01(en-us,PandP.10).gif Unnecessary Web service protocols, including HTTP GET and HTTP POST, are disabled.
Ff648304.z02bthcm01(en-us,PandP.10).gif The documentation protocol is disabled if you do not want to support the dynamic generation of WSDL.
Ff648304.z02bthcm01(en-us,PandP.10).gif The Web service runs using a least-privileged process account (configured through the <processModel> element in Machine.config.)

Custom accounts are encrypted by using Aspnet_setref.exe.

Ff648304.z02bthcm01(en-us,PandP.10).gif Tracing is disabled with:
<trace enabled="false" />
Ff648304.z02bthcm01(en-us,PandP.10).gif Debug compilations are disabled with:
<compilation debug="false" explicit="true" defaultLanguage="vb">

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

© Microsoft Corporation. All rights reserved.