Microsoft KB Archive/832878

= Microsoft Web services security resources =

Article ID: 832878

Article Last Modified on 4/19/2007

-

APPLIES TO


 * Microsoft Web Services Enhancements for Microsoft .NET 2.0
 * Microsoft Web Services Enhancements for Microsoft .NET 1.1

-



SUMMARY
This article discusses some resources that may help you understand Web services security when you design Web services, implement Web services, and deploy Web services.

This article also discusses configurable values that can help make sure that Web service performance is efficient and that can permit all users to have equal access to a particular Web service. These configurable values can also help protect Web services against particular denial of service conditions.



MORE INFORMATION
Consider security when you design Web services, build Web services, and deploy Web services. You can subject Web services, like Web applications, to spoofing conditions or to denial of service conditions. Visit the following Microsoft Web site for more information about how to prevent these conditions:

http://msdn2.microsoft.com/en-us/security/aa570415.aspx

Denial of service conditions may occur when valid SOAP requests are sent to your Web service, and these SOAP requests cause the application, or the XML parser, or both to perform extensive processing. The denial of service conditions can cause the Web server that receives the SOAP request to become extremely busy. Therefore, your service may not be able to handle other requests efficiently.

The time that the application, or the XML parser, or both spend parsing and processing a SOAP message is frequently based on the size of the message. Therefore, it is a good idea to restrict the size of a message to help avoid denial of service conditions. By default, the maximum permitted message size is 4 MB. It may be appropriate to reduce this size to the maximum size that your application requires. Also, consider reducing the maximum message size for public Web services that accept requests from unauthenticated sources.

You can configure the maximum message size by using the maxRequestLength value on the  element in the Machine.config file. The following code sample shows the default settings from Microsoft .NET Framework version 1.1 of the Machine.config file:  For example, if you want to limit the message size for your Web service to 100 KB, add the following code:

   For more information about ASP.NET Web services security, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa302435.aspx

