J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Applies to:

• Web Services (.NET Framework version 1.1)

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Contents

How to Use This Checklist
Design Considerations
Development Considerations
Administration Considerations

How to Use This Checklist

This checklist is a companion to Chapter 12, "Building Secure Web Services." Use it to help you build and secure your Web services and also as a snapshot of the corresponding chapter.

Design Considerations

Check	Description
	The authentication strategy has been identified.
	Privacy and integrity requirements of SOAP messages have been considered.
	Identities that are used for resource access have been identified.
	Implications of code access security trust levels have been considered.

Development Considerations

Input Validation

Check	Description
	Input to Web methods is constrained and validated for type, length, format, and range.
	Input data sanitization is only performed in addition to constraining input data.
	XML input data is validated based on an agreed schema.

Authentication

Check	Description
	Web services that support restricted operations or provide sensitive data support authentication.
	If plain text credentials are passed in SOAP headers, SOAP messages are only passed over encrypted communication channels, for example, using SSL.
	Basic authentication is only used over an encrypted communication channel.
	Authentication mechanisms that use SOAP headers are based on Web Services Security (WS Security) using the Web Services Enhancements WSE).

Authorization

Check	Description
	Web services that support restricted operations or provide sensitive data support authorization.
	Where appropriate, access to Web service is restricted using URL authorization or file authorization if Windows authentication is used.
	Where appropriate, access to publicly accessible Web methods is restricted using declarative principle permission demands.

Sensitive Data

Check	Description
	Sensitive data in Web service SOAP messages is encrypted using XML encryption OR messages are only passed over encrypted communication channels (for example, using SSL.)

Parameter Manipulation

Check	Description
	If parameter manipulation is a concern (particularly where messages are routed through multiple intermediary nodes across multiple network links). Messages are digitally signed to ensure that they cannot be tampered with.

Exception Management

Check	Description
	Structured exception handling is used when implementing Web services.
	Exception details are logged (except for private data, such as passwords).
	SoapExceptions are thrown and returned to the client using the standard <Fault> SOAP element.
	If application-level exception handling is required a custom SOAP extension is used.

Auditing and Logging

Check	Description
	The Web service logs transactions and key operations.

Proxy Considerations

Check	Description
	The endpoint address in Web Services Description Language (WSDL) is checked for validity.
	The URL Behavior property of the Web reference is set to dynamic for added flexibility.

Administration Considerations

Check	Description
	Unnecessary Web service protocols, including HTTP GET and HTTP POST, are disabled.
	The documentation protocol is disabled if you do not want to support the dynamic generation of WSDL.
	The Web service runs using a least-privileged process account (configured through the <processModel> element in Machine.config.) Custom accounts are encrypted by using Aspnet_setref.exe.
	Tracing is disabled with: <trace enabled="false" />
	Debug compilations are disabled with: <compilation debug="false" explicit="true" defaultLanguage="vb">