Web service security advice

Hi,

A Few ways:

1) In IIS restrict the website by IP address allowing only machines that run
your code to access the web service.

2) Disallow anonymous authentication in IIS. Restrict acces to your ASMX
file allow only a specific user to access the ASMX file. In your consuming
application use CredentialsCache to pass NT user rights to the web service
when communicating with the server.

3) User certificates. In IIS, disallow anonymouse users...Issue a
certificate to your client machines you wish to give access to... In IIS Map
the cert to an NT user account that has access to the ASMX file. In your
application consuming the web service use WSE 3.0 to pass the cert to the
web service.

4) Kind of weak, but you can have your web methods take a 'security token'
as a parameter. Make the token a Guid. Share the Guid with the server and
the consuming app. Then the consuming app calls the web methods, pass the
Shared Guid. The web method must compare the passed Guid to make sure it is
the correct value, or throw an error. (many places use this... ebay...
amazon... google).

-DS
"huz" <an****************@gmail.comwrote in message
news:e9**********@news2.carnet.hr...

>I need some advice, here is the situation: I have a web service (ASP 2.0)
published on IIS, how can i make that only trusted (my) web applications
consume it, and successfuly block all others???

David Sandor wrote:

Hi,

A Few ways:

1) In IIS restrict the website by IP address allowing only machines
that run your code to access the web service.

2) Disallow anonymous authentication in IIS. Restrict acces to your
ASMX file allow only a specific user to access the ASMX file. In
your consuming application use CredentialsCache to pass NT user
rights to the web service when communicating with the server.

3) User certificates. In IIS, disallow anonymouse users...Issue a
certificate to your client machines you wish to give access to... In
IIS Map the cert to an NT user account that has access to the ASMX
file. In your application consuming the web service use WSE 3.0 to
pass the cert to the web service.

4) Kind of weak, but you can have your web methods take a 'security
token' as a parameter. Make the token a Guid. Share the Guid with
the server and the consuming app. Then the consuming app calls the
web methods, pass the Shared Guid. The web method must compare the
passed Guid to make sure it is the correct value, or throw an error. (many
places use this... ebay... amazon... google).

-DS

Thanks, il try some of that, and see how it works...

>

"huz" <an****************@gmail.comwrote in message
news:e9**********@news2.carnet.hr...

>I need some advice, here is the situation: I have a web service (ASP
2.0) published on IIS, how can i make that only trusted (my) web
applications consume it, and successfuly block all others???