Web Service Security

Discussion in 'ASP .Net Web Services' started by IntraRELY, Feb 10, 2004.

  1. IntraRELY

    IntraRELY Guest

    I have the following web service. I wanted to get some feedback on any
    recommendations that I can do to make this web service more secure. As you
    can see there is some validation, but wanted to know if this should be
    considered enough. The print_authenticate function tests the username and
    passwords through the database, but I also want to look for DoS attacks and
    make sure I have the necessary precautions in place. There is also a dataset
    being passed to the web service. If someone has the username and password,
    it would be safe to assume, at least for this app, that they can pass
    anything they want. This is all done through SSL. But my main concern I
    guess right now is for the validation aspect.

    TIA,

    Steve

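    <WebMethod()> _
    Public Function test_printUpdate(ByVal dsPrint As dsPrint, _
            ByVal username As String, ByVal password As String) As dsChecksPrint
        ' Reject over-long credentials before querying the database.
        If username.Length > 30 Or _
           password.Length > 30 Then
            Return Nothing
        Else
            ' print_authenticate checks the username and password against the database.
            If print_authenticate(username, password) = True Then
                ' This tests dsChecksPrint, not the dsPrint argument passed to Update below.
                If Not (dsChecksPrint Is Nothing) Then
                    daPrint.Update(dsPrint)
                    Return dsPrint
                Else
                    Return Nothing
                End If
            Else
                Return Nothing
            End If
        End If
    End Function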
     
    IntraRELY, Feb 10, 2004
    #1
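
An added example, not part of the original post or of the poster's application: one way to do the code-level checks asked about above before calling print_authenticate and daPrint.Update. The RejectReason helper, the 500-row cap and the sample table are assumptions; the 30-character limit is the one from the posted code.

```vb
Imports System
Imports System.Data

Module PrintRequestValidation
    ' 30 matches the length check in the post; the row cap is an assumed value.
    Const MaxCredentialLength As Integer = 30
    Const MaxRowsPerCall As Integer = 500

    ' Hypothetical helper: returns Nothing when the request is acceptable,
    ' otherwise a short reason for rejecting it.
    Function RejectReason(ByVal ds As DataSet, ByVal username As String, _
                          ByVal password As String) As String
        ' A SOAP caller can omit an element, so the strings may be Nothing;
        ' calling .Length on them unchecked would throw.
        If String.IsNullOrEmpty(username) OrElse String.IsNullOrEmpty(password) Then
            Return "missing credentials"
        End If
        If username.Length > MaxCredentialLength OrElse _
           password.Length > MaxCredentialLength Then
            Return "credentials too long"
        End If
        If ds Is Nothing Then Return "missing dataset"

        ' Bound the amount of work one call can trigger in the data adapter.
        Dim rows As Integer = 0
        For Each table As DataTable In ds.Tables
            rows += table.Rows.Count
        Next
        If rows > MaxRowsPerCall Then Return "too many rows"

        ' Row or column errors recorded on the DataSet.
        If ds.HasErrors Then Return "dataset has row errors"
        ' Nothing to write: skip the database round trip.
        If Not ds.HasChanges() Then Return "no changes"
        Return Nothing
    End Function

    Sub Main()
        ' Constructed sample input, not data from the thread.
        Dim ds As New DataSet("dsPrint")
        Dim t As DataTable = ds.Tables.Add("Checks")
        t.Columns.Add("CheckNo", GetType(Integer))
        t.Rows.Add(New Object() {1001})
        Console.WriteLine(RejectReason(ds, Nothing, "secret"))
        Console.WriteLine(RejectReason(ds, New String("a"c, 31), "secret"))
        Console.WriteLine(RejectReason(Nothing, "steve", "secret"))
    End Sub
End Module
```

The DataSet has already been deserialized by the time the method body runs, so the cap on request size itself belongs in the ASP.NET httpRuntime maxRequestLength setting rather than in this check.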

  2. IntraRELY

    [MSFT] Guest

    Hi Steve,

    Thank you for using the community. From the description and the code, I
    found you have considered a lot for the security. The security of a .NET Web
    service relies on IIS, for example, Windows authentication, SSL and IP
    restriction. We can assume IIS is safe enough for a web service. I saw you have
    a method print_authenticate in the web service, and it will validate the
    user from the database. If it is a SQL server, you may consider the following ways
    for security:

    1. Set the Web service running under a special account and only this account
    has permission to build a connection to the database.
    2. Use IPSec to provide secure communication between the web server and
    database server.
    3. Add a firewall between web server and database server.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    [MSFT], Feb 10, 2004
    #2

  3. IntraRELY

    IntraRELY Guest

    These are considerations we are taking, I was thinking more from a code level
    and validating the data being passed to the Web Service. I wanted to know if
    what I was doing is sufficient.

    TIA,

    Steve

     
    IntraRELY, Feb 10, 2004
    #3
  4. IntraRELY

    [MSFT] Guest

    Hi Steve,

    Since the web service is built on SSL, I think your design is safe enough.
    A dummy user will be rejected before the print function is executed and
    the user name and password won't leak out on the internet because of
    SSL.

    Regards,

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    [MSFT], Feb 11, 2004
    #4
