I assume you're programming in ASP.NET.
1. Require SSL for the site so that basic auth credentials are always protected.
2. Do not allow Anonymous access.
3. Disable debug messages through web.config.
4. Most importantly, validate (ON THE SERVER) every parameter passed to the web methods to protect against field overflows, SQL injection, and cross-site scripting.
5. Flow the context of the requesting user through end to end; do not allow a privileged component to execute requests on behalf of a user.
The IIS and ASP.NET infrastructure will provide the auth and ACL security
you need. It's up to your developers to design the WS so they properly
validate and cannot be abused.
After doing Webapp security assessments for many years, the application
layer continues to be the biggest security problem.
regards,
Chris
"Leneise44" <Leneise44@discussions.microsoft.com> wrote in message news:49DC98D3-684C-4EBD-8902-AE531FD9F885@microsoft.com...
> A healthcare company plans to secure calls to webservices using a combination of SSL, XML firewall (between iis aspx server and web services server) and using basic authentication. We plan to migrate our ldap users from our integrated security into the basic authentication on the local iis web server. There will be another firewall limiting traffic using IPSEC between the web and our iis server. My question: Will this be sufficient security to protect our web services? Certificates are ruled out, our users will not respond to these and someone can just sit at the box and log in. The xml firewall is securing the calls between the iis server and web services server. I'm trying to avoid having to write complex, custom code within the webservices layer using WSA 2.0 and tokens etc... The IT staff here is very basic and cannot maintain and administer complex code. Any and all comments appreciated. Thank you for your insight.
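For reference, here is a web.config that puts Chris's points 1, 2, 3 and 5 into configuration. This is an added example, not part of the thread; it assumes IIS 7 or later with the ASP.NET pipeline, and point 4 (server-side parameter validation) has to be written in the web methods themselves.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the thread): hardening settings for an
     ASP.NET web service that uses Basic authentication over SSL.
     Assumes IIS 7+; input validation (point 4) is code, not config. -->
<configuration>
  <system.web>
    <!-- 3. No debug output, stack traces or trace pages reach callers -->
    <compilation debug="false" />
    <customErrors mode="On" />
    <trace enabled="false" />

    <!-- 2. Let IIS authenticate (Basic, over SSL) and deny the
         anonymous user, which ASP.NET spells "?" -->
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- 5. Run each request as the authenticated caller rather than
         as the (privileged) application pool identity -->
    <identity impersonate="true" />

    <!-- 1. Any cookies ASP.NET issues are marked Secure -->
    <httpCookies requireSSL="true" />
  </system.web>

  <system.webServer>
    <!-- Needed because <identity impersonate="true"/> is otherwise
         rejected in the integrated pipeline (HTTP 500.24) -->
    <validation validateIntegratedModeConfiguration="false" />
    <security>
      <!-- 1. Plain HTTP is refused, so Basic credentials never
           travel in the clear -->
      <access sslFlags="Ssl" />
      <!-- 2. Anonymous off, Basic on. These two sections are locked by
           default; unlock them in applicationHost.config or set the
           same values in IIS Manager instead -->
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Points 2 and 5 only hold if the downstream components (database, XML firewall hop) also see the impersonated caller; a service account used there would reintroduce the privileged middle tier Chris warns about.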