Web Service Security

IntraRELY

I have the following web service. I wanted to get some feedback on any
recommendations that I can do to make this web service more secure. As you
can see there is some validation, but wanted to know if this should be
considered enough. The print_authenticate function tests the username and
passwords through the database, but I also want to look for DoS attacks and
make sure I have the necessary precautions in place. There is also a dataset
being passed to the web service. If someone has the username and password,
it would be safe to assume, at least for this app, that they can pass
anything they want. This is all done through SSL. But my main concern I
guess right now is for the validation aspect.

TIA,

Steve

<WebMethod()> _
Public Function test_printUpdate(ByVal dsPrint As dsPrint, ByVal username As String, _
                                 ByVal password As String) As dsChecksPrint
    ' Reject over-long credentials before touching the database.
    If username.Length > 30 Or _
       password.Length > 30 Then
        Return Nothing
    Else
        ' Check the username and password against the database.
        If print_authenticate(username, password) = True Then
            ' Only update when a dataset was actually passed in.
            If Not (dsPrint Is Nothing) Then
                daPrint.Update(dsPrint)
                Return dsPrint
            Else
                Return Nothing
            End If
        Else
            Return Nothing
        End If
    End If
End Function
 
[MSFT]

Hi Steve,

Thank you for using the community. From the description and the code, I
found you have considered a lot for the security. The security of a .NET Web
service relies on IIS, for example, Windows authentication, SSL and IP
restrictions. We can assume IIS is safe enough for a web service. I saw you
have a method print_authenticate in the web service, and it will validate the
user from the database. If it is a SQL server, you may consider the following
ways for security:

1. Set the Web service running under a special account and only this account
has permission to build a connection to the database.
2. Use IPSec to provide secure communication between the web server and
database server.
3. Add a firewall between the web server and database server.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
IntraRELY

These are considerations we are taking. I was thinking more from a code level
and validating the data being passed to the Web Service. I wanted to know if
what I was doing is sufficient.

TIA,

Steve
 
[MSFT]

Hi Steve,

Since the web service is built on SSL, I think your design is safe enough.
A dummy user will be rejected before the print function is executed and
the user name and password won't get leaked out on the internet because of
SSL.

Regards,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
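
Added example, not part of any post in this thread and not the poster's code: one way to do the code-level checks asked about above before test_printUpdate calls print_authenticate and daPrint.Update. The module name, RejectReason and the MaxRowsPerCall value are assumptions made for illustration; the 30-character limit is the one in the posted code.

```vb
Imports System.Data

' Added example: argument pre-checks for the posted test_printUpdate web method.
' PrintRequestValidation, RejectReason and MaxRowsPerCall are hypothetical names.
Public Module PrintRequestValidation
    Public Const MaxCredentialLength As Integer = 30  ' limit used in the posted code
    Public Const MaxRowsPerCall As Integer = 500      ' assumed cap, tune per application

    ' Returns Nothing when the request may proceed, otherwise a reason string
    ' meant for the server log. The web method should still return Nothing to
    ' the caller so that rejected requests all look the same from outside.
    Public Function RejectReason(ByVal ds As DataSet, ByVal username As String, _
                                 ByVal password As String) As String
        ' A SOAP caller can omit a parameter; username.Length on Nothing would
        ' throw, and an empty credential is not worth a database round trip.
        If String.IsNullOrEmpty(username) OrElse String.IsNullOrEmpty(password) Then
            Return "missing credentials"
        End If
        If username.Length > MaxCredentialLength OrElse _
           password.Length > MaxCredentialLength Then
            Return "credential too long"
        End If
        If ds Is Nothing Then
            Return "missing dataset"
        End If

        ' Count only rows that Update would write (added, modified, deleted)
        ' and stop as soon as the cap is exceeded.
        Dim pending As Integer = 0
        For Each table As DataTable In ds.Tables
            For Each row As DataRow In table.Rows
                If row.RowState <> DataRowState.Unchanged Then
                    pending += 1
                    If pending > MaxRowsPerCall Then
                        Return "too many rows"
                    End If
                End If
            Next
        Next
        If pending = 0 Then
            Return "nothing to update"
        End If
        Return Nothing
    End Function
End Module
```

The row cap only bounds the database work of one call. The SOAP body has already been deserialized by the time the method runs, so parsing cost is bounded by the ASP.NET request size limit (maxRequestLength on the httpRuntime element), not by this check.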
 
