I work with a group that is very adamant on keeping the WSDL and XSD that are associated with our web services as private as possible, and only distributing them to customers on a need-to-know basis.

My question is this... Is this overkill? I realize that adds another layer of obscurity to any potential attacks, but is this really doing much more than adding a layer of security via a super secret parameter set? Or are there other reasons I am missing?

A: 

If you want to make it harder for people to use your web services, then you should definitely not provide or host your WSDL and XSD files, or provide any sort of documentation. Beyond that, you're not securing your web services very much.

For your regular customers, this should be fine, but the determined individual will find a way to access your web services. All you can do is make it as hard as possible for them to do so, and that's by using security best practices.

Bernard
Thanks... just to clarify, this is only a fraction of the overall security in place.
nolan
Good. Make sure to use a secure binding and digital certificates.
Bernard