views: 828
answers: 5

I need to build a simple webservice to get data in and out of an HR system over the Internet (it's a hosted solution). I am using IIS and ASP.Net with .Net 2.0.

Having looked into it, there are several ways of making the webservice secure - I am after some advice on which method to choose, with some views on pros and cons.

These are the methods I am aware of:

SoapHeaders over SSL

Post the UID/PWD in a Soap header and implement a SOAP extension (link).
Pretty straightforward to implement and should be quite secure over SSL. This is by far my preferred option due to the relative simplicity. Also, for historical reasons, I will need to consume the webservice from VBScript of all things, so the ability to just deal with simple SOAP is a bonus. However, are there any caveats? Am I going to have clients complaining this is a security risk?

Using WCF with TransportWithMessageCredential

I found a lot of old articles referring to WS and if I am not mistaken, this is what is now provided in WCF? This Microsoft link has a primer.
If I understand it correctly, this uses certificate-based security between client and server for authentication. Is this correct or have I got it completely wrong?
I suspect this will be a much bigger job, at least implementation-wise. Also, I won't be able to access the webservice directly from VBScript, so I will have to write a DLL it can call and then deploy that locally - correct?
Is this even available in .Net 2.0?

Other methods

  • I could disallow anonymous access to the asmx file and rely on IIS to do authentication through challenge/response. This is actually practical in my scenario but feels very inelegant (and I have no idea how to make that work from VBScript either).
  • Passing in a UID to the method call is a poor cousin of the SoapHeader so I won't use that.

I would be very grateful for any advice on the best approach to this problem. If anyone has a good argument why Soap Headers are secure then I would love to hear it, as that seems like the simplest to use, as long as it is "secure enough".
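The "SoapHeaders over SSL" option described above, as an added example that is not part of the original question: the credentials ride in a SOAP header, the service refuses anything that did not arrive over SSL, and validation is delegated to the ASP.NET 2.0 Membership and Roles providers (assumed to be configured in web.config) so no password handling is hand-rolled. The service name, namespace, header shape and role name are placeholders.

```csharp
// Added example, not code from the original post.
// Assumes ASP.NET 2.0 with Membership/Roles providers configured in web.config.
using System;
using System.Web;
using System.Web.Security;
using System.Web.Services;
using System.Web.Services.Protocols;

// The header a VBScript client would send inside <soap:Header>:
//   <AuthHeader xmlns="http://example.invalid/hr"><Username>..</Username><Password>..</Password></AuthHeader>
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

[WebService(Namespace = "http://example.invalid/hr")]
public class HrService : WebService
{
    // Populated by the SOAP stack from the incoming header before the method runs.
    public AuthHeader Credentials;

    [WebMethod]
    [SoapHeader("Credentials", Direction = SoapHeaderDirection.In)]
    public string GetEmployeeStatus(string employeeId)
    {
        RequireValidCredentials();
        // Real HR lookup would go here; placeholder return.
        return "active";
    }

    private void RequireValidCredentials()
    {
        // A password header over plain HTTP is the actual risk with this design,
        // so refuse it in code instead of trusting that "Require SSL" is set in IIS.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("SSL is required.", SoapException.ClientFaultCode);

        if (Credentials == null ||
            string.IsNullOrEmpty(Credentials.Username) ||
            string.IsNullOrEmpty(Credentials.Password))
            throw new SoapException("Missing credentials.", SoapException.ClientFaultCode);

        // The Membership provider hashes and compares; the service never stores
        // or compares plain-text passwords itself.
        if (!Membership.ValidateUser(Credentials.Username, Credentials.Password))
            throw new SoapException("Invalid credentials.", SoapException.ClientFaultCode);

        // Authentication alone is not authorization: also demand the role, so a
        // valid but unrelated account cannot reach HR data. "HrApiUsers" is a placeholder.
        if (!Roles.IsUserInRole(Credentials.Username, "HrApiUsers"))
            throw new SoapException("Not authorised.", SoapException.ClientFaultCode);
    }
}
```

Because the header is ordinary XML, a VBScript client only has to build the envelope text and POST it over HTTPS; nothing in the check above depends on a generated proxy. The two things that make this "secure enough" are the hard SSL requirement and letting the Membership provider own password storage and comparison.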

A: 

I had this issue last week and I chose SOAP with SSL. I also combined that with an MD5 encrypted key of the data. This applies, of course, only if you are the "owner" of both server and client.

Glenn
+2  A: 

You should strongly consider using IIS and Windows to provide the authentication. IIS can map incoming requests to an AD user (NTLM, Certificates, Kerberos, etc.). From there, you'll have a WindowsPrincipal you can use to demand that the user is in a group. If you don't mind compiling the group name into the code, you can even use the PrincipalPermissionAttribute on your service methods so it'd be completely declarative.

By using Windows, you get the platform to deal with all the security issues. Passwords won't be transmitted in plain text, nor will you need to create and specify your own challenge/response type system (yuck). Different clients could authenticate in different ways (require certificates for some, allow NTLM for others).

Finally, you'll end up with less code since you can use Windows to manage the users and the .NET Framework to enforce security checks.

Edit:

Maybe you think securing the ASMX is hacky because that's the only step you're looking at? I'd agree! A webservice that depends only on your having denied anonymous access sounds very weak indeed. The webservice code itself should demand group membership after the authentication is done. That way, if you misconfigure the server, you've made it inaccessible, not insecure.

MichaelGG
Some very good points there, thank you!
Frans
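The approach in the answer above, as an added example that is not code from the answer: IIS performs Windows authentication, and the service itself demands group membership, once declaratively with PrincipalPermissionAttribute and once imperatively so a custom fault can be returned. It assumes anonymous access is disabled and Integrated Windows Authentication is enabled on the .asmx in IIS, and that web.config contains `<authentication mode="Windows" />` with `<authorization><deny users="?" /></authorization>`. The domain group name is a placeholder.

```csharp
// Added example, not code from the original answer.
// Assumes IIS Windows authentication and <authentication mode="Windows" /> in web.config,
// so Thread.CurrentPrincipal is the WindowsPrincipal ASP.NET built from the IIS token.
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using System.Web.Services;
using System.Web.Services.Protocols;

[WebService(Namespace = "http://example.invalid/hr")]
public class HrService : WebService
{
    // Placeholder group; compiled in, as the answer notes, for the declarative form.
    const string RequiredGroup = @"CONTOSO\HrApiUsers";

    // Declarative form: the runtime checks Thread.CurrentPrincipal.IsInRole before
    // the body runs and throws SecurityException (surfaced as a SOAP fault) otherwise.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = RequiredGroup)]
    public string GetEmployeeStatus(string employeeId)
    {
        return "active (requested by " + User.Identity.Name + ")";
    }

    // Imperative form: same check, but the fault text and code are under your control.
    [WebMethod]
    public string UpdateEmployee(string employeeId, string newStatus)
    {
        WindowsPrincipal principal = Thread.CurrentPrincipal as WindowsPrincipal;

        // With anonymous access accidentally re-enabled, ASP.NET still hands the
        // method a principal, but an unauthenticated one; reject it explicitly.
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new SoapException("Not authenticated.", SoapException.ClientFaultCode);

        // Fail closed: an authenticated caller outside the group is refused, so an
        // IIS misconfiguration makes the service unusable rather than open.
        if (!principal.IsInRole(RequiredGroup))
            throw new SoapException("Not authorised.", SoapException.ClientFaultCode);

        return "updated by " + principal.Identity.Name;
    }
}
```

The two methods deliberately enforce the same rule two ways: the attribute is the least code, while the imperative version lets you distinguish "not authenticated" from "authenticated but not in the group" when returning faults to callers.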
A: 

WCF is the way to go. It offers many possible security solutions, some standards-based and interoperable, some .NET or Windows specific.

A quick search on 'WCF security' will give you lots of resources but I suggest you start with this article: 'Fundamentals of WCF Security' by Michele Leroux Bustamante.

Rob Windsor
A: 

You can also try two-way SSL with IIS; this will let you make sure that the client is who they say they are, encrypt the data over the line, and also run the web service as different users based on the cert that is provided.

Andrew Cox
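The two-way SSL option above, as an added example that is not code from the answer: IIS negotiates the client certificate during the handshake and exposes it to ASP.NET, where the service checks that one was actually presented, that it is within its validity period, and that it is one of the certificates you issued (pinned by thumbprint) before mapping it to a caller. It assumes the .asmx is set to "Require client certificates" in IIS; the thumbprint and names are placeholders.

```csharp
// Added example, not code from the original answer.
// Assumes IIS is configured to require client certificates on the .asmx.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

[WebService(Namespace = "http://example.invalid/hr")]
public class HrService : WebService
{
    // Pin the exact client certificates issued to callers (SHA-1 thumbprints as
    // .NET formats them: uppercase hex, no spaces). Placeholder value.
    static readonly string[] AllowedThumbprints =
    {
        "0000000000000000000000000000000000000000"
    };

    [WebMethod]
    public string GetEmployeeStatus(string employeeId)
    {
        X509Certificate2 cert = RequireClientCertificate();
        // The subject can now be mapped to an HR account in code, or IIS
        // certificate mapping can run the request as a Windows user instead.
        return "active (requested by " + cert.Subject + ")";
    }

    private X509Certificate2 RequireClientCertificate()
    {
        HttpClientCertificate clientCert = Context.Request.ClientCertificate;

        // IsPresent is false when IIS is set to "Accept" rather than "Require" and
        // the client sent nothing; IsValid reflects the chain check IIS performed.
        if (!clientCert.IsPresent || !clientCert.IsValid)
            throw new SoapException("Client certificate required.", SoapException.ClientFaultCode);

        X509Certificate2 cert = new X509Certificate2(clientCert.Certificate);

        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new SoapException("Client certificate not within validity period.", SoapException.ClientFaultCode);

        // Chaining to a trusted CA is not enough on its own: only the specific
        // certificates you handed out may call the service.
        if (Array.IndexOf(AllowedThumbprints, cert.Thumbprint) < 0)
            throw new SoapException("Client certificate not authorised.", SoapException.ClientFaultCode);

        return cert;
    }
}
```

Pinning by thumbprint means a revoked or rotated client certificate is handled by editing the allowed list (or a store it is loaded from) rather than by relying on IIS to consult a CRL.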
A: 

Use WCF. It requires .NET 3.0 or above (you might just as well use 3.5 SP1), but that's just .NET 2.0 with a couple of service packs and some new assemblies, so it's safe.

I recommend against ever again using ASMX web services for new development, unless there's no choice.

You may have read about "WSE" or "Web Service Extensions". These are obsolete, and were a series of extensions to ASMX web services to implement the WS-* set of protocols. From this, Microsoft learned that the ASMX platform wasn't extensible enough, and therefore created WCF (Windows Communication Foundation). Avoid WSE like the plague.

John Saunders
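The WCF route recommended in the two answers above, and the TransportWithMessageCredential mode the question asks about, as an added example that is not code from the answers: SSL (the server's certificate) protects the transport, while the client's username and password travel inside the message and are checked by a custom validator, so no client certificates are involved in this mode. It requires .NET 3.0 or later, assumes ASP.NET Membership is configured for the password check, and uses placeholder names and URL.

```csharp
// Added example, not code from the original answers. Requires .NET 3.0+.
// Assumes an HTTPS binding (server certificate) is already configured for the host.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Web.Security;

[ServiceContract(Namespace = "http://example.invalid/hr")]
public interface IHrService
{
    [OperationContract]
    string GetEmployeeStatus(string employeeId);
}

public class HrService : IHrService
{
    public string GetEmployeeStatus(string employeeId)
    {
        // Identity established by HrUserValidator below.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return "active (requested by " + caller + ")";
    }
}

// Replaces the default check against Windows accounts with your own store.
// Throwing is the only way to reject a caller; returning normally means "accepted".
public class HrUserValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Missing credentials.");

        // ASP.NET Membership (assumed configured) hashes and compares the password.
        if (!Membership.ValidateUser(userName, password))
            throw new SecurityTokenException("Invalid credentials.");
    }
}

public static class HrHost
{
    // Builds the host in code; the same settings can live in <system.serviceModel>.
    public static ServiceHost Build()
    {
        // Transport security (SSL) plus a UserName token in the message.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        ServiceHost host = new ServiceHost(typeof(HrService),
            new Uri("https://hr.example.invalid/HrService"));  // placeholder address
        host.AddServiceEndpoint(typeof(IHrService), binding, "");

        // Route UserName tokens to the custom validator instead of Windows logon.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new HrUserValidator();

        return host;  // caller invokes host.Open() and later host.Close()
    }
}
```

When hosted in IIS the HTTPS certificate comes from the site binding, which is why nothing here loads a server certificate; for self-hosting the certificate must be bound to the port separately. Note that a plain VBScript client cannot easily produce the WS-Security UserName token this binding expects, which is the trade-off the question anticipates.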