HOW TO: Disable the Documentation Protocol for ASP.NET Web Services (815149)


The information in this article applies to:

  • Microsoft ASP.NET (included with the .NET Framework) 1.0
  • Microsoft Web Services (included with the .NET Framework) 1.0
  • Microsoft ASP.NET (included with the .NET Framework 1.1)
  • Microsoft Web Services (included with the .NET Framework 1.1)

IN THIS TASK

This step-by-step article describes how to disable the documentation protocol for ASP.NET Web services.

ASP.NET Web services facilitate the development of Web services clients by automatically generating documentation that describes how to communicate with the Web service. Web services that have the documentation protocol enabled generate an HTML-formatted page when a browser request is received. This HTML-formatted page describes the following information:
  • The operations that are supported
  • The parameters that each operation accepts
  • The type of data that should be passed in those parameters
The documentation protocol also generates an XML-formatted Web Services Description Language (WSDL) file. This file is designed to allow applications to understand how to structure requests to the Web service.

This information can be very useful to developers, especially developers who create clients for public Web services. However, revealing detailed information about the functionality of private Web services increases the risk that the Web service will be misused by a malicious attacker. The Documentation protocol always describes all functions and parameters of a Web service - even if only a subset of those functions are intended to be publicly accessible.

back to the top

Removing the Documentation Protocol

To disable the Documentation Web services protocol for an ASP.NET application, follow these steps:
  1. Open the Web.config file from the web application's root directory in a text editor (for example, Notepad). If the Web.config file does not exist, create a Web.config file for the ASP.NET Application.
  2. Add the webServices configuration element to the system.web element in the Web.config file.
  3. In the webServices element, add the protocols configuration element.
  4. In the protocols element, add the remove name="Documentation"/ element.

    The following example shows the webServices configuration element added to a Web.config file to disable the automatic generation of browser-friendly documentation: 
    <webServices>
    <protocols>
        <remove name="Documentation"/> 
    </protocols>
</webServices>
  5. Save the Web.config file.
back to the top

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

315736 HOW TO: Secure an ASP.NET Application by Using Windows Security

315588 HOW TO: Secure an ASP.NET Application Using Client-Side Certificates

815179 How To: Create the Web.config File for an ASP.NET Application.

815178 HOW TO: Edit the Configuration of an ASP.NET Application

818014 HOW TO: Secure Applications That Are Built on the .NET Framework

back to the top
Modification Type:MajorLast Reviewed:8/18/2003
Keywords:kbBrowse kbWebServer kbWebForms kbWebServices kbConfig kbHOWTOmaster KB815149 kbAudITPRO
©2003 Microsoft Corporation. All rights reserved.