Re: Prohibiting access to web service resources?

"Peter Olcott" <> wrote in message
news: ...
>I want to build my first web service and I need to know more about
>security.
> (I already posted to microsoft.public.dotnet.framework.aspnet.security
> with no response).
>
> Specifically, I want to make it completely impossible for any outside user
> to have any access to any of the files stored on the web server. This is
> to include any data files, and the web service code. How do I do this?

Every public web server strives to be secure, but that doesn't mean there is
any foolproof way to keep a hacker out. The best you can do is do the best
you can do.

If you were going to host a web service on a Windows web server, you'd most
likely be serving it via IIS. Data files in ASP .NET are typically best
placed in the App_Data folder, which is a folder that IIS knows not to grant
outside access to. Your web.config file (or any file with a .config
extension) is also not served by IIS, and in a production environment, you
wouldn't have your source code (your .vb or .cs files) up on the server
anyway, you'd just have your compiled assembly (.dll), which is also kept in
a protected directory.

So, you really don't have to worry about the sensitive folders and files of
your web service being accessible to the outside world any more than you'd
worry about your entire server being hacked, which is not a .NET issue, but
a server security issue.

-Scott

Scott M.

"Peter Olcott" <> wrote in message
news:qfednY-...
>
> "Scott M." <s-> wrote in message
> news:...
>>
>> "Peter Olcott" <> wrote in message
>> news: ...
>>>I want to build my first web service and I need to know more about
>>>security.
>>> (I already posted to microsoft.public.dotnet.framework.aspnet.security
>>> with no response).
>>>
>>> Specifically, I want to make it completely impossible for any outside
>>> user to have any access to any of the files stored on the web server.
>>> This is to include any data files, and the web service code. How do I do
>>> this?
>>
>> Every public web server strives to be secure, but that doesn't mean there
>> is any foolproof way to keep a hacker out. The best you can do is do
>> the best you can do.
>>
>> If you were going to host a web service on a Windows web server, you'd
>> most likely be serving it via IIS. Data files in ASP .NET are typically
>> best placed in the App_Data folder, which is a folder that IIS knows not
>> to grant outside access to. Your web.config file (or any file with a
>> .config extension) is also not served by IIS, and in a production
>> environment, you wouldn't have your source code (your .vb or .cs files)
>> up on the server anyway, you'd just have your compiled assembly (.dll),
>> which is also kept in a protected directory.
>>
>> So, you really don't have to worry about the sensitive folders and files
>> of your web service being accessible to the outside world any more than
>> you'd worry about your entire server being hacked, which is not a .NET
>> issue, but a server security issue.
>>
>> -Scott
>>
>
> Great how do I make files and folders inaccessible?

Did you not read my message? Your App_Data folder, .dll and .config files
are already protected by IIS. And, you would't publish your source code
files to the production server anyway. There's nothing you need to do to
make this stuff private.

Aside from this, you want to keep the server password private and emply a
strong hardware and software firewall scenario as you would on any
production public server.

-Scott

Scott M.