Many methods of securing Web applications and Web services are available. You can use the built-in features of IIS, you can use options available through the ASP.NET Framework, and with either one you can use secure sockets so that transmissions are not easily readable. The following subsections will give you an overview of each of these mechanisms before you learn how to set up the different options using ASP.NET and IIS.
Using Secure Sockets Layer (SSL)
If you wish to ensure that all transmissions between the client and the server are encrypted, you can choose to use Secure Sockets Layer (SSL). Be aware that although this technique ensures that no one can view the data going across the connection, it will slow the performance of your Web site.
To set up SSL on a Web site, you will need to obtain a secure server certificate through VeriSign or another certification authority. See the IIS online help for more information on how to secure a Web site using SSL.
One way you might secure the Web Service is through IIS properties. Simply select a Web site in IIS and open the Properties dialog box. Then select the Directory Security tab and click the Edit button in the Anonymous Access and Authentication control section (see Figure 31.1).
Figure 31.1. Click the Edit button to change the security for this Web site.
Clicking the Edit button displays the dialog box shown in Figure 31.2 (this dialog may look slightly different, depending on your version of IIS).
Figure 31.2. Choose an authentication method for your Web site from this dialog box in IIS Administrator.
You can change settings in Web.config files to secure individual Web sites. The <authentication> and <authorization> XML tags in this file manage the corresponding features. When using a Web Service, you can set the authentication element to either Windows or None. (You can't use Forms, because Web Services provide no user interface, so you can't redirect to a specific page and force a user to log in.)
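A Web.config for the Windows option described above, with the None setting kept in a comment for contrast. This is an added example, not taken from the original text; the group name CONTOSO\ServiceUsers is a constructed placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: Web.config placed in the Web Service's application root. -->
<configuration>
  <system.web>
    <!-- Weak setting, shown for contrast only:
           <authentication mode="None" />
         With mode "None", ASP.NET establishes no user identity, so every
         caller is anonymous and the authorization rules below cannot
         tell one caller from another. -->

    <!-- Corrected setting: ASP.NET uses the identity that IIS established
         for the request. -->
    <authentication mode="Windows" />

    <authorization>
      <!-- Rules are evaluated top to bottom and the first match wins. -->
      <!-- "?" means anonymous (unauthenticated) callers. -->
      <deny users="?" />
      <!-- Constructed placeholder group; substitute a real Windows group. -->
      <allow roles="CONTOSO\ServiceUsers" />
      <!-- "*" means everyone else, so only the group above gets through. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Windows mode relies on IIS to authenticate the caller, so the authentication method selected in the IIS dialog box determines how that identity is obtained.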