I am using Umbraco 7.4.2. From a security scan I got the feedback that the default webservices are available and are a potential security risk. Thus, I like to disable them since I'm not using them anyway.
Now from the documentation (https://our.umbraco.org/Documentation/Reference/Config/umbracoSettings/) I understand that using the < webservices > tag in the umbracoSettings I can disable the default webservices. However, if I use that, I get the message "Unrecognized element 'webservices'".
We always lockdown /Umbraco/ to the ip's of our own company and those of the client. By doing that nobody else can go to /Umbraco/ and neither the web services.
Only thing is that you need to have the clients up adresses.
Yes, we were thinking about that too. What we are doing right now is denying all users access to the location umbraco/webservices in the web.config. This does the trick, but I'm still puzzled by the documentation on webservices.
So: make sure to delete umbraco.webservices.dll if you still have that in your bin folder, it's completely obsolete and deleting that dll will remove these webservices completely.
How to disable Umbraco webservices
I am using Umbraco 7.4.2. From a security scan I got the feedback that the default webservices are available and are a potential security risk. Thus, I like to disable them since I'm not using them anyway. Now from the documentation (https://our.umbraco.org/Documentation/Reference/Config/umbracoSettings/) I understand that using the < webservices > tag in the umbracoSettings I can disable the default webservices. However, if I use that, I get the message "Unrecognized element 'webservices'".
Is there another way to disable the webservices?
Hi Klaas,
We always lockdown /Umbraco/ to the ip's of our own company and those of the client. By doing that nobody else can go to /Umbraco/ and neither the web services.
Only thing is that you need to have the clients up adresses.
Jeffrey
Hi Jeffrey,
Yes, we were thinking about that too. What we are doing right now is denying all users access to the location umbraco/webservices in the web.config. This does the trick, but I'm still puzzled by the documentation on webservices.
Thanks, Klaas
Now you no longer have to be puzzled: I removed that part of the documentation.
The Webservices were discontinued and permanently removed in early version of v6 due to security problems (though an updated, secure version is available if you really need them). http://umbraco.com/follow-us/blog-archive/2013/4/29/security-vulnerability-found-immediate-action-recommended.aspx
So: make sure to delete umbraco.webservices.dll if you still have that in your bin folder, it's completely obsolete and deleting that dll will remove these webservices completely.
is working on a reply...