
Brian Sherwin's Blog

Moving at the Speed of .Net

Two ASP.NET Configuration Best Practices

Here are a couple of things that I have read or heard in the past, but I needed them again this last week.  Therefore, I thought I'd blog them so I know where to find them next time.

1) Disable the ability to request WSDL definitions from ASP.NET web services.  A WSDL definition is typically requested by appending "?wsdl" to the web service URL (http://…webservice.asmx?wsdl).  You may want to turn this off in a production environment.  To do so, add the following to your web.config:

<configuration>
    <system.web>
        <webServices>
            <protocols>
                <remove name="Documentation" />
            </protocols>
        </webServices>
    </system.web>
</configuration>

2) The <deployment retail="true"/> Switch in Machine.config

From ScottGu's blog:

"If you are a server administrator and want to ensure that no one accidentally deploys an ASP.NET application in production with the <compilation debug="true"/> switch enabled within the application’s web.config file, one trick you can use with ASP.NET V2.0 is to take advantage of the <deployment> section within your machine.config file.

"Specifically, by setting this within your machine.config file:

<configuration>
    <system.web>
        <deployment retail="true"/>
    </system.web>
</configuration>

"You will disable the <compilation debug="true"/> switch, disable the ability to output trace output in a page, and turn off the ability to show detailed error messages remotely. Note that these last two items are security best practices you really want to follow (otherwise hackers can learn a lot more about the internals of your application than you should show them).

"Setting this switch to true is probably a best practice that any company with formal production servers should follow to ensure that an application always runs with the best possible performance and no security information leakages. There isn’t a ton of documentation on this switch – but you can learn a little more about it here."

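A quick way to check a server against both items above is a small audit script. This is an added example, not code from the original post or from ScottGu's blog; the finding names and sample files are made up for illustration, and it assumes the config files carry no default XML namespace and looks only at config-file settings, not page-level directives.

```python
import xml.etree.ElementTree as ET

def attr(root, path, name):
    """Lower-cased attribute of the first element at path, or '' if absent."""
    node = root.find(path)
    return (node.get(name, "") if node is not None else "").lower()

def audit(web_config_xml, machine_config_xml):
    """Return findings for one application given its two config files."""
    web = ET.fromstring(web_config_xml)
    machine = ET.fromstring(machine_config_xml)
    findings = []

    # Item 1: ?wsdl and the .asmx help page are served unless the
    # Documentation protocol is removed.
    removed = {r.get("name") for r in
               web.findall("system.web/webServices/protocols/remove")}
    if "Documentation" not in removed:
        findings.append("wsdl-documentation-enabled")

    # Item 2: retail="true" in machine.config overrides the per-application
    # debug, trace and remote detailed-error settings, so they only matter
    # when the switch is missing.
    if attr(machine, "system.web/deployment", "retail") == "true":
        return findings
    findings.append("machine-config-retail-not-set")
    if attr(web, "system.web/compilation", "debug") == "true":
        findings.append("compilation-debug-enabled")
    if attr(web, "system.web/trace", "enabled") == "true":
        findings.append("trace-enabled")
    if attr(web, "system.web/customErrors", "mode") == "off":
        findings.append("detailed-errors-shown-remotely")
    return findings

# Constructed sample files, not taken from a real server.
WEB_CONFIG = """<configuration><system.web>
  <compilation debug="true" />
  <trace enabled="true" />
  <customErrors mode="Off" />
</system.web></configuration>"""
MACHINE_DEFAULT = "<configuration><system.web /></configuration>"
MACHINE_RETAIL = """<configuration><system.web>
  <deployment retail="true" />
</system.web></configuration>"""

if __name__ == "__main__":
    print(audit(WEB_CONFIG, MACHINE_DEFAULT))
    print(audit(WEB_CONFIG, MACHINE_RETAIL))
```

With the retail switch set, only the WSDL finding remains for the sample web.config, because that setting is not covered by the switch.
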

Feedback

# re: Two ASP.NET Configuration Best Practices

Yeah, yeah, yeah... now where's my post on the Reporting Services stuff we were talking about?

:) 4/26/2007 11:35 PM | Steven Harman
