We have a web service that is exposed on the internet but is only used by our client application. The client uses SSL to connect to the server and we are using WS-Security to provide authorization. Even so, I wanted to prevent someone from viewing the interface of the service by going to the default WSDL generated by ASP.Net (http://domain/Service.asmx?WSDL).
It turns out that this is actually pretty easy to do. I found documentation on it related to Visual Studio Team System Application Designer, but that page mentions that it makes a change to a service's web.config file. The answer is to remove the "Documentation" protocol from the <webServices>, <protocols> section of the config file. I chose to do it by using a <remove> directive in the service's web.config file, but you could also do it in the machine.config file to affect the whole server. The nice thing about this solution is that I can leave it enabled on our development server so that Visual Studio can auto-generate the client proxy, but it won't be exposed at all on the production site.
Here's my change:
<webServices>
<protocols>
<remove name="Documentation" />
</protocols>
</webServices>