I am wanting ideas on how to secure a webservice. Basically we have a software activations webservice that applications we create talk to to verify the user's licence key and activate the software. However, if anyone were to discover the web address to the service (which isn't really that hard seeing .NET stores it in a plain text config file), they would be able to interact with our activations server.
I guess in a situation where you know that the service will only be visible from a few locations, you could lock IIS down to a few IP addresses, but in this situation we are expecting connections from anywhere.
Can anyone offer some advice?