Team Foundation Server Security Concepts

To help secure Team Foundation Server, you must understand how Team Foundation Server works and how it communicates with other Team Foundation components. A Team Foundation Server administrator should be familiar with Windows authentication, network protocols and traffic, and the structure of the business network on which Team Foundation Server is installed. The administrator should also have an understanding of Team Foundation Server groups and permissions.

Understanding Team Foundation Server Security

Team Foundation Server security concepts fall into three general categories: topology, authentication, and authorization. Topology includes information about the following:

  • Where and how Team Foundation servers are deployed

  • Network traffic that passes between Team Foundation Server and Team Foundation clients

  • Services that must run on Team Foundation Server

Authentication determines the validity of Team Foundation Server users, groups, and services. Authorization determines whether valid Team Foundation Server users, groups, and services have the appropriate permissions to perform actions. Moreover, you must consider Team Foundation Server dependencies on other components and services in order to optimize the security of Team Foundation Server in the network.

When you consider Team Foundation Server security, you must understand the difference between authentication and authorization. Authentication is the verification of the credentials of a connection attempt from a client, server, or process. Authorization is the verification that the connection attempt is allowed. Authorization always occurs after successful authentication. If a connection is not authenticated, it fails before there is any authorization check. If authentication of a connection succeeds, a specific action might still be disallowed because the user or group did not have authorization to perform that action.

Team Foundation Server Topologies, Ports, and Services

The first element of Team Foundation Server deployment and security is whether the components of your Team Foundation deployment can connect to one another in order to communicate. It is your responsibility to enable connections between Team Foundation clients and Team Foundation Server, and try to limit or prevent other connection attempts.

Team Foundation Server depends on certain ports and services in order to function. These ports can be secured and monitored to meet business security needs. Depending on your Team Foundation deployment, you must allow for Team Foundation Server network traffic to pass between Team Foundation clients, Team Foundation application-tier and data-tier servers, Team Foundation Build build computers, and remote Team Foundation clients using Team Foundation Server Proxy. By default, Team Foundation Server is configured to use HTTP for its Web services. For a full list of Team Foundation Server ports and services and how they are used within Team Foundation Server architecture, see Team Foundation Server Security Architecture.

Important

If you configure Team Foundation Server to use any customized ports, such as HTTPS and SSL, you will not be able to install any service packs for Team Foundation Server after making those changes. Installation of service packs will fail. You must reconfigure Team Foundation Server to its default settings before you can apply service packs for Team Foundation Server.

You can deploy Team Foundation Server in an Active Directory domain or in a workgroup. Active Directory provides more built-in security features than workgroups that you can use to help secure your Team Foundation Server deployment. For example, you can configure Active Directory to disallow duplicate computer names so that a malicious user cannot spoof the computer name with a rogue Team Foundation Server. To reduce the effect of the same kind of threat in a workgroup, you would have to configure computer certificates. For more information about Team Foundation Server in an Active Directory domain, see Managing Team Foundation Server in an Active Directory Domain. For more information about Team Foundation Server in a workgroup, see Managing Team Foundation Server in a Workgroup.

Whether you deploy Team Foundation Server in a workgroup or a domain, there are some topology constraints on Team Foundation Server deployments. For more information about topologies for Team Foundation Server, see Team Foundation Server Topologies.

Authentication

Team Foundation Server security is integrated with Windows integrated authentication and the security features of Windows Server 2003. Windows integrated authentication is used to authenticate the following:

  • Accounts for connections between Team Foundation clients and Team Foundation Server

  • Web services on Team Foundation Server application-tier and data-tier servers

  • Connections between Team Foundation application-tier servers and data-tier servers themselves

You should not configure any SQL database connections between Team Foundation Server and Windows SharePoint Services to use SQL Server Authentication. SQL Server Authentication is less secure. When you use SQL Server Authentication to connect to the database, the system sends the username and password for the database administrator account from server to server in an unencrypted format. Windows integrated authentication does not send the username and password. Instead, it abstracts this information through the IIS application pool. This makes it more secure.

Team Foundation Server Authorization

Team Foundation Server authorization is based on Team Foundation users and groups. The permissions can be assigned directly to both those users and groups. Permissions may also be inherited by belonging to other Team Foundation Server groups. Team Foundation users and groups can be local users or groups, Active Directory users and groups, or both.

Team Foundation Server is preconfigured with default groups at the server level and the project level. You can choose to populate these groups by using individual users. However, for ease of management, consider populating these groups by using Active Directory security groups. In this manner, you can more easily manage group membership and permissions across multiple computers.

Your specific deployment might require that you configure users, groups, and permissions on multiple computers and within several applications. For example, if you want to include reports and project portals as part of your deployment, you must configure permissions for users and groups in SQL Reporting Services, Windows SharePoint Services, and within Team Foundation Server. On Team Foundation Server, permissions can be set on a per-project basis and on a server-wide basis. Additionally, certain permissions are granted by default to any user or group added to Team Foundation Server. A new user or group is added automatically to Team Foundation Valid Users. For more information about how to configure permissions, see Managing Permissions. For more information about Team Foundation Server users and groups, see Managing Users and Groups.

Besides configuring permissions for authorization in Team Foundation Server, you might need authorization within source code control and within work items. You can manage these permissions separately at the command line, but they are integrated as part of the Team Explorer interface. For more information about source control permissions, see Source Control Security Rights and Permissions and Team Foundation Source Control. For more information about work item customization, see Managing Team Foundation Work Items.

Team Foundation Server Dependencies

Besides its own services, Team Foundation Server requires certain Windows services and other application services on its application-tier and data-tier servers. The following table details the required services on application-tier servers.

Service name Description

Application Experience Lookup Service

Provides part of an infrastructure that lets you apply fixes to applications to make sure that they run on newly released Windows operating systems or service packs. This service must be running for the application fixes to work.

Distributed Transaction Coordinator

Coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, and file systems. These transaction-protected resources may be on a single computer or distributed across many networked computers.

DNS Client

Used to resolve DNS domain names.

Event Log

Records events on the operating system by writing to one of three default logs that you can read in Event Viewer: the security, application, and system logs.

IIS Admin Service

Manages the IIS metabase.

Net Logon

Verifies logon requests and controls domain-wide replication of the user accounts database.

Network Connections

Manages all network connections that are created and configured in Network Connections in Control Panel. Also known as the NetMan service, it is responsible for displaying network status in the notification area on the desktop.

Network Location Awareness (NLA)

Collects and stores network configuration information such as changes to the names and locations of IP addresses and domain names.

Remote Procedure Call (RPC)

Provides a secure inter-process communication (IPC) mechanism that enables data exchange and invocation of functionality that resides in a different process. The different process can be on the same computer, on the local area network (LAN), or across the Internet. The Remote Procedure Call service serves as the RPC Endpoint Mapper (EPM) and Service Control Manager (SCM).

Report Server (MSSSQLSERVER)

Handles Simple Object Access Protocol (SOAP) and URL requests, processes reports, provides snapshot and report cache management, and supports and enforces security policies and authorization.

Security Accounts Manager

Maintains user account information that includes groups to which a user belongs.

Microsoft SharePoint Timer Service

Handles scheduled jobs in Windows SharePoint Services.

Windows Management Instrumentation

Starts and stops the Common Information Model (CIM) Object Manager.

Windows Time

Synchronizes the date and time for all computers that are running on a Windows Server 2003 network. It is also known as W32Time.

World Wide Web Publishing Service

Provides a user-mode configuration and process manager that manages the IIS components that process HTTP requests, run Web applications, and periodically check Web applications to determine whether they have stopped unexpectedly.

The following table details the required services on data-tier servers.

Service name Description

Application Experience Lookup Service

This service is part of an infrastructure that lets you apply fixes to applications to make sure that they run on newly released Windows operating systems or service packs. This service must be running for the application fixes to work.

Distributed Transaction Coordinator

Coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, and file systems. These resources may be on a single computer or distributed across many networked computers.

DNS Client

Used to resolve DNS domain names.

Event Log

Records events on the operating system by writing to one of three default logs that you can read in Event Viewer: the security, application, and system logs.

Microsoft SharePoint Timer Service

Handles scheduled jobs in Windows SharePoint Services.

Net Logon

Verifies logon requests and controls domain-wide replication of the user accounts database.

Network Connections

Manages all network connections that are created and configured in Network Connections in Control Panel. Also known as the NetMan service, it displays the network status in the notification area on the desktop.

Network Location Awareness (NLA)

Collects and stores network configuration information such as changes to the names and locations of IP addresses and domain names.

Remote Procedure Call (RPC)

Provides a secure inter-process communication (IPC) mechanism that enables data exchange and the invocation of functionality residing in a different process. That different process can be on the same computer, on the local area network (LAN), or across the Internet. The Remote Procedure Call service serves as the RPC Endpoint Mapper (EPM) and Service Control Manager (SCM).

Security Accounts Manager

Maintains user account information that includes groups to which a user belongs.

SQL Analysis Server (MSSQLSERVER)

Creates and manages OLAP cubes and data mining models.

SQL Server Browser

Provides SQL Server connection information to client computers.

SQL Server FullText Search (MSSQLSERVER)

Creates full text indexes on content and enables full text search on work items.

Windows Management Instrumentation

Starts and stops the Common Information Model (CIM) Object Manager.

Windows Time

Synchronizes the date and time for all computers that are running on a Windows Server 2003 network. It is also known as W32Time.

See Also

Concepts

Team Foundation Server Security Architecture
Managing Team Foundation Server in a Workgroup
Source Control Security Rights and Permissions
Team Foundation Source Control
Managing Team Foundation Work Items

Other Resources

Managing Team Foundation Server in an Active Directory Domain
Managing Permissions
Managing Users and Groups