Introduction
To secure Team Foundation Server, you must understand how Team Foundation Server works and how it communicates with other Team Foundation components. A Team Foundation Server administrator should be familiar with Windows authentication, network protocols and traffic, and the structure of the business network on which Team Foundation Server is installed, as well as have an understanding of Team Foundation Server groups and permissions.
Understanding Team Foundation Server Security
Team Foundation Server security concepts can be broken down into three general categories: topology, authentication, and authorization. Topology includes where and how Team Foundation servers are deployed, the network traffic that passes between Team Foundation Server and Team Foundation clients, and the services that need to run on Team Foundation Server. Authentication includes the determination of the validity of Team Foundation Server users, groups, and services. Authorization includes the determination of whether valid Team Foundation Server users, groups, and services have the appropriate permissions to perform actions. In addition, you must be aware of Team Foundation Server dependencies on other components and services in order to optimize the security of Team Foundation Server within your network.
When thinking about Team Foundation Server security, it is important to understand the difference between authentication and authorization. Authentication is the verification of the credentials of a connection attempt from a client, server, or process. Authorization is the verification that the connection attempt is allowed. Authorization always occurs after successful authentication. If a connection is not authenticated, it fails before any authorization checking is performed. If authentication of a connection succeeds, a specific action might still be disallowed because the user or group did not have authorization to perform that action.
Team Foundation Server Topologies, Ports, and Services
The first element of Team Foundation Server deployment and security is whether the components of your Team Foundation deployment can connect to each other in order to communicate. Ideally, you want to enable connections between Team Foundation clients and Team Foundation Server, and limit or prevent other connection attempts.
Team Foundation Server depends on certain ports and services in order to function. These ports can be secured and monitored to meet business security needs. Depending on your Team Foundation deployment, you must allow Team Foundation Server network traffic to pass between Team Foundation clients, Team Foundation application-tier and data-tier servers, Team Foundation Build build servers, and remote Team Foundation clients using Source Control Proxy. By default, Team Foundation Server is configured to use HTTP for its Web services, but you can optionally choose to configure and use HTTPS and Secure Socket Layer (SSL) for greater security. For a full list of Team Foundation Server ports and services and how they are used within Team Foundation Server architecture, see Team Foundation Server Security Architecture. For information about Team Foundation Server and HTTPS, see Walkthrough: Setting up Team Foundation Server with Secure Socket Layer (SSL).
You can deploy Team Foundation Server in an Active Directory domain or in a workgroup. Active Directory provides more built-in security features than workgroups, which you can use to help secure your Team Foundation Server deployment. For example, you can configure Active Directory to disallow duplicate computer names, so that a malicious user cannot spoof the computer name with a rogue Team Foundation Server. To mitigate against the same kind of threat in a workgroup, you would have to configure computer certificates. For more information about Team Foundation Server in an Active Directory domain, see Managing Team Foundation Server in an Active Directory Domain. For more information about Team Foundation Server in a workgroup, see Managing Team Foundation Server in a Workgroup.
There are some topology constraints on Team Foundation Server deployments regardless of whether you deploy Team Foundation Server in a workgroup or a domain. For example, application-tier servers and data-tier servers must be on the same network segment with no firewalls between them in order to ensure proper function. For more information about topologies for Team Foundation Server, see Team Foundation Server Topologies.
Authentication
Team Foundation Server security is integrated with Windows integrated authentication (also known as Windows NT Challenge Response) and the security features of Windows Server 2003. Windows integrated authentication is used to authenticate accounts for connections between Team Foundation clients and Team Foundation Server, for Web services on Team Foundation Server application-tier and data-tier servers, and for connections between Team Foundation application-tier servers and data-tier servers themselves. Depending on your network, these users and groups might be specific to a single server or computer, or members of an Active Directory domain.
You should not configure any SQL database connections between Team Foundation Server and Windows SharePoint Services to use SQL Server Authentication. SQL Server Authentication is less secure, because when you connect to the database, the username and password for the database administrator account are sent from server to server in unencrypted format. Windows integrated authentication does not send the username and password, but instead abstracts this information through the IIS application pool and is therefore more secure.
Team Foundation Server Authorization
Team Foundation Server authorization is based on users and groups, and the permissions assigned to those users and groups. Your specific deployment might require you to configure users, groups, and permissions on multiple computers and within several applications. For example, if you want to include reports and project portals as part of your deployment, you must configure permissions for users and groups in SQL Reporting Services, Windows SharePoint Services, and within Team Foundation Server. On Team Foundation Server, permissions can be set on a per-project basis, on a server-wide basis, and on a classification basis for server-wide groups. For more information about configuring permissions, see Managing Permissions. For more information about Team Foundation Server users and groups, see Managing Users and Groups.
In addition to configuring permissions for authorization in Team Foundation Server, you might need authorization within Source Code Control and within work items. These permissions are managed separately. For more information about source control permissions, see Source Control Security Rights and Permissions and Team Foundation Source Control Overview. For more information about work item customization, see Managing Work Items.
Team Foundation Server Dependencies
In addition to its own services, Team Foundation Server requires certain Windows and other application services on its application-tier and data-tier servers. The following table details the required services on application-tier servers.
Service name |
Description |
Application Experience Lookup Service |
This service is part of an infrastructure that provides a way to apply fixes to applications to ensure that they run on newly released Windows operating systems or service packs. This service must be running for the application fixes to work. |
Distributed Transaction Coordinator |
This service coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, and file systems. These transaction-protected resources may be on a single computer or distributed across many networked computers. |
DNS Client |
This service is used to resolve DNS domain names. |
Event Log |
This service records events on the operating system by writing to one of three default logs that you can read in Event Viewer: the security, application, and system logs. |
IIS Admin Service |
This service manages the IIS metabase. |
Net Logon |
This service verifies logon requests and controls domain-wide replication of the user accounts database. |
Network Connections |
This service (also known as the Netman service) manages all network connections that are created and configured in Network Connections in Control Panel and is responsible for displaying network status in the notification area on the desktop. |
Network Location Awareness (NLA) |
This service collects and stores network configuration information, such as changes to the names and locations of IP addresses and domain names. |
Remote Procedure Call (RPC) |
This service is a secure inter-process communication (IPC) mechanism that enables data exchange and invocation of functionality that resides in a different process. That different process can be on the same computer, on the local area network (LAN), or across the Internet. The Remote Procedure Call service serves as the RPC Endpoint Mapper (EPM) and Service Control Manager (SCM). |
Security Accounts Manager |
This service maintains user account information, including groups to which a user belongs. |
Microsoft SharePoint Timer Service |
This service handles scheduled jobs in Windows SharePoint Services. |
Windows Management Instrumentation |
This service starts and stops the Common Information Model (CIM) Object Manager. |
Windows Time |
This service (also known as W32Time) synchronizes the date and time for all computers running on a Windows Server 2003 network. |
World Wide Web Publishing Service |
This service is a user-mode configuration and process manager, which manages the IIS components that process HTTP requests and run Web applications and periodically checks Web applications to determine if they have stopped unexpectedly. |
The following table details the required services on data-tier servers.
Service name |
Description |
SQL Analysis Server (MSSQLSERVER) |
This service creates and manages OLAP cubes and data mining models. |
Application Experience Lookup Service |
This service is part of an infrastructure that provides a way to apply fixes to applications to ensure that they run on newly released Windows operating systems or service packs. This service needs to be running for the application fixes to work. |
Distributed Transaction Coordinator |
This service coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, and file systems. These transaction-protected resources may be on a single computer or distributed across many networked computers. |
DNS Client |
This service is used to resolve DNS domain names. |
Event Log |
This service records events on the operating system by writing to one of three default logs that you can read in Event Viewer: the security, application, and system logs. |
Net Logon |
This service verifies logon requests and controls domain-wide replication of the user accounts database. |
Network Connections |
This service (also known as the Netman service) manages all network connections that are created and configured in Network Connections in Control Panel and is responsible for displaying network status in the notification area on the desktop. |
Network Location Awareness (NLA) |
This service collects and stores network configuration information, such as changes to the names and locations of IP addresses and domain names. |
Remote Procedure Call (RPC) |
This service is a secure inter-process communication (IPC) mechanism that enables data exchange and invocation of functionality that resides in a different process. That different process can be on the same computer, on the local area network (LAN), or across the Internet. The Remote Procedure Call service serves as the RPC Endpoint Mapper (EPM) and Service Control Manager (SCM). |
Report Server (MSSSQLSERVER) |
This service handles Simple Object Access Protocol (SOAP) and URL requests, processes reports, provides snapshot and report cache management, and supports and enforces security policies and authorization. |
Security Accounts Manager |
This service maintains user account information, including groups to which a user belongs. |
Microsoft SharePoint Timer Service |
This service handles scheduled jobs in Windows SharePoint Services. |
Windows Management Instrumentation |
This service starts and stops the Common Information Model (CIM) Object Manager. |
Windows Time |
This service (also known as W32Time) synchronizes the date and time for all computers running on a Windows Server 2003 network. |
For more information about services and how they interact with Team Foundation Server architecture, see Team Foundation Server Security Architecture.
See Also
Team Foundation Server Security Architecture
Walkthrough: Setting up Team Foundation Server with Secure Socket Layer (SSL)
Managing Team Foundation Server in an Active Directory Domain
Managing Team Foundation Server in a Workgroup
Managing Permissions
Managing Users and Groups
Source Control Security Rights and Permissions
Team Foundation Source Control Overview
Managing Work Items
0 comments