{"id":8113,"date":"2005-12-13T13:19:00","date_gmt":"2005-12-13T13:19:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2005\/12\/13\/team-foundation-server-security-concepts\/"},"modified":"2019-02-14T17:53:38","modified_gmt":"2019-02-15T01:53:38","slug":"team-foundation-server-security-concepts","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/team-foundation-server-security-concepts\/","title":{"rendered":"Team Foundation Server Security Concepts"},"content":{"rendered":"<h2>Introduction<\/h2>\n<p>To secure Team Foundation Server,\nyou must understand how Team Foundation Server works\nand how it communicates with other Team Foundation\ncomponents. A Team Foundation Server administrator\nshould be familiar with Windows authentication, network protocols and traffic,\nand the structure of the business network on which Team\nFoundation Server is installed, as well as have an understanding of Team Foundation Server groups and permissions.<\/p>\n<h2>Understanding Team Foundation Server Security<\/h2>\n<p>Team Foundation Server security\nconcepts can be broken down into three general categories: topology,\nauthentication, and authorization. Topology includes where and how Team Foundation servers are deployed, the network traffic\nthat passes between Team Foundation Server and Team Foundation clients, and the services that need to run\non Team Foundation Server. Authentication includes the\ndetermination of the validity of Team Foundation Server\nusers, groups, and services. Authorization includes the determination of\nwhether valid Team Foundation Server users, groups,\nand services have the appropriate permissions to perform actions. 
In addition,\nyou must be aware of Team Foundation Server\ndependencies on other components and services in order to optimize the security\nof Team Foundation Server within your network.<\/p>\n<p>When thinking about Team Foundation Server\nsecurity, it is important to understand the difference between authentication\nand authorization. Authentication\nis the verification of the credentials of a connection attempt from a client,\nserver, or process. Authorization\nis the verification that the connection attempt is allowed. Authorization\nalways occurs after successful authentication. If a connection is not\nauthenticated, it fails before any authorization checking is performed. If\nauthentication of a connection succeeds, a specific action might still be\ndisallowed because the user or group did not have authorization to perform that\naction.<\/p>\n<h3>Team Foundation Server Topologies, Ports, and Services<\/h3>\n<p>The first element of Team Foundation\nServer deployment and security is whether the components of your Team Foundation deployment can connect to each other in\norder to communicate. Ideally, you want to enable connections between Team Foundation clients and Team\nFoundation Server, and limit or prevent other connection attempts.<\/p>\n<p>Team Foundation Server depends on\ncertain ports and services in order to function. These ports can be secured and\nmonitored to meet business security needs. Depending on your Team\nFoundation deployment, you must allow Team Foundation\nServer network traffic to pass between Team Foundation\nclients, Team Foundation application-tier and\ndata-tier servers, Team Foundation Build build\nservers, and remote Team Foundation clients using\nSource Control Proxy. 
By default, Team Foundation Server\nis configured to use HTTP for its Web services, but you can optionally choose\nto configure and use HTTPS and Secure Socket Layer (SSL) for greater security.\nFor a full list of Team Foundation Server ports and\nservices and how they are used within Team Foundation Server\narchitecture, see Team Foundation Server Security\nArchitecture.\nFor information about Team\nFoundation Server and HTTPS, see Walkthrough:\nSetting up Team Foundation Server with Secure Socket Layer (SSL).<\/p>\n<p>You can deploy Team Foundation Server\nin an Active Directory domain or in a workgroup. Active Directory provides more\nbuilt-in security features than workgroups, which you can use to help secure\nyour Team Foundation Server deployment. For example,\nyou can configure Active Directory to disallow duplicate computer names, so\nthat a malicious user cannot spoof the computer name with a rogue Team Foundation Server. To mitigate against the same kind of\nthreat in a workgroup, you would have to configure computer certificates. For\nmore information about Team Foundation Server in an\nActive Directory domain, see Managing Team Foundation\nServer in an Active Directory Domain. For more\ninformation about Team Foundation Server in a\nworkgroup, see Managing Team Foundation Server in a\nWorkgroup.\n<\/p>\n<p>There are some topology constraints on Team\nFoundation Server deployments regardless of whether you deploy Team Foundation Server in a workgroup or a domain. For\nexample, application-tier servers and data-tier servers must be on the same\nnetwork segment with no firewalls between them in order to ensure proper\nfunction. For more information about topologies for Team\nFoundation Server, see Team Foundation Server\nTopologies.<\/p>\n<h3>Authentication<\/h3>\n<p>Team Foundation Server security is\nintegrated with Windows integrated authentication (also known as Windows NT\nChallenge Response) and the security features of Windows Server 2003. 
Windows\nintegrated authentication is used to authenticate accounts for connections\nbetween Team Foundation clients and Team\nFoundation Server, for Web services on Team Foundation\nServer application-tier and data-tier servers, and for connections\nbetween Team Foundation application-tier servers and\ndata-tier servers themselves. Depending on your network, these users and groups\nmight be specific to a single server or computer, or members of an Active\nDirectory domain.<\/p>\n<p>You should not configure any SQL database connections\nbetween Team Foundation Server and Windows SharePoint\nServices to use SQL Server Authentication. SQL Server Authentication is less\nsecure, because when you connect to the database, the username and password for\nthe database administrator account are sent from server to server in\nunencrypted format. Windows integrated authentication does not send the\nusername and password, but instead abstracts this information through the IIS\napplication pool and is therefore more secure.<\/p>\n<h3>Team Foundation Server Authorization<\/h3>\n<p>Team Foundation Server\nauthorization is based on users and groups, and the permissions assigned to\nthose users and groups. Your specific deployment might require you to configure\nusers, groups, and permissions on multiple computers and within several\napplications. For example, if you want to include reports and project portals\nas part of your deployment, you must configure permissions for users and groups\nin SQL Reporting Services, Windows SharePoint Services, and within Team Foundation Server. On Team Foundation\nServer, permissions can be set on a per-project basis, on a server-wide\nbasis, and on a classification basis for server-wide groups. 
For more\ninformation about configuring permissions, see Managing\nPermissions.\nFor more information about Team Foundation Server\nusers and groups, see Managing Users and Groups.<\/p>\n<p>In addition to configuring permissions for authorization in Team Foundation Server, you might need authorization within\nSource Code Control and within work items. These permissions are managed\nseparately. For more information about source control permissions, see Source Control Security Rights and Permissions\nand Team Foundation Source Control Overview.\nFor more information about work item customization, see Managing\nWork Items.<\/p>\n<h3>Team Foundation Server Dependencies<\/h3>\n<p>In addition to its own services, Team\nFoundation Server requires certain Windows and other application services\non its application-tier and data-tier servers. The following table details the\nrequired services on application-tier servers.<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Service name<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>Description<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Application Experience Lookup Service<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service is part of an infrastructure that provides a\n  way to apply fixes to applications to ensure that they run on newly released\n  Windows operating systems or service packs. This service must be running for\n  the application fixes to work.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Distributed Transaction Coordinator<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service coordinates transactions that update two or\n  more transaction-protected resources, such as databases, message queues, and\n  file systems. 
These transaction-protected resources may be on a single\n  computer or distributed across many networked computers.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>DNS Client<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service is used to resolve DNS domain names.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Event Log<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service records events on the operating system by\n  writing to one of three default logs that you can read in Event Viewer: the\n  security, application, and system logs.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>IIS Admin Service<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service manages the IIS metabase.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Net Logon<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service verifies logon requests and controls\n  domain-wide replication of the user accounts database.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Network Connections<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service (also known as the Netman service) manages\n  all network connections that are created and configured in Network\n  Connections in Control Panel and is responsible for displaying network status\n  in the notification area on the desktop.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Network Location Awareness (NLA)<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service collects and stores network configuration\n  information, such as changes to the names and locations of IP addresses and\n  domain names.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Remote Procedure Call (RPC)<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service is a secure inter-process communication (IPC)\n  mechanism that enables data exchange and invocation of functionality that\n  resides in 
a different process. That different process can be on the same\n  computer, on the local area network (LAN), or across the Internet. The Remote\n  Procedure Call service serves as the RPC Endpoint Mapper (EPM) and Service\n  Control Manager (SCM).<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Security Accounts Manager<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service maintains user account information, including\n  groups to which a user belongs.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Microsoft SharePoint Timer Service<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service handles scheduled jobs in Windows SharePoint\n  Services.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Windows Management Instrumentation<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service starts and stops the Common Information Model\n  (CIM) Object Manager.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Windows Time<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service (also known as W32Time) synchronizes the date\n  and time for all computers running on a Windows Server 2003 network.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>World Wide Web Publishing Service<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service is a user-mode configuration and process\n  manager, which manages the IIS components that process HTTP requests and run\n  Web applications and periodically checks Web applications to determine if they\n  have stopped unexpectedly.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<p>&nbsp;<\/p>\n<p>The following table details the required services on\ndata-tier servers.<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Service name<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>Description<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>SQL Analysis 
Server (MSSQLSERVER)<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service creates and manages OLAP cubes and data\n  mining models.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Application Experience Lookup Service<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service is part of an infrastructure that provides a\n  way to apply fixes to applications to ensure that they run on newly released\n  Windows operating systems or service packs. This service needs to be running\n  for the application fixes to work.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Distributed Transaction Coordinator<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service coordinates transactions that update two or\n  more transaction-protected resources, such as databases, message queues, and\n  file systems. These transaction-protected resources may be on a single\n  computer or distributed across many networked computers.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>DNS Client<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service is used to resolve DNS domain names.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Event Log<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service records events on the operating system by\n  writing to one of three default logs that you can read in Event Viewer: the\n  security, application, and system logs.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Net Logon<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service verifies logon requests and controls\n  domain-wide replication of the user accounts database.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Network Connections<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service (also known as the Netman service) manages\n  all network connections that are created and configured in Network\n  Connections in Control Panel 
and is responsible for displaying network status\n  in the notification area on the desktop.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Network Location Awareness (NLA)<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service collects and stores network configuration\n  information, such as changes to the names and locations of IP addresses and\n  domain names.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Remote Procedure Call (RPC)<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service is a secure inter-process communication (IPC)\n  mechanism that enables data exchange and invocation of functionality that\n  resides in a different process. That different process can be on the same\n  computer, on the local area network (LAN), or across the Internet. The Remote\n  Procedure Call service serves as the RPC Endpoint Mapper (EPM) and Service\n  Control Manager (SCM).<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Report Server (MSSSQLSERVER)<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service handles Simple Object Access Protocol (SOAP)\n  and URL requests, processes reports, provides snapshot and report cache\n  management, and supports and enforces security policies and authorization.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Security Accounts Manager<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service maintains user account information, including\n  groups to which a user belongs.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Microsoft SharePoint Timer Service<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service handles scheduled jobs in Windows SharePoint\n  Services.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Windows Management Instrumentation<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service starts and stops the Common Information Model\n  (CIM) Object 
Manager.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"295\" valign=\"top\">\n<p>Windows Time<\/p>\n<\/td>\n<td width=\"295\" valign=\"top\">\n<p>This service (also known as W32Time) synchronizes the date\n  and time for all computers running on a Windows Server 2003 network.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<p>&nbsp;<\/p>\n<p>For more information about services and how they interact\nwith Team Foundation Server architecture, see Team Foundation Server Security Architecture.<\/p>\n<h2>See Also<\/h2>\n<p>Team Foundation Server Security\nArchitecture<\/p>\n<p>Walkthrough: Setting up Team Foundation\nServer with Secure Socket Layer (SSL)<\/p>\n<p>Managing Team Foundation Server in an\nActive Directory Domain<\/p>\n<p>Managing Team Foundation Server in a\nWorkgroup<\/p>\n<p>Managing Permissions<\/p>\n<p>Managing Users and Groups<\/p>\n<p>Source Control Security Rights and\nPermissions<\/p>\n<p>Team Foundation Source Control Overview<\/p>\n<p>Managing Work Items<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction To secure Team Foundation Server, you must understand how Team Foundation Server works and how it communicates with other Team Foundation components. A Team Foundation Server administrator should be familiar with Windows authentication, network protocols and traffic, and the structure of the business network on which Team Foundation Server is installed, as well as [&hellip;]<\/p>\n","protected":false},"author":125,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8113","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"acf":[],"blog_post_summary":"<p>Introduction To secure Team Foundation Server, you must understand how Team Foundation Server works and how it communicates with other Team Foundation components. 
A Team Foundation Server administrator should be familiar with Windows authentication, network protocols and traffic, and the structure of the business network on which Team Foundation Server is installed, as well as [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/8113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/125"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=8113"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/8113\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=8113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=8113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=8113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}