Team Foundation Server Security Concepts

Introduction

To secure Team Foundation Server,
you must understand how Team Foundation Server works
and how it communicates with other Team Foundation
components. A Team Foundation Server administrator
should be familiar with Windows authentication, network protocols and traffic,
and the structure of the business network on which Team
Foundation Server is installed, as well as have an understanding of Team Foundation Server groups and permissions.

Understanding Team Foundation Server Security

Team Foundation Server security
concepts can be broken down into three general categories: topology,
authentication, and authorization. Topology includes where and how Team Foundation servers are deployed, the network traffic
that passes between Team Foundation Server and Team Foundation clients, and the services that need to run
on Team Foundation Server. Authentication includes the
determination of the validity of Team Foundation Server
users, groups, and services. Authorization includes the determination of
whether valid Team Foundation Server users, groups,
and services have the appropriate permissions to perform actions. In addition,
you must be aware of Team Foundation Server
dependencies on other components and services in order to optimize the security
of Team Foundation Server within your network.

When thinking about Team Foundation Server
security, it is important to understand the difference between authentication
and authorization. Authentication
is the verification of the credentials of a connection attempt from a client,
server, or process. Authorization
is the verification that the connection attempt is allowed. Authorization
always occurs after successful authentication. If a connection is not
authenticated, it fails before any authorization checking is performed. If
authentication of a connection succeeds, a specific action might still be
disallowed because the user or group did not have authorization to perform that
action.

Team Foundation Server Topologies, Ports, and Services

The first element of Team Foundation
Server deployment and security is whether the components of your Team Foundation deployment can connect to each other in
order to communicate. Ideally, you want to enable connections between Team Foundation clients and Team
Foundation Server, and limit or prevent other connection attempts.

Team Foundation Server depends on
certain ports and services in order to function. These ports can be secured and
monitored to meet business security needs. Depending on your Team
Foundation deployment, you must allow Team Foundation
Server network traffic to pass between Team Foundation
clients, Team Foundation application-tier and
data-tier servers, Team Foundation Build build
servers, and remote Team Foundation clients using
Source Control Proxy. By default, Team Foundation Server
is configured to use HTTP for its Web services, but you can optionally choose
to configure and use HTTPS and Secure Socket Layer (SSL) for greater security.
For a full list of Team Foundation Server ports and
services and how they are used within Team Foundation Server
architecture, see Team Foundation Server Security
Architecture.
For information about Team
Foundation Server and HTTPS, see Walkthrough:
Setting up Team Foundation Server with Secure Socket Layer (SSL).

You can deploy Team Foundation Server
in an Active Directory domain or in a workgroup. Active Directory provides more
built-in security features than workgroups, which you can use to help secure
your Team Foundation Server deployment. For example,
you can configure Active Directory to disallow duplicate computer names, so
that a malicious user cannot spoof the computer name with a rogue Team Foundation Server. To mitigate the same kind of
threat in a workgroup, you would have to configure computer certificates. For
more information about Team Foundation Server in an
Active Directory domain, see Managing Team Foundation
Server in an Active Directory Domain. For more
information about Team Foundation Server in a
workgroup, see Managing Team Foundation Server in a
Workgroup.

There are some topology constraints on Team
Foundation Server deployments regardless of whether you deploy Team Foundation Server in a workgroup or a domain. For
example, application-tier servers and data-tier servers must be on the same
network segment with no firewalls between them in order to ensure proper
function. For more information about topologies for Team
Foundation Server, see Team Foundation Server
Topologies.

Authentication

Team Foundation Server security is
integrated with Windows integrated authentication (also known as Windows NT
Challenge Response) and the security features of Windows Server 2003. Windows
integrated authentication is used to authenticate accounts for connections
between Team Foundation clients and Team
Foundation Server, for Web services on Team Foundation
Server application-tier and data-tier servers, and for connections
between Team Foundation application-tier servers and
data-tier servers themselves. Depending on your network, these users and groups
might be specific to a single server or computer, or members of an Active
Directory domain.

You should not configure any SQL database connections
between Team Foundation Server and Windows SharePoint
Services to use SQL Server Authentication. SQL Server Authentication is less
secure, because when you connect to the database, the username and password for
the database administrator account are sent from server to server in
unencrypted format. Windows integrated authentication does not send the
username and password, but instead abstracts this information through the IIS
application pool and is therefore more secure.
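An added example (not part of the original topic) that classifies a SQL connection string by its authentication mode, the check you would run over the TFS and Windows SharePoint Services database connections described above; the sample connection strings, server and database names are constructed for illustration.

```powershell
# Added example: decide whether a connection string uses Windows integrated
# authentication or SQL Server Authentication (credentials in the string).
function Get-SqlAuthMode {
    param([Parameter(Mandatory)][string]$ConnectionString)

    # Split "key=value;key=value" into a hashtable; PowerShell hashtable
    # keys are case-insensitive, which matches how SQL clients treat keys.
    $settings = @{}
    foreach ($pair in $ConnectionString -split ';') {
        if ($pair -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }

    # Both spellings of the integrated-auth keyword are accepted by SqlClient.
    $integrated = $null
    foreach ($key in 'Integrated Security', 'Trusted_Connection') {
        if ($settings.ContainsKey($key)) { $integrated = $settings[$key] }
    }
    if ($integrated -and $integrated -match '^(true|yes|sspi)$') {
        return 'WindowsIntegrated'
    }

    # A user name or password in the string means SQL Server Authentication:
    # the credential travels with every connection the application opens.
    foreach ($key in 'User ID', 'UID', 'Password', 'PWD') {
        if ($settings.ContainsKey($key)) { return 'SqlServerAuthentication' }
    }
    return 'Unknown'
}

# Constructed sample strings; names do not refer to a real deployment.
$samples = @(
    'Data Source=TFSDATA01;Initial Catalog=TfsDb;Integrated Security=SSPI',
    'Server=TFSDATA01;Database=WssDb;User ID=dbadmin;Password=Example1;'
)
foreach ($cs in $samples) {
    $mode = Get-SqlAuthMode -ConnectionString $cs
    # Redact the password before the string reaches the console or a log file.
    $shown = $cs -replace '(?i)(password|pwd)\s*=\s*[^;]*', '$1=***'
    '{0,-24} {1}' -f $mode, $shown
}
```

Run it against the connection strings your application-tier configuration actually holds; any result other than WindowsIntegrated is a finding under the guidance in this topic.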

Team Foundation Server Authorization

Team Foundation Server
authorization is based on users and groups, and the permissions assigned to
those users and groups. Your specific deployment might require you to configure
users, groups, and permissions on multiple computers and within several
applications. For example, if you want to include reports and project portals
as part of your deployment, you must configure permissions for users and groups
in SQL Reporting Services, Windows SharePoint Services, and within Team Foundation Server. On Team Foundation
Server, permissions can be set on a per-project basis, on a server-wide
basis, and on a classification basis for server-wide groups. For more
information about configuring permissions, see Managing
Permissions.
For more information about Team Foundation Server
users and groups, see Managing Users and Groups.

In addition to configuring permissions for authorization in Team Foundation Server, you might need authorization within
Source Code Control and within work items. These permissions are managed
separately. For more information about source control permissions, see Source Control Security Rights and Permissions
and Team Foundation Source Control Overview.
For more information about work item customization, see Managing
Work Items.

Team Foundation Server Dependencies

In addition to its own services, Team
Foundation Server requires certain Windows and other application services
on its application-tier and data-tier servers. The following table details the
required services on application-tier servers.

Application Experience Lookup Service
    This service is part of an infrastructure that provides a way to apply
    fixes to applications to ensure that they run on newly released Windows
    operating systems or service packs. This service must be running for the
    application fixes to work.

Distributed Transaction Coordinator
    This service coordinates transactions that update two or more
    transaction-protected resources, such as databases, message queues, and
    file systems. These transaction-protected resources may be on a single
    computer or distributed across many networked computers.

DNS Client
    This service is used to resolve DNS domain names.

Event Log
    This service records events on the operating system by writing to one of
    three default logs that you can read in Event Viewer: the security,
    application, and system logs.

IIS Admin Service
    This service manages the IIS metabase.

Net Logon
    This service verifies logon requests and controls domain-wide replication
    of the user accounts database.

Network Connections
    This service (also known as the Netman service) manages all network
    connections that are created and configured in Network Connections in
    Control Panel and is responsible for displaying network status in the
    notification area on the desktop.

Network Location Awareness (NLA)
    This service collects and stores network configuration information, such
    as changes to the names and locations of IP addresses and domain names.

Remote Procedure Call (RPC)
    This service is a secure inter-process communication (IPC) mechanism that
    enables data exchange and invocation of functionality that resides in a
    different process. That different process can be on the same computer, on
    the local area network (LAN), or across the Internet. The Remote Procedure
    Call service serves as the RPC Endpoint Mapper (EPM) and Service Control
    Manager (SCM).

Security Accounts Manager
    This service maintains user account information, including groups to
    which a user belongs.

Microsoft SharePoint Timer Service
    This service handles scheduled jobs in Windows SharePoint Services.

Windows Management Instrumentation
    This service starts and stops the Common Information Model (CIM) Object
    Manager.

Windows Time
    This service (also known as W32Time) synchronizes the date and time for
    all computers running on a Windows Server 2003 network.

World Wide Web Publishing Service
    This service is a user-mode configuration and process manager, which
    manages the IIS components that process HTTP requests and run Web
    applications and periodically checks Web applications to determine if
    they have stopped unexpectedly.

The following table details the required services on
data-tier servers.

SQL Analysis Server (MSSQLSERVER)
    This service creates and manages OLAP cubes and data mining models.

Application Experience Lookup Service
    This service is part of an infrastructure that provides a way to apply
    fixes to applications to ensure that they run on newly released Windows
    operating systems or service packs. This service needs to be running for
    the application fixes to work.

Distributed Transaction Coordinator
    This service coordinates transactions that update two or more
    transaction-protected resources, such as databases, message queues, and
    file systems. These transaction-protected resources may be on a single
    computer or distributed across many networked computers.

DNS Client
    This service is used to resolve DNS domain names.

Event Log
    This service records events on the operating system by writing to one of
    three default logs that you can read in Event Viewer: the security,
    application, and system logs.

Net Logon
    This service verifies logon requests and controls domain-wide replication
    of the user accounts database.

Network Connections
    This service (also known as the Netman service) manages all network
    connections that are created and configured in Network Connections in
    Control Panel and is responsible for displaying network status in the
    notification area on the desktop.

Network Location Awareness (NLA)
    This service collects and stores network configuration information, such
    as changes to the names and locations of IP addresses and domain names.

Remote Procedure Call (RPC)
    This service is a secure inter-process communication (IPC) mechanism that
    enables data exchange and invocation of functionality that resides in a
    different process. That different process can be on the same computer, on
    the local area network (LAN), or across the Internet. The Remote Procedure
    Call service serves as the RPC Endpoint Mapper (EPM) and Service Control
    Manager (SCM).

Report Server (MSSQLSERVER)
    This service handles Simple Object Access Protocol (SOAP) and URL
    requests, processes reports, provides snapshot and report cache
    management, and supports and enforces security policies and
    authorization.

Security Accounts Manager
    This service maintains user account information, including groups to
    which a user belongs.

Microsoft SharePoint Timer Service
    This service handles scheduled jobs in Windows SharePoint Services.

Windows Management Instrumentation
    This service starts and stops the Common Information Model (CIM) Object
    Manager.

Windows Time
    This service (also known as W32Time) synchronizes the date and time for
    all computers running on a Windows Server 2003 network.

For more information about services and how they interact
with Team Foundation Server architecture, see Team Foundation Server Security Architecture.
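An added example (not part of the original topic) that inventories the services the application-tier table above requires, reporting state, start mode and the account each one runs as; the display names are copied from the table, and remote querying via WMI is an assumption about your environment.

```powershell
# Added example: verify the Windows services this topic lists as required on a
# Team Foundation Server application-tier server. Display names are taken from
# the table above; exact strings can differ between Windows versions, so treat
# a "Missing" result as something to confirm in services.msc, not as a fault.
$RequiredAppTierServices = @(
    'Application Experience Lookup Service',
    'Distributed Transaction Coordinator',
    'DNS Client',
    'Event Log',
    'IIS Admin Service',
    'Net Logon',
    'Network Connections',
    'Network Location Awareness (NLA)',
    'Remote Procedure Call (RPC)',
    'Security Accounts Manager',
    'Microsoft SharePoint Timer Service',
    'Windows Management Instrumentation',
    'Windows Time',
    'World Wide Web Publishing Service'
)

function Get-RequiredServiceState {
    param(
        [Parameter(Mandatory)][string[]]$DisplayNames,
        [string]$ComputerName = $env:COMPUTERNAME  # remote use assumes WMI/DCOM access
    )
    foreach ($displayName in $DisplayNames) {
        # Win32_Service returns state, start mode and logon account in one query;
        # StartName shows which account each required service runs as.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                             -Filter "DisplayName='$displayName'"
        [pscustomobject]@{
            DisplayName = $displayName
            Name        = if ($svc) { $svc.Name } else { $null }
            State       = if ($svc) { $svc.State } else { 'Missing' }
            StartMode   = if ($svc) { $svc.StartMode } else { $null }
            LogOnAs     = if ($svc) { $svc.StartName } else { $null }
        }
    }
}

# Show anything not running, then keep the full inventory for the audit trail.
$report = Get-RequiredServiceState -DisplayNames $RequiredAppTierServices
$report | Where-Object { $_.State -ne 'Running' } | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\tfs-apptier-services.csv" -NoTypeInformation
```

For a data-tier server, swap in the display names from the second table; the function is unchanged.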

See Also

Team Foundation Server Security
Architecture

Walkthrough: Setting up Team Foundation
Server with Secure Socket Layer (SSL)

Managing Team Foundation Server in an
Active Directory Domain

Managing Team Foundation Server in a
Workgroup

Managing Permissions

Managing Users and Groups

Source Control Security Rights and
Permissions

Team Foundation Source Control Overview

Managing Work Items
