Team Foundation Server Security Concepts
To help secure Team Foundation Server, you must understand how Team Foundation Server works and how it communicates with other Team Foundation components. A Team Foundation Server administrator should be familiar with Windows authentication, network protocols and traffic, and the structure of the business network on which Team Foundation Server is installed. The administrator should also have an understanding of Team Foundation Server groups and permissions.
Understanding Team Foundation Server Security
Team Foundation Server security concepts fall into three general categories: topology, authentication, and authorization. Topology includes where and how Team Foundation servers are deployed, the network traffic that passes between Team Foundation Server and Team Foundation clients, and the services that must run on Team Foundation Server. Authentication includes the determination of the validity of Team Foundation Server users, groups, and services. Authorization includes the determination of whether valid Team Foundation Server users, groups, and services have the appropriate permissions to perform actions. Also, you must consider Team Foundation Server dependencies on other components and services in order to optimize the security of Team Foundation Server in the network.
When you consider Team Foundation Server security, you must understand the difference between authentication and authorization. Authentication is the verification of the credentials of a connection attempt from a client, server, or process. Authorization is the verification that the identity that is attempting to connect has permissions to access the object or method. Authorization always occurs after successful authentication. If a connection is not authenticated, it fails before any authorization checking is performed. If authentication of a connection succeeds, a specific action might still be disallowed because the user or group did not have authorization to perform that action.
Team Foundation Server Topologies, Ports, and Services
The first element of Team Foundation Server deployment and security is whether the components of your Team Foundation deployment can connect to one another in order to communicate. Your goal is to enable connections between Team Foundation clients and Team Foundation Server, and limit or prevent other connection attempts.
Team Foundation Server depends on certain ports and services in order to function. These ports can be secured and monitored to meet business security needs. Depending on your Team Foundation deployment, you must allow for Team Foundation Server network traffic to pass between Team Foundation clients, the servers that host the logical components of the Team Foundation application-tier and data-tiers, Team Foundation Build build computers, and remote Team Foundation clients using Team Foundation Server Proxy. By default, Team Foundation Server is configured to use HTTP for its Web services. For a full list of Team Foundation Server ports and services and how they are used within Team Foundation Server architecture, see Team Foundation Server Security Architecture and Team Foundation Server, HTTPS, and Secure Sockets Layer (SSL).
You can deploy Team Foundation Server in an Active Directory domain or in a workgroup. Active Directory provides more built-in security features than workgroups that you can use to help secure your Team Foundation Server deployment. For example, you can configure Active Directory to disallow duplicate computer names so that a malicious user cannot spoof the computer name with a rogue Team Foundation Server. To reduce the effect of the same kind of threat in a workgroup, you would have to configure computer certificates. For more information about Team Foundation Server in an Active Directory domain, see Managing Team Foundation Server in an Active Directory Domain. For more information about Team Foundation Server in a workgroup, see Managing Team Foundation Server in a Workgroup.
There are some topology constraints on Team Foundation Server deployments regardless of whether you deploy Team Foundation Server in a workgroup or a domain. For more information about topologies for Team Foundation Server, see Team Foundation Server Topologies, Understanding SharePoint Products and Technologies, and Understanding SQL Server and SQL Server Reporting Services.
Team Foundation Server fully supports the use of the Kerberos security protocol. You can configure Team Foundation Serverto support Kerberos for mutual authentication of both the client and the server after you install Team Foundation Server.
Authentication
Team Foundation Server security is integrated with and relies upon Windows integrated authentication and the security features of the Windows operating system. You can use Windows integrated authentication to authenticate accounts for connections between Team Foundation clients and Team Foundation Server, for Web services on the logical Team Foundation Server application-tier and data-tier servers, and for connections between Team Foundation application-tier servers and data-tier servers themselves.
You should not configure any SQL database connections between Team Foundation Server and Windows SharePoint Services to use SQL Server Authentication. SQL Server Authentication is less secure. When you connect to the database, the username and password for the database administrator account are sent from server to server in unencrypted format. Windows integrated authentication does not send the user name and password. Instead, it transfers service account identity information associated with the host Internet Information Services (IIS) application pool to SQL Server using Windows integrated authentication security protocols.
Team Foundation Server Authorization
Team Foundation Server authorization is based on Team Foundation users and groups, and the permissions assigned directly to both those users and groups and permissions those users and groups might inherit by belonging to other Team Foundation Server groups. Team Foundation users and groups can be local users or groups, Active Directory users and groups, or both.
Team Foundation Server is preconfigured with default groups at the server-level and the project-level. You can populate these groups by using individual users. However, for ease of management, you might want to populate these groups by using Active Directory security groups. This method enables you to manage group membership and permissions more efficiently across multiple computers.
Your specific deployment might require that you configure users, groups, and permissions on multiple computers as well as within several applications. For example, if you want to include reports and project portals as part of your deployment, you must configure permissions for users and groups in SQL Reporting Services, Windows SharePoint Services, and within Team Foundation Server. On Team Foundation Server, permissions can be set on a per-project basis and on a server-wide basis. Additionally, certain permissions are granted by default to any user or group added to Team Foundation Server, as that user or group is automatically added to Team Foundation Valid Users. For more information about how to configure permissions, see Managing Permissions. For more information about Team Foundation Server users and groups, see Managing Users and Groups.
Besides configuring permissions for authorization in Team Foundation Server, you might need authorization within source code control and within work items. These permissions are managed separately at the command line, but are integrated as part of the Team Explorer interface. For more information about source control permissions, see Team Foundation Version Control. For more information about work item customization, see Working with Team Foundation Work Items.
Team Foundation Server Dependencies
Besides its own services, Team Foundation Server requires certain Windows and other application services on its application-tier and data-tier servers. The following table details the required services on servers that host the logical Team Foundation application-tier.
Service name |
Description |
---|---|
Application Experience Lookup Service |
This service is part of an infrastructure that lets you apply fixes to applications to make sure that they run on newly released Windows operating systems or service packs. This service must be running for the application fixes to work. |
Distributed Transaction Coordinator |
This service coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, and file systems. These transaction-protected resources may be on a single computer or distributed across many networked computers. |
DNS Client |
This service is used to resolve DNS domain names. |
Event Log |
This service records events on the operating system by writing to one of three default logs that you can read in Event Viewer: the security, application, and system logs. |
IIS Admin Service |
This service manages the IIS metabase. |
Net Logon |
This service verifies logon requests and controls domain-wide replication of the user accounts database. |
Network Connections |
This service (also known as the NetMan service) manages all network connections that are created and configured in Network Connections in Control Panel and is responsible for displaying network status in the notification area on the desktop. |
Network Location Awareness (NLA) |
This service collects and stores network configuration information, such as changes to the names and locations of IP addresses and domain names. |
Remote Procedure Call (RPC) |
This service is a secure inter-process communication (IPC) mechanism that enables data exchange and invocation of functionality that resides in a different process. That different process can be on the same computer, on the local area network (LAN), or across the Internet. The Remote Procedure Call service serves as the RPC Endpoint Mapper (EPM) and Service Control Manager (SCM). |
Report Server (MSSSQLSERVER) |
This service handles Simple Object Access Protocol (SOAP) and URL requests, processes reports, provides snapshot and report cache management, and supports and enforces security policies and authorization. |
Security Accounts Manager |
This service maintains user account information that includes groups to which a user belongs. |
Windows Management Instrumentation |
This service starts and stops the Common Information Model (CIM) Object Manager. |
Windows Time |
This service (also known as W32Time) synchronizes the date and time for all computers that are running on a Windows Server 2003 network. |
World Wide Web Publishing Service |
This service is a user-mode configuration and process manager that manages the IIS components that process HTTP requests and run Web applications and periodically checks Web applications to determine whether they have stopped unexpectedly. |
The following table details the required services on servers that host the logical Team Foundation data-tier.
Service name |
Description |
---|---|
Application Experience Lookup Service |
This service is part of an infrastructure that lets you apply fixes to applications to make sure that they run on newly released Windows operating systems or service packs. This service must be running for the application fixes to work. |
Distributed Transaction Coordinator |
This service coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, and file systems. These transaction-protected resources may be on a single computer or distributed across many networked computers. |
DNS Client |
This service is used to resolve DNS domain names. |
Event Log |
This service records events on the operating system by writing to one of three default logs that you can read in Event Viewer: the security, application, and system logs. |
Net Logon |
This service verifies logon requests and controls domain-wide replication of the user accounts database. |
Network Connections |
This service (also known as the NetMan service) manages all network connections that are created and configured in Network Connections in Control Panel and is responsible for displaying network status in the notification area on the desktop. |
Network Location Awareness (NLA) |
This service collects and stores network configuration information, such as changes to the names and locations of IP addresses and domain names. |
Remote Procedure Call (RPC) |
This service is a secure inter-process communication (IPC) mechanism that enables data exchange and invocation of functionality that resides in a different process. That different process can be on the same computer, on the local area network (LAN), or across the Internet. The Remote Procedure Call service serves as the RPC Endpoint Mapper (EPM) and Service Control Manager (SCM). |
Security Accounts Manager |
This service maintains user account information that includes groups to which a user belongs. |
SQL Analysis Server (MSSQLSERVER) |
This service creates and manages OLAP cubes and data mining models. |
SQL Server FullText Search (MSSQLSERVER) |
This service creates full text indexes on content and enables full text search on work items. |
Windows Management Instrumentation |
This service starts and stops the Common Information Model (CIM) Object Manager. |
Windows Time |
This service (also known as W32Time) synchronizes the date and time for all computers that are running on a Windows Server 2003 network. |
See Also
Concepts
Team Foundation Server Security Architecture
Managing Team Foundation Server in a Workgroup
Team Foundation Version Control
Working with Team Foundation Work Items
Other Resources
Managing Team Foundation Server in an Active Directory Domain