Important: This document may not represent best practices for current development, and links to downloads and other resources may no longer be valid. The current recommended version can be found here.
Reviewing Security Considerations
Before you deploy Visual Studio Team System for your team or organization, you should review the following security guidelines. Following them helps your configuration operate smoothly and consistently, and helps protect the integrity of your data.
Enabling Access to Ports Used by Team Foundation Server Components
The various components of Team Foundation Server use different ports to talk with each other. These ports must be unblocked by firewalls for Team Foundation Server to work correctly.
The number of computers that you will have to review depends on the server topology you chose for your installation. For more information, see.
Client Computers and the Team Foundation Application Tier
The client tier consists of the instances of Visual Studio Team System that communicate with Team Foundation Server. This is where developers, testers, architects and managers perform work on their projects and track progress. The Team Foundation Server application tier responds to client requests.
A client must be able to reach port 80 on the application-tier server for reporting and for accessing the project portal. It must also be able to reach port 8080, the port used by the application-tier server for the Web services that maintain the project on the data-tier server.
The Team Foundation Data Tier
The Team Foundation Server data tier contains the instance of SQL Server that stores the actual project data. This includes all project metadata, all source code files, and all project work products.
The Team Foundation Server application tier communicates by default with the Team Foundation Server data tier using SQL Server TCP port 1443 and UDP port 1444.
For more information about communication between the Team Foundation tiers, see.
A build computer is a computer dedicated to building the latest version of a project managed by Team Foundation Server. For security reasons, the computers on the application and data tiers should never be used as build computers. A client computer on the client tier, however, can safely be used in this capacity.
The Team Foundation Server application tier communicates with the build computers on port 9191, which is the port assigned to .NET Remoting.
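The port requirements above are easy to lose track of across several firewalls. The following is an added example, not part of the original document, that encodes the tier-to-tier flows listed here and reports which ones a constructed firewall allow list fails to cover; the rule format and tier names are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One tier-to-tier network flow that Team Foundation Server needs."""
    src: str      # originating tier or role
    dst: str      # destination tier or role
    proto: str    # "tcp" or "udp"
    port: int
    purpose: str


# Flows as listed in the text above; port numbers are taken from the page as written.
REQUIRED_FLOWS = (
    Flow("client", "app-tier", "tcp", 80, "reporting and project portal"),
    Flow("client", "app-tier", "tcp", 8080, "Team Foundation Web services"),
    Flow("app-tier", "data-tier", "tcp", 1443, "SQL Server"),
    Flow("app-tier", "data-tier", "udp", 1444, "SQL Server"),
    Flow("app-tier", "build", "tcp", 9191, ".NET Remoting to build computer"),
)


def parse_rules(text):
    """Parse allow rules in the constructed form 'src dst proto port'.
    Blank lines and '#' comments are skipped; returns (src, dst, proto, port) tuples."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, port = line.split()
        allowed.add((src, dst, proto.lower(), int(port)))
    return allowed


def missing_flows(allowed, required=REQUIRED_FLOWS):
    """Return the required flows that no allow rule covers, in page order."""
    return [f for f in required if (f.src, f.dst, f.proto, f.port) not in allowed]


# Constructed sample allow list that forgot the Web services port and the SQL UDP port.
SAMPLE_RULES = """
client    app-tier   tcp 80     # portal and reporting
app-tier  data-tier  tcp 1443   # SQL Server
app-tier  build      tcp 9191   # .NET Remoting
"""

if __name__ == "__main__":
    for f in missing_flows(parse_rules(SAMPLE_RULES)):
        print(f"missing: {f.src} -> {f.dst} {f.proto}/{f.port} ({f.purpose})")
```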
There are two basic types of user accounts in Team Foundation Server: Windows users and groups, and Team Foundation Server users and groups. Team Foundation Server users and groups can be either global to the server, or specific to a given project.
For more information about how to configure authentication for the various components of a Team Foundation Server installation, see.
Configuring Server for Workgroup Usage
You can configure Team Foundation Server to run in a workgroup. In this case, users can use local computer accounts to access the server. Teams running their server in a workgroup must co-locate the application and data tiers on the same computer.
Securing File Transfers
File transfers for all source control operations are accomplished using HTTP. All files are stored inside SQL Server. It is assumed that there is sufficient virus protection on the client, and that all files are scanned for viruses on the client.
The only way to remove an infected file from Team Foundation Server is to directly remove all infected versions from SQL Server. For more information about how to remove infected files, see.
Build Computer Security
The build computer must run under a designated user account assigned to the Build Services group, which has permissions in Team Foundation Server to manage build projects. Both the MSF for Agile Software Development and MSF for CMMI Process Improvement process methodologies pre-define such a group, and pre-configure it with the appropriate permissions. For more information about how to configure build computers, see.
When you configure a build computer, you specify a drop location for the built product. The user account under which the build runs must have permissions to read from and write to this drop location.
Web Service Security
All access to Web Services is secured through Team Foundation Server group permissions and through IIS.