Security Best Practices


Security is an ongoing process, and best practices will obviously change over time. However, you should always keep some basic security principles and ideas in mind when dealing with Team Foundation Server and other servers in general. It is important to note that Team Foundation Server ships out of the box with secure defaults, and you should not modify how Team Foundation Server communicates between its different tiers without good reason.

First, you should never use SQL Server Authentication to connect between Team Foundation Server and the data tier, nor should you use it to connect between Windows SharePoint Services and the data tier. When using SQL Server Authentication, the username and password are not encrypted as they are sent from one server to another. This could allow someone snooping on your network to access this information. With Windows integrated authentication, the identity of the IIS application pool is used in the authentication process, and a password is never sent over the wire.

Second, you should always make sure your servers are up to date with the latest patches, for both the operating system and any applications that are running on the server. If you have a patch management system in place at your organization, you can use that to make sure your servers have the latest updates. Otherwise, you should visit the Windows Update site regularly to make sure you obtain the latest security updates. In addition, you should visit the Visual Studio Team System Web site at http://msdn.microsoft.com/vstudio/teamsystem to see whether there are any new patches or security updates for Team Foundation Server. You should also make use of Microsoft Virtual PC and Virtual Server to create an image that is identical to your Team Foundation Server setup. This allows you to test any changes or patches before applying them to a production environment.

Finally, you should have some system in place for auditing and testing the security settings on your Team Foundation Server. You should monitor the Windows event logs to look for any errors or suspicious activity.

Important

When you create a new Team Foundation Server group, you should thoroughly test the group to make sure it cannot access any areas of the Team Foundation Server for which you have not planned.

Team Foundation Server has a database called TFSActivityLogging, where Team Foundation Server can track the activity against the server. Activity logging must be turned on explicitly. On the Team Foundation Server, go to Program Files\Microsoft Visual Studio 2005 Team Foundation Server\Web Services and open the web.config file. The <appSettings> tag contains the following key: <add key="commandLogging" value="None"/>. To enable activity logging, change the value to one listed in the following table:


Value         Which Means
-----         -----------
None          No logging
OnError       Log Web methods that encounter errors
ReadWrite     Log Web methods that change the databases
Normal        All of the above, as well as any Web methods that do not change the databases
Lightweight   All of the above, as well as any Web methods that have minimal database access
All           All of the above, as well as any Web method request details if available

After you make the change, commands against the Team Foundation Server will be logged. To query the information in the database, open SQL Server Management Studio and run queries against the TFSActivityLogging database. In its simplest form, a query could just be:

 select * from tbl_Command 

You can also get more detailed with your queries, as needed. This could be a great source of information concerning how your Team Foundation Server is being used. Be aware, however, that turning on logging will require some resources from your server, so you might see a slight performance decrease.
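
As an added example (not from the book), the following T-SQL shows the kind of more detailed audit query you might run against tbl_Command. The column names (IdentityName, IPAddress, Application, Command, Status, StartTime), the use of UTC for StartTime, and the reading of a nonzero Status as a command that did not complete successfully are assumptions; check them against the table's actual schema before relying on the results.

```sql
-- Added example, not part of the original text.
-- Assumed columns: IdentityName, IPAddress, Application, Command, Status, StartTime.
-- Confirm them first with:  EXEC sp_columns 'tbl_Command';
USE TFSActivityLogging;

-- 1) Who called the server in the last 7 days, from which address,
--    and how many of those calls ended with a nonzero Status.
--    Assumption: StartTime is stored in UTC and Status = 0 means success.
SELECT
    IdentityName,
    IPAddress,
    COUNT(*)                                     AS Commands,
    SUM(CASE WHEN Status <> 0 THEN 1 ELSE 0 END) AS NonZeroStatus,
    MIN(StartTime)                               AS FirstSeen,
    MAX(StartTime)                               AS LastSeen
FROM tbl_Command
WHERE StartTime >= DATEADD(day, -7, GETUTCDATE())
GROUP BY IdentityName, IPAddress
ORDER BY NonZeroStatus DESC, Commands DESC;

-- 2) Which Web methods each identity is failing on most often.
--    A burst of failures for one identity right after a new
--    Team Foundation Server group is created is worth reviewing
--    against the permissions you intended that group to have.
SELECT TOP 20
    IdentityName,
    Application,
    Command,
    COUNT(*)       AS Failures,
    MAX(StartTime) AS LastFailure
FROM tbl_Command
WHERE Status <> 0
  AND StartTime >= DATEADD(day, -7, GETUTCDATE())
GROUP BY IdentityName, Application, Command
ORDER BY Failures DESC;
```

With commandLogging set to OnError only failing Web methods are recorded, so the first query's Commands count is meaningful only at ReadWrite or a more verbose level.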



Professional Team Foundation Server
ISBN: 0471919306
EAN: 2147483647
Year: 2004
Pages: 168
