Team Foundation Server for IT Professionals - Security: Part 1

My name is Jean-Luc David and I’m a Team System MVP. Damir has graciously given me the opportunity to post a series of blogs on Team Foundation Server for IT Pros. The topic is of particular interest to me because I’ve written a book on Team System. (Shameless plug: Professional Visual Studio 2005 Team System by WROX Press – coming to a bookstore near you and Amazon.com).

Visual Studio 2005 Team System is a software development lifecycle suite to help architects, developers, testers and project managers build software quickly and reliably. Peripherally, since Team System targets software developers, the last thing you would think about is the administrator or IT Professional. However, once you install the program you’ll soon realize that there is a great deal to be configured and administered. Here is a short list of the products that need to be supported in Team System:

  • Visual Studio 2005
  • Team Foundation Server
  • Team Foundation Server Proxy
  • Test Agent and Controller
  • Team Foundation Build
  • Team Explorer
  • SQL Server 2005
  • Windows SharePoint Services
  • SQL Server Reporting Services
  • Microsoft Office 2003
  • Internet Information Server 6.0
  • Windows Server 2003

Team Foundation Server is an important component of Team System, providing access to features such as version control, a SharePoint team portal, build engine, workflow management and reports. The client portion of the product (which includes the Team Editions for Software Architects, Developers and Testers and the Team Suite) is subject to standard desktop security and privileges. In this blog post, we’ll focus on Team Foundation Server security.

One of the requirements for installation is the creation of three user accounts: TFSSETUP, TFSREPORT and TFSSERVICE. There are two installation types: workgroup and domain. If you install in workgroup mode, you have to create the accounts on the Windows Server 2003 box. TFSSETUP must be an administrator account. TFSSERVICE is primarily used as the logon account by Team Foundation Server Windows services. TFSREPORT is used by SQL Server Reporting Services to administer the data sources. TFSSERVICE and TFSREPORT must not be administrator accounts; they are used as application pool identities and must have the “log on locally” right on the server. If you look at the Microsoft Forums (https://forums.microsoft.com), you’ll come to realize that the majority of issues that come up during installation are due to the misconfiguration of these core user accounts. I can vouch for this from my experience with clients.

For the whole scoop on these accounts, please refer to the Visual Studio Team Foundation Server Installation Guide (TFSInstall.chm) found on the Team Foundation Server media.
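As an added example (not part of the original post or of the installation guide), the following PowerShell sketch audits the account requirements described above. It assumes a workgroup install with local accounts named exactly TFSSETUP, TFSSERVICE and TFSREPORT, PowerShell 2.0 or later, and an elevated prompt on the server.

```powershell
# Added example: audit the TFS accounts against the requirements in the post.
# Assumption: local (workgroup) accounts with the names used in the post.
$expectAdmin = @{ 'TFSSETUP' = $true; 'TFSSERVICE' = $false; 'TFSREPORT' = $false }

function Get-LocalSid([string]$Name) {
    # Resolve MACHINE\Name to its SID string; throws if the account is missing
    $acct = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $Name)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Direct members of the local Administrators group (ADSI WinNT provider)
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# Export the user-rights assignments and pull the "log on locally" entry
$cfg = Join-Path $env:TEMP 'tfs-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
$holders = @()
if ($line) {
    # Entries are comma separated, written either as *SID or as a plain name
    $holders = @(($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') })
}
Remove-Item $cfg

foreach ($name in $expectAdmin.Keys) {
    try { $sid = Get-LocalSid $name } catch { $sid = $null }
    $isAdmin = $admins -contains $name
    # Only direct grants are visible here; a right inherited through a group
    # (for example the local Users group) is not resolved by this check.
    $direct = ($sid -and ($holders -contains $sid)) -or ($holders -contains $name)
    New-Object PSObject -Property @{
        Account            = $name
        Exists             = [bool]$sid
        IsAdmin            = $isAdmin
        AdminSettingOk     = ($isAdmin -eq $expectAdmin[$name])
        LogonLocallyDirect = $direct
    }
}
```

A row with `AdminSettingOk` set to `False` means the account's Administrators membership does not match the requirement stated above; `LogonLocallyDirect` set to `False` only means the right is not granted to the account by name, so check its group memberships before concluding it is missing.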

What is the security structure of Team Foundation Server? Team Foundation Server (also affectionately called TFS) has a layered approach to security. If you configure your security correctly and effectively, you will be able to consolidate and administer your users from one area (as opposed to all over the place). Team Foundation Server security can be looked at from this perspective:

  • Platform: This refers to Active Directory security in domain mode and Windows Server 2003 security in workgroup mode
  • Server: Security settings in Team Foundation Server
  • Project: Security settings in a Team Project
  • Feature: Granular security settings in various features such as version control, work item Areas and Iterations, build security and more
  • Portal and Report security: These are the odd features in the bunch. SharePoint Services and Reporting Services security must be configured separately.

In my next blog post, I’ll outline how you can consolidate the security from all these layers for easier and more effective administration. You might be wondering: why am I so interested and passionate about these topics? Well, first of all, I am currently writing a book which tackles a lot of these topics. Although I am a developer, I certainly haven’t forgotten about my IT Pro roots. Cheers!

 

--------------------------------------------------

 

Jean-Luc David is a Toronto-based software developer, lecturer, consultant and author. He is also President and Founder of the Toronto Windows Server User Group (https://www.twsug.com). He started several years ago as an IT Pro working as tech support and server admin for several companies in the GTA. Jean-Luc has recently been volunteering his time providing technical resources to the Oshawa French community centre (COFRD). He received the Microsoft Team System MVP award last October for his work within the technical community. Jean-Luc can be reached at jl@twsug.com. His blog is accessible at: https://weblogs.asp.net/jld/.