How to Secure Your Build Server

- J.D. Meier, Jason Taylor, Alex Mackman, Prashant Bansode

To secure your build server:
  1. Deploy build services on a separate server, rather than sharing a server with the Microsoft Visual Studio® 2005 Team Foundation Server (TFS) application-tier or data-tier.
  2. Grant the build process read/write access to the builds directory. Ensure that the account running the build is able to access this directory.
  3. Grant the build process read/write access to the build drop network share. Ensure that the account running the build is able to access this share.
  4. Ensure that the account used to run the team build is a member of the Team Project’s Build Services group.

To improve Team Foundation Server security, install the build server on its own computer rather than on the application tier or data tier. Certain deployment or build steps may require elevated privileges; for example, creating a virtual directory to deploy a Web application requires administrative rights on the build server, so the Microsoft Windows® account running the build must hold these rights. If the build computer is also the application tier, the build account then holds administrative rights on the application-tier server, which presents a security risk. Similarly, if the build computer is on the data tier, the build account could access and change the databases on that tier.

Note: For security reasons, do not add the account running the team build to the SERVER\Service Accounts group. Members of this group have full administration rights in TFS.
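
One way to check steps 2 and 3 is to read the NTFS ACL on the builds directory and on the drop share and confirm that the build account holds read/write rights there. The following PowerShell is an added example, not part of the original guidance; the function name `Test-BuildAccountAccess`, the account `CONTOSO\tfsbuild` and both paths are placeholders. It reads NTFS permissions only, so share-level permissions on the drop share and membership of the Build Services group still need to be checked separately.

```powershell
# Added example. The account name and both paths are placeholders (assumptions).
function Test-BuildAccountAccess {
    param(
        [Parameter(Mandatory)][string]$Path,     # builds directory or drop share (UNC)
        [Parameter(Mandatory)][string]$Account   # account that runs the team build
    )
    $needed      = [int][System.Security.AccessControl.FileSystemRights]'Read, Write'
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allowed = 0
    $denied  = 0

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Only ACEs that name the account directly are counted; rights that
        # reach the account through group membership are not resolved here.
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        # Inherit-only ACEs apply to child objects, not to the directory itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }

        if ($ace.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int]$ace.FileSystemRights
        } else {
            $denied = $denied -bor [int]$ace.FileSystemRights
        }
    }

    # A Deny entry overrides an Allow entry for the same right.
    $effective = $allowed -band (-bnot $denied)

    [pscustomobject]@{
        Path         = $Path
        Account      = $Account
        HasReadWrite = (($effective -band $needed) -eq $needed)
        Granted      = [System.Security.AccessControl.FileSystemRights]$effective
    }
}

# Placeholder locations: the builds directory and the build drop network share.
'D:\Builds', '\\fileserver\Drops' | ForEach-Object {
    Test-BuildAccountAccess -Path $_ -Account 'CONTOSO\tfsbuild'
}
```

A result with `HasReadWrite` set to `False` means no explicit entry for the account grants both read and write on that path; the access may still come from a group the account belongs to.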

Last edited Jul 26, 2007 at 6:46 AM by prashantbansode, version 1