Sat

Reputation: 161

TFS 2010 Security

I know of a TFS 2010 server which i can connect to just by creating a TfsConfigurationServer, without setting any credentials.

using Microsoft.TeamFoundation.Client;
TfsConfigurationServer configurationServer = new TfsConfigurationServer(new Uri("address"));

After connecting, I am able to retrieve all the team project collections and corresponding team projects. Isn't this a security vulnerability? I am not sure, as I am new to the TFS API.

Will every TFS server allow listing the team projects like this? If this is a vulnerability, how do I fix it?

Upvotes: 0

Views: 220

Answers (1)

Edward Thomson

Reputation: 78743

It's probably not that you're not using any credentials; it's that you're not explicitly specifying any credentials. In this case, your logged-in user credentials will be used and you will be logged in without needing to type your username and password.

One of three things is probably happening:

  1. You are logged in to your workstation as a domain user. The TFS server you're connecting to is joined to a domain with a trust relationship to the domain that you're logged in to. Your domain user has appropriate permissions to connect and query the list of team project collections.

  2. There is no trust relationship between your computer and the TFS server, but you have an identical username/password configuration on your workstation and on the server. (I.e., you're using "shadow accounts" or "mirrored local accounts".) Your user on the TFS server has appropriate permissions to connect and query the list of team project collections.

  3. You have credentials saved for this host in Windows Credential Manager. Those credentials have appropriate permissions to connect and query the list of team project collections.

If one of these two things is not true, you would instead need to provide explicit username/password credentials to an account that has permissions to connect and query the list of team project collections.

It may be possible to turn on anonymous access in IIS and allow guest users access to list the project collections in TFS, but I don't know of anybody having done this. I've never tested this scenario myself.

In any case, if you're looking at a server that has this functionality enabled, it is indeed not the norm.

Upvotes: 2
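The practical way to settle the question in the original post is to ask the server which identity it actually authorized. The following is an added example (not code from the question or the answer above) against the TFS 2010 client API: it connects once with no explicit credentials, once with an explicit NetworkCredential, prints the identity each connection was authorized as, and enumerates the collections and projects that identity can see. The server URL, account name, password and domain are placeholders I made up for the example.

```csharp
// Added example: inspect which account an "uncredentialed" TfsConfigurationServer
// really connects as, and contrast it with an explicit-credential connection.
// Server URL, user name, password and domain below are assumed placeholders.
using System;
using System.Collections.ObjectModel;
using System.Net;
using Microsoft.TeamFoundation;
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Framework.Client;
using Microsoft.TeamFoundation.Framework.Common;

class TfsIdentityCheck
{
    static void Main()
    {
        Uri serverUri = new Uri("http://tfs.example.local:8080/tfs"); // assumed address

        // 1. No credentials passed: the client library falls back to the
        //    logged-on Windows identity (domain account, mirrored local account
        //    or a Credential Manager entry for the host, as the answer describes).
        TfsConfigurationServer implicitServer = new TfsConfigurationServer(serverUri);
        ReportIdentity(implicitServer, "implicit (default) credentials");

        // 2. Explicit credentials for a specific account (values are assumed).
        ICredentials explicitCreds = new NetworkCredential("svc_tfs_reader", "P@ssw0rd!", "CORP");
        TfsConfigurationServer explicitServer = new TfsConfigurationServer(serverUri, explicitCreds);
        ReportIdentity(explicitServer, "explicit NetworkCredential");
    }

    static void ReportIdentity(TfsConfigurationServer server, string label)
    {
        try
        {
            // Force the authentication handshake now instead of lazily on the
            // first web-service call, so a rejection surfaces here.
            server.EnsureAuthenticated();
        }
        catch (TeamFoundationServerUnauthorizedException ex)
        {
            Console.WriteLine("[{0}] rejected: {1}", label, ex.Message);
            return;
        }

        // AuthorizedIdentity is the account the server actually accepted. If the
        // "no credentials" connection from the question shows a real user here,
        // nothing anonymous happened: the caller's own token was used.
        Console.WriteLine("[{0}] authorized as {1} ({2})", label,
            server.AuthorizedIdentity.DisplayName,
            server.AuthorizedIdentity.UniqueName);

        ListCollectionsAndProjects(server);
    }

    static void ListCollectionsAndProjects(TfsConfigurationServer server)
    {
        // The catalog returns only the collections and projects the authorized
        // identity is permitted to read, so the listing doubles as a permission check.
        ReadOnlyCollection<CatalogNode> collectionNodes = server.CatalogNode.QueryChildren(
            new[] { CatalogResourceTypes.ProjectCollection }, false, CatalogQueryOptions.None);

        foreach (CatalogNode collectionNode in collectionNodes)
        {
            Guid collectionId = new Guid(collectionNode.Resource.Properties["InstanceId"]);
            TfsTeamProjectCollection collection = server.GetTeamProjectCollection(collectionId);
            Console.WriteLine("  collection: {0}", collection.Name);

            ReadOnlyCollection<CatalogNode> projectNodes = collection.CatalogNode.QueryChildren(
                new[] { CatalogResourceTypes.TeamProject }, false, CatalogQueryOptions.None);
            foreach (CatalogNode projectNode in projectNodes)
                Console.WriteLine("    project: {0}", projectNode.Resource.DisplayName);
        }
    }
}
```

Run the implicit branch from a workstation that is not domain-joined, has no mirrored account and no saved credential for the host; a TeamFoundationServerUnauthorizedException there, rather than a listing, is the expected and secure outcome. If it still lists collections, the printed identity will tell you whether the server is granting access to an anonymous or guest principal.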
