What are risks related to providing external access to TFS - security

In our company we use TFS for issue tracking. For now we are thinking of creating a new project and making it accessible from outside the company network for one customer (we will create a separate user for that).
The biggest concern here is that we will create external access and it becomes potentially hackable.
Could you please share your own experience for this case?
Do you know any useful information to read about TFS security that is related to access from outside the network?
Thanks a lot. Any thoughts are welcome!

While you can technically put SSL on the TFS Web Services, the general best practice is to:
1) Require use of Team Explorer over a VPN connection
or
2) Implement Team System Web Access
Another thought would be to set up a TFS instance with a hosted TFS provider and then do some automation to provide work item replication. Do you intend the customer to be read-only, or will they update and submit?

Visual studio online IP restriction in VM not working

I want to provide/restrict access to resources based on IP from my Google Cloud VM to prevent my dev team downloading/uploading the code to public drives.
Everything is working fine up to now. But I want to provide access to Visual Studio Online TFS with my Outlook account.
I created a Visual Studio Online account for version control.
URL: https://eschooltest.visualstudio.com
Region: Canada Central
I came to know VS Online IPs are published every Wednesday, downloaded them from the below URL, and added these Canada Central IPs to the Google firewall with allow access.
https://www.visualstudio.com/team-services/support/ip-addresses-used-hosted-build/
But still I am not able to access the VS URL. I pinged this URL from the command prompt and found the IP is 13.107.6.175, which is not present in the Canada Central IP list and also not present in the whole IP list of all regions.
Can someone help to achieve the requirement? Or please let me know if there is an elegant way of doing this.
If this is not possible with VS Online, I am planning to set up TFS Express in another VM to prevent leaking of my code to the outside world, though this is cumbersome.
EDIT:
1. Why is this IP not present in the published XML?
VSTS does not offer any type of IP-based filter, so you can't do as in SQL Azure, where you add and/or remove IPs that can access the service on Azure. About this area take a look at this blog: Prevent users from accessing the VSTS out of the workplace
You should take a look at the official tutorial on how to Manage conditional access to VSTS:
Conditional access offers simple ways to help secure resources for VSTS accounts backed by an Azure Active Directory (AAD) tenant. Conditional access policies like multi-factor authentication can help protect against the risk of compromised credentials and help keep your organization's data safe. For example, in addition to requiring credentials, you can have a policy that only devices connected to a corporate network can gain access.
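The failure described in this question (an observed service address that no published range covers) is worth checking mechanically before blaming the firewall. The script below is an added example, not code from the thread or from any vendor: it parses a plain one-CIDR-per-line allowlist, refuses malformed lines instead of silently dropping them, and reports for each observed address which ranges cover it. The ranges in SAMPLE_ALLOWLIST are constructed and stand in for a downloaded list; 13.107.6.175 is the address the poster saw, and 40.85.200.10 is made up.

```python
"""Audit an IP allowlist: is each observed service address covered by a published range?

Added example, not code from the original thread. SAMPLE_ALLOWLIST is
CONSTRUCTED data standing in for a downloaded per-region list (one CIDR per
line); 13.107.6.175 is the address the poster observed, the other test
address is made up. Nothing here talks to the network.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample ranges in the style of a published list. They are NOT a
# real vendor allowlist; comments and blank lines are included on purpose so
# the parser is exercised on the kind of file a human maintains.
SAMPLE_ALLOWLIST = """\
# constructed sample allowlist (not a real published list)
13.71.160.0/19

40.85.192.0/18   # hypothetical region block
52.228.0.0/15
"""


def parse_allowlist(text: str) -> List[Network]:
    """Parse one CIDR (or bare host) per line; skip blanks and '#' comments.

    A malformed line raises ValueError with its line number instead of being
    silently dropped, because a dropped range becomes a hole in the firewall rule.
    """
    networks: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set in the prefix (e.g. 10.0.0.1/24)
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: not a valid CIDR: {line!r}") from exc
    return networks


def covering_ranges(ip: str, networks: Iterable[Network]) -> List[str]:
    """Return every allowlisted range that contains ip.

    An empty list means a firewall rule built from this allowlist would not
    admit traffic to or from ip, which is exactly the case the poster hit.
    """
    addr = ipaddress.ip_address(ip)
    return [str(net) for net in networks if addr.version == net.version and addr in net]


def audit(ips: Iterable[str], networks: Iterable[Network]) -> Dict[str, List[str]]:
    """Map each observed address to the ranges covering it (empty = uncovered)."""
    nets = list(networks)  # the iterable may be consumed more than once
    return {ip: covering_ranges(ip, nets) for ip in ips}


if __name__ == "__main__":
    allowlist = parse_allowlist(SAMPLE_ALLOWLIST)
    report = audit(["13.107.6.175", "40.85.200.10"], allowlist)
    for ip, ranges in report.items():
        status = "covered by " + ", ".join(ranges) if ranges else "NOT covered"
        print(f"{ip}: {status}")
```

Run as-is it reports 13.107.6.175 as NOT covered and 40.85.200.10 as covered by 40.85.192.0/18. A NOT covered result for an address the service actually resolves to means the list you built the rule from does not describe every endpoint the client reaches, so an IP-based egress rule will keep failing in exactly the way the question describes; that is the practical reason the answer above steers toward conditional access on the identity side rather than an IP allowlist.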

Azure - Access to non-administrator users

We're using Azure to maintain our development and QA servers.
One of the needs we have now is to provide our QA members access to update the web.config file on the server, which can be achieved via Visual Studio's Server Explorer (with the right configuration).
The problem is that you need a user with a subscription as a co-administrator within Azure (at least as far as I managed to understand), but obviously we'd like to allow our QA members only to maintain the files, with limited access via Visual Studio.
Is there any way to do it?
Following Brendan's advice, I've granted the QA members FTP access. This should do the job for now, until Microsoft comes up with something better :)
Thanks Brendan!

Why do I need to create Multiple SSPs

Why do I need to create Multiple SSPs in MOSS?
My manager (SharePoint administrator) asked me to create another SSP which he wanted to use for top management users. He didn't tell me what the reason for it was.
I was wondering in what scenarios we need to create multiple SSPs. Any ideas?
Very vague question, please add more info!
And as a general answer, you don't need to; the concept is to share the services under the SSP between multiple web applications. What scenario do you have that needs more than one?
Edit after question update:
An SSP hosts the services that will be used (consumed) by any associated web applications. These services include:
Profiles
Audiences
Business Data Catalog Connections
Search and Indexing
Single Sign On
Excel Services
Usage Reporting
So if your manager won't actually have something special on any of those services, I don't see a reason to do it. We had a customer once that needed the entire MySite and profiles customized, so we created an SSP just for that one web application.

SharePoint deployment with Exchange 2007

I am planning to deploy a single-server Exchange 2007 configuration and I'd like to also start using SharePoint for collaboration. What would the recommended deployment scenario be to accomplish this [SharePoint will also run on its own server] to allow use of OWA + SharePoint sites both as public resources as well as a common space for document sharing etc., from inside and outside the LAN?
I am just trying to visualize, but what I would like to do is:
1) Run an internal Exchange 2007 server
2) Run an internal SharePoint 2007 server
3) Have a server which is NAT'd to the outside (for OWA and SharePoint access) running the Exchange 2007 CAS role <- but I'm not too sure if this is needed; however, I basically want to expose my OWA and SharePoint services using a single [external] IP.
I hope I am making myself clear - I'd just like some guidance regarding the recommended configuration for what I explained above.
I'm not clear on a couple of things. Specifically, what you mean when you say you want to allow the use of SharePoint sites both as public resources as well as a common space for document sharing.
I take this to mean one of two scenarios: (a) you want your internal users to be able to access SharePoint document libraries once they have logged in successfully to OWA, or
(b) you want to make the sites available to the public in some type of extranet scenario.
Option B opens up a whole lot of unanswered questions re: authentication as well as licensing. Hoping this is not what you want to do.
Option A is a little simpler. I can only talk generally, as my experience is SP only, and this really is (as I understand it) more of an Exchange configuration issue. I believe you have to involve an ISA server for the OWA deployment. Connection to SP is pretty straightforward and well documented in TechNet.
What you get is access to the document libraries on SP sites that the user has access to. It's not the full SP site. But 90% of the time, that is sufficient.
My other piece of information is that, in order to do this, your end users must be accessing OWA via IE. Any other browser will pull up OWA "lite", which doesn't support the connection from OWA to SP.
If I'm way off, please post more details, and we can try again.

Tips on setting up internet facing WSS 3.0 site without Active Directory

We're trying to set up an internet-facing WSS 3.0 site without Active Directory. We have a single WFE and a single SQL Server (2005). The WFE will be outside our DMZ.
We've successfully created the Central Admin site with a local admin account on the WFE and a separate account on the SQL Server for the database, but we're stuck on setting up the WSS search capability.
I couldn't seem to get things to work when using Central Admin to start the WSS Search service. I'm thinking I'll need to use stsadm -spsearch to set up the WSS search manually, rather than using the menus in Central Admin.
Does anyone have any tips and/or resources they recommend?
You want to set up your WSS3 site using Forms Based Authentication, with an ASP.NET SQL Membership Provider and a backend database.
Microsoft has a very nice guide on MSDN.
I followed this guide when attempting something similar. It explains how to allow forms-based and AD authentication on the same site, but you could just follow the parts that explain how to set up forms-based authentication.
This also includes changing the web.config file for central administration so that it can access the SQL database used to store users for forms based authentication.
It is very easy to follow.
We're looking for the same... rather, we have a separate AD for our DMZ; however, for the extranet, we would like to use it without AD accounts. May I ask what you've come up with so far?
I have seen posts talking about local machine accounts, but we do have 2 app servers and realize the maintenance involved to keep them in sync if we use local machine accounts. I swore I saw a 3rd party tool that would allow users to be added into their own DB and managed through their web part/portal, but I can't seem to find it now.