On Friday, a security researcher unveiled a new attack vector against ASP.NET applications.  You can read more about it on Scott's blog or on the Microsoft Security Advisory.  Because TFS is based on ASP.NET, it is affected by the vulnerability.  The ASP.NET team is working hard on a fix and assures me a patch will be available soon.  In the meantime, they have recommended a set of configuration/application changes that can be made to eliminate the vulnerability.  Unfortunately, the provided steps don't work on all aspects of TFS (in part due to the level of ASP.NET behavior customization we have done).

To provide you an avenue to protect your TFS server, we have put together a document on changes you can make to your various ASP.NET-based TFS components.  The changes are not complicated, but they aren't as simple as changing a configuration setting either.  Further, some of the changes will make your TFS installation unserviceable (future patches from us won't apply properly), so you will need to undo these changes as soon as the "real" patch from the ASP.NET team has been applied.  Given all of this, you will need to make your own assessment about the cost/risk/benefit equation of trying to take these steps.

Numerous components of TFS and related services are affected by this vulnerability, including:

  • TFS Web Services
  • Team Web Access
  • TFS Proxy
  • SharePoint
  • Reporting Services

The document I have attached to this post covers all of these cases except Reporting Services.  The SQL team has not yet published a set of changes to work around the vulnerability in Reporting Services.  The attached document includes the necessary changes for TFS 2010, TFS 2008 and TFS 2005.  The link to the SharePoint changes is only referenced in the TFS 2010 section, but you should look at it no matter which version of TFS you are using.  Also, the TFS 2005 section does not include a section on the Proxy because it is the same as in the TFS 2008 section.

We're very sorry for the concern and difficulty this causes.  As I mentioned above, the ASP.NET team will be producing a more seamless fix very soon.

Brian