If you are still using TFS 2012, TFS 2013's inclusion of Release Management for Visual Studio 2013 is a compelling reason to upgrade.  Previously, we've been able to automate deployment processes off the back of TFS Build Events - which has been fine for development and test environments, but often falls short when we want to automate deployment into UAT or production - where environments are governed and locked down.

RM allows you to define paths that represent your stages from development to production, and run specific actions to deploy your application at each stage.  For an overview of what RM is capable of start here: http://www.visualstudio.com/explore/release-management-vs and to get started with using it begin here: http://www.visualstudio.com/en-us/get-started/manage-your-release-vs

Now one scenario you might want to implement is to lock down configuration parameters for different environments (or stages) within RM eg. Allow developers to still change parameters within the development stage, but not within QA or Prod.  Thankfully, RM has a granular security model built right in, whereby you define groups based on restrictions you want to enforce: http://msdn.microsoft.com/en-us/library/dn594436.aspx#control_access

In the below example, I configure RM security to allow the "Ops Team" permission to change the parameters of actions only within the "Dev" stage only as per:

To achieve this, the Everyone group within RM was setup as:

And the Release Template was setup with the following security:

I then ensured that my developer (Julia in this example) was a member of only the "Ops Team"

I then tweaked the "Ops Team" security, removing the "All Stages" and adding in on the "Dev" stage:

So, to sum up, the security of environments is controlled by the Group Security Stages (as per the above screenshot).  Release Management improves the process of managing the release of your applications, deploying your application to specific environments and managing the steps in the process with approvals for each step - whilst at the same time allowing you fine grained security along the way.