How can we protect data in VSTS from access via the API?
Context: We have a VSTS account https://blahblahblah.visualtudio.com We have configured it to block outside access by using Azure Premium conditional access and specifying the public IPs of our work network. So interactive access is blocked from clients outside the internal network.
But this does not block Personal Access Tokens (PATs). Nor do I see a setting to disable or block use of PATs. PATs can allow access to most of the data in our VSTS account via the REST API. Without a mechanism like the Azure AD Premium conditional access (whitelist), anyone in the world could access or modify our data by merely stealing a PAT. This seems like a huge security hole to me. Am I missing a control for that vulnerability?
Ideally, we would have a whitelist in VSTS instead of having to rely on Azure AD Premium. then the VSTS service would block both interactive and API calls that did not originate in our designated safe locations. But that does not exist so far as I know.
So, how can we protect our data from users out in the world who might access our account data via the API path and a stolen PAT?
You can disable Basic Authentication and Alternate Credentials, but that will also disable a few features on VSTS (like SSH Git and Git access from some tools that don't support the OAuth workflow).
Personal Access Token cannot be disabled this way unfortunately. Though you could have people limit the scope to their tokens and have them only create limited time tokens.
It's likely that in the future the integration with AAD will be tighter and will be able to check AAD Conditional Access.
Another important note: Once the user has logged on using AAD, they can take their laptop/device with them to another location. As long as the AAD authentication is still valid, they will not be blocked access from the other location. Conditional Access is checked upon login and renewal of the token in the case of VSTS as far as I know.
Right now only due diligence on the side of your users can prevent unauthorized access to your account. Have them treat their PAT the same way as they treat other important secret information. Use short duration PAT's, limit their scope to only what is needed and store them securely, in a Password vault like Lastpass or Keepass.
PS: in a cloud world where machines regularly get new IP addresses assigned and where IPv6 will make it harder to single out groups of machines, pure IP restrictions are not the way to keep your data safe. IP is also one of the things that is relatively easily spoofed or hidden.
- How to run a Trivy scan on Windows?
- Hash Functions which are used and more popular
- So, just what are Windows Atom tables for?
- Use of a broken or risky cryptographic algorithm encryption algorithm. base64EncodedString should not be used
- Mitigating vulnerability in runtime libraries
- What is the meaning of 'self' blob:?
- I need to add new custom ROLE in a symfony 2 to manage the permission in the SONATA Bundle
- Block API access for any other resource except Frontend
- Use of Initialization Vector in openssl_encrypt
- Symfony2 extending DefaultAuthenticationSuccessHandler
- How do I create a self-signed certificate for code signing on Windows?
- .NET Core 2.0 User Secrets and Unit Testing
- How to sign my app as "Identified Apple developer"?
- Does Neo4j AuraDB (GCP managed service) have CMEK support?
- MALICIOUS_CODE EI_EXPOSE_REP Medium
- What TargetName to use when calling InitializeSecurityContext (Negotiate)?
- Spring Boot 3 + Spring Security 6 => 403 Forbidden with "requestMatchers"
- Password hashing, salt and storage of hashed values
- Salt Generation and open source software
- Secure Memory Allocator in C++
- Securing JWT tokens against attackers
- How to deal with a slow SecureRandom generator?
- CryptographicException: Access denied - How to give access on User store?
- Implementing Custom Expression Handling with Spring Security 6
- Restricting access to static files in Django/Nginx
- Does RabbitMQ allow Audit Logging
- Powershell Set-MpPreference -DisableRealtimeMonitoring $true not working correctly
- Why are iframes considered dangerous and a security risk?
- Secure Google Cloud Functions http trigger with auth
- How do I get the currently loggedin Windows account from an ASP.NET page?