Note that since TeamCity 2017.2 the TeamCity Windows installer modifies permisisons of the TeamCity installation directory not to use inheritable permissions and explicitly grants access to the directory to the Administrators user group and the accrount under which the service is configured to run.
It is strongly recommended to restrict permissions to the TeamCity Data Directory in the same way.
Additional security-realted settings
Consider adding the
"teamcity.installation.completed=true" line into the
<TeamCity Home Directory
>\conf\teamcity-startup.properties file - this will prevent the server from creating an administrator user if no such user is found
Project administrator can run arbitrary code on the server: https://youtrack.jetbrains.com/issue/TW-50054 To workaround one can add the following properties: teamcity.hg.customClonePathEnabled=false teamcity.hg.customHgPathEnabled=false teamcity.hg.customConfigEnabled=false teamcity.git.customClonePathEnabled=false teamcity.server.git.executable.path=git //??? teamcity.perforce.customP4Path=p4 teamcity.hubPlugin.export.options.enabled=true //???