Securing a Self Hosted Teamspeak Server

My teamspeak server recently got borked, so nows the perfect time to learn how to properly secure it.

The first step is to enable advanced permissions

Settings > Options
Application > Advanced System Permissions [enable]
Ok

You should now see a much larger tree structure when you view the server permissions. An almost overwhelming amount of permissions are actually available.

General Admin Group

Lets get into the server group permissions window.

Permissions > Server Groups

You should have something that looks very similar to the following:

Lets go ahead and copy the Server Admin groups, by right clicking Server Admin > Copy. Give it a name, I am using General Admin. Leave the two drop downs their default and hit ok.

Locking down group permissions

Now that the General Admin group has been added, lets go ahead and click on it. As the settings are now, a General Admin could break into any channel regardless of the permissions or passwords set on them. This is called the skip flag.

Client > Skip Channel Group Permissions [disable]
Channel > Access > Ignore Channel Passwords [disable]

Now lets change the permission power on the General Admin to have less power than you, the Server Admin group. Lets change their power level to 70 from 75.

Group > Modify > Permission Modify Power [70]
Group > Modify > Group Modify Power [70]
Group > Modify > Group Member Add Power [70]
Group > Modify > Group Member Remove Power [70]

Now the General Admin will be unable to add other people to the General Admin group, nor edit the group’s permissions. The Server Admin group is also safe.

Locking down channel permissions

We have to do similar changes to the channel permissions.

Channel > Channel Permission Modify Power [70]
Channel > Modify > Channel Modify Power [70]
Channel > Delete > Channel Delete Power [70]
Channel > Access > Channel Join Power [70]
Channel > Access > Channel Subscribe Power [70]
Channel > Access > Channel Description View Power [70]

The above permissions protect General Admin from messing with any channels you protect with the power level 71-75. You still want your General Admin to be able to create and edit channels generally however. Change the following permissions to enable that.

Channel > Access > Needed Channel Join Power [70]
Channel > Access > Needed Channel Subscribe Power [70]
Channel > Access > Needed Channel Description View Power [70]

Locking down individual permissions

You can manually change permissions on individuals, these will stick around even after you remove someone from a group. Lets tighen up another attack vector.

Group > Information > View List of Client Permissions [disable]

This single permission disables the entire individual Client Permissions for the General Admin

Kick and Ban permissions

If you don’t want your General Admin to be able to kick each other, change the following permissions.

Client > Admin > Client Kick From Server Power [70]
Client > Admin > Client Kick From Channel Power [70]
Client > Admin > Client Ban From Server Power [70]

Misc Permissions

I disable this permissions and only enable it on an individual basis. This is mainly used by bots.

Client > Modify > Create a QueryServer Account

Guest Permissions

These changes are for all the randos that might join your server and grief everyone. All changes in this section will be on the Guest group.

Whisper and General Griefing

This permission disables the ability to whisper everyone and anyone as long as you are still in the Guest group

Client > Basics > Client Whisper Power [-100]

Conclusion

Now you have a teamspeak server all setup, a General Admin group that can administrate your server without wrecking it on you.