VSS Security Tip

When talking to my feature team, I often refer to "VSS security"--which basically consists of user rights and permissions--as "the façade". Forget what you know about tiered development and façade layers for a moment. I use the word façade quite literally. The security of a Visual SourceSafe database is only as good as the security of the physical folder or share in which it resides.

That being said, one of the easiest things you can do to improve the security of your VSS installation is to hide the network share(s) containing your database. You can do this by adding the '$' symbol to the end of the share name. I've never understood why the Windows team hasn't added an option like, "Hide this Share on the Network". Maybe they have and I've just missed it... Anyway, to hide a share from remote users in Windows XP and Windows .NET Server:

  1. Right-click the database folder, click Properties, and then select the Sharing tab.
  2. Click Do not share this folder and then click OK.
  3. Right-click the unshared database folder, click Properties, and then select the Sharing tab.
  4. Click Share this folder and in the Share name box, type the name of your share followed by a '$' symbol (e.g., VSSLibrary$), and then click OK.

Of course, if you hide your database shares, your users won't be able to find them on the network. Thus, when creating a new database or changing the name of an existing database share, you must tell your VSS users the exact path to the new database share so that they can add the database (in this case \\computername\VSSLibrary) to the list of Available databases in the Open SourceSafe Database dialog box.
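To check the result from the server side, the following added example (not part of the original post) lists each local share whose folder holds a VSS database, whether the share name ends in '$', and which broad groups can write to the folder, since hiding the share changes nothing about the folder's permissions. It assumes the database root is identified by its srcsafe.ini file and that built-in group names are in English; the function name Get-VssShareAudit is hypothetical.

```powershell
# Added example: audit local shares that expose a Visual SourceSafe database.
# Assumption: a VSS database root is recognised by the srcsafe.ini file in it.
function Get-VssShareAudit {
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify

    # Disk shares only: Type 0 is a normal disk share, 2147483648 an administrative one.
    $shares = Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Path -and ($_.Type -eq 0 -or $_.Type -eq 2147483648) }

    foreach ($share in $shares) {
        $marker = Join-Path -Path $share.Path -ChildPath 'srcsafe.ini'
        if (-not (Test-Path -LiteralPath $marker)) { continue }

        # Allow entries that give a broad built-in group Modify rights or more.
        # Assumption: English group names (Everyone, Users, Authenticated Users).
        $broad = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match '(^|\\)(Everyone|Users|Authenticated Users)$' -and
            ($_.FileSystemRights -band $modify) -eq $modify
        }

        [pscustomobject]@{
            Share            = $share.Name
            Path             = $share.Path
            Hidden           = $share.Name.EndsWith('$')   # hidden from network browsing only
            BroadWriteAccess = ($broad | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }
}

# Run on the machine that hosts the database share(s).
Get-VssShareAudit | Format-Table -AutoSize
```

A row with Hidden set to True and a non-empty BroadWriteAccess column is the façade case: the share no longer shows up when browsing, but anyone who knows the path still has write access to the database folder.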

We (the royal we) recently published a whitepaper on the subject of security and Visual SourceSafe. Kudos to Oded and Christine for driving that project to fruition. -Korby

This posting is provided "AS IS" with no warranties, and confers no rights. Microsoft cannot accept liability for the correctness and completeness of the content in this newsgroup.