[cvsnt] Advice on preferred protocol for internet deployment of CVSNT

Luigi D. Sandon mailbox at sandon.it
Thu Mar 8 09:06:38 GMT 2007

> They have a hosted web server that's reasonably well backed up and on a
> The project sponsor is concerned about theft of his source code, and

I won't host a repository on the same machine acting as a web server, if 
concerned about code theft. A web server opens an attack surface - you can 
harden the CVS protocol as you like, but if the web server or a web 
application is compromised, and the attacker gains access to the file system 
with enough privileges, your code could be gone anyway.

>adding a domain controller or joining the server into an existing domain
>have been ruled out for paranoia reasons.

May be correct. Usually is better that machines in perimeter networks (i.e. 
DMZs) are not part of a domain in internal networks - many ports have to be 
opened in a firewall to make AD work, and a compromised machine may have 
access to too many domain resources - anyway they become a bridgehead for 
further attacks. Usually they have their own domain, or are configured as 
standalone servers. In Windows 2000 and 2003, the domain *is not* a security 
boundary. The forest is.

> They also have 3 people who need access to this repository

Given the small number of people needing access, IMHO you don't need a 
public machine. I would put the repository on a machine in the company's 
internal network and use a VPN to access it. On the Internet side the CVS 
protocol used is irrelevant, the VPN itself encrypts the transmission.


More information about the cvsnt mailing list