Home Library Learn Samples Downloads Support Community Forums
MSDN Library
Development Tools and Languages
Visual Studio .NET
Articles and Columns
General Articles
.NET Entity Objects: An Open Source O/R Mapping Toolkit
ATL Server and Visual Studio .NET: Developing High-Performance Web Applications Gets Easier
Creating COM+ PerfMon Counters to Monitor COM+ Data
Creating Control Arrays in Visual Basic .NET and Visual C# .NET
Crystal Reports: Add Professional Quality Reports to Your Application with Visual Studio .NET
Custom Design-time Control Features in Visual Studio .NET
Custom Provider Controls
Debugging: Root Out Elusive Production Bugs with These Effective Techniques
Design-Time Data Tools in Visual Studio .NET
Extending the Visual Studio .NET IDE
Google from Visual Studio .NET
How Visual Studio .NET Generates SQL Statements for Concurrency Control
How to: Lock Down a Visual SourceSafe Database
Testing for Accessibility
Introducing the Visual Studio .NET Lab Series
An Introduction to Code Access Security
Introduction to Visual SourceSafe Database Security
Navigating Multiple Related Tables in an ADO.NET Dataset
A Programmer's Introduction to Visual Studio .NET Whidbey
Migrating EJB Session Beans with the Microsoft Java Language Conversion Assistant 3.0
Migrating Java RMI to Microsoft .NET Interop with the Microsoft Java Language Conversion Assistant 3.0
Migrating Message Driven Beans with the Microsoft Java Language Conversion Assistant 3.0
Rapid Evaluation Methods for Visual Studio .NET
Security Considerations for ClickOnce Deployments
Smart Tags: Simplify UI Development with Custom Designer Actions in Visual Studio
Solution Root: Source Control for Multi-Project Solutions in Visual Studio .NET 2003
Support for Multiple Versions of the Same Component with Visual Studio .NET 2003
Ten Essential Tools: Visual Studio Add-Ins Every Developer Should Download Now
Test: Build Quick and Easy UI Test Automation Suites with Visual Studio .NET
Troubleshooting .NET Interoperability
Using the Emulator in Smart Device Projects
Using Threads
Using P/Invoke to Call Unmanaged APIs from your Managed Classes
Visual Studio .NET: Build Web Applications Faster and Easier Using Web Services and XML
Visual Studio .NET: Building Windows Forms Controls and Components with Rich Design-Time Features, Part 2
Visual Studio .NET: Building Windows Forms Controls and Components with Rich Design-Time Features
Visual Studio .NET Commands for Localized Versions
Visual Studio .NET: Custom Add-Ins Help You Maximize the Productivity of Visual Studio .NET
Visual Studio .NET: Managed Extensions Bring .NET CLR Support to C++
Visual Studio .NET: Top Ten Cool Features of Visual Studio .NET Help You Go From Geek to Guru
Visual Studio 2005 Class Designer
XML Comments: Document Your Code in No Time At All with Macros in Visual Studio
Expand Minimize
3 out of 12 rated this helpful - Rate this topic

How to: Lock Down a Visual SourceSafe Database

Visual Studio .NET 2003
 

Christine Woskett and Oded Ye Shekel
Visual SourceSafe Team
Microsoft Corporation

January 2003

Summary: This article provides step-by-step instructions for securing a Visual SourceSafe database.

This is a two-part article. For more information on security issues that administrators need to address when creating and managing Visual SourceSafe 6.0 and earlier databases, see Introduction to Visual SourceSafe Database Security. (10 printed pages)

Contents

Introduction
Windows Users and Groups
Securing Your Database
Ongoing Security Administration
Security Checklist

Introduction

This information is for any Visual SourceSafe (VSS) user who creates a database, grants other users permissions to access the file share and VSS database, or otherwise manages permissions in the VSS Administrator program.

First, use the procedures in Securing Your Database to create two groups of VSS users and grant them appropriate permissions for the VSS database and program folders. Then, as people join or leave your teams, use the procedures in Ongoing Security Administration to add or delete individual VSS users. Whether you are installing VSS and creating a database for the first time or you have an existing VSS installation, follow these instructions and review the Additional Considerations in Introduction to VSS Database Security to secure VSS and your database. When you have locked down your database, use the checklist to verify that it is secure before you inform your VSS users that VSS is ready to use.

To secure a Visual SourceSafe (VSS) database and the files that control and administer VSS, you need to use Windows security permissions to restrict access. By following the procedures described here, you will lock down your database so that:

  • Only members of the VSS database administrators group for the VSS Windows folders can perform administrator tasks, including running Analyze and restoring archived VSS files and projects.
  • All VSS administrators and VSS users can continue to work with VSS in the same way that they did before you secured VSS.
  • People who are not VSS users will not have access permissions for the network share where VSS is located, and therefore will not have access to the database.

Locking down the database does not provide the following:

  • Project-level security. You can use the VSS Administrator program to set rights and assignments for specific VSS projects or individual VSS users but all VSS users must be granted the same permissions for the Windows folders. Therefore, all VSS users, regardless of their project-level rights as specified using the VSS Administrator program, can access the shared folders and have full control over all VSS data but not the files that control and administer the program and database. Do not use the shared database to store files that contain sensitive information, for example, payroll information or legal documents.
  • Read-only VSS users. If you want to limit certain VSS users to only be able to read files in the VSS database, it is recommended that you do not make those people VSS users but instead create a shadow folder and give them access to it.

Windows Users and Groups

The VSS Administrator program provides tools for managing your VSS users by specifying access rights for individual VSS users or individual VSS projects in the VSS database, but to truly secure your database you must use Windows integrated security to restrict access to the VSS folders by setting sharing and security permissions for those folders.

In Windows, you can create groups of users; by adding a Windows user to a group, you give the user all the permissions and user rights assigned to that group. A Windows user who is using a computer that is connected to a network can access the programs and files on the computer, as well as programs and files located on the network, depending on account restrictions determined by the network administrator. By combining Windows users in a group, an administrator can grant the same permissions to all the users, which simplifies the administrative tasks. The information about which Windows users or groups have permissions to access or modify a resource or file is contained in the Access Control List (ACL) for that resource or file. For more information about access control, see the Windows Help.

To lock down your VSS database, you need to create two groups of Windows users: a group for VSS administrators and a group for VSS users.

Securing Your Database

To be able to lock down your database using the procedures described here, your database must be installed on an NT file system (NTFS), which is available on Windows NT 4.0, Windows 2000, Windows XP, and later. On NTFS, you can grant permissions for individual files and folders; the file allocation table (FAT) file system applies the same permissions to an entire share. To share folders, you must be a Windows Administrator for the computer.

Note   If you move a database, the Windows permissions are not moved. You must lock down your database again in the new location.

Creating the Windows User Groups

Organizing your users into Windows groups simplifies and speeds up your administrative tasks. You need to create two groups of Windows users: a group for administrators and a group for VSS users. For example, create groups named VSS_DB1_Admin and VSS_DB1_User. Administrators can use the VSS Administrator program to manage VSS users, set project options for all VSS users and projects, and perform maintenance activities. VSS users can work with VSS using VSS Explorer or the command line and can customize VSS by using the SourceSafe Options dialog box or by editing the Ss.ini file that is located in each Users/username folder.

Note   The VSS user name Admin is the only VSS user name that can be used to log on to the VSS Administrator program. All members of the VSS_DB1_Admin group must log on using the VSS user name Admin and the associated password.

All VSS users must be granted the same Windows permissions for the VSS folders, with additional individual permissions for the appropriate Users/username folder. If you want to limit certain VSS users to only be able to read files in the VSS database, it is recommended that you do not make them VSS users and members of the VSS_DB1_Users group but instead create a shadow folder and give them access to it. For information about shadow folders, see Create Shadow Folders.

Security Note   All VSS users have access to the VSS folders and can delete essential information from the database.

For information about creating and working with groups of Windows users, see the Windows Help.

To create the administrator and VSS user groups

  1. Create two Windows user groups on your VSS database server, for example, VSS_DB1_Admin and VSS_DB1_User.

    If there is a second database on the same server, create two more groups, for example, VSS_DB2_Admin and VSS_DB2_User.

  2. Add each user from the VSS user list to one of the groups.
  3. Restart the VSS server.

Removing the Everyone Group from the Share

If a shared database was created during VSS setup or by using the VSS Administrator tool, the database files and folders were installed in the VSS database folder. When you shared that database folder, the Everyone group of Windows users was added to the share. It is recommended that you remove the Everyone group.

Security Note   Windows users might log on to the computer where the VSS database is located and access the VSS folders directly instead of accessing the shared database folder. Review the permissions for the VSS folders and prevent unauthorized users from accessing the folders.

To remove the Everyone Group from the Share

  1. Using Windows Explorer, navigate to the VSS database folder (the folder that contains the Srcsafe.ini file for the database), and then select the folder.
  2. On the File menu, click Properties, and then click the Sharing tab.
  3. Select Share this folder.
  4. Type a new Share name if you do not want to use the default.
  5. Click Permissions.
  6. If the Group or user names box contains Everyone, click Remove and then click OK.
  7. Click Add.
  8. In the Select Users, Computers, or Groups dialog box, click Locations.
  9. Find and click the Location that contains the VSS_DB1_Admin and VSS_DB1_User groups, and then click OK.

    The Location is the name of the computer that contains the VSS_DB1_Admin and VSS_DB1_User groups.

  10. Add the groups VSS_DB1_Admin and VSS_DB1_User to the Enter the object names to select box.
  11. Click OK to add the groups to the Group or user names box on the Share Permissions tab.
  12. Select the group VSS_DB1_Admin, and then select the Allow check box for Full Control.
  13. Select the group VSS_DB1_User, and then select the Allow check box for Change.

Adding and Granting Permissions for the VSS Groups

You are going to add the two VSS groups to the database folder, remove inherited permissions for all other users and groups, and grant the two VSS groups appropriate permissions for the database folder and other VSS folders. To be able to add and grant permissions using the procedures described here, your database must be installed on an NT file system (NTFS) because on NTFS you can grant permissions for individual files and folders; the file allocation table (FAT) file system applies the same permissions to an entire share. To share folders, you must be a Windows Administrator for the computer.

To add the VSS groups to the database folder

  1. Using Windows Explorer, navigate to the VSS database folder, and then select the folder.
  2. On the File menu, click Properties, and then click the Security tab.
  3. Click Add.
  4. In the Select Users, Computers, or Groups dialog box, click Locations.
  5. Find and click the Location that contains the VSS_DB1_Admin and VSS_DB1_User groups, and then click OK.

    The Location is the name of the computer that contains the VSS_DB1_Admin and VSS_DB1_User groups.

  6. Add the groups VSS_DB1_Admin and VSS_DB1_User to the Enter the object names to select box.
  7. Click OK to add the groups to the Group or user names box on the Security tab.
  8. Select the group VSS_DB1_Admin, and then select the Allow check box for Full Control.
  9. Select the group VSS_DB1_User, and then select only the Allow check boxes for List Folder Contents and Read.

To ensure that only the permissions that you explicitly defined for the two VSS groups will apply to the folder, you are going to remove the inherited permissions that were previously applied from the parent folder.

To remove inherited permissions from the database folder

  1. Click Advanced.
  2. On the Permissions tab, clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here. check box.
  3. Click Remove.
  4. On the Permissions tab, click OK.

    Only the groups VSS_DB1_Admin and VSS_DB1_User are listed in the Group or user names box.

The group for VSS database administrators (for example, VSS_DB1_Admin) needs Full Control permissions for all VSS folders, but the group for VSS users should be granted more restrictive permissions. In the VSS database folder, there is a Users folder that contains a folder for each VSS user. You must grant Read and Write permissions for each VSS user to the corresponding Users/username folder.

To grant permissions to the VSS groups

  1. Grant the following permissions for the two groups for the VSS database folder:
    VSS_DB1_Admin Full Control
    VSS_DB1_Users Read and List Folder Contents
  2. Select the Data folder, and for VSS_DB1_Users set the permissions to Modify.
  3. Select the Temp folder, and for VSS_DB1_Users set the permissions to Modify.
  4. For each Users/username folder, add the Windows user who will use the corresponding VSS login, for example, add Domain\BenSmith to Users\BenSmith. Set that user's permissions for that folder to Modify.
  5. If you want your VSS users to run NetSetup, select the file NetSetup.msi and for VSS_DB1_Users set the permissions to Execute.

Ongoing Security Administration

As people join or leave your teams, you will need to add or delete individual users by using the VSS Administrator program and Windows permissions.

Adding VSS Users to an Existing Database

All new users must be added to the VSS user list by using the VSS Administrator program then added to one of the Windows groups (such as VSS_DB1_Admin or VSS_DB1_User) and assigned permissions for the corresponding Users/username folder.

When you create a VSS database, the VSS user name Admin is created automatically and cannot be deleted. Admin is the only VSS user name that can be used to log on to the VSS Administrator program and only members of the VSS_DB1_Admin group have appropriate permissions to run the VSS Administrator program. Therefore, all members of the VSS_DB1_Admin group must log on using the VSS user name Admin and the associated password.

To add VSS administrator users

  1. Select the required database using the VSS Administrator program. For more information, see Open a VSS Database.
  2. On the Users menu in the VSS Administrator program, click Add User.
  3. Enter the user's name in the User name box.

    User names can be up to 31 characters long, cannot begin or end with a space, and cannot include any punctuation.

  4. Enter the user's password in the Password box.

    Passwords can be up to 15 characters long, and can contain any characters. Do not enter a password if the user will be logged on automatically using the network name.

  5. Click OK.
  6. Add the corresponding Windows user to the Windows group VSS_DB1_Admin.

    For information about adding users to a Windows group, see the Windows Help.

All VSS users must be added to the VSS_DB1_Users group and therefore granted the same Windows permissions for the VSS folders, with additional individual permissions for the appropriate Users\username folder. You can use the Rights and Assignments commands in the VSS Administrator program to manage your VSS users by specifying access rights for individual VSS users or individual VSS projects in the VSS database that apply when a user is working with VSS Explorer.

To add VSS users

  1. Select the required database using the VSS Administrator program. For more information, see Open a VSS Database.
  2. On the Users menu in the VSS Administrator program, click Add User.
  3. Enter the user's name in the User name box.

    User names can be up to 31 characters long, cannot begin or end with a space, and cannot include any punctuation.

  4. Enter the user's password in the Password box.

    Passwords can be up to 15 characters long, and can contain any characters.

  5. To give the user read-only rights, select the Read only check box.
    Note   If you select the Read only check box, the user has read-only access to files in the VSS database when working with VSS Explorer but has the same Windows permissions as all other VSS users for the VSS folders. If you want the user to be a read-only VSS user, see To add read-only VSS users.
  6. Click OK.
  7. Add the user to the Windows group VSS_DB1_Users.
  8. Grant the user Modify permissions for the appropriate Users\username folder.

To add read-only VSS users

All VSS users must be granted the same Windows permissions for the VSS folders, with additional individual permissions for the appropriate Users\username folder. If you want to limit certain VSS users to only be able to read files in the VSS database, it is recommended that you do not make them VSS users and members of the VSS_DB1_Users group but instead create a shadow folder and give them access to it. For information about shadow folders, see Create Shadow Folders.

Security Note   All VSS users have access to the VSS folders and can delete essential information from the database.

Deleting VSS Users

To prevent access, you must delete the user from the VSS user list, delete the user from one of the VSS Windows groups, and delete permissions for any files and folders associated with VSS such as shadow folders for projects.

Note   You cannot delete the VSS user name Admin.

To delete VSS administrator users

  1. Select the User from the user list in the VSS Administrator program.
  2. On the Users menu, click Delete User.

    VSS displays a warning box asking, "Are you sure you want to delete?"

  3. Click OK.

    The Users/username folder for this user, which contains the Ss.ini file, is deleted.

  4. Delete the user from the Windows group VSS_DB1_Admin.
  5. Delete any shadow folders created by that administrator that are no longer needed.

    The locations of shadow folders are in Srcsafe.ini: look for Shadow = shadow folder.

  6. If the administrator has permissions on the following folders and files, delete those permissions.

    The locations of the folders and file are in Srcsafe.ini.

    • Shadow folders (Shadow = shadow folder)
    • Web deployment folders (Deploy_Path = folder)
    • Journal file (Journal_File = filename).
  7. If the administrator deployed Web projects to a remote location, reached through File Transfer Protocol (FTP), consider changing the password associated with the deployment path. For information, see Web Projects Options Tab.

When you delete a VSS user, the corresponding Users/username folder, which contains the Ss.ini file, is deleted automatically.

To delete VSS users

  1. Select the User from the user list in the VSS Administrator program.
  2. On the Users menu, click Delete User.

    VSS displays a warning box asking, "Are you sure you want to delete?"

  3. Click OK.
  4. Delete the user from the Windows user group VSS_DB1_Users.
  5. If the Windows user has permissions on the following folders and files, delete the user's permissions.

    The locations of the folders and file are in Srcsafe.ini.

    • Shadow folders (Shadow = shadow folder)
    • Web deployment folders (Deploy_Path = folder)
    • Journal file (Journal_File = filename).
  6. If the VSS user deployed Web projects to a remote location, reached through File Transfer Protocol (FTP), consider changing the password associated with the deployment path. For information, see Web Projects Options Tab.

To delete read-only VSS users

If, as recommended, the read-only VSS user has permissions for only the shadow folder, remove that user's share permissions for the shadow folder.

Managing Project Rights and User Assignments Using the VSS Administrator Program

You can manage VSS users by using the Rights and Assignments commands in the VSS Administrator program to set rights for individual users, newly added users, and projects, and you can edit a user's attributes so that the user is read-only or read-write. However, all users must be granted the same permissions for the Windows folders to be able to run VSS so do not change a user's permissions for the Windows folders when you change project rights or user assignments in VSS.

Checklist

Before you inform your VSS users that VSS is ready to use, make sure you have secured the database and VSS installation. Check for the following:

  • The Everyone group of Windows users has been removed from the VSS database folder.
  • Only the VSS groups and users have permissions for the VSS folders; no other groups or users are listed on the Security tab for the VSS database folder for the database and therefore have inherited permissions.
  • Two groups of Windows users have been created for VSS: administrators and VSS users.
  • The permissions granted for the VSS folders, and inherited by subfolders, have been set correctly:
    Windows Folder or File Administrators VSS Users
    VSS database folder Full Control Read

    List Folder Contents
    Data Full Control (inherited) Modify
    Temp Full Control (inherited) Modify
    Users/username Full Control (inherited) Modify
    NetSetup.msi Full Control (inherited) Execute
  • If some VSS users require only read access to items in the VSS database, those users have been granted permissions to access the shadow folder for the project but are not in the group of VSS users.
  • Folders that should be accessed by only administrators have had permissions for the group of VSS users removed.
  • The Additional Considerations in Introduction to VSS Database Security have been reviewed and implemented as selected.
  • Documents that contain sensitive or confidential information that should not be available to all users of the VSS database have been removed.
  • The VSS database administrator has prepared instructions that include the procedures for adding and deleting VSS users so that the database security is maintained.

See Also

Introduction to VSS Database Security | Create Shadow Folders | Access Rights

Did you find this helpful?
(1500 characters remaining)
© 2013 Microsoft. All rights reserved.