3
votes

(Specifically for VisualSVN.) Should you use SVN authentication or Windows integrated authentication?

Correct me if anything here is wrong, but...

The issue with SVN auth is that the administrator basically either has to have the dev come over to type their own password in when their account is created, or they have to create a password for them (so they know the dev's password). But of course, the SVN server admin can access their code anyway because they have full access to the repository itself, so does it matter?

If you're using Windows integrated auth, I believe(?) this means you're giving the devs full access accounts on the SVN server (which I can see anal auditors calling a bad practice depending on what else is running there).

So which type of auth is considered better for a large organization? Does it matter?

1 Answer

0
votes

Integrated Windows Authentication (IWA) is considered the best practice.

IWA enables the Negotiate (SPNEGO) security package. Negotiate selects between the Kerberos and NTLM authentication protocols. Please read the article KB39: Understanding VisualSVN Server Authentication options for more information.

Note that VisualSVN Server uses the Windows API for integration with Active Directory. Read the article KB39: Understanding VisualSVN Server Authentication options for a complete overview of the authentication methods available in VisualSVN Server.

> If you're using Windows integrated auth, I believe(?) this means you're giving the devs full access accounts on the SVN server (which I can see anal auditors calling a bad practice depending on what else is running there).

No, you do not give end users full access to the server computer. This would be weird. The purpose of IWA is security.
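
The answer above says that Negotiate selects between Kerberos and NTLM. As an added example (not part of the original answer and not VisualSVN code), the Python below classifies the token from an HTTP `Authorization: Negotiate` header by the mechanism the client offers first, which lets an administrator confirm that clients use Kerberos rather than falling back to NTLM. The function names and the sample-token builder are hypothetical, and the sample tokens are constructed.

```python
import base64

# DER value bytes of the mechanism OIDs a Negotiate token can carry.
SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "kerberos", NTLMSSP: "ntlm"}
NTLM_SIG = b"NTLMSSP\x00"

def tlv(buf, pos):  # read one DER element; return (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(NTLM_SIG):      # raw NTLMSSP message, no SPNEGO wrapper
            return "ntlm"
        tag, pos, _ = tlv(tok, 0)
        if tag != 0x60:                   # not an initial GSS-API token (e.g. a later leg)
            return "ntlm" if NTLM_SIG in tok else "unknown"
        tag, start, pos = tlv(tok, pos)   # outer mechanism OID; pos now follows it
        if tok[start:pos] != SPNEGO:      # bare mechanism token without SPNEGO
            return MECHS.get(tok[start:pos], "unknown")
        for expected in (0xA0, 0x30, 0xA0, 0x30):  # NegTokenInit, SEQUENCE, mechTypes, list
            tag, pos, _ = tlv(tok, pos)   # descend into each wrapper
            if tag != expected:
                return "unknown"
        tag, start, end = tlv(tok, pos)   # first listed mechanism = client's preference
        return MECHS.get(tok[start:end], "unknown") if tag == 0x06 else "unknown"
    except (ValueError, IndexError):      # bad base64 or truncated token
        return "unknown"

def der(tag, body):  # sample helper: short-form DER element (body under 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_negotiate(*oids):  # constructed NegTokenInit header offering oids in order
    mechs = der(0x30, b"".join(der(0x06, oid) for oid in oids))
    init = der(0xA0, der(0x30, der(0xA0, mechs)))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + init)).decode()
```

The result reflects only the client's first offer in the initial token; the server can still settle on a different mechanism later in the exchange.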