1

I'm setting up a build server using Team Foundation Server (TFS). The drop location needs to be in UNC (e.g. \SERVER\Share$) for some reason known only to MS.

My concern is this. It's a server on the public Internet and the last thing I want is to have someone hack at.
My question

1) Is it possible to fake a UNC to a local directory without actually setting up a share that might be probed/attacked?

2) If I must set up a share...what can I do to secure it beyond hiding it ($), limiting the connections to 1 and setting permission to the specific account that will use it?

The Diamond Z
  • 274
  • 2
  • 8

1 Answers1

2

To your first question, the answer is "yup!" Instead of "C:\Program Files\Path", for example, simply substitute "\\localhost\C$\Program Files\Path"

Using localhost will make it universally local. Of course, if you're intending for that directory to be the same across multiple machines located around the world, you'll still need some method of updating those directories. Something like TortoiseSVN would do the trick, though I'm no expert in software versioning applications.

As for your second question, hiding it is ultimately useless to clients that don't respect the "hidden" share status. Limiting the connections to one could help, but can't be depended on. Remember that both NTFS permissions and share permissions apply when accessing via SMB (UNC paths), so make changes accordingly. It's common to set share permissions to Everyone Read-Write and make the changes within the NTFS file permissions, but I don't know about trusting that to the whole Internet. As always, test it yourself before letting the Internet test it for you.

Jeff McJunkin
  • 1,342
  • 1
  • 8
  • 16