IT Infrastructure | The Build Master: Microsofts Software Configuration Management Best Practices

Using your IT department's technologies to provide protection from unauthorized users is a great "free" line of defense for your source code or builds. This defense is free because it is maintained and provided by your IT department and should not come out of your group's budget.

The following is a list of inherited security you can get from your IT department:

Create secured domains and user profiles one-way trusts.
Use Microsoft operations manager (MOM) or similar technology to ensure that everyone has the latest security fixes and firewalls running on his machine.
Limit VPN connections to only company-approved hardware and software.
Limit VPN access to source trees to machines that are members of the proper domain.
Prohibit remote access to source servers to everyone except administrators.
Prohibit Web access or check-ins/check-outs to the source servers.
Turn on and use IPSec Internet Protocol Security, the use of encryption at the network layer protecting and authenticating IP packets between IPSec devices.

If you work with your IT department, you should also be able to automate a lot of security measures, such as these:

The process of granting access to valid users via a Web tool and adding them to the appropriate security group.
The use of group polices to restrict users from running batch jobs using domain credentials, which can be a big security leak. Also, these policies can ensure that only valid users are allowed to access the source control servers.
Running anti-virus programs on your source control servers and protecting them from the outside Web via firewalls, proxy servers, and domain restrictions.
Randomly auditing developer desktops to make sure they are not a security hazard.

I mentioned in Chapter 4, that it is better if your IT department does not maintain your build machines. I still think this should be the case, but rely on your IT department to maintain and control your corporate network, including restricting how users log in remotely or onsite. This is the security area outlined in this section.