...
- You are running the latest released TeamCity version and are ready to upgrade to the newly released versions within weeks
- Access to the TeamCity web interface is secured using HTTPS (e.g. with the help of a proxying server like NGINX). Best practices for securing web applications are employed for the TeamCity web interface.
  It is not possible to access the server using the HTTP protocol, and there is a single https:// URL which can be used to access the server. The reverse proxy does not strip the Referer request header (otherwise the Referer header may be absent and, for example, build artifacts protection will not work)
- The TeamCity server machine does not run agents (at least under the user permitted to read the TeamCity server's home directory and TeamCity Data Directory)
- TeamCity server and agent processes are run under limited users with minimal required permissions. Installation directories are readable and writable only by a limited set of OS users. The `conf\buildAgent.properties` file and server logs as well as the Data Directory are only readable by OS users who represent administrators of the services, because reading those locations may allow taking over the agent or server respectively.
- Guest user and user registration is disabled or roles are reviewed for guest and the All Users group
- TeamCity users with administrative permissions have non-trivial passwords
- If you have external authentication configured (such as LDAP), the built-in authentication module is disabled
- Passwords are not printed into the build log, not stored in build artifacts, nor are they stored in non-password parameters
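
One way to check the file-permission items above (the agent's `buildAgent.properties`, the server logs and the Data Directory being readable only by service administrators), as an added example that is not part of the TeamCity documentation. It assumes a POSIX host where access is governed by owner/group/other mode bits; the function name, its parameters and the "current user is the only administrator" default are hypothetical.

```python
import os
import stat
import sys

def audit_sensitive_paths(roots, allowed_uids, allowed_gids=()):
    """Return (path, problem) pairs for entries readable beyond the service admins.

    Assumption: a POSIX host where access is expressed through owner/group/other
    mode bits; ACLs and Windows permissions are not inspected.
    """
    findings = []
    for root in roots:
        if not os.path.lexists(root):
            findings.append((root, "missing"))
            continue
        entries = [root]
        if os.path.isdir(root) and not os.path.islink(root):
            # os.walk does not follow symlinks, so the audit stays inside root
            for dirpath, dirnames, filenames in os.walk(root):
                entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for entry in entries:
            st = os.lstat(entry)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no access meaning
            if st.st_uid not in allowed_uids:
                findings.append((entry, "owner uid %d is not a service administrator" % st.st_uid))
            # "other" bits are always a finding; group bits only when the
            # owning group is not an administrators' group
            exposed = st.st_mode & stat.S_IRWXO
            if st.st_gid not in allowed_gids:
                exposed |= st.st_mode & stat.S_IRWXG
            if exposed:
                findings.append((entry, "group/other access bits %03o" % exposed))
    return findings

if __name__ == "__main__":
    # Usage: audit.py <path> [<path> ...]; pass the locations your install uses,
    # e.g. the agent's conf/buildAgent.properties, the server logs directory and
    # the Data Directory. Only the current user is treated as an administrator.
    problems = audit_sensitive_paths(sys.argv[1:], {os.getuid()})
    for path, problem in problems:
        print("%s: %s" % (path, problem))
    sys.exit(1 if problems else 0)
```

Run it as the service account itself; a non-zero exit status means at least one path is owned by, or accessible to, an account outside the administrators you listed.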
...