A commitment to user empowerment is at the heart of the Perforce P4 product philosophy. We believe in giving power and control to our users for ultimate configurability. This flexibility enables customers to tailor P4 to their specific workflows, but it also means they are responsible for securing their environment. For these reasons, we strongly recommend assigning the responsibilities of initial server setup, deployment, and ongoing maintenance to an experienced Perforce P4 administrator.
As cybersecurity threats evolve in sophistication and scale, securing your P4 server requires ongoing vigilance. Regular assessment and reinforcement of your infrastructure are essential to protect your team, your assets, and your business. Whether you're managing a single-node system or a complex global deployment, the measures you take to harden your server can significantly impact your organization's defense against attacks.
This blog offers a comprehensive security framework tailored to P4 deployments. Below, we will address five key vulnerability areas, provide detailed configuration recommendations, and share an actionable checklist that your team can implement to protect your intellectual property.
Is your P4 server exposed to the public internet?
Your team can immediately implement the recommended security configurations from the Secure the server section in our official Server Administration Guide.
Potential P4 Vulnerabilities and How to Address Them
P4 is trusted by some of the world’s most security-conscious teams to manage and safeguard their most valuable IP: source code and binary assets. However, like any advanced system, its effectiveness relies heavily on proper configuration and maintenance.
Any server left in a permissive state can create lapses in security hygiene over time, and lead to significant risks. And like any server connected to the internet, you should assume your P4 server will eventually be tested by an attacker.
Through internal testing and collaboration with customers, our team recommends going through the P4 Administrator Security Checklist below, along with familiarizing yourself with five common vulnerabilities that pose risks to your P4 deployments:
- Public Network Exposure
- Over-Permissive Access
- Remote Depots and Code Sharing
- Information Sharing
- Audit Blind Spots
The actionable steps highlighted in the sections below are critical to hardening your P4 server—mitigating risks and securing your overall environment.
Back to topP4 Administrator Security Checklist
Security is never one-size-fits-all, but there are essential steps that every P4 administrator should consider. Use this checklist to assess your current setup and identify gaps you can address immediately.
1. Review Superuser Privileges
- Who currently has super access?
- Do they need it for daily work?
- Is access regularly reviewed and documented?
2. Configure Protections with Least Privilege
- Is p4 protect tailored to your actual team structure?
- Are default permissions overly broad (e.g., write user * * //...)?
- Does a new user start with only the minimum access required?
- Do you have a defined onboarding/offboarding procedure for users with access to your P4 instances?
3. Secure Your Server and Network
- Is your server exposed to the internet or open networks?
- Is your server inside a VPN?
- Is your server behind a firewall to only expose needed ports?
- Have you secured the operating system appropriately (e.g. restricted who can login to the server directly and from where)?
- Have you made sure your p4d service is not running as root user?
- Have you enabled SSL/TLS for encrypted connections?
4. Enable and Monitor Logging
- Are you using structured logs for better visibility and external tooling?
- Do you have a log rotation and retention policy in place?
5. Strengthen Core Server Configurables
- Is your security level set to 4 or higher?
- If your server is part of a multi-server environment, we strongly recommend the value of 4
- If you are using a security level below the recommended value of 4 we additionally suggest making sure that the protections for the remote user are set correctly if you want to use this functionality.
- Learn how to opt-out of access for remote user on security setting of 3 or lower in this documentation: Server Administration Documentation: Remote depots for code drops
- Have you set the following?
- dm.user.noautocreate = 2 (disable user auto-creation)
- dm.user.setinitialpasswd = 0 ((prevent users being created without a password and setting it themselves)
- dm.user.resetpassword = 1 (force new users to reset their password on initial login)
- dm.info.hide = 1 (hide server version info)
- run.users.authorize = 1 (hide user list from unauthenticated users)
- dm.user.hideinvalid = 1 (prevent user probing)
Even if you can’t tackle everything today, consistent progress is key. Regularly reviewing these items will help strengthen your overall position over time.
Remember, security is not a one-and-done process—it’s constantly evolving. The same goes for your team and infrastructure. Staying proactive ensures you’re always ready for the next challenge.
Public Network Exposure
While running P4 behind a firewall or VPN is considered best practice, it’s not always feasible. Whether due to legacy setups, third-party collaboration, or multi-server environments, some servers inevitably are exposed to the public internet.
When servers are exposed, securing data in transit is a base layer protection. Fortunately, the product supports industry standard secure encrypted connections using SSL/TLS, ensuring that data moving between clients and the server is protected from interception or tampering. But it’s important to note: when configured all P4 clients must then connect using secure protocols.
What Can Go Wrong?
Without encryption, data sent between clients and your server can be intercepted, including:
- Credentials submitted via p4 login
- File contents being synced or submitted
- Metadata such as changelists, usernames, file content, etc.
If a server is publicly accessible and doesn’t enforce encrypted communication, it becomes an easy target for man-in-the-middle attacks, session hijacking, and data leaks. The risks increase significantly in environments where developers are working remotely or from unsecured networks.
Our Recommendation
If your server is accessible over the public internet or semi-trusted internal networks, we strongly recommend your team completes the following:
- Use signed certificates from a trusted authority when possible. While P4 supports self-signed certs, properly signed ones reduce friction and build trust with external collaborators.
- Communicate the change to your team in advance. Once SSL is enabled, all users must update their connection settings and re-autenticate (e.g., from p4 -p hostname:1666 to p4 -p ssl:hostname:1666).
- Enable SSL/TLS encryption for all P4D traffic. This ensures data in transit is protected from eavesdropping or tampering.
- Learn how to set up SSL in our documentation here: Server Administration Documentation: SSL/TLS encrypted connections.
Encryption is a foundational requirement for any modern system exposed to external networks. Setting up SSL in P4 takes only a few minutes, but the protection it provides is long-lasting and essential. Without encrypting your P4 traffic, you expose your system to preventable risks, leaving it vulnerable to potential threats.
Over-Permissive Access
The protections system is the heart of your P4 security model. It governs who can access what across users, groups, and even IP ranges—giving you the flexibility to define granular permissions. Combined with your server’s security level and other configurables, the protections system determines how your system responds to both authenticated and unauthenticated users.
By default, the first user to connect to a newly installed server is granted superuser privileges. This is a necessary step as someone must bootstrap the system. However, one of the most common security oversights, especially in new installations, is failing to update the default protections settings. Often, this means every user in the system has write access to every file, by default.
When combined with misconfigurations like low security levels or user auto-creation, this posture significantly increases the risk of unintended or even malicious access to your system.
What Can Go Wrong?
If no changes are made to the default settings:
- An attacker could create a new user on your server.
- That user might immediately inherit write access to all files.
- In some configurations, this could happen without a password being set.
- From there, it's a short path to data leaks, code tampering, or unauthorized privilege escalation.
Our Recommendations
- Periodically review recommendations outlined in this chapter in the P4 Server Administrator Guide: Secure the server. We strive to keep it up to date, and it’s the single best resource to refresh your memory or make sure you follow the latest security guidelines.
- Remove the default write access granted to all users:
- Remove this line: write user * * //...
- Replace it with group-based permissions tailored to your team structure.
- General tip: Exercise caution when using lines that reference “user *” in protections unless exclusionary. Also, pay attention for global read access—remember that for most attackers, read-only access is sufficient to achieve their objectives.
- You can learn more about setting protections here: Server Administration Documentation: Set protections with p4 protect.
- Set your server’s security level to 4 (or greater). This enforces stronger password rules and access controls.
- For more information on security levels, refer to the following: Command-Line (P4) Reference: Configurables reference.
- Disable automatic user creation by setting: dm.user.noautocreate=2
- This prevents unauthorized users from creating accounts without admin oversight.
- Restrict who can set initial passwords by setting: dm.user.setinitialpasswd=0
- This ensures that only users with super access - who already have a password set - can initialize passwords for new accounts. It helps prevent unauthorized or accidental credential setup.
Think of your protections table as a dynamic, evolving part of your security posture. As your teams grow, new projects spin up, or contractors come and go, your access controls should evolve accordingly. Planning and designing an appropriate structure of repository naming conventions and associated groups and permissions goes a long way to keeping things secure. If in doubt, contact our support and professional services teams.
Remote Depots and Code Sharing
P4 supports cross-server collaboration through remote depots. This feature allows one server to access content from another using a special built-in user called remote. While this can be useful for distributed development or legacy workflows, it is important to consider the associated security implications.
By default, the remote user is granted access based on your protections table. If your protections aren’t explicitly scoped and you are not running in security=4 (or higher) mode, you could inadvertently expose parts of your depot to another server without full authentication in place.
Our Recommendation
- Raise your security level to 4 or higher. This automatically disables the remote user and requires authenticated service users for any cross-server access.
- If you're not using security level 4+, you should explicitly restrict the remote user's access using the protections table.
- For specific steps on how to do this, refer to our documentation: Server Administration Documentation: Remote depots for code drops.
Secure Options for Sharing Content
If you want to share content with external teams or partners, but don’t want them accessing your server directly, consider using Distribution Servers. These allow you to define exactly which data is replicated and accessible, giving you fine-grained control over what others can see. For more information on how to use these servers, refer to our Server Administration Documentation: Distribution Server
Information Exposure
When discussing information exposure, we often think of leaked intellectual property. While that’s a serious risk, it’s rarely the attacker’s first step. Most intrusions begin with reconnaissance: where attackers quietly gather details about your server, users, and configuration to plan a more targeted exploit.
Fortunately, P4 provides several configurables that can dramatically limit what unauthenticated users are able to see. By limiting visibility early on, you can make it far more challenging for attackers to gain a foothold in your system.
What Can Go Wrong?
If left in their default state, certain server responses can reveal more than you intend. For example:
- An attacker could learn your P4 server version, aiding targeted attacks.
- They might enumerate valid usernames in your organization.
- They could use login feedback to confirm if an account exists or is mistyped.
If left unguarded, this seemingly harmless information (i.e., server information, error messages, username validation) can quickly snowball into a privilege escalation path.
Our Recommendation
To reduce your server's exposure to reconnaissance and passive scanning, we recommend setting the following configurables:
- Hide sensitive information about your server from unauthorized users:
- dm.info.hide=1
- This prevents unauthenticated users from accessing general information about your server – like its name and license status.
- Please note: this setting goes hand in hand with your security level – we strongly recommend security=4(or higher).
- Prevent access to user lists without authentication:
- run.users.authorize=1
- This stops anonymous users from seeing a list of users already in the system- reducing the surface area for credential stuffing or username targeting.
- Hide error details when login attempts use invalid usernames:
- dm.user.hideinvalid=1
- This prevents attackers from confirming whether a given username exists based on the server’s response.
These settings won’t stop a determined attacker on their own, but they will slow them down, deny them useful feedback, and force them to work harder. That’s often enough to make your server a less attractive target. By incorporating these measures, you create an essential layer in your defense-in-depth strategy. The goal is to minimize noise, reduce visibility to outsiders, and maintain full functionality for your trusted users.
Audit Blind Spots
Auditing is one of the most frequently overlooked aspects of system security. Without comprehensive logging and proactive alerting, suspicious behavior can slip by unnoticed. In many cases, organizations only become aware of a breach after the damage is done. This often stems from a lack of visibility—either because critical events weren’t logged, or because existing logs weren’t actively monitored and reviewed.
Some of the most common blind spots include:
- No monitoring of failed login attempts
- Lack of audit trails for changes to p4 protect or superuser groups
- Infrequent or inconsistent review of access logs and user activity
What Can Go Wrong?
Without effective audit log monitoring, your team can face the following threats:
- An attacker may attempt to brute-force a user account - and no one will know.
- A rogue or compromised admin could change protections or group membership without trace.
- Unauthorized access might go unnoticed until files are modified or exfiltrated.
These gaps not only delay the detection of threats but also make incident response and forensic investigations more complex when things go wrong.
Our Recommendation
P4 offers several layers of logging to help close these gaps:
- Consider utilizing structured logs for more detailed, parsable information.
- Structured logs are ideal for integrating with SIEM tools, dashboards, or custom alerting systems. With releases later than P4 2024.2, the OpenTelemetry Protocol can be leveraged to quickly deliver the logs to the appropriate systems.
- To learn about structured logging, you can refer to the following documentation:
- Command-Line (P4) Reference Guide: Structured logs (including information for how to export your logs)
- Command-Line (P4) Reference Guide: p4 logexport
- Regularly review changes to your protections table (p4 protect), superuser group memberships and changes to specs in the spec depot, if you are using one.
- You can read more about spec depot here: Server Administration Documentation: Spec depot.
- Automate log rotation and retention strategies as part of your infrastructure planning. Log files grow over time, and unmanaged growth can impact performance or disk usage.
By setting up and managing the right logs today, you gain the visibility needed to detect and respond to potential issues quickly and confidently. Security isn’t just about preventing problems; it’s about spotting and addressing them when they arise.
Back to topStrengthening Security with Perforce
Trust in your team is essential, but even the most reliable teams face growing threats in today’s digital landscape. Version control systems like P4 are becoming prime targets in supply chain attacks, where unnoticed misconfigurations or default settings can lead to serious consequences.
Your P4 repository contains intellectual property which is of great value to you and your customers. It is also of great potential value to hackers and bad actors.
The good news is that these risks are manageable. With thoughtful configuration, regular audits, and a commitment to ongoing maintenance, you can ensure your P4 server is a strong link in your software supply chain.
At Perforce, we view security as a shared responsibility. That’s why we’re committed to:
- Actively engaging with external security researchers. Their findings help us identify real-world issues early and improve the security posture of the product for everyone.
- Continually improving our documentation and defaults. IBased on recent feedback, we’ve strengthened our recommendations and refined our security guidance to help customers harden their environments more effectively.
- Promoting transparency and education. This blog, along with other initiatives, reflects our commitment to sharing knowledge and fostering industry-wide improvements.
Security isn’t a one-time setup; it’s a living, shared responsibility. By working together, we can continue to raise the bar and build a safer digital future.