This version of GitHub Enterprise will be discontinued on This version of GitHub Enterprise was discontinued on 2020-08-20. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

Article version: Enterprise Server 2.18

Best practices for user security

Outside of instance-level security measures (SSL, subdomain isolation, configuring a firewall) that a site administrator can implement, there are steps your users can take to help protect your GitHub Enterprise Server instance.

In this article

Did this doc help you?

Enabling two-factor authentication

Two-factor authentication (2FA) is a way of logging in to websites and services that requires a second factor beyond a password for authentication. In GitHub Enterprise Server's case, this second factor is a one time authentication code generated by an application on a user's smartphone. We strongly recommend requiring your users to enable two-factor authentication on their accounts. With two-factor authentication, both a user's password and their smartphone would have to be compromised to allow the account itself to be compromised.

For more information on configuring two-factor authentication, see "About two-factor authentication".

Requiring a password manager

We strongly recommend requiring your users to install and use a password manager--such as LastPass, 1Password, or Keeper--on any computer they use to connect to your GitHub Enterprise Server instance. Doing so ensures that passwords are stronger and much less likely to be compromised or stolen.

Restrict access to teams and repositories

To limit the potential attack surface in the event of a security breach, we strongly recommend only giving users access to teams and repositories that they absolutely need to do their work. Since members with the Owner role can access all teams and repositories in the organization, we strongly recommend keeping this team as small as possible.

For more information on configuring teams and team permissions, see "Permission levels for an organization repository".

Did this doc help you?

Ask a human

Can't find what you're looking for?

Contact us