First setup the server normally. Changing the base path as described in the section called “Using repository aliases” can be very convenient. The command should run as the user that owns the repository (not root). Use the RunAsUser setting for this.

On Unix systems setting a the Chroot variable is recommended also.

To lock down the access to the repository by default set the AclMode setting in the CVSROOT/config to 'normal'. This will stop anyone accessing the any file unless they are specifically granted access by an access control entry

On a secure system it is recommended that pserver is not used, as it sends its passwords in a trivially decryptable form. On Windows systems use encrypted SSPI, and on Unix ssh is recommended.