Re: Client login with admin id and password
2003-03-19 15:41:52
Some customers mitigate this security issue by eliminating the DSMCAD service,
as a matter of policy; that's probably okay for some businesses -- not likely
okay for help-desk when supporting desktop users.

A number of requirements are being considered (thru SHARE) along the lines of
better security and/or security-audit; with Windows, the TSM admin can do
restores (via machine login) using his NT-network ID which is part of the
backup operators group -- without the need for DSMCAD. Using DSMCAD (i.e.,
remote-web-client) is where there is no auditability to indicate who accessed
what data... and, this is ALSO the most convenient interface for
remote/help-desk/TSMadmin restore assistance.

We need to better articulate the requirement for the level of audit needed --
and where it applies -- such as, must there be an audit file that shows every
file/directory restored and/or even viewed using alternate/admin ID?

The simplest (and minimal) solution might be to include the admin's ID in the
activity log, at session start time, reflecting "session started for Node xxx
(using admin-ID yyy)". But this only says who, and when, not what was
accessed/downloaded. (And, of course, the ENCRYPT option, as Andy suggests.)

Can you help?
Don France
Technical Architect -- Tivoli Certified Consultant
Tivoli Storage Manager, WinNT/2K, AIX/Unix, OS/390
San Jose, Ca
(408) 257-3037
mailto:don_france AT ayett DOT net (change aye to a for replies)
Professional Association of Contract Employees
(P.A.C.E. -- www.pacepros.com)
-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU]On Behalf Of
Gerhard Rentschler
Sent: Tuesday, March 18, 2003 7:11 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: Client login with admin id and password
Hello,
> IMHO, the TSM server really needs to leave better tracks for this type of
> activity.
>
> ..Paul
that's what I would like to have. In Germany we have a law which requires
that access to data which is related to individuals must be restricted and
logged. That means that on request it should be possible to tell who
accessed the data. With TSM this is not possible. Is it possible to open a
PMR on this ground?
Best regards
Gerhard
---
Gerhard Rentschler email:g.rentschler AT rus.uni-stuttgart DOT de
Regional Computing Center tel. ++49/711/685 5806
University of Stuttgart fax: ++49/711/682357
Allmandring 30a
D 70550
Stuttgart
Germany