Don,

DSMCAD isn't the only exposure
With DSMCAD on, a help desk person can be working on node DESKTOP1 and cause
files TO BE RESTORED to node PAYROLSERVER.

But even with DSMCAD turned off, I can be on my node DESKTOP1 and do:

dsm -virtualnodename=PAYROLSERVER

I override the password popup with my admin id, and I can restore files from
PAYROLSERVER to MY desktop.
Now I have a copy of the payroll files, and nobody knows it but me.

There is no footprint left on PAYROLSERVER (because its password was not
changed).  The only footprint in the TSM activity log is that the SESSION
STARTED message in the activity log shows a different IP address  (but with
DHCP that may not be a reliable bit of information).

Just wanted to make that clear.

Personally, I would PREFER to see a server audit trail for any TSM access
that is done by overriding the normal password.  But I agree with you that
most site's auditability requirements would be satisfied with having the
admin id displayed in the SESSION STARTED message any time it is used to
override the normal password.

The inability of the TSM administrator to get at information without leaving
a footprint was a SELLING point when we originally bought this software, and
I was NOT happy when they added the "feature" that opened this hole.  But, I
haven't made a lot of noise about it.  I just make sure not too many people
have SYSTEM level access....

Thanks
Wanda







-----Original Message-----
From: DFrance [mailto:DFrance-TSM AT ATT DOT NET]
Sent: Wednesday, March 19, 2003 2:31 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: Client login with admin id and password


Some customers mitigate this security issue by eliminating the DSMCAD
service, as a matter of policy;  that's probably okay for some businesses --
not likely okay for help-desk when supporting desktop users.

A number of requirements are being considered (thru SHARE) along the lines
of better security and/or security-audit;  with Windows, the TSM admin can
do restores (via machine login) using his NT-network ID which is part of the
backup operators group -- without the need for DSMCAD.  Using DSMCAD (ie,
remote-web-client) is where there is no auditability to indicate who
accessed what data... and, this is ALSO the most convenient interface for
remote/help-desk/TSMadmin restore assistance.

We need to better articulate the requirement for the level of audit needed
-- and where it applies -- such as, must there be audit file that shows
every file/directory restored and/or even viewed using alternate/admin ID?

The simplest (and minimal) solution might be to include the admin's ID in
the activity log, at session start time, reflecting "session started for
Node xxx (using admin-ID yyy)".  But this only says who, and when, not what
was accessed/downloaded.  (And, of course, the ENCRYPT option, as Andy
suggests.)

Can you help?


Don France
Technical Architect -- Tivoli Certified Consultant
Tivoli Storage Manager, WinNT/2K, AIX/Unix, OS/390
San Jose, Ca
(408) 257-3037
mailto:don_france AT ayett DOT net (change aye to a for replies)

Professional Association of Contract Employees
(P.A.C.E. -- www.pacepros.com)



-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU]On Behalf Of
Gerhard Rentschler
Sent: Tuesday, March 18, 2003 7:11 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: Client login with admin id and password


Hello,
> IMHO, the TSM server really needs to leave better tracks for this type of
> activity.
>
> ..Paul>
that's what I would like to have. In Germany we have a law which requires
that access to data which is related to individuals must be restricted and
logged. That means that on request it should be possible to tell who
accessed the data. With TSM this is not possible. Is it possible to open a
pmr on this ground?
Best regards
Gerhard
---
Gerhard Rentschler            email:g.rentschler AT rus.uni-stuttgart DOT de
Regional Computing Center     tel.   ++49/711/685 5806
University of Stuttgart       fax:   ++49/711/682357
Allmandring 30a
D 70550
Stuttgart
Germany