ADSM-L

Re: Client Security

2003-05-30 04:50:01
Subject: Re: Client Security
From: Zlatko Krastev/ACIT <acit AT ATTGLOBAL DOT NET>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 30 May 2003 00:49:36 +0300
There are also other reasons *not* to create an admin on node registration -
to avoid confusion.
Using passwordaccess=generate the node is recycling its password
regularly. When the admin's password expires the human on next login is
asked to change it. What would be the chance to get it just the same as
the generated one - zero.
Misled by the same nodename and admin name the sysadmin is confused why he/she
can authenticate through dsmadmc but not through dsmc (if it comes to
that).

Another reason - usually we do not have separate sysadmins for each box.
It is more convenient to have one admin ID with "owner" access to the
nodes under his/her responsibility. Fewer admins provide both better
manageability and improved security.

Yet another security precaution - accepting too many defaults saves time
at the expense of making you more predictable. Combined with social
engineering, this can significantly lower your protection.

Open registration - I know, I know (and remember the recent thread on
licensing). But being more paranoid and not lazy enough, I prefer closed
registration and the arguments above are applicable for it.

Zlatko Krastev
IT Consultant

"Gill, Geoffrey L." <GEOFFREY.L.GILL AT SAIC DOT COM>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
21.05.2003 07:03
Please respond to "ADSM: Dist Stor Manager"


        To:     ADSM-L AT VM.MARIST DOT EDU
        cc:
        Subject:        Re: Client Security


>-----Original Message-----
>From: Stapleton, Mark [mailto:stapleto AT BERBEE DOT COM]
>Sent: Tuesday, May 20, 2003 7:17 PM
>To: ADSM-L AT VM.MARIST DOT EDU
>Subject: Re: Client Security

Actually I already know the lecture on passwords. I'm in the midst of
giving it to a group now.


>> Should Admin users only be those specified and not let the
>> node add one when it is created?
> A node *has* to have an admin ID and password when it is created.

By default TSM will create an administrative user (Nodename) but you can
specify NONE if you want. The reason I asked the question is to try and
see if anyone might be thinking the same thing I am. If you already know the
node name then all you have to do is guess the password. And as I
mentioned, I already know the password lecture, but that doesn't mean
everyone abides by it. If an administrative user is assigned to a specific
group of computers and the default is not created then someone has to guess
2 things. And yes, if it's written down they don't have to guess anything.

My original post question was, is there a best practices document write-up
available someplace. I'm really looking for something that will back up
what I have decided to put in place without having to drag out the whole
Administrator Guide and thumb through the different areas in case I'm
asked.



Geoff Gill
TSM Administrator
NT Systems Support Engineer
SAIC
E-Mail:   gillg AT saic DOT com
Phone:  (858) 826-4062
Pager:   (877) 905-7154
