anybody willing to do evil could find a way to have a system connected to the
network where he has full access. Some laptop? Even with port security on the
switch... just fix the ethernet card mac address :)
Basically, trust your admins to do the right thing, or don't hire them in the
first place.
On 25 okt. 2011, at 22:43, Ochs, Duane wrote:
> I guess that depends on the privs the TSM admin has to your servers.
>
> In my environment as the Senior TSM admin I have admin privs or root access
> to all the machines being backed up.
> Which means I could in theory restore data to any server I wanted... however
> I could also copy data from one machine to another, in theory.
>
> For other admins, in our environment, that do not have admin privs they don't
> have access to log into machines to configure a restore from another machine.
>
> FYI: TSM admins could also change the password to a client machine to restore
> data anywhere, if they wanted.
>
>
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf
> Of Hart, Charles A
> Sent: Tuesday, October 25, 2011 3:22 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: Can a TSM server admin purloin client backups?
>
> Nothing, it's a policy challenge if they has TSM Sys Admin rights. Kind
> of like a Cop that sells evidence or takes a bribe, a priest that
> protects the young ... at some point you have to trust your admin or
> fire them. In my exp a node pw can be overridden with a Sys admin user
> and pw.
>
> Maybe I over simplified the situation.
>
>
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf
> Of
> Keith Arbogast
> Sent: Tuesday, October 25, 2011 3:07 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: [ADSM-L] Can a TSM server admin purloin client backups?
>
> This question came up again here. If a TSM admin with system
> authorization knows the client password for a certain TSM node, what
> keeps him from restoring files from that node to another server of his
> choosing?
>
> Sorry to resuscitate this old horse.
>
> With many thanks,
> Keith
>
> This e-mail, including attachments, may include confidential and/or
> proprietary information, and may be used only by the person or entity
> to which it is addressed. If the reader of this e-mail is not the intended
> recipient or his or her authorized agent, the reader is hereby notified
> that any dissemination, distribution or copying of this e-mail is
> prohibited. If you have received this e-mail in error, please notify the
> sender by replying to this message and delete this e-mail immediately.
--
Met vriendelijke groeten/Kind Regards,
Remco Post
r.post AT plcs DOT nl
+31 6 248 21 622
|