Re: [Networker] NetWorker security

2003-03-03 12:50:46
Subject: Re: [Networker] NetWorker security
From: Davina Treiber <treiber AT HOTPOP DOT COM>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Mon, 3 Mar 2003 12:50:52 -0500
On Mon, 3 Mar 2003 09:35:02 -0800, Byron Servies <bservies AT PACANG DOT COM>
wrote:

>On March 03, 2003 at 12:17, Lilian Feng wrote:
>> Chris,
>> Thank you for your advice.
>> We have tried many times to monitor the traffic
>> on the TCP/UDP ports. What we found was that the
>> ports used by nwadmin are mixed up with the backup ports.
>> When we blocked the ports in the NetWorker server
>> used to respond to nwadmin, we found it also blocked
>> the backup traffic from clients.
>
>Hi,
>
>The only way to prevent nwadmin (or nsradmin, or any
>program that implements the necessary protocols)  from
>viewing the configuration of a NetWorker server is to
>remove it from the machine.

I was going to suggest this, but of course it is difficult to enforce.
Firstly you need to take the trouble to remove the nwadmin, winadmin, and
nsradmin binaries from every client. You also need to make sure that there
are no copies available anywhere on a network share. Then you need to
prevent a determined user from re-installing it, so you probably need to
disable all floppy drives, CD-ROM drives, and all access to the Internet.
Realistically it is not possible to technically prevent this; perhaps the
only way is to remove the binaries then prohibit users from installing
them, perhaps with the threat of disciplinary action. It does seem a bit of
an overkill.

Taking a step back, it is fairly easy for users to view NetWorker
configuration, but what is the harm? Unless they have administrator access
they cannot make changes or do any damage. Following the updates detailed
in TB367, they should not be able to see who is in the administrator list
(6.1.3 and above) and should not be able to gain unauthorised access either.
