Don,

DSMCAD isn't the only exposure. With DSMCAD on, a help desk person can be working on node DESKTOP1 and cause files TO BE RESTORED to node PAYROLSERVER.

But even with DSMCAD turned off, I can be on my node DESKTOP1 and do:

    dsm -virtualnodename=PAYROLSERVER

I override the password popup with my admin id, and I can restore files from PAYROLSERVER to MY desktop. Now I have a copy of the payroll files, and nobody knows it but me. There is no footprint left on PAYROLSERVER (because its password was not changed). The only footprint in the TSM activity log is that the SESSION STARTED message in the activity log shows a different IP address (but with DHCP that may not be a reliable bit of information).

Just wanted to make that clear.

Personally, I would PREFER to see a server audit trail for any TSM access that is done by overriding the normal password. But I agree with you that most sites' auditability requirements would be satisfied with having the admin id displayed in the SESSION STARTED message any time it is used to override the normal password.

The inability of the TSM administrator to get at information without leaving a footprint was a SELLING point when we originally bought this software, and I was NOT happy when they added the "feature" that opened this hole. But, I haven't made a lot of noise about it. I just make sure not too many people have SYSTEM level access....

Thanks
Wanda

-----Original Message-----
From: DFrance [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2003 2:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Client login with admin id and password

Some customers mitigate this security issue by eliminating the DSMCAD service, as a matter of policy; that's probably okay for some businesses -- not likely okay for help-desk when supporting desktop users. A number of requirements are being considered (thru SHARE) along the lines of better security and/or security-audit; with Windows, the TSM admin can do restores (via machine login) using his NT-network ID which is part of the backup operators group -- without the need for DSMCAD.

Using DSMCAD (ie, remote-web-client) is where there is no auditability to indicate who accessed what data... and, this is ALSO the most convenient interface for remote/help-desk/TSMadmin restore assistance.

We need to better articulate the requirement for the level of audit needed -- and where it applies -- such as, must there be audit file that shows every file/directory restored and/or even viewed using alternate/admin ID? The simplest (and minimal) solution might be to include the admin's ID in the activity log, at session start time, reflecting "session started for Node xxx (using admin-ID yyy)". But this only says who, and when, not what was accessed/downloaded. (And, of course, the ENCRYPT option, as Andy suggests.)

Can you help?

Don France
Technical Architect -- Tivoli Certified Consultant
Tivoli Storage Manager, WinNT/2K, AIX/Unix, OS/390
San Jose, Ca
(408) 257-3037
mailto:[EMAIL PROTECTED] (change aye to a for replies)

Professional Association of Contract Employees
(P.A.C.E. -- www.pacepros.com)

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED] Behalf Of Gerhard Rentschler
Sent: Tuesday, March 18, 2003 7:11 AM
To: [EMAIL PROTECTED]
Subject: Re: Client login with admin id and password

Hello,

> IMHO, the TSM server really needs to leave better tracks for this type of
> activity.
>
> ..Paul
>

that's what I would like to have. In Germany we have a law which requires that access to data which is related to individuals must be restricted and logged. That means that on request it should be possible to tell who accessed the data. With TSM this is not possible. Is it possible to open a pmr on this ground?

Best regards
Gerhard

---
Gerhard Rentschler            email:[EMAIL PROTECTED]
Regional Computing Center     tel.   ++49/711/685 5806
University of Stuttgart       fax:   ++49/711/682357
Allmandring 30a
D 70550 Stuttgart
Germany
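The source address on the SESSION STARTED message is the one footprint the thread identifies, so a site can at least watch it for nodes with fixed addresses. The following is an added example, not part of the original thread and not IBM code: the activity log line layout is an assumption, the sample lines are constructed, and `static_nodes` is a hypothetical list of nodes known not to use DHCP.

```python
import re
from collections import defaultdict

# Assumed layout of a session-start line in an exported activity log.
SESSION_START = re.compile(
    r"(?P<stamp>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+\S+\s+"
    r"Session (?P<sid>\d+) started for node (?P<node>\S+) "
    r"\([^)]*\) \(Tcp/Ip (?P<addr>[^()\s]+)\(\d+\)\)"
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
03/17/2003 01:00:04 ANR0406I Session 101 started for node PAYROLSERVER (WinNT) (Tcp/Ip 10.1.5.20(1044)).
03/17/2003 01:05:10 ANR0406I Session 102 started for node DESKTOP1 (WinNT) (Tcp/Ip 10.1.9.77(1201)).
03/18/2003 01:00:06 ANR0406I Session 140 started for node PAYROLSERVER (WinNT) (Tcp/Ip 10.1.5.20(1051)).
03/19/2003 14:12:31 ANR0406I Session 188 started for node DESKTOP1 (WinNT) (Tcp/Ip 10.1.9.77(1310)).
03/19/2003 14:13:02 ANR0406I Session 189 started for node PAYROLSERVER (WinNT) (Tcp/Ip 10.1.9.77(1312)).
"""

def parse_sessions(log_text):
    """Yield (timestamp, session id, node, address) for each session start."""
    for line in log_text.splitlines():
        m = SESSION_START.match(line)
        if m:
            yield m["stamp"], int(m["sid"]), m["node"], m["addr"]

def flag_unusual_sources(log_text, static_nodes):
    """Flag session starts for fixed-address nodes that come from a new address.

    Only nodes in static_nodes are checked, because for DHCP clients the
    source address is not a reliable identifier. Each alert also lists the
    other nodes already seen at that address, which points at the desktop
    the session was really started from.
    """
    seen = defaultdict(set)    # node -> baseline addresses
    owners = defaultdict(set)  # address -> nodes seen from it
    alerts = []
    for stamp, sid, node, addr in parse_sessions(log_text):
        known = seen[node]
        if node in static_nodes and known and addr not in known:
            alerts.append({"time": stamp, "session": sid, "node": node,
                           "address": addr,
                           "address_also_used_by": sorted(owners[addr] - {node})})
        else:
            known.add(addr)  # flagged addresses never join the baseline
        owners[addr].add(node)
    return alerts

if __name__ == "__main__":
    for alert in flag_unusual_sources(SAMPLE_LOG, {"PAYROLSERVER"}):
        print(alert)
```

This shows where a session came from and when, not which admin id was used or which files were restored, which is the gap the thread asks to have closed on the server side.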
