Anybody willing to do evil could find a way to have a system connected to the network where he has full access. Some laptop? Even with port security on the switch... just fix the Ethernet card MAC address :)
Basically, trust your admins to do the right thing, or don't hire them in the first place.

On 25 Oct. 2011, at 22:43, Ochs, Duane wrote:

> I guess that depends on the privs the TSM admin has to your servers.
>
> In my environment as the Senior TSM admin I have admin privs or root access
> to all the machines being backed up.
> Which means I could in theory restore data to any server I wanted... however
> I could also copy data from one machine to another, in theory.
>
> For other admins, in our environment, that do not have admin privs they don't
> have access to log into machines to configure a restore from another machine.
>
> FYI: TSM admins could also change the password to a client machine to restore
> data anywhere, if they wanted.
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:[email protected]] On Behalf Of
> Hart, Charles A
> Sent: Tuesday, October 25, 2011 3:22 PM
> To: [email protected]
> Subject: Re: Can a TSM server admin purloin client backups?
>
> Nothing, it's a policy challenge if they have TSM Sys Admin rights. Kind
> of like a Cop that sells evidence or takes a bribe, a priest that
> protects the young ... at some point you have to trust your admin or
> fire them. In my exp a node pw can be overridden with a Sys admin user
> and pw.
>
> Maybe I oversimplified the situation.
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:[email protected]] On Behalf Of
> Keith Arbogast
> Sent: Tuesday, October 25, 2011 3:07 PM
> To: [email protected]
> Subject: [ADSM-L] Can a TSM server admin purloin client backups?
>
> This question came up again here. If a TSM admin with system
> authorization knows the client password for a certain TSM node, what
> keeps him from restoring files from that node to another server of his
> choosing?
>
> Sorry to resuscitate this old horse.
>
> With many thanks,
> Keith
>
> This e-mail, including attachments, may include confidential and/or
> proprietary information, and may be used only by the person or entity
> to which it is addressed. If the reader of this e-mail is not the intended
> recipient or his or her authorized agent, the reader is hereby notified
> that any dissemination, distribution or copying of this e-mail is
> prohibited. If you have received this e-mail in error, please notify the
> sender by replying to this message and delete this e-mail immediately.

--
Met vriendelijke groeten/Kind Regards,

Remco Post
[email protected]
+31 6 248 21 622
