Re: Encryption - logging
Don't forget, if that is the desire, that the web GUI runs under the Local System account (in Windows land), and it may have the ability to restore another user's file to a different location. So you may not want to use the TSM web client feature on that particular server.

Henrik Wahlstedt <[EMAIL PROTECTED]> wrote:

Thanks for the answer and good point, btw it's not my file, it is some HR data... The customer is worried about who can restore data/alter the logs if we are able to produce them etc etc.

//Henrik

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED] On Behalf Of Allen S. Rout
Sent: 16. august 2006 16:29
To: ADSM-L@VM.MARIST.EDU
Subject: Re: Encryption - logging

>> On Wed, 16 Aug 2006 14:44:59 +0200, Henrik Wahlstedt said:

> So my questions are: Is it possible to do automated encrypted backups
> but limit the restore functionality to those who know the encryption
> password?

The only people who can restore are people who can log into your machine, and they can only restore files they can write.

I'm confused about why I shouldn't be able to restore one of my files. I'm poking that question because it feels like you're asking TSM to enforce a security restriction you haven't been able to enforce locally on the box. Trying to prevent [EMAIL PROTECTED] from restoring something sounds like a tall order.

> How do I monitor restores on the TSM server in a good way.

I haven't found a happy method. Consider, the logging there could be Really Extensive. I don't want to list somebody's 3-million filenames in my TSM serverlog.

- Allen S. Rout

---
The information contained in this message may be CONFIDENTIAL and is intended for the addressee only. Any unauthorised use, dissemination of the information or copying of this message is prohibited. If you are not the addressee, please notify the sender immediately by return e-mail and delete this message. Thank you.
Re: Encryption - logging
Thanks for the answer and good point, btw it's not my file, it is some HR data... The customer is worried about who can restore data/alter the logs if we are able to produce them etc etc.

//Henrik

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED] On Behalf Of Allen S. Rout
Sent: 16. august 2006 16:29
To: ADSM-L@VM.MARIST.EDU
Subject: Re: Encryption - logging

>> On Wed, 16 Aug 2006 14:44:59 +0200, Henrik Wahlstedt <[EMAIL PROTECTED]> said:

> So my questions are: Is it possible to do automated encrypted backups
> but limit the restore functionality to those who know the encryption
> password?

The only people who can restore are people who can log into your machine, and they can only restore files they can write.

I'm confused about why I shouldn't be able to restore one of my files. I'm poking that question because it feels like you're asking TSM to enforce a security restriction you haven't been able to enforce locally on the box. Trying to prevent [EMAIL PROTECTED] from restoring something sounds like a tall order.

> How do I monitor restores on the TSM server in a good way.

I haven't found a happy method. Consider, the logging there could be Really Extensive. I don't want to list somebody's 3-million filenames in my TSM serverlog.

- Allen S. Rout
Re: Encryption - logging
>> On Wed, 16 Aug 2006 14:44:59 +0200, Henrik Wahlstedt <[EMAIL PROTECTED]> said:

> So my questions are: Is it possible to do automated encrypted
> backups but limit the restore functionality to those who know the
> encryption password?

The only people who can restore are people who can log into your machine, and they can only restore files they can write.

I'm confused about why I shouldn't be able to restore one of my files. I'm poking that question because it feels like you're asking TSM to enforce a security restriction you haven't been able to enforce locally on the box. Trying to prevent [EMAIL PROTECTED] from restoring something sounds like a tall order.

> How do I monitor restores on the TSM server in a good way.

I haven't found a happy method. Consider, the logging there could be Really Extensive. I don't want to list somebody's 3-million filenames in my TSM serverlog.

- Allen S. Rout
Encryption - logging
Hi,

I got one odd request today.. TSM client 5.3.4.0/w2k3. Server 5.3.2.1/AIX

If I encrypt my backups the password is either saved in the registry or supplied from an operator during backup. And if I want to restrict the possibilities for users to do restores without knowing the encryption password I can't save it in the registry, can I?

If I save the encryption password in registry I can monitor restores on my TSM server, right?

So, if I start a restore locally on my PC,

    dsmc -virtualnodename=XYZ -tcps=TSM

and use my admin ID/PW as login credentials. And,

    restore \\XYZ\c$\cmdcons\* c:\temp\test\ -subdir=y

On TSM server

    tsm: >q act begint=14:15 s=XYZ

    16-08-2006 14:16:17 ANR0406I Session 563702 started for node XYZ (WinNT) (Tcp/Ip pc-391662.client.statoil.net(2251)). (SESSION: 563702)

    tsm: >q restore f=d

    Sess Restore Elapsed Node Name Filespace FSID File Spec
    Number State Minutes Name
    -- --- --- - --- --
    563,70 Active2 XYZ \\XYZ\c$ 1 \CMDCONS\**

Other queries like q act with s=restore, XYZ, my ID or Tcp/Ip don't give me anything. I miss a couple of things that should be logged...

So my questions are:

Is it possible to do automated encrypted backups but limit the restore functionality to those who know the encryption password?

How do I monitor restores on the TSM server in a good way, since the above is not sufficient? (Accounting records??)

Thanks
Henrik
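Added example, not part of the original thread or of TSM itself: one way to get session-level visibility from the activity log is to parse ANR0406I lines in the format quoted above and flag sessions where a node name is used from a host other than the node's own machine, which is what a `-virtualnodename` restore from a PC looks like. The `EXPECTED_HOSTS` inventory, the `example.net` host names and the sample log lines are constructed assumptions, and the day-month-year date format is taken from the line in the post.

```python
import re
from datetime import datetime

# Matches the ANR0406I session-start line in the form quoted in the thread.
ANR0406I = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\s+ANR0406I Session (?P<session>\d+) "
    r"started for node (?P<node>\S+) \((?P<platform>[^)]+)\) "
    r"\(Tcp/Ip (?P<host>[^()\s]+)\((?P<port>\d+)\)\)"
)

# Assumption: hosts each node is expected to connect from (hypothetical inventory).
EXPECTED_HOSTS = {"XYZ": {"xyz.example.net"}, "ABC": {"abc.example.net"}}

# Constructed sample lines modelled on the one in the post; not real log data.
SAMPLE_LOG = """\
16-08-2006 02:00:05 ANR0406I Session 563001 started for node XYZ (WinNT) (Tcp/Ip xyz.example.net(1042)). (SESSION: 563001)
16-08-2006 14:16:17 ANR0406I Session 563702 started for node XYZ (WinNT) (Tcp/Ip pc-000001.example.net(2251)). (SESSION: 563702)
16-08-2006 14:20:00 ANR0406I Session 563710 started for node ABC (WinNT) (Tcp/Ip abc.example.net(3300)). (SESSION: 563710)
"""

def parse_session_starts(log_text):
    """Return one dict per ANR0406I line; all other lines are ignored."""
    sessions = []
    for line in log_text.splitlines():
        m = ANR0406I.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d-%m-%Y %H:%M:%S")
        rec["session"] = int(rec["session"])
        rec["port"] = int(rec["port"])
        sessions.append(rec)
    return sessions

def foreign_host_sessions(sessions, expected=EXPECTED_HOSTS):
    """Sessions whose source host is not listed for the node.

    Nodes missing from the inventory are flagged as well (fail closed).
    """
    return [s for s in sessions
            if s["host"].lower() not in expected.get(s["node"], set())]

if __name__ == "__main__":
    for s in foreign_host_sessions(parse_session_starts(SAMPLE_LOG)):
        print(f'{s["ts"]:%Y-%m-%d %H:%M:%S} node={s["node"]} '
              f'session={s["session"]} from {s["host"]}:{s["port"]}')
```

ANR0406I marks only the start of a session, so this shows who connected as a node and from where, not which files were restored; the flagged session number is the value to correlate with `q restore f=d` output.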