There are also other reasons *not* to create an admin on node registration - to avoid confusion. Using passwordaccess=generate, the node is recycling its password regularly. When the admin's password expires, the human on next login is asked to change it. What would be the chance to get it just the same as the generated one - zero. Misled by the same nodename and admin name, the sysadmin is confused why he/she can authenticate through dsmadmc but not through dsmc (if it comes to that).

Another reason - usually we do not have separate sysadmins for each box. It is more convenient to have one admin ID with "owner" access to the nodes under his/her responsibility. Fewer admins provide both better manageability and improved security.

Yet another security precaution - accepting too many defaults saves time at the expense of making you more predictable. Combined with social engineering, this can significantly lower your protection.

Open registration - I know, I know (and remember the recent thread on licensing). But being more paranoid and not lazy enough, I prefer closed registration and the arguments above are applicable for it.

Zlatko Krastev
IT Consultant

"Gill, Geoffrey L." <[EMAIL PROTECTED]>
Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
21.05.2003 07:03
Please respond to "ADSM: Dist Stor Manager"

To: [EMAIL PROTECTED]
cc:
Subject: Re: Client Security

>-----Original Message-----
>From: Stapleton, Mark [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, May 20, 2003 7:17 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Client Security

Actually I already know the lecture on passwords. I'm in the midst of giving it to a group now.

>> Should Admin users only be those specified and not let the
>> node add one when it is created?

> A node *has* to have an admin ID and password when it is created.

By default TSM will create an administrative user (Nodename) but you can specify NONE if you want. The reason I asked the question is to try and see if anyone might be thinking the same thing I am. If you already know the node name then all you have to do is guess the password. And as I mentioned, I already know the password lecture, but that doesn't mean everyone abides by it. If an administrative user is assigned to a specific group of computers and the default is not created then someone has to guess 2 things. And yes, if it's written down they don't have to guess anything.

My original post question was, is there a best practices document write-up available someplace. I'm really looking for something that will back up what I have decided to put in place without having to drag out the whole Administrator Guide and thumb through the different areas in case I'm asked.

Geoff Gill
TSM Administrator
NT Systems Support Engineer
SAIC
E-Mail: [EMAIL PROTECTED]
Phone: (858) 826-4062
Pager: (877) 905-7154