John:

Your opinion is valid. There are many shops that haven't crafted a
complete plan to access the resources on their servers.

LMTCPB is designed only to stop commands from a classic command line
interface. We are in agreement that it is useless for anything else. As
you have pointed out it is possible to execute remote commands on the
local server (including executing commands against 127.0.0.1) to get
around the limitations imposed by LMTCPB. 

I have three basic problems with LMTCPB and commands. 
1) It's obsolete in that it hasn't been updated to check commands in
newer interfaces. [limited scope]
2) It's checked after the user has already been determined to have
object authority to the command.
3) It's difficult to find the LMTCPB "violations". They aren't placed in
the system audit journal. [more obsolescence]

When used in the environment for which it was designed, LMTCPB can be a
tool of last resort to stop some undesired activity. You need to look
hard to find out that LMTCPB is doing anything of value on your system.
The information is in the joblog. But it also can interfere with desired
activity, requiring a bunch of work-arounds. 

Anyway, let's talk about the Inventory Master. 

By giving a user *CHANGE rights to the master file, you give them rights
to the file in all interfaces. The user can get at the file through
EDTF/DFU or Excel, as well as the expected application interfaces. 

I would use adopted authority for access through the expected
application interfaces and use proxy commands to limit the use of EDTF
or DFU to well-defined views of the data, then take away the data rights
to the file. The object authority is still checked on the remote server
interfaces. If you need access to the file from one or more remote
servers, you can use exit programs to give you this authority.

Database administration is a bunch of landmines. How you implement your
security plan can have a significant impact on performance. I prefer to
start out with a simple plan (then resist all efforts to make it more
complex).

Phil Ashe
NetIQ (A division of Attachmate)
1233 West Loop South, Suite 1800 | Houston, TX 77027 USA
713.418.5279 phone
phil.ashe@xxxxxxxxxxxxxx
www.netiq.com 


 

Phil, 

Would you care for a little open and spirited debate?

<snip>

sure!
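The layout Phil describes for the Inventory Master, written out as an added IBM i CL example that is not part of this thread: the library, file, program and profile names (INVLIB, INVMST, INVUPD, INVOWNER, INVUSERS) are assumed placeholders.

```cl
/* Added example, not from the thread. Names are placeholders.            */
/* Goal: nobody holds data rights to the master file directly; the        */
/* application entry program adopts its owner's authority instead.       */

/* 1. A dedicated owner profile holds the data rights and never signs on. */
CRTUSRPRF  USRPRF(INVOWNER) PASSWORD(*NONE) STATUS(*DISABLED) +
           TEXT('Owns inventory objects, no sign-on')
CHGOBJOWN  OBJ(INVLIB/INVMST) OBJTYPE(*FILE) NEWOWN(INVOWNER)

/* 2. Take the data rights away from everyone else. Object authority is  */
/*    checked in every interface (EDTF, DFU, ODBC, FTP, remote servers), */
/*    so this closes the paths that LMTCPB never sees.                   */
RVKOBJAUT  OBJ(INVLIB/INVMST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT  OBJ(INVLIB/INVMST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. The application entry program adopts its owner's authority and     */
/*    is owned by INVOWNER, so it can reach the file on the user's       */
/*    behalf only through the program's own logic.                       */
CRTCLPGM   PGM(INVLIB/INVUPD) SRCFILE(INVLIB/QCLSRC) SRCMBR(INVUPD) +
           USRPRF(*OWNER) USEADPAUT(*YES)
CHGOBJOWN  OBJ(INVLIB/INVUPD) OBJTYPE(*PGM) NEWOWN(INVOWNER)

/* 4. Application users (assumed group profile INVUSERS) may run the     */
/*    program but hold no rights to the file itself.                     */
GRTOBJAUT  OBJ(INVLIB/INVUPD) OBJTYPE(*PGM) USER(INVUSERS) AUT(*USE)

/* 5. Unlike LMTCPB, authority failures against the file are recorded in */
/*    QAUDJRN (AF entries) when *AUTFAIL auditing is active; object      */
/*    auditing on the file adds a record of every change when QAUDCTL    */
/*    includes *OBJAUD.                                                  */
CHGOBJAUD  OBJ(INVLIB/INVMST) OBJTYPE(*FILE) OBJAUD(*CHANGE)

/* 6. Verify: expect *PUBLIC *EXCLUDE and INVOWNER *ALL on the file.     */
DSPOBJAUT  OBJ(INVLIB/INVMST) OBJTYPE(*FILE)
```

Any remaining EDTF/DFU access then has to go through a command whose processing program adopts INVOWNER in the same way and opens only the intended view of the data.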



This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].