The U.S. Postal Service uses Microsoft’s Active Directory (AD) to control access to more than 192,000 information resources managed by 183 domains on the Postal Service information technology (IT) network. Users can access systems and services through AD once they enter a user name and password.
Administrators use AD to set up and manage user accounts, computers, policies, and permissions. Within AD, domains manage user accounts, including groups of users and computers with similar requirements. Effective management of AD allows organizations to adequately secure and protect critical information resources from accidental or intentional unauthorized use.
Fifteen AD domains manage the majority of the Postal Service IT network. Management reviews these domains periodically to comply with the Sarbanes-Oxley Act and Payment Card Industry Data Security Standards. We judgmentally selected and analyzed five of the 168 domains that are not regularly reviewed. We chose these five domains because they support a large number of servers and workstations.
Our objective was to determine whether selected domains were configured and managed in accordance with policy and industry best practices.
What the OIG Found
Postal Service management did not appropriately configure and manage the five domains we reviewed. We found that up to 40 percent of the security settings we reviewed for each domain did not fully comply with Postal Service security standards. In addition, we found 15 of 75 security settings within AD (20 percent) were not consistent with Microsoft’s best practices. For example, we determined the Postal Service [redacted] security standard has a “maximum password age” of [redacted] days, while Microsoft recommends a “maximum password age” of 30 to 90 days to ensure an attacker has limited time to crack a password.
Management also did not appropriately manage privileged accounts for three of the five domains we reviewed. Specifically, two shared administrator accounts existed on one domain and two [redacted] accounts on two domains were [redacted] required by policy. Further, management allowed administrators for three of the five domains to use accounts with [redacted] and did not require domain administrators for four of the five domains to change account passwords at least every 30 days as required by policy.
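The two findings above (a domain password policy outside Microsoft's 30 to 90 day range, and domain administrators whose passwords are not rotated every 30 days) are both checkable from a single script. The following PowerShell is an added example, not part of the OIG report or any Postal Service tooling; it assumes the RSAT ActiveDirectory module, read access to the domain being reviewed, and the thresholds quoted in the report (the domain name and interval parameters are assumptions you set).

```powershell
# Added example (not from the OIG report): audit one domain's default password
# policy and the hygiene of its Domain Admins members against the thresholds
# the report cites. Assumes RSAT ActiveDirectory and read access to the domain.
param(
    [string]$Domain = (Get-ADDomain).DNSRoot,   # assumption: current domain
    [int]$MinMaxAgeDays = 30,                   # Microsoft best-practice lower bound (from the report)
    [int]$MaxMaxAgeDays = 90,                   # Microsoft best-practice upper bound (from the report)
    [int]$AdminRotationDays = 30                # Handbook AS-805 rotation interval (from the report)
)

Import-Module ActiveDirectory

# 1. Default domain password policy: "maximum password age" vs. the 30-90 day range.
$policy = Get-ADDefaultDomainPasswordPolicy -Server $Domain
$maxAge = $policy.MaxPasswordAge.Days
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning "$Domain : maximum password age is unlimited (passwords never expire)"
} elseif ($maxAge -lt $MinMaxAgeDays -or $maxAge -gt $MaxMaxAgeDays) {
    Write-Warning "$Domain : maximum password age is $maxAge days (expected $MinMaxAgeDays-$MaxMaxAgeDays)"
} else {
    Write-Output "$Domain : maximum password age of $maxAge days is within range"
}

# 2. Domain Admins members (recursive, user objects only) whose password has not
#    been changed within the rotation interval, or that are set to never expire.
$cutoff = (Get-Date).AddDays(-$AdminRotationDays)
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Server $Domain -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Server $Domain -Properties PasswordLastSet, PasswordNeverExpires, Enabled

foreach ($a in $admins) {
    if (-not $a.Enabled) { continue }   # disabled accounts are a separate review item
    if ($a.PasswordNeverExpires) {
        Write-Warning "$($a.SamAccountName): PasswordNeverExpires is set"
    }
    if (-not $a.PasswordLastSet -or $a.PasswordLastSet -lt $cutoff) {
        Write-Warning "$($a.SamAccountName): password last set $($a.PasswordLastSet) (older than $AdminRotationDays days)"
    }
}

# 3. Emit the member list so reviewers can match each account to a named owner;
#    shared administrator accounts cannot be detected from attributes alone.
$admins | Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires
```

Run it once per domain under review (the report notes that 168 domains fall outside the periodic Sarbanes-Oxley and PCI reviews); the final listing exists because the shared-account finding requires a human to confirm that every privileged account maps to exactly one accountable person.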
The domains were not properly configured because administrators were unaware of the applicable Postal Service security standards or did not have access to them.
Administrators also did not have a schedule to periodically review the standards to ensure compliance.
Without the proper security controls and requirements over domains, the Postal Service is at an increased risk of unauthorized users gaining access to its resources.
What the OIG Recommended
We recommended management provide domain administrators access to current security standards and ensure administrators configure servers running AD to comply with applicable requirements. We also recommended domain administrators comply with Handbook AS-805, Information Security, to manage AD privileged accounts, including [redacted], removing accounts, [redacted], and changing administrative account passwords. Finally, we recommended the Corporate Information Security Office update Postal Service security standards and align them with best practices where appropriate.