The FDIC’s Security Controls Over Microsoft Windows Active Directory

The Office of Inspector General of the Federal Deposit Insurance Corporation (FDIC) has issued its report on The FDIC’s Security Controls Over Microsoft Windows Active Directory.

It is important for the FDIC to ensure that only individuals with a business need are allowed access to its many systems that contain sensitive information. The FDIC uses Active Directory (AD) to centrally manage user identification, authentication, and authorization.  AD infrastructure is an attractive target for attackers because the same functionality that grants legitimate users access to systems and data can be hijacked by malicious actors for nefarious purposes.

We performed an audit to assess the effectiveness of controls for securing and managing the Windows AD to protect the FDIC’s network, systems, and data.  We engaged the professional services firm of Cotton & Company Assurance and Advisory, LLC (Cotton) to conduct this audit.

The FDIC had not fully established and implemented effective controls for securing and managing the Windows AD to protect the FDIC’s network, systems, and data in 7 of the 12 areas we assessed.  The FDIC needed to improve controls in the following areas:

1.  Password Management:  We identified weaknesses in how the FDIC managed passwords and password changes.  In addition, multiple privileged users (a) reused their passwords; (b) shared their passwords across multiple accounts; and (c) did not change their passwords for over a year.

2.  Account Configuration:  Privileged accounts were configured with excessive privileges.  Such privileges were not justified as necessary and could allow attackers to inflict significant damage if these accounts were compromised.

3.  Access Management:  The FDIC account deletion setting did not remove over 900 users after they exceeded the required thresholds related to account inactivity.  In addition, the FDIC suspended its automated account inactivity setting for a month in late 2021 without compensating controls.

4.  Privileged Account Management:  Three FDIC users held privileged access for almost a year after the access was no longer required for their positions.

5.  Windows Operating System Maintenance:  Several servers and a workstation were running unsupported versions of the Windows or Windows Server Operating System.

6.  AD Policies and Procedures:  The AD Operations Manual included inaccurate information about the FDIC’s implementation of Active Directory.

7.  Audit Logging and Monitoring:  The FDIC did not enable performance monitoring on two domain controllers supporting its AD infrastructure.

The FDIC’s ineffective AD security controls could pose significant risks to FDIC data and systems.  In addition, the cumulative impact of these weaknesses could result in an attacker covertly obtaining administrative privileges to the FDIC’s AD, potentially allowing the attacker to obtain, manipulate, or delete data across the network, causing serious damage to the FDIC and its mission and reputation.  Moreover, account misconfigurations by the FDIC may provide FDIC employees and contractors unnecessary elevated privileges on the FDIC’s network.

We found that the FDIC had effective controls in the remaining five control areas we assessed related to configuration management, contingency planning, patch management, vulnerability remediation, and defining key AD points of contact.

We made 15 recommendations to address the AD security control weaknesses in the 7 areas listed above.  The FDIC concurred with all recommendations.