Thursday, June 10, 2010

Homeland Security gets dinged on their Active Directory security

The Inspector General of Homeland Security has just published its findings regarding the security of Active Directory at DHS, “Stronger Security Controls Needed on Active Directory Systems.” You don’t often get to read documents like this, especially ones related to Active Directory, so I thought I’d call it out. Below are two paragraphs from the executive summary that more or less tell you exactly what the Inspector General’s concerns were:
Systems within the headquarters’ enterprise Active Directory domain are not fully compliant with the department’s security guidelines, and no mechanism is in place to ensure their level of security. These systems were added to the headquarters domain, from trusted components, before their security configurations were validated. Allowing systems with existing security vulnerabilities into the headquarters domain puts department data at risk of unauthorized access, removal, or destruction.

Also, the department does not have a policy to verify the quality of security configuration on component systems that connect to headquarters. Interconnection security agreements are present for each connection between headquarters and components to secure shared services; however, neither the agreements nor other policy define specific security controls required for connecting systems. Stronger management and technical controls are needed on trusted systems to protect data provided by the department’s enterprise-wide applications.
Some of the specific issues called out include:
  • A default privileged account enabled on a Windows server
  • Missing security patches
  • Local password policy not set to DHS standards
  • A protocol in use that is specifically identified in DHS policy as vulnerable
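As an added illustration (not code from the report or from this post), here is a PowerShell audit that checks a single Windows host for those four findings and returns them as a list, the sort of gate that could run before a system is admitted to the headquarters domain. It assumes PowerShell 5.1 or later running elevated. The password thresholds are placeholder values, not DHS standards, and because the report does not name the vulnerable protocol, SMBv1 and LM/NTLMv1 acceptance stand in for it.

```powershell
# Added example, not code from the DHS OIG report or the original post.
# Audits one Windows host for the four findings listed above and returns them.
# Assumptions: PowerShell 5.1+, run elevated. The password thresholds are
# placeholders (not DHS standards); SMBv1 and LM/NTLMv1 stand in for the
# unnamed "vulnerable protocol" in the report.
function Test-HostBaseline {
    [CmdletBinding()]
    param(
        [int]$MinPasswordLength = 12,   # assumed baseline
        [int]$MinHistorySize    = 24,   # assumed baseline
        [int]$MaxPasswordAge    = 60    # assumed baseline, in days
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Default privileged account enabled: built-in Administrator (RID 500)
    #    and Guest (RID 501), found by RID so a renamed account is still caught.
    foreach ($u in Get-LocalUser) {
        $rid = $u.SID.Value.Split('-')[-1]
        if (($rid -in @('500', '501')) -and $u.Enabled) {
            $findings.Add("Built-in account '$($u.Name)' (RID $rid) is enabled")
        }
    }

    # 2. Missing security patches: ask the Windows Update Agent which applicable
    #    updates are not installed (needs reachability to WSUS or Windows Update).
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
        foreach ($upd in $result.Updates) {
            $findings.Add("Missing update: $($upd.Title)")
        }
    } catch {
        $findings.Add("Unable to enumerate missing updates: $($_.Exception.Message)")
    }

    # 3. Local password policy: export the effective security policy with secedit
    #    and compare the [System Access] values against the assumed baseline.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $policy[$Matches[1]] = [int]$Matches[2] }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($policy['MinimumPasswordLength'] -lt $MinPasswordLength) {
        $findings.Add("MinimumPasswordLength is $($policy['MinimumPasswordLength']); baseline requires $MinPasswordLength")
    }
    if ($policy['PasswordComplexity'] -ne 1) {
        $findings.Add('Password complexity is not enforced')
    }
    if ($policy['PasswordHistorySize'] -lt $MinHistorySize) {
        $findings.Add("PasswordHistorySize is $($policy['PasswordHistorySize']); baseline requires $MinHistorySize")
    }
    # secedit exports -1 when passwords never expire
    if ($policy['MaximumPasswordAge'] -eq -1 -or $policy['MaximumPasswordAge'] -gt $MaxPasswordAge) {
        $findings.Add("MaximumPasswordAge is $($policy['MaximumPasswordAge']); baseline requires <= $MaxPasswordAge days")
    }

    # 4. Vulnerable protocol (illustrative stand-in): SMBv1 server enabled, or
    #    LM/NTLMv1 still accepted because LmCompatibilityLevel is below 5.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older hosts: an absent SMB1 registry value means SMBv1 is enabled.
        $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }
    if ($smb1) { $findings.Add('SMBv1 server protocol is enabled') }

    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    # Level 5 = send NTLMv2 only and refuse LM and NTLM. An absent value means the
    # OS default applies, which still accepts NTLMv1 from clients.
    if ($null -eq $lsa -or $lsa.LmCompatibilityLevel -lt 5) {
        $level = if ($lsa) { $lsa.LmCompatibilityLevel } else { 'unset' }
        $findings.Add("LmCompatibilityLevel is $level; LM/NTLMv1 authentication is still accepted")
    }

    return $findings
}

# Usage: refuse to proceed (for example, with a domain join) while findings remain.
$issues = @(Test-HostBaseline)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Host meets the baseline.'
```

The update check is the only part that needs network access; the rest reads local state, so the script can also be pointed at candidate systems from a component before their interconnection is approved. Replace the placeholder thresholds and the stand-in protocol checks with whatever your own written policy actually specifies.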
I don’t want to second-guess how difficult a job any enterprise has with respect to enforcing security policy, especially an enterprise the size of Homeland Security. I wonder how much, if at all, Microsoft’s Network Access Protection would help? In this report, “federation” is mentioned a few times. I’m not sure if the authors really mean federation in the ADFS sense or some other sense, but if it is in the ADFS sense, you have to wonder how you enforce security policy on federated users. How do you do that?

This report illustrates how difficult it is to enforce a consistent security policy. Yes, there are built-in tools like Group Policy and commercial tools that would help DHS enforce security policy. Yes, you can have written policies. However, at the end of the day, reports like this help to define areas to focus on.

Read the report. Do you have any of the problems that were highlighted? How are you remediating them, or are you?
