TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
The Enterprise-Wide Implementation of Active Directory® Needs Increased Oversight
Reference Number: 2006-20-080
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site | http://www.tigta.gov
May 9, 2006
MEMORANDUM FOR CHIEF INFORMATION OFFICER
FROM: Michael R. Philips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – The Enterprise-Wide Implementation of Active Directory® Needs Increased Oversight (Audit # 200520010)
This report presents the results of our review to determine whether the Internal Revenue Service (IRS) had effectively and securely implemented the Active Directory®-based network and the Windows 2003® Server Operating System.
The IRS is in the process of implementing an Active Directory®-based network and upgrading its computers to the Windows 2003® Server Operating System. Active Directory® is the Microsoft Corporation’s (Microsoft) latest technology for administering and securing computer networks and is a central component of the Windows 2003® Server Operating System. Active Directory® manages the identities and relationships of computing resources that comprise a network, simplifies system administration, and provides easier methods to strengthen and consistently secure computer systems. Because the IRS’ previous network operating system was divided into obsolete and inefficient boundaries, expensive to manage, and difficult to consistently secure, the migration to Active Directory® should result in an upgraded network that can better meet the IRS’ future needs.
The IRS has made significant progress in its Active Directory® implementation; however, increased oversight is needed to ensure the IRS achieves all expected benefits, including more efficient network management and increased security.
The IRS has made significant progress in implementing Active Directory®. Planning began in Fiscal Year 2000, and the IRS expects to complete the migration by December 31, 2006. However, significant risks remain that must be addressed for the IRS to achieve the benefits of Active Directory®. For example, design standards must be enforced. Ideally, all IRS functions could be included within one boundary (called a forest in Active Directory®). However, managers and system administrators, who play a large role in managing current domains and applications, may be reluctant to participate in the IRS Active Directory® forest since they will likely lose autonomous control over the network components. Five Active Directory® forests have already been established, and two IRS organizations have stated a need for additional separate forests. Adding unnecessary separate forests will increase the cost of implementing and maintaining Active Directory® and will make maintaining consistent security controls more difficult. Funding must also be provided to replace outdated computers that cannot support Active Directory®. In addition to the costs of the computers, the IRS is paying Microsoft custom support fees to support its outdated operating systems until the computers are replaced.
The Active Directory® Team did not have sufficient authority to finalize Active Directory® guidance documents, enforce adherence to design and security standards and industry best practices, and ensure the timely and successful migration of Active Directory® IRS-wide. During our review, the IRS formed a new project team with executive leadership that can provide the level of oversight needed to ensure the successful implementation of Active Directory®. Because the new team and leadership are already aware of these implementation issues, we made no recommendations to address these issues.
We also found some of the computers that had been migrated into the new Active Directory®-based network did not meet the IRS’ approved security standards. We reviewed a sample of 53 servers from the 399 that had been migrated to the Active Directory®-based network at the time we initiated our review in July 2005. Over 22 percent did not adequately comply with the IRS’ approved security settings, resulting in vulnerabilities that could be exploited by hackers and disgruntled employees. In some instances, Active Directory® security settings were changed to what the IRS considered stronger settings or to enable the servers to perform a particular role on the network. In both instances, changes were made without obtaining concurrence from the Chief, Mission Assurance and Security Services, and approval from the system owner, as required.
In addition, sufficient oversight was not provided over system administrator accounts. These accounts need to be carefully controlled because they are the most powerful accounts that exist on the network and can perform critical tasks that have major effects on the security, operation, and performance of the network. We found:
We recommended the Chief Information Officer develop a formal process for approving deviations from the IRS’ approved security settings for Active Directory®. When deviations are preferred or needed, concurrence from the Chief, Mission Assurance and Security Services, and approval of the system owner should be requested. We also recommended the Chief Information Officer improve oversight of system administrator accounts during the implementation of Active Directory®. Computers should be periodically reviewed for compliance with requirements. Procedures should be enforced and system administrators held accountable for adhering to these procedures.
IRS management agreed with our recommendations. Requests for deviations will include the recommendation from the Chief, Mission Assurance and Security Services, and approval from the system owner. The IRS will increase oversight of system administrator accounts and enforce procedures for protecting them. Computers will be periodically monitored and system administrators will be held accountable for complying with procedures. Management’s complete response to the draft report is included as Appendix IV.
Copies of this report are also being sent the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
In today’s information technology environment, networked computing is essential for organizations to remain effective and efficient. As a result, modern operating systems require a directory service for managing the identities and relationships of the resources that reside on networks. A directory service:
· Stores information about a network’s applications, files, and printers and the people who have access to the network.
· Provides a consistent way to name, describe, access, manage, and secure information about these resources.
· Acts as the main switchboard of the network operating system.
Because a directory service supplies these fundamental network operating system functions, it must be tightly coupled with the operating system controls to ensure the integrity and privacy of the network.
The Internal Revenue Service (IRS) operates a large computer network that includes about 3,000 servers and 110,000 workstations using Windows® operating systems provided by the Microsoft Corporation (Microsoft). Until recently, the IRS network was divided into over 100 domains that were based on obsolete and inefficient organizational boundaries, resulting in high operating costs and inconsistent security controls. The IRS’ domain structure lacked the flexibility, scalability, and power needed to support changes in organizational needs.
In 2000, the IRS began addressing these concerns by planning the deployment of Active Directory®, Microsoft’s latest technology for administering and securing computer networks. In addition to strengthening security, Active Directory® can simplify system administration by providing a single, consistent point to manage users, applications, and devices. It provides users with a single sign-on to network resources and provides system administrators with powerful tools to ensure consistent security controls among desktop users, remote dial-up users, and external e-commerce customers.
Active Directory® is a pervasive technology that affects virtually the entire IRS network. Its implementation is a major undertaking due to the size of the IRS network and the diversity of IRS functions it supports. The IRS is currently in the process of upgrading its computers from the Windows NT® operating system to the Windows 2003® Server Operating System and moving them into the Active Directory®-based network. When we initiated this review in July 2005, the migration was still in process and the IRS had moved 399 servers to the new network. The IRS expects to move all 110,000 workstations in early 2006 and all 3,000 servers by December 31, 2006.
This review was performed at the Active
Directory® Team offices within the Modernization and
Information Technology Services organization’s
End User Equipment and Services organization
The IRS has made significant progress in implementing Active Directory® and is on schedule for migrating user accounts, workstations, and servers into the new network. However, significant risks remain that must be addressed for the IRS to achieve the benefits of Active Directory®, specifically to simplify system administration and strengthen overall security.
For the past several years, a team of about 20 members from the End User Equipment and Services organization has driven the design and deployment of the Active Directory®-based network for most of the IRS. The Active Directory Team developed design documents and implementation plans for the new Active Directory®-based network in accordance with Microsoft recommendations and industry best practices. While the Team has made significant progress, its members advised, and we confirmed, it did not have the cross-functional authority to ensure all IRS entities were working together, including the Modernization and Information Technology Services organization, the Office of Mission Assurance and Security Services, and the IRS business units. The Team did not have the authority to finalize guidance documents, enforce adherence to design and security standards, or ensure timely and successful implementation of Active Directory® IRS-wide.
After we discussed these concerns with lead members of the Active Directory® Team, the IRS formed a new project team with the authority to address Active Directory® design and security issues from an enterprise perspective. The new team is led by the Enterprise Services organization and reports to the Infrastructure Executive Steering Committee. We concur with this approach and believe the Steering Committee can provide the executive-level oversight needed to implement Active Directory®. To achieve the full system administration benefits of Active Directory®, the Steering Committee will need to enforce design standards and provide adequate funding and oversight to keep implementation on schedule. Because the Steering Committee is already aware of these implementation issues, we are making no recommendations to address these issues.
Active Directory® design standards must be enforced
The large and dispersed network used by the IRS often requires time-consuming and redundant system administration. Active Directory® allows the IRS to significantly lower system administration costs by providing a single place to manage users, groups, and network resources, as well as to distribute software and manage desktop configurations. It automatically distributes software to users based on the users’ roles, thus reducing or eliminating multiple contacts the system administrators need to make to employees’ workstations to install and configure software.
Active Directory® uses a hierarchical approach to allow organizations to more easily administer the entire network and to customize administration based on the needs of users. Active Directory® refers to its outermost logical boundary as a forest. A forest is a collection of subsets that share the same Active Directory® configuration and design elements. These subsets are called domains. Domains are used to manage the various populations of users, computers, and other network resources.
A best practice is to create a large “production domain” to hold almost all of an organization’s users and computers. A smaller “root domain” is created to contain a minimal number of powerful administrative accounts and computers. Within domains, smaller subsets called “organizational units” are used to create administrative groupings of users, computers, and printers that can be uniformly managed. Figure 1 depicts the various levels in the Active Directory® hierarchy.
Figure 1: Illustration of a Common Active Directory® Structure
Figure 1 was removed due to its size. To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
Ideally, the IRS could maintain one forest, then use domains and organizational units to group objects that have common system settings based on specific needs of the various IRS functions. Separate forests add overhead and are less efficient because they require the creation and maintenance of additional design elements and security components, whereas adding an entity to an existing forest takes advantage of existing design elements and security components.
The Active Directory® Team established the main IRS production forest and provided criteria in accordance with industry best practices for justifying additional forests. IRS entities requesting a separate forest must have stringent security requirements, such as the maintenance of law enforcement data, that require elevated security clearance for system administrators.
To date, the IRS has been successful at limiting the number of forests. Most network resources are included in a single forest with a root domain and one large production domain.
Additional forests have been created for two IRS functions (the Offices of Chief Counsel and Criminal Investigation) and one system (the Integrated Submission and Remittance Processing System) that need greater security and can justify the need for separate forests. A forest was also created for the Integrated Financial System because it was implemented before the IRS was ready to deploy Active Directory® on an enterprise-wide basis. However, this system does not meet the IRS’ criteria for establishing a separate forest; therefore, consideration should be given to bringing it into the IRS’ main production forest to achieve maximum efficiencies and security of IRS operations.
As the implementation of Active Directory® continues, we expect other entities will request separate forests. Managers and system administrators who play a large role in managing current domains and applications may be reluctant to participate in the IRS Active Directory® forest since they will likely lose autonomous control over the network components. For example, two IRS organizations have stated a need for separate Active Directory® forests in addition to the five forests already established. Adding unnecessary separate forests will increase the cost of implementing and maintaining Active Directory® and will make maintaining consistent security controls more difficult.
Funding must be provided to ensure Active Directory® implementation remains on schedule
The IRS must also allocate sufficient funds to achieve the benefits of Active Directory®. Most of the advanced security features offered by Active Directory® cannot be implemented until outdated computer workstations and servers that cannot support Active Directory® are updated or replaced. Salary costs for upgrading or replacing servers and workstations were approximately $5.2 million in Fiscal Year 2005, and an additional $2.4 million is estimated to be spent in Fiscal Year 2006. In addition, the IRS must continue to pay Microsoft to support its outdated operating system. After Microsoft support for the IRS’ current network operating system ended in December 2004, the IRS paid for custom support so it could continue to receive security patches costing about $318,000 through December 2005. Because computers with the old operating system are not expected to be upgraded and migrated into Active Directory® until December 31, 2006, the IRS plans to continue custom support agreements costing $100,000 for each 6-month period those computers are operating. Delays in updating or replacing the outdated workstations and servers will not only postpone the benefits of Active Directory® but also force the IRS to pay additional support costs for its outdated operating system.
We also noted resources and funding for a separate forest to be used as a testing environment had not been sufficient. IRS security standards require testing to be done separately from the production environment. Because the IRS did not fund a separate testing forest, testing was performed in the production forest and in unauthorized test domains that were not compliant with IRS security policies, expensive to maintain, and likely do not represent the production forest. As a result, testing could disrupt the production environment and produce unreliable results.
Strong and consistent security controls are essential to protect the confidentiality, integrity, and availability of sensitive taxpayer data maintained on the IRS network. Active Directory® centralizes system administration and enforces role-based access controls that can be applied to both desktop and remote users. To take advantage of Active Directory® capabilities to strengthen the security of the IRS network, the IRS should ensure security settings on servers are enhanced, system administrator access rights are controlled, system administrator accounts are securely managed, and built-in system administrator accounts are safeguarded.
Server security settings did not always comply with IRS standards
The IRS has standard security settings for many types of computers. Active Directory® provides new techniques for consistently applying these settings. Computers that need to be similarly secured are placed in a group, called an organizational unit. Customized security settings needed for computers in a particular organizational unit are placed into one or more subsets, called group policy objects. Security settings are consistently applied to all the computers by linking the organizational unit to the corresponding group policy objects. Any computer subsequently added to the organizational unit should automatically receive the appropriate security settings. Deviations from the standard settings must be concurred with by the Chief, Mission Assurance and Security Services, and approved by the system owner.
Because IRS servers have various roles, the Active Directory® Team created an organizational unit for each role. The IRS also created a group policy object containing universal security settings, which are applied to all of its server organizational units, and several specialized group policy objects containing additional settings, which are applied to only specific server organizational units.
In our sample of 53 servers moved to the Active Directory®-based network, 12 (22.6 percent) did not adequately comply with the IRS’ approved settings. Six servers did not adequately comply because the organizational unit in which they were located was not linked to a group policy object. The Active Directory® Team deleted this organizational unit from the Active Directory® before our audit had been completed. Five servers were in organizational units linked to two group policy objects that did not adequately comply with the IRS’ approved set of security settings. For example, on the 5 servers, we tested the configurations for 12 user rights that we considered sensitive and found an average of 10 unapproved user rights. Lastly, one server failed to meet standards because it had a high-risk vulnerability, the lack of antivirus protection.
Some noncompliant settings in group policy objects can be attributed to human error by those implementing the settings. Other noncompliant settings were made because the Active Directory® Team purposely created settings it considered stronger than the IRS’ approved settings or to enable the server to perform a specific function. In both cases, changes to the settings were made without obtaining concurrence from the Chief, Mission Assurance and Security Services, and approval from the system owner, as required. We also noted written instructions for building and configuring Windows 2003® servers had not been prepared by the End User Equipment and Services organization before the servers were put into operation. These instructions may have improved the compliance rate of the settings used for the servers.
The use of unapproved security settings may create vulnerabilities for hackers or disgruntled employees to exploit. At a minimum, system administrators using unapproved settings diminish the capability of Active Directory® to ensure approved security controls are consistently implemented throughout the IRS network.
Sufficient oversight was not provided over system administrator accounts and access rights
The IRS requires employees to be provided only the access rights they need to carry out their responsibilities. System administrator accounts are especially powerful. Employees assigned to these accounts can make changes to the directory service, control directory-wide security settings, and install software. We found that, during the transition to Active Directory®, system administrator access was not adequately controlled, unnecessary system administrator accounts were established on servers, and built-in system administrator accounts were not being adequately safeguarded.
System administrator access was not adequately controlled. Industry best practices recommend keeping the membership of system administrator groups to the absolute minimum necessary to support the organization and limiting system administrator rights to only those needed by the individuals in the groups. Prior to implementation of Active Directory®, employees who may have needed only limited system administrator rights to carry out their responsibilities were assigned to system administrator groups with full system administrator capabilities because the previous operating system could not customize system administrator groups. For example, during a recent audit we found that employees were given full system administrator rights on 34 percent of the computers we tested just to obtain certain needed system administrator rights. Active Directory® offers improved controls by creating system administrator groups whose rights can be customized to the needs of the employees in the groups.
During this review, the IRS began to create system administrator groups whose rights were customized. For example, a group was created with full system administrator rights, but the employees in the group could access only computers they were assigned to manage. Another group was created with limited system administrator rights to manage user accounts throughout the domain. The IRS is still developing criteria for granting system administrator access into Active Directory® based on the employees’ job roles and determining approval paths for the various levels of access.
The process of reviewing and revising old rights and the establishment of centrally managed system administrator groups are expected to be a multiyear project and require buy-in from the various IRS business units. To expedite the implementation of Active Directory®, the IRS decided to use the same access rights (including system administrator rights) from the previous operating system regardless of whether the employees still needed all the rights in their groups. However, the risk of an employee accidentally or inappropriately accessing data or disrupting computer operations will be elevated until customized system administrator groups are established that limit users to only the rights they need.
Unnecessary system administrator accounts were established on servers. The IRS requires system administrator accounts to be created in centrally managed groups rather than on individual servers. Creating system administrator accounts on servers poses two problems. First, controls over accounts created on servers may be weaker than controls on accounts created centrally. Accounts on servers are governed by control settings on the servers, whereas accounts created in centrally controlled groups are governed by group policy objects. Because it is much more difficult to maintain consistent settings on individual servers than in group policy objects, the risk of security weaknesses increases. Second, finding and deleting accounts on servers for employees who change positions or leave the IRS can be a nearly impossible task in a large network because each server has to be checked. As a result, accounts that should be deleted may be overlooked and can be targeted for misuse by persons attempting to gain unauthorized access to the system. When accounts are created in a centrally controlled group, the group account is placed on the servers the group needs to access. When an employee no longer needs access to the servers, the employee just has to be removed from the central group.
We found system administrators had established system administrator accounts on 26 (49 percent) of the 53 servers we sampled. Sixty-eight system administrator accounts belonging to 27 system administrators had been directly created on these servers. Some of the accounts had been needed temporarily, while the servers were being prepared to be migrated into the Active Directory®-based network, but were not subsequently removed. Five (18.5 percent) of the 27 system administrators also had duplicate system administrator accounts that had been centrally created. As a result, the risk that system administrator accounts could be misused was increased.
Built-in system administrator accounts are not being adequately safeguarded. Every server is provided a built-in system administrator account named Administrator that was created as part of Microsoft’s design of the operating system. Its purpose is to have an account that can be used if problems prevent system administrators from using their centrally created accounts. To prevent unauthorized persons from recognizing and using these accounts, the IRS requires system administrators to rename the accounts.
On 30 (57 percent) of the 53 servers we reviewed, system administrators had not sufficiently disguised the built-in accounts. The new names on the 30 servers still allowed these accounts to be identified as regular system administrator accounts. Even if the new names had fully disguised the accounts, the built-in system administrator accounts were readily apparent on all 53 sampled servers because, directly next to the account names, there were descriptions labeling them as built-in system administrator accounts. To fully disguise these powerful accounts, the descriptions should also be changed. Because these powerful accounts, unlike regular system administrator accounts, do not lock up after several unsuccessful attempts are made to guess the password, they could be the target of persons who are attempting to gain unauthorized access to the system or disrupt computer operations.
For the latter two issues, the Chief Information Officer has not provided sufficient oversight over system administrators to ensure they comply with procedures and best practices during the transition to Active Directory®. We are confident the Infrastructure Executive Steering Committee will provide the oversight and direction necessary to ensure consistent standards for administrative access are applied as soon as possible.
The Chief Information Officer should:
Recommendation 1: Formalize the approval process for distributing security settings in Active Directory® and ensure IRS standards are met. If deviations are suggested, concurrence from the Chief, Mission Assurance and Security Services, and approval from the system owner should be obtained.
Management’s Response: IRS management agreed with this recommendation. The Associate Chief Information Officer, End User Equipment and Services, will formalize the approval process for distributing security settings to Active Directory® using the policies and procedures currently in place for current systems and applications. Requests for deviations will include the recommendation from the Chief, Mission Assurance and Security Services, and approval from the system owner.
Recommendation 2: Increase oversight of system administrator accounts and access rights during the transition to Active Directory®, enforce the IRS procedures that prohibit the creation of system administrator accounts on individual servers and require built-in system administrator accounts to be properly disguised, and periodically monitor computers for compliance and hold system administrators accountable for complying with these procedures.
Management’s Response: IRS management agreed with this recommendation. The Associate Chief Information Officer, End User Equipment and Services, will increase and improve oversight of system administrator accounts during the transition to Active Directory® and review employees with Active Directory® system administrator rights. The Associate Chief Information Officer, End User Equipment and Services, will also enforce prohibitions on the system administrator accounts on individual servers, require built-in system administrator accounts to be properly disguised, monitor computers monthly for compliance, and hold system administrators accountable for complying with requirements.
The overall objective of this review was to determine whether the Internal Revenue Service (IRS) had effectively and securely implemented the Active Directory®-based network and the Windows 2003® Server Operating System. To accomplish this objective, we:
I. Determined whether the IRS had effectively and securely created and implemented the structural components of Windows 2003® and Active Directory®.
B. Reviewed the adequacy of general security controls used to connect to and access Active Directory®.
C. Determined whether Active Directory® system administrators had received adequate training.
D. Reviewed the progress and status of Active Directory® features the IRS had not yet implemented.
E. Reviewed the progress and status of computing resources the IRS had not yet brought into the Active Directory®-based network.
II. Determined whether computers residing in the Active Directory®-based network were configured with strong security settings.
A. Reviewed the IRS’ security standards to determine whether all computer security controls had been addressed.
B. Evaluated the procedures and methods the IRS uses to install security settings onto computers and test computers for compliance with security standards.
C. Selected a judgmental sample of 53 servers from the universe of 399 servers the IRS had moved into the Active Directory®-based network when we initiated this review in July 2005. We tested the 53 servers to determine whether strong computer security controls had been implemented through Active Directory®. Since servers with different server roles (for example, file servers, print servers, and domain controller servers) have different security configurations, we judgmentally selected about 5 servers from each of the 12 server roles. Some server roles had a population of fewer than five servers. Judgmental samples were used because we were not planning to project the results against the entire universe.
D. Used the IRS’ configuration-checking computer program to assess the adequacy of computer-based controls on the 53 sampled servers.
E. Reviewed the purpose, necessity, and security of groups and accounts that had been created directly on the 53 sampled servers.
III. Determined whether the IRS had effectively used organizational units and group policy objects to ensure its computers met computer security standards.
A. Reviewed documentation on the IRS’ organizational units and group policy objects.
B. Analyzed security weakness identified in the 53 sampled servers and determined whether group policy objects had been correctly configured.
C. Assessed the IRS’ plans for continued progress in implementing organizational units and group policy objects.
Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Gerald Horn, Audit Manager
Myron Gulley, Acting Audit Manager
Richard Borst, Senior Auditor
Mary Jankowski, Senior Auditor
Jody Kitazono, Senior Auditor
Stasha Smith, Senior Auditor
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Chief Information Officer OS:CIO
The response was removed due to its size. To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
 The forest is the outermost boundary of Active Directory®.
 Domains are groups of computers on a network that are administered as a unit with common rules and procedures.
 Servers are computers that carry out specific functions. For example, file servers store files, print servers manage printers, and network servers manage network traffic.
 Servers are computers that carry out specific functions. For example, file servers store files, print servers manage printers, and network servers manage network traffic.
 Domains are groups of computers on a network that are administered as a unit with common rules and procedures.
 Scalability is a term that refers to how well a system can adapt to increased demands. A scalable network can start with a few computers and network devices and can easily expand to thousands. Scalability means an organization will not outgrow its system.
 The Modernization and Information Technology Services organization leads the delivery of IRS information technology solutions to meet enterprise-wide customer needs by providing information technology systems, products, services, and support.
 The End User Equipment and Services organization is a part of the IRS Modernization and Information Technology Services organization and provides end user computer products, services, and support to IRS functions.
 The Office of Mission Assurance and Security Services is a service and support organization that assists the IRS operating divisions in maintaining secure facilities, technology, and data.
 The Enterprise Services organization is a part of the Modernization and Information Technology Services organization and manages common information technology functions and services performed across the IRS.
 The Infrastructure Executive Steering Committee oversees the technological infrastructure for building modernized systems.
 The Integrated Submission and Remittance Processing System processes paper returns and payments submitted by taxpayers.
 The Integrated Financial System gives the IRS timely and easier access to accurate and consistent financial data, resulting in improved decision making and management.
 User rights are tasks a user is permitted to perform on a computer or network. User rights determine who can log on to a system and the tasks they are permitted to perform. For example, a user can be given the right to change a system’s time or access a system’s security logs.
 Secure Configurations Are Initially Established on Employee Computers, but Enhancements Could Ensure Security Is Strengthened After Implementation (Reference Number 2006-20-031, dated February 2006).
 The forest is the outermost logical boundary of Active Directory®.
 A domain is a group of computers on a network that are administered as a unit with common rules and procedures.
 Group policy objects contain security settings which are applied to corresponding groups of computers.