Office of Audit
ACTIVE DIRECTORY OVERSIGHT NEEDS IMPROVEMENT
Final Report issued on February 5, 2020.
Highlights of Reference Number: 2020-20-006 to the Commissioner of Internal Revenue.
IMPACT ON TAXPAYERS
Microsoft® Active Directory is a Windows domain service that blends authentication, authorization, and directory technologies to create enterprise security boundaries that are highly scalable. Security weaknesses in the Active Directory could allow unauthorized access to critical IRS servers, applications, and account management. Without adequately protecting Active Directory domain controllers, the IRS cannot ensure that sensitive taxpayer information is protected.
WHY TIGTA DID THE AUDIT
This audit was initiated to review the Active Directory Technical Advisory Board’s effectiveness in implementing our previous recommendations and to evaluate the effectiveness and efficiency of the Integrated Submission and Remittance Processing (ISRP) Active Directory implementation.
WHAT TIGTA FOUND
TIGTA previously recommended that the IRS review the scope of the Active Directory Technical Advisory Board’s defined oversight responsibilities and update the existing charter to ensure that all individual forest owners are appropriately represented on the Active Directory Technical Advisory Board. The IRS implemented our previous recommendations.
TIGTA’s review of the ISRP’s implementation of the Active Directory found that computer rooms containing ISRP domain controllers lacked physical security and environmental controls. TIGTA identified 15 physical security violations related to Limited Areas, multifactor authentication, fire safety and suppression, and emergency power shutoff.
The ISRP Active Directory architecture lacks necessary logical security controls. For example, the IRS did not previously use credentials while performing vulnerability scans on ISRP domain controllers. When the IRS performed vulnerability scans using credentials at our request, the scans reported a 312 percent increase in the vulnerabilities identified. The IRS is also using an outdated application to perform security compliance checks.
Further, the IRS improperly configured ISRP service and business role accounts. As a result, TIGTA found more than 16,000 policy violations. Finally, the IRS inappropriately assigned business role accounts to an administrator group, resulting in those accounts having unnecessary elevated privileges.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Information Officer should ensure that computer rooms are immediately updated to comply with agency and Federal requirements; physically separate the submission processing equipment from the ISRP domain controllers; prioritize computer room upgrades to ensure access via multifactor authentication; establish a process to review monthly vulnerability scan reports for credentialed scans; ensure that credentialed scans are regularly completed; ensure that ISRP domain controllers with critical and high vulnerabilities are properly remediated; ensure that compliance checker applications use up-to-date guidelines; ensure that all ISRP business role accounts and service accounts are in compliance with agency requirements; and ensure that system administrators have only one privileged account with domain administrator privileges.
The IRS agreed with all of our recommendations. The IRS plans to update computer rooms housing ISRP domain controllers to comply with physical security requirements; review vulnerability scans and verify credentialed vulnerability scans are conducted; remediate critical and high vulnerabilities; monitor device configurations; properly configure business role accounts; and review administrator groups and remove duplicate accounts.
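A review of the kind the findings on business role accounts and the recommendation on single privileged accounts call for can be scripted against a privileged group. The following PowerShell is an added example, not code from the TIGTA report or the IRS; it assumes the ActiveDirectory RSAT module is installed, that service and business role accounts use the placeholder prefixes 'svc-' and 'br-' (not IRS conventions), and that a person's standard and privileged accounts share the same EmployeeID attribute.

```powershell
# Added example (not from the TIGTA report or the IRS). Reviews one privileged AD group
# (default: Domain Admins) for two conditions the audit describes: service or business
# role accounts holding domain admin rights, and administrators holding more than one
# privileged account. ASSUMPTIONS (placeholders, not IRS conventions): role accounts
# start with 'svc-' or 'br-'; a person's accounts share the same EmployeeID attribute.
Import-Module ActiveDirectory

function Get-PrivilegedGroupFindings {
    param(
        [string]$GroupName = 'Domain Admins',
        [string[]]$RoleAccountPrefixes = @('svc-', 'br-')   # placeholder naming conventions
    )
    $findings = New-Object System.Collections.Generic.List[object]
    # -Recursive expands nested groups so indirectly privileged accounts are included
    $members = Get-ADGroupMember -Identity $GroupName -Recursive

    $users = foreach ($m in $members) {
        if ($m.objectClass -ne 'user') {
            $findings.Add([pscustomobject]@{ Account = $m.SamAccountName
                Issue = "Non-user object ($($m.objectClass)) is a member of $GroupName" })
            continue
        }
        Get-ADUser -Identity $m.DistinguishedName -Properties EmployeeID, ServicePrincipalName, PasswordNeverExpires
    }

    foreach ($u in $users) {
        $hasRolePrefix = $RoleAccountPrefixes |
            Where-Object { $u.SamAccountName.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
        # A registered SPN or a non-expiring password is a heuristic sign of a service account
        if ($hasRolePrefix -or $u.ServicePrincipalName -or $u.PasswordNeverExpires) {
            $findings.Add([pscustomobject]@{ Account = $u.SamAccountName
                Issue = "Looks like a service/business role account (prefix, SPN or non-expiring password) in $GroupName" })
        }
    }

    # Each administrator should hold exactly one privileged account: group by EmployeeID
    $users | Where-Object { $_.EmployeeID } | Group-Object -Property EmployeeID |
        Where-Object { $_.Count -gt 1 } | ForEach-Object {
            $findings.Add([pscustomobject]@{ Account = ($_.Group.SamAccountName -join ', ')
                Issue = "EmployeeID $($_.Name) holds $($_.Count) accounts in $GroupName" })
        }
    return $findings
}

# Review Domain Admins; pass -GroupName to review Enterprise Admins or other privileged groups
Get-PrivilegedGroupFindings | Format-Table -AutoSize
```

Each flagged line is a candidate for the review and removal of duplicate or role accounts the IRS agreed to perform, not an automatic removal.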
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta