The FDIC's Security Controls Over Microsoft Windows Active Directory
Unimplemented Recommendations
Provide additional training to emphasize password requirements for privileged account users and communicate the effect of poor password practices, including those identified in this report.
Develop and implement controls to monitor and track password usage for privileged users and domain administrators to mitigate insecure password practices.
Approve and maintain Secure Baseline Configuration Guide deviations for accounts in the identified domain, as appropriate.
Develop and implement policies and procedures to automate the password creation and management process for privileged Active Directory accounts.
Remove unnecessary elevated domain privileges for accounts across all FDIC domains.
Develop and implement permission settings and configurations for privileged accounts that are aligned with the principle of least privilege.
Develop and implement monitoring mechanisms to regularly review privileged account settings and configurations and remediate any misconfigured accounts.
Identify inactive user accounts and disable or delete them in accordance with FDIC policy.
Design and implement mitigating controls to address occurrences where the automated inactivity setting is inoperable.
Develop and implement a process to regularly evaluate existing access roles to determine whether each is still needed or duplicates another role.
Develop and implement a process to reconcile conflicting certification determinations for duplicative roles.
Update and implement procedures to proactively update or replace operating systems before vendor support ends.
Issue a current, updated Active Directory Operations Manual.
Develop and implement procedures to regularly update the Active Directory Operations Manual to reflect the current structure and practices.
Develop and implement a process to monitor all domain controllers and ensure that any exceptions are addressed in a timely manner.
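As an added, illustrative example (not code from the FDIC OIG report, nor from the FDIC), the PowerShell script below shows how the account- and domain-controller-related recommendations above can be checked with the RSAT ActiveDirectory module: recursive review of privileged group membership and each privileged account's password and configuration settings, detection of enabled-but-inactive user accounts, and a reachability and operating-system inventory of every domain controller. The privileged group list, the 90-day inactivity threshold, the out-of-support OS pattern, and the report path are assumptions chosen for illustration; an organization would substitute the values from its own Secure Baseline Configuration Guide and policy.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the FDIC OIG report. Assumes the RSAT ActiveDirectory
# module and an account with read access to the domain. Parameter defaults are
# illustrative assumptions, not FDIC policy values.
param(
    [string]$Domain = (Get-ADDomain).DNSRoot,
    [int]$InactiveDays = 90,                                   # assumed threshold
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
        'Schema Admins', 'Administrators', 'Account Operators'),  # assumed list
    [string]$ReportPath = ".\ad-audit-$(Get-Date -Format yyyyMMdd).csv",
    [switch]$Disable                                           # act on inactive accounts
)
Import-Module ActiveDirectory

$cutoff   = (Get-Date).AddDays(-$InactiveDays)
$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Check, [string]$Subject, [string[]]$Issues) {
    if ($Issues.Count -gt 0) {
        $findings.Add([pscustomobject]@{ Check = $Check; Subject = $Subject; Issues = ($Issues -join ';') })
    }
}

# 1. Privileged accounts: enumerate each group recursively so nested group
#    membership is not missed, then test each user's settings against
#    least-privilege and password-hygiene expectations.
foreach ($group in $PrivilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -Server $Domain -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($member in $members) {
        $u = Get-ADUser -Identity $member.distinguishedName -Server $Domain `
             -Properties Enabled, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet, LastLogonDate, ServicePrincipalName
        $issues = @()
        if ($u.PasswordNeverExpires) { $issues += 'PasswordNeverExpires' }
        if ($u.PasswordNotRequired)  { $issues += 'PasswordNotRequired' }
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $cutoff) { $issues += "PasswordOlderThan${InactiveDays}Days" }
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff)     { $issues += "NoLogonIn${InactiveDays}Days" }
        if (-not $u.Enabled)         { $issues += 'DisabledButStillPrivileged' }
        if ($u.ServicePrincipalName) { $issues += 'ServiceAccountWithAdminRights' }  # Kerberoastable admin
        Add-Finding -Check "Privileged:$group" -Subject $u.SamAccountName -Issues $issues
    }
}

# 2. Inactive user accounts that are still enabled. Search-ADAccount relies on
#    lastLogonTimestamp, which replicates with roughly 9-14 days of slack, so
#    the threshold is approximate; that is also why a purely automated
#    inactivity setting needs a compensating review like this one.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly -Server $Domain |
            Where-Object { $_.Enabled }
foreach ($acct in $inactive) {
    Add-Finding -Check 'InactiveEnabled' -Subject $acct.SamAccountName -Issues @("LastLogon=$($acct.LastLogonDate)")
    if ($Disable) {
        # Disable rather than delete: reversible, and the object stays for forensics.
        Disable-ADAccount -Identity $acct.DistinguishedName -Server $Domain
    }
}

# 3. Domain controllers: reachability and OS version, covering the
#    end-of-support and "monitor all domain controllers" recommendations.
#    The version pattern is an assumption; Server 2008/2012 are past vendor
#    extended support, and the list should be revised as versions age out.
foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    $issues = @()
    if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) { $issues += 'Unreachable' }
    if ($dc.OperatingSystem -match '2008|2012') { $issues += "OutOfSupportOS:$($dc.OperatingSystem)" }
    Add-Finding -Check 'DomainController' -Subject $dc.HostName -Issues $issues
}

$findings | Sort-Object Check, Subject | Export-Csv -NoTypeInformation -Path $ReportPath
$findings | Sort-Object Check, Subject | Format-Table -AutoSize
Write-Host "$($findings.Count) finding(s) written to $ReportPath"
```

Run it without -Disable first and review the CSV; only the inactive-account step changes anything, and it disables rather than deletes so the action can be reversed and the object remains available for investigation. Two caveats: Enterprise Admins and Schema Admins exist only in the forest root domain, so in a child domain those lookups are silently skipped by -ErrorAction SilentlyContinue, and Get-ADGroupMember -Recursive can stop on members from trusted domains (foreign security principals), which should be reviewed separately. For a multi-domain forest such as the one described in the recommendations, run the script once per domain by passing -Domain.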