The FDIC's Security Controls Over Microsoft Windows Active Directory

Report Information

Publish Date:
Report sub-type: Audit Report
Report Number: AUD-23-002
Questioned Costs: $0
Funds for Better Use: $0

Unimplemented Recommendations

Provide additional training to emphasize password requirements for privileged account users and communicate the effect of poor password practices, including those identified in this report.

Develop and implement controls to monitor and track password usage for privileged users and domain administrators to mitigate insecure password practices.

Approve and maintain Secure Baseline Configuration Guide deviations for accounts in the identified domain, as appropriate.

Develop and implement policies and procedures to automate the password creation and management process for privileged Active Directory accounts.

Identify inactive user accounts and disable or delete them in accordance with FDIC policy.

Design and implement mitigating controls to address occurrences where the automated inactivity setting is inoperable.

Develop and implement a process to regularly evaluate the roles to determine whether they are still needed or duplicative of other roles.

Develop and implement a process to reconcile conflicting certification determinations for duplicative roles.

Update and implement procedures to proactively update or replace operating systems before vendor support ends.

Develop and implement a process to monitor all domain controllers and ensure that any exceptions are addressed in a timely manner.
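As an added example (not code from the report, the FDIC, or its OIG), the following PowerShell script shows one way an AD administrator could implement the inactive-account recommendations and the privileged-password monitoring recommendation above using the RSAT ActiveDirectory module. It finds enabled user accounts that have not logged on within a threshold (the "mitigating control" case, where the automated inactivity setting cannot be relied on), optionally disables them, and reports privileged-group members whose passwords never expire or are older than a maximum age. The 90-day and 60-day thresholds, the group list, the output file names and the dry-run default are assumptions; the report does not state the FDIC's policy values.

```powershell
# Added example, not from the FDIC OIG report. Requires the RSAT ActiveDirectory module
# and an account with rights to read (and, when not in dry-run mode, disable) users.
# Thresholds, group names and paths are assumptions; substitute values from local policy.
Import-Module ActiveDirectory

$InactiveDays      = 90       # assumption: inactivity threshold in days
$MaxPrivPwdAgeDays = 60       # assumption: maximum password age for privileged accounts
$PrivilegedGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$DryRun            = $true    # set to $false to actually disable inactive accounts

# --- 1. Inactive, still-enabled user accounts ---------------------------------
# Search-ADAccount evaluates lastLogonTimestamp, which replicates only about every
# 14 days, so the cutoff is approximate; err on the side of a longer threshold.
$cutoff   = (Get-Date).AddDays(-$InactiveDays)
$inactive = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, whenCreated |
    # Accounts that have never logged on have no LastLogonDate; only flag them
    # once they are older than the cutoff, so newly provisioned users are not hit.
    Where-Object { $_.LastLogonDate -or $_.whenCreated -lt $cutoff }

$inactive |
    Select-Object SamAccountName, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv -Path .\inactive-accounts.csv -NoTypeInformation   # assumed path

foreach ($u in $inactive) {
    if ($DryRun) {
        Write-Host "Would disable $($u.SamAccountName) (last logon: $($u.LastLogonDate))"
    } else {
        Disable-ADAccount -Identity $u
        # Record why and when, so the action is reviewable later.
        Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format s): inactive > $InactiveDays days"
    }
}

# --- 2. Privileged accounts with stale or non-expiring passwords --------------
# Expand nested membership so accounts privileged through group nesting are included.
$privMembers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}

$findings = $privMembers |
    Sort-Object -Property distinguishedName -Unique |   # a user may sit in several groups
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, Enabled |
    Where-Object {
        $_.Enabled -and (
            $_.PasswordNeverExpires -or                   # policy bypassed entirely
            -not $_.PasswordLastSet -or                   # must change at next logon, never set
            $_.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPrivPwdAgeDays)
        )
    }

$findings |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, DistinguishedName |
    Export-Csv -Path .\privileged-password-findings.csv -NoTypeInformation   # assumed path

Write-Host ("Inactive accounts: {0}; privileged password findings: {1}" -f `
    @($inactive).Count, @($findings).Count)
```

Run it on a schedule from a management host and feed the two CSVs into the ticketing or review process; keeping the script in dry-run mode until the output has been reviewed avoids disabling service or break-glass accounts that a policy exception should cover, which is where the approved baseline deviations in the earlier recommendation come in.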