Pub. 10 2019 Issue 1

West Virginia Banker, Spring 2019, p. 13

c. Require long passwords, which will make them stronger and more difficult to compromise.

6. No Active Directory auditing and monitoring.

Extend the event log size on the domain controller to the maximum and always track changes in Active Directory, especially changes to the Domain Administrator groups. Domain Administrator accounts should only be able to log into the domain controller to manage it. Users should not be logging into the domain controller to run management tools such as Active Directory, Group Policy Management, DHCP, and the DNS console. However, we understand that in some instances this may not be practical. The bank should consider having a separate user account for each IT staff member requiring the access privilege. Also, consider having a separate user account for server administrators who only have access to servers but not the primary domain controller.

An audit policy should be configured within Group Policy to send alerts if any modifications are made to the properties or membership of the Domain Administrator group. Most of the users that have Domain Administrator access can be provided the level of elevated access they need without being a Domain Administrator.

Most service accounts are set to have non-expiring passwords so that the service is not interrupted if the password expires. This condition could allow the service account to be compromised and used for malicious intent. Consider implementing Active Directory Managed Service Accounts, which assist in managing service accounts and address the issue of managing non-expiring passwords. In addition, service accounts should not be Domain Administrator accounts. All service accounts should have passwords of at least 20 characters and the passwords should be changed on a regular basis. Make sure that a network user account that a vendor uses is not also used to run a service on your network.

Some Service Account Bad Habits:
1. Having service accounts with passwords that do not expire,
2. Using the same password for all service accounts,
3. Providing service accounts more privileges than needed, and
4. One service account that runs everything.

Should a vendor or managed service provider (MSP) have Domain Administrator rights? The first question should be: what are these vendor or MSP user accounts doing? If the purpose is managing specific servers or workstations, then only grant access to those computers. If they need to reset passwords and work with Active Directory, then provide those privileges on the management tools. Do not give vendors the Domain Administrator credentials, and if they do need this level of access, ensure that you create a separate account for each vendor, which can be disabled when not in use. A good practice is to disable a vendor's account and only enable it when it is needed, which allows for closer monitoring of the activity being conducted while they are logged in. Do not let a vendor dictate that they must have Domain Administrator privileges; ensure you understand the tasks the vendor would be performing on your network.

While granting user accounts Domain Administrator access may be the easy answer to elevated privileges, it may not be the right answer. Examine the Domain Administrator accounts and the level of access of each. You will need to determine what works for your network users to ensure the network is functioning properly and securely. Everyone should review the privileged user accounts and assess the level of access each should have on the network.

Trista Cline is a Supervisor of Arnett Carbis Toothman LLP, Certified Public Accountants, in the Charleston, West Virginia office. Ms. Cline has over ten years of experience in information technology audit and security services in the financial institutions industry. In addition, Ms. Cline has extensive experience in database analysis and the use of database analysis tools. Contact Ms. Cline at 800-642-3601 or trista.cline@actcpas.com.
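The privileged-account review the article recommends (Domain Administrator membership, service accounts with non-expiring passwords, vendor accounts left enabled, and managed service accounts already in place) can be scripted. The script below is an added illustration, not material from the article or its author; it uses the RSAT ActiveDirectory module, and the "vendor-" naming prefix and the 90-day rotation threshold are assumptions standing in for the bank's own conventions.

```powershell
# Added example (not from the article): read-only review of privileged and service
# accounts with the RSAT ActiveDirectory module. Run from an account that can read AD.
Import-Module ActiveDirectory

$VendorPrefix       = 'vendor-'   # assumed naming convention for vendor/MSP accounts
$MaxPasswordAgeDays = 90          # assumed rotation interval for service account passwords

# 1. Who is a Domain Administrator? Nested membership is expanded so an account that
#    reaches Domain Admins through another group is not missed.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, ServicePrincipalName

Write-Host "== Domain Admins ($($domainAdmins.Count) user accounts) =="
$domainAdmins |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet, LastLogonDate |
    Format-Table -AutoSize

# 2. Service accounts that are also Domain Administrators: a registered SPN or a
#    non-expiring password inside this group is the combination the article warns against.
$domainAdmins |
    Where-Object { $_.ServicePrincipalName.Count -gt 0 -or $_.PasswordNeverExpires } |
    ForEach-Object { Write-Warning "Likely service account in Domain Admins: $($_.SamAccountName)" }

# 3. Enabled accounts with non-expiring passwords anywhere in the domain, flagging those
#    whose password has not been changed within the rotation interval.
$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
           -Properties PasswordNeverExpires, PasswordLastSet |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
    ForEach-Object {
        Write-Warning "Non-expiring password not rotated in $MaxPasswordAgeDays days: $($_.SamAccountName) (last set: $($_.PasswordLastSet))"
    }

# 4. Vendor/MSP accounts still enabled: the article's practice is to keep them disabled
#    and enable them only for the duration of the work.
Get-ADUser -Filter "SamAccountName -like '$VendorPrefix*' -and Enabled -eq `$true" -Properties LastLogonDate |
    ForEach-Object {
        Write-Warning "Vendor account enabled: $($_.SamAccountName) (last logon: $($_.LastLogonDate))"
    }

# 5. Managed service accounts already in place, the alternative to non-expiring
#    passwords that the article recommends; their passwords are rotated automatically.
Write-Host "== Managed service accounts =="
Get-ADServiceAccount -Filter * | Select-Object Name, Enabled, DistinguishedName | Format-Table -AutoSize
```

The script only reads the directory; disabling a vendor account after its maintenance window is a separate, deliberate step (Disable-ADAccount) once the findings have been reviewed.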
