DHS Active Directory doesn't protect, says IG
The Homeland Security Department's implementation of Microsoft Active Directory allows unsafe systems to connect to the department's network, concludes a newly released inspector general report.
Between September 2009 and January 2010, DHS auditors studied DHS's federated Active Directory, in which policy is centrally formulated but each department component is responsible for managing its own objects.
For applications that require access by users from many components, DHS grants cross-domain trust and requires that enterprise applications conform to a security policy. However, the department doesn't validate or audit those security controls and as a result, insecure systems from Customs and Border Patrol, Immigration and Customs Enforcement and the Science & Technology Directorate have operated on the DHS network.
Among the vulnerabilities auditors found were an enabled default privileged account on a Windows server, missing security patches, and an unidentified protocol already identified as vulnerable.
Adding to the problem is that DHS's Active Directory was designed to just support the headquarters network. Enterprise applications get added through manual procedures and individual validations, processes that the IG notes "have not proven to be effective in maintaining the level of security required on DHS' network."
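The gap the IG describes is that cross-domain trusts are granted without anyone validating the trusted side. The following PowerShell check is an added example, not part of the report or of DHS's own tooling: it enumerates the trusts held by the current domain, records the trust hardening flags, and reports whether the built-in Administrator (RID 500) and Guest (RID 501) accounts are enabled in each trusted domain. It assumes the ActiveDirectory module is installed and that the caller has read access to the trusted domains' domain controllers.

```powershell
# Added audit check (constructed example): review each cross-domain trust and
# the state of the built-in default accounts in the trusted domain.
# Assumes the ActiveDirectory module and read access to each trusted domain.
Import-Module ActiveDirectory

function Get-TrustedDomainDefaultAccountReport {
    param(
        # Domain whose outbound/inbound trusts are reviewed; defaults to current.
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    foreach ($trust in Get-ADTrust -Filter * -Server $Server) {
        $report = [ordered]@{
            Trust                   = $trust.Name
            Direction               = $trust.Direction
            TrustType               = $trust.TrustType
            SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
            SelectiveAuthentication = $trust.SelectiveAuthentication
            AdminEnabled            = $null   # RID 500
            GuestEnabled            = $null   # RID 501
            Error                   = $null
        }
        try {
            # Resolve the trusted domain so we can build its well-known SIDs.
            $remote = Get-ADDomain -Identity $trust.Name
            foreach ($rid in 500, 501) {
                $acct = Get-ADUser -Identity "$($remote.DomainSID)-$rid" `
                                   -Server $remote.DNSRoot `
                                   -Properties Enabled, PasswordLastSet
                if ($rid -eq 500) { $report.AdminEnabled = $acct.Enabled }
                else              { $report.GuestEnabled = $acct.Enabled }
            }
        }
        catch {
            # A trusted domain we cannot even query is itself a finding:
            # it means nobody on this side can validate its controls.
            $report.Error = $_.Exception.Message
        }
        [pscustomobject]$report
    }
}

# Flag trusts where SID filtering is off, selective authentication is off,
# or a default privileged account is still enabled on the trusted side.
Get-TrustedDomainDefaultAccountReport |
    Where-Object { -not $_.SIDFilteringQuarantined -or
                   -not $_.SelectiveAuthentication -or
                   $_.AdminEnabled -or $_.GuestEnabled -or $_.Error } |
    Format-Table -AutoSize
```

Run it from a domain-joined host as an account with read rights on the trusted domains; an empty table means every trust reviewed passed all four checks.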
In the official response to the audit, DHS Chief Information Officer Richard Spires said the department is revising its Active Directory guidance and governance.
For more:
- read DHS OIG report 10-86 (.pdf)