Page 10 - Password administration review-Guilford ES

Emergency Services:  Password Administration Review



Results (continued):
  rehired as part-time employees. We subsequently obtained a report of all ES employees and noted the employees were identified by HR as part-time. Therefore, no exceptions were noted.
  •  1 or 4% of the terminated users was found in the current listing of active users in Active Directory. Per inquiry with ES Technical Support Administrators, the user was in the 30-day grace period of maintaining access before being rehired. Thus, per policy the user maintains access within the system before being processed by HR.

Test #4
  Objective:  We examined all accounts in the guilford-es.com domain and identified any accounts that are not in compliance with the maximum password age of 180 days.
  Procedure:  428 accounts were examined for compliance with password resets within 180 days, and accounts that are not in compliance were identified.
              Passwords Reset
  Results:    Of the 428 accounts examined,
  •  45 or ~10% were disabled in the system. Note these accounts were excluded for test purposes as the users of these accounts have no access to the system.
  •  382 or ~89% were enabled and were in compliance, indicating the user/account has reset their password within 180 days.
  •  1 or ~1% was found to never have had a password set. The account was confirmed to be a decoy account. Per inquiry with ES Technical Services Administrators, the account is a fake administrator account with no logon privileges. It is monitored for lockouts.
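One way to reproduce the Test #4 check against a domain, as an added example and not a script from the audit report: it assumes the RSAT ActiveDirectory module and read rights on the domain; the domain name guilford-es.com and the 180-day threshold come from the report, while the status labels and output file name are the example's own.

```powershell
# Added example (not the report's own script): classify every user account the
# way Test #4 does. Disabled accounts are set aside, enabled accounts are
# compliant if the password was reset within $MaxAgeDays, and accounts whose
# password was never set (raw pwdLastSet = 0) are flagged for follow-up, which
# is how the report's decoy administrator account surfaced.
Import-Module ActiveDirectory

$MaxAgeDays = 180
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)
$Domain     = 'guilford-es.com'   # domain named in the report

$users = Get-ADUser -Server $Domain -Filter * `
    -Properties Enabled, PasswordLastSet, pwdLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    # Date-based test, so "password never expires" accounts are still measured
    $status = if (-not $u.Enabled) { 'Disabled (excluded)' }
              elseif ($u.pwdLastSet -eq 0) { 'Never set - review' }
              elseif ($u.PasswordLastSet -ge $Cutoff) { 'Compliant' }
              else { 'Non-compliant' }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires
        Status               = $status
    }
}

# Summary counts in the same shape as the report's results column
$report | Group-Object Status | Select-Object Name, Count | Sort-Object Name

# Evidence file for the working papers: every account that needs an explanation
$report | Where-Object Status -in 'Non-compliant', 'Never set - review' |
    Export-Csv -Path .\password-age-exceptions.csv -NoTypeInformation
```

Each flagged account still needs the follow-up inquiry the report describes, since the script cannot tell a decoy or service account from a neglected user account.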


Test #5
  Objective:  We reviewed all administrative accounts including the enterprise and domain administrators to ensure the administrators
  Procedure:  Reviewed the administrative access accounts and noted a total of 7 domain administrators and 1 enterprise administrator. Note these are built-in groups in Active Directory that have been granted various levels of rights in the domain and/or from full administrative rights. Every
  Results:
  •  Of the 7 domain administrators, 4 were service accounts and 3 were user accounts. The user accounts belong to the ES Technical Services Administrators. We noted this as appropriate.
  •  The 1 enterprise administrator is a service account for administering the

