The Internal Revenue Service’s oversight of Active Directory — the Microsoft service that combines authentication, authorization and directory management — failed to meet established standards, according to a June 27 Treasury Inspector General for Tax Administration report.

“TIGTA previously recommended that the IRS establish an agencywide Active Directory governing body that finalizes and enforces forest design criteria, develops standards, oversees trusts and ensures that unauthorized forests or domains are not implemented. Although the IRS agreed to this recommendation, the governing body created in May 2013 is not providing agencywide Active Directory oversight,” the report said. “Security weaknesses in Active Directory could allow unauthorized personnel to gain access to critical IRS servers, applications and account management.

Members of the Active Directory Technical Advisory Board told investigators that they did not know how many active “forests” — the largest collection of objects within an Active Director Network — existed within IRS. And when the Criminal Investigation division upgraded its functional forest in April 2017, officials could produce no evidence that the board had been made aware of the change.

“Based on the results of our review, the ADTAB did not meet the basic requirements of its charter. The ADTAB does not provide adequate governance or oversight of the IRS AD architecture,” the report said.

In the process of reviewing Active Directory oversight, the TIGTA also found that Criminal Investigation computer rooms lacked physical security controls, such as designating those rooms “Limited Areas,” enforcing two-factor authentication to access the area, safeguarding lock combinations to the rooms, maintaining accessible fire extinguishers and maintaining emergency power.

And while the Criminal Investigation computer rooms had adequate vulnerability scanning, the division continued to use an outdated application to validate security requirements. That application found that all CI domain controllers failed scans, but data owners were not given feedback on how to fix problems the application found.

The CI also failed to remove the accounts of inactive users in a timely manner, leaving their systems vulnerable to exploitation.

“Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for IRS network monitoring tools. Terminated contractor and employee accounts have often been misused in this way. This places CI’s sensitive data at risk for loss, manipulation and other unauthorized access,” the report said.

The TIGTA gave the IRS 10 recommendations for improving Active Directory oversight and resolving physical and digital vulnerabilities in the Criminal Investigation computer rooms, and the agency agreed with all of them.