Extract from the report to the Public Accounts Committee on the access to IT systems that support the provision of essential services to the Danish society
The report focuses on the significant risk associated with inadequate management and control of domain administrator privileges, which makes it possible for unauthorized persons to obtain access to the institutions' IT systems and data. Rigsrevisionen has not examined the specific purposes for which unauthorized access to the institutions' systems and data could be used.
- The study revealed a number of weaknesses in the management and control of domain administrator privileges in all six institutions. Rigsrevisionen would like to highlight the fact that the institutions have not adequately limited the number of domain administrator privileges.
- Rigsrevisionen would like to highlight the fact that the institutions have not changed non-personal passwords annually, and the majority of these passwords are up to seven years old. A few of the passwords have not been changed since the late 1990s.
- The study showed that the use of domain administrator privileges was inadequately logged; for instance, individuals with domain administrator privileges had the option to delete the log. In one case, they could also change data in the log. A trusted IT employee has the option to delete the log either by using their own administrator account or by using a system or service account with domain administrator privileges. Furthermore, a hacker who has, for example, compromised an account with domain administrator privileges can also delete log files, which can impede the investigation of security incidents.
- The study revealed that five of the institutions are not reviewing their log files regularly, which reduces their chances of detecting and resolving abuse of domain administrator privileges and IT security breaches.