NOAA Inadequately Managed Its Active Directories That Support Critical Missions

For our final report on the audit of the National Oceanic and Atmospheric Administration’s (NOAA’s) management of its Active Directories, our audit objective was to determine whether NOAA has adequately managed its Active Directories to protect mission critical systems and data. To address this objective, we utilized a specialized Active Directory assessment tool and evaluated fundamental security practices, relationships, and configurations to determine whether any deficiencies existed within each Active Directory. Overall, we found that NOAA inadequately managed its Active Directories. Specifically, we found the following: I. excessive privileges could increase the risk of a successful compromise; II. inadequately managed accounts provided more opportunities for cyberattacks; and III. end-of-life operating systems were vulnerable to security exploitation.