Select Computer Security Controls of the
Office of Community Oriented Policing Services
Network Computer System

Report No. 00-26
September 2000
Office of the Inspector General

Presidential Directive Decision 63, "Critical Infrastructure Protection," dated May 22, 1998, sets a goal of reliable, interconnected, and secure information system infrastructures by the year 2003 and requires the Federal Government to serve as a model to the rest of the country for attaining infrastructure protection. For Fiscal Year (FY) 1998, the Attorney General reported computer security to the President as a material weakness for various Department components, and in June 1999 declared computer security a top priority for the Department of Justice.

In order to test and report on the extent of computer security vulnerabilities at Department components, the Office of the Inspector General is performing a series of computer security reviews. This report focuses on the Office of Community Oriented Policing Services (COPS). The primary activity of the COPS Office is awarding grants directly to law enforcement agencies across the United States and its territories. The COPS Office uses a network computer system to manage the approval and administration of grant requests.

Our objective was to determine whether adequate computer security controls were in place to protect the COPS network from unauthorized use, loss, or modification. For our review of the COPS network, we used commercial-off-the-shelf software to conduct security tests on the primary domain controller server, the computer that authenticates logon requests for the COPS network. We reviewed all 404 user accounts that existed at the time of our fieldwork. We reviewed the areas of password management, logon management, account integrity management, system auditing management, and remote access service management. We identified both favorable and unfavorable outcomes in the areas reviewed.

We identified favorable security control outcomes such as the use of unique passwords and the use of the "Account Lockout" option, denying access to users or intruders after three unsuccessful logon attempts. We identified unfavorable security control outcomes as detailed below. Our review of the COPS network disclosed that computer security controls were not adequate to protect the COPS network operating system from unauthorized use, loss, or modification. Specifically, our review disclosed the following security vulnerabilities:

• The security software guessed 132 user passwords; 102 user passwords never expired and 8 user passwords could not be changed, permitting the users to keep the same passwords indefinitely; the server was set to allow passwords less than the Department's required minimum length of 8 characters; and the server's minimum password age setting was low, exposing information to unauthorized use, loss, or modification.

• Sixty-seven user accounts were never accessed. Another 48 user accounts were not accessed for more than 30 days. In our judgment, user accounts not accessed are administrative burdens and increase the number of system access points available to unauthorized users.

• The server did not display any warning banner. As a result, users logging into the server were not notified of the rules of conduct on the system.

• The last user identification was not hidden on the server logon dialog box, revealing half of the user name/password security combination intended to protect the account from unauthorized access.

• The Administrator account had the Windows NT default user name "Administrator," making the account easily identifiable to intruders.

• One group account had an advanced user right, increasing the risk of improper access to system resources.

• Three user accounts were missing the user's full name or did not have a naming convention that clearly identified the user, increasing the complexity of tracing system events to specific user accounts.

• The server allowed the security event log to be overwritten and did not halt the system when the security event log was full, risking the loss of audit trail information.

The above vulnerabilities as well as the non-vulnerable areas found are detailed in the Findings and Recommendations section of the report. Our objective, scope, and methodology are contained in Appendix I. We provided our test results to the COPS Network Administration Division immediately at the conclusion of our on-site test work in order for management to plan and take corrective actions.