tfED STA/.
*.	U.S. Environmental Protection Agency	11-P-0597
f ftJL \	Office of Inspector General	September 9,2011
\	I
^	At a Glance
Why We Did This Review
The U.S. Environmental Protection
Agency (EPA), Office of Inspector
General, conducted this audit to
identify vulnerabilities associated
with EPA's directory service
system authentication and
authorization servers, and provide
the results to the appropriate EPA
officials who can then promptly
remediate and/or document planned
actions to resolve the identified
vulnerabilities. This audit was
conducted in support of the audit of
EPA's implementation of its
directory service system.
A directory service provides a
centralized location to store
information about the users,
computers, and other equipment on
a network, and provides integrated
services that are used to manage
network users, services, and
devices. EPA uses a commercial-
off-the-shelf product for its
directory service system. This
directory service system is
implemented using multiple
servers, which EPA has placed in
various locations on its network to
provide enterprise-wide
authentication and authorization.
For further information,
contact our Office of Congressional,
Public Affairs and Management at
(202) 566-2391.
Catalyst for Improving the Environment
Results of Technical Vulnerability Assessment:
EPA's Directory Service System Authentication
and Authorization Servers
What We Found
Vulnerability testing of EPA's directory service system authentication and
authorization servers conducted in March 2011 identified authentication and
authorization servers with numerous high-risk and medium-risk
vulnerabilities. The Office of Inspector General met with EPA information
security personnel to discuss the findings. If not resolved, these
vulnerabilities could expose EPA's assets to unauthorized access and
potentially harm the Agency's network.
What We Recommend
We recommend that the Director, Enterprise Desktop Services Division,
Office of Environmental Information:
	Provide the Office of Inspector General a status update for all
identified high-risk and medium-risk vulnerability findings
contained in this report.
	Create plans of action and milestones in the Agency's Automated
Security Self-Evaluation and Remediation Tracking system for all
vulnerabilities that cannot be corrected within 30 days of this report.
	Perform a technical vulnerability assessment test of all Agency
directory service system authentication and authorization servers
within 60 days to confirm completion of remediation activities.
The full report is not available to the public due to the sensitive nature of its
technical findings.