This report concerns the measures taken by a number of government institutions to protect IT systems and data that support the infrastructure of the Danish society from unauthorised access, obtained on the basis of domain administrator privileges.
Like all other IT systems, also IT systems that support the provision of essential services to society, can be accessed by users with domain administrator privileges. These privileges represent the highest level of access and control over the institutions’ IT systems and data and they are managed in the so-called Active Directory (AD). Privileges of this nature may also allow circumvention of security measures implemented by the institutions. Depending on the system design of the institution, domain administrator privileges may also give access to essential IT systems and data that are not managed in the AD.
The purpose of the study is to assess whether government institutions follow the recommendations on good IT security practices to protect access to IT systems and data that support the infrastructure of the Danish society. We have therefore examined how the institutions manage and control domain administrator privileges, including how the institutions monitor and log privileged user activity.
The study is based on IT audits performed by Rigsrevisionen during the first half of 2015.
Read the 1st chapter of the report (PDF)