The IRS uses the Terminal Access Controller Access Control System (TACACS+) to administer and configure routers and switches. Users of the TACACS+ must be authorized by managers. The IRS had authorized 374 accounts for employees and contractors that could be used to access routers and switches to perform system administration duties. Of these, 141 (38 percent) did not have proper authorization to access the TACACS+. Authorizations for 86 of the 141 employee and contractor accounts had been provided on some prior date, but the authorizations had expired at the time of our review. However, we could not find that the other 55 employee and contractor accounts had ever been authorized to access the System. We are particularly concerned that 27 of the 55 employees and contractors had accessed the routers and switches to change security configurations.
To authenticate users, the TACACS+ uses a security application that requires users to enter an account name and password. System administrators had circumvented this control by setting up 34 unauthorized accounts that appear to be shared-user accounts. Any person who knew the passwords to these accounts could change configurations without accountability and with little chance of detection. For this reason, the IRS requires that shared accounts be used only on a limited basis and that they be subjected to special authorization controls. However, during Fiscal Year 2007, 4.4 million (more than 84 percent) of the 5.2 million accesses to the TACACS+ were made by the 34 user accounts. None of the accounts were properly authorized.
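The two findings above rest on the same reconciliation: the list of accounts that can log in to the TACACS+ server is compared against the manager-authorization register (current, expired, or absent), then joined to TACACS+ accounting records to see which unauthorized accounts actually changed configurations and how much of the total access volume the suspected shared accounts carried. The script below is an added example that performs that reconciliation on constructed sample data; it is not IRS or TIGTA code, and the account names, client addresses, devices, and accounting-record layout are assumptions made for illustration. Shared-account detection uses one simple heuristic (an account used from several distinct client addresses); in the report the 34 accounts were identified by the auditors, not by this rule.

```python
"""Reconcile a TACACS+ account list against a manager-authorization register
and TACACS+ accounting records, reproducing the kind of checks behind the
findings above. Added example with constructed data; not IRS or TIGTA code."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authorization:
    account: str
    expires: date  # last day the manager's authorization remains valid


# --- constructed sample data (hypothetical names and addresses) -------------
ACCOUNTS = ["jdoe", "asmith", "bwong", "cpatel", "netops1", "netops2"]
AUTHORIZATIONS = [
    Authorization("jdoe", date(2008, 12, 31)),   # still valid at review
    Authorization("asmith", date(2006, 6, 30)),  # expired before review
    Authorization("cpatel", date(2009, 1, 1)),   # still valid at review
]
REVIEW_DATE = date(2007, 9, 30)

# Constructed accounting records: (user, client address, device, command).
# Real TACACS+ accounting carries more fields; only these four are used here.
ACCOUNTING = [
    ("jdoe",    "10.1.1.10", "rtr-01", "show running-config"),
    ("asmith",  "10.1.1.11", "sw-07",  "configure terminal"),
    ("bwong",   "10.1.1.12", "rtr-03", "configure terminal"),
    ("cpatel",  "10.1.1.13", "rtr-03", "show version"),
    ("netops1", "10.1.2.5",  "rtr-01", "configure terminal"),
    ("netops1", "10.1.2.6",  "rtr-02", "write memory"),
    ("netops1", "10.1.2.7",  "sw-04",  "configure terminal"),
    ("netops2", "10.1.3.9",  "sw-04",  "show running-config"),
    ("netops2", "10.1.3.20", "sw-04",  "configure terminal"),
    ("netops2", "10.1.2.5",  "rtr-02", "write memory"),
]

# Commands that alter device configuration (enter config mode or save it).
CONFIG_CHANGE_CMDS = {"configure terminal", "write memory",
                      "copy running-config startup-config"}


def classify_accounts(accounts, authorizations, review_date):
    """Split accounts into authorized, expired, and never-authorized."""
    auth_by_acct = {a.account: a for a in authorizations}
    result = {"authorized": [], "expired": [], "never_authorized": []}
    for acct in accounts:
        auth = auth_by_acct.get(acct)
        if auth is None:
            result["never_authorized"].append(acct)
        elif auth.expires < review_date:
            result["expired"].append(acct)
        else:
            result["authorized"].append(acct)
    return result


def config_changers(accounting, accounts, change_cmds=CONFIG_CHANGE_CMDS):
    """Accounts in `accounts` that ran a configuration-changing command."""
    return sorted({user for user, _, _, cmd in accounting
                   if user in accounts and cmd in change_cmds})


def suspected_shared(accounting, min_sources=3):
    """Accounts used from at least `min_sources` distinct client addresses;
    a heuristic for one credential being passed around several people."""
    sources = defaultdict(set)
    for user, client, _, _ in accounting:
        sources[user].add(client)
    return sorted(u for u, s in sources.items() if len(s) >= min_sources)


def access_share(accounting, suspect_accounts):
    """Return (accesses by suspect accounts, total accesses, fraction)."""
    counts = Counter(user for user, _, _, _ in accounting)
    total = sum(counts.values())
    suspect = sum(counts[u] for u in suspect_accounts)
    return suspect, total, (suspect / total if total else 0.0)


def audit_report(accounts=ACCOUNTS, authorizations=AUTHORIZATIONS,
                 accounting=ACCOUNTING, review_date=REVIEW_DATE):
    """Assemble the figures an auditor would report for this data set."""
    classes = classify_accounts(accounts, authorizations, review_date)
    unauthorized = classes["expired"] + classes["never_authorized"]
    shared = suspected_shared(accounting)
    hits, total, frac = access_share(accounting, shared)
    return {
        **classes,
        "unauthorized_total": len(unauthorized),
        "never_authorized_config_changers": config_changers(
            accounting, set(classes["never_authorized"])),
        "suspected_shared": shared,
        "shared_accesses": hits,
        "total_accesses": total,
        "shared_access_fraction": frac,
    }


if __name__ == "__main__":
    for key, value in audit_report().items():
        print(f"{key}: {value}")
```

On the sample data the report shows one expired and three never-authorized accounts, all three never-authorized accounts having changed configurations, and the two multi-source accounts carrying six of ten accesses. In a real review the account list comes from the TACACS+ server's user database, the register from the access-request system, and the accounting records from the server's accounting log, and the expiry comparison should use the date of the review rather than today's date so that results are reproducible.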