AGO flags weaknesses in Ministry of Manpower’s management of privileged operating system account


SINGAPORE: The Auditor-General’s Office (AGO) has flagged weaknesses in the Ministry of Manpower’s (MOM) management of the most privileged operating system (OS) account in its employment pass system.

According to AGO’s Financial Year 2024/25 report released on 9 September 2025, the audit examined MOM’s Work Pass Integrated System–Employment Pass (WINS-EP) covering April 2024 to March 2025.

AGO found lapses that could have compromised the availability and security of the WINS-EP servers.

Inappropriate command granted to administrators

AGO found that a command granted to OS administrators through UNIX OS security software configurations was inappropriate.

The command allowed 24 MOM IT staff and vendor staff to change the password of any account, including the “root” account.

This created a risk that staff could gain full access to the three WINS-EP servers, undermining MOM’s existing safeguards.

MOM has since corrected the configurations, updated internal procedures, and confirmed that no unauthorised changes had been made to the “root” password.

Non-compliance with security guide

Checks revealed that in two out of three WINS-EP servers, the “root” account could be accessed remotely.

MOM’s own security guide requires such logins to occur only through the server console, to reduce risks of external exploits.

MOM attributed this to staff oversight.

The ministry has since restricted logins to the console and introduced independent reviews of any security setting changes.

Improper use of “root” account

AGO also noted instances between March and October 2024 where the “root” account was used for routine tasks such as deleting user accounts and directories.

MOM’s policy restricts such use to emergencies only.

In addition, the password for the “root” account was not changed after each login, despite policy requirements. AGO found three to six instances where the same password was used across multiple logins.

MOM said the actions were not malicious and did not compromise security.

A briefing was conducted in March 2025 to remind staff that “root” access should be limited to emergencies and passwords must be changed after every use.

Inadequate review of privileged activities

AGO’s checks found that MOM reviewed only one type of privileged activity between June and October 2024, despite standard operating procedures requiring broader checks.

Activities such as file editing and privilege escalation were not reviewed, reducing the ability to detect unauthorised access.

MOM has since enhanced its review process to cover more categories of privileged activities.

The post AGO flags weaknesses in Ministry of Manpower’s management of privileged operating system account appeared first on The Online Citizen.


