2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled

Information

If the integrated (on-device) User-ID Agent is utilized, the Active Directory account for the agent should only be a member of the Event Log Readers group, Distributed COM Users group, and Domain Users group. If the Windows User-ID agent is utilized, the Active Directory account for the agent should only be a member of the Event Log Readers group, Server Operators group, and Domain Users group.

Rationale:

As a principle of least privilege, user accounts should have only minimum necessary permissions. If an attacker compromises a User-ID service account with domain admin rights, the organization is at far greater risk than if the service account were only granted minimum rights.

Impact:

Using accounts with full administrative privileges when those rights are not required is always a bad idea. This is particularly true for service accounts of this type, which in many organizations do not have strong passwords or frequent password changes. In addition, service passwords are stored in the Windows Registry, and are recoverable with the use of appropriate malicious tools. The principle of least privilege means that any compromised accounts of this type have less value to an attacker, and expose fewer assets based on their rights.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Navigate to Active Directory Users and Computers.
Set the service account for the User-ID agent so that it is only a member of the Event Log Readers, Distributed COM Users, and Domain Users groups (for the integrated, on-device User-ID agent) or the Event Log Readers, Server Operators, and Domain Users groups (for the Windows User-ID agent).
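
Because this check is manual, the membership can be reviewed from PowerShell as well as from the console. The script below is an added example, not part of the benchmark or the audit file; it assumes the ActiveDirectory module (RSAT) is installed, the default English group names used in this control, and a placeholder account name `svc-userid`.

```powershell
# Added example: compare the User-ID service account's groups with the set
# this control allows. The account name is a placeholder (assumption).
param(
    [string]$Account = 'svc-userid',
    [ValidateSet('Integrated', 'Windows')]
    [string]$AgentType = 'Integrated'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Allowed groups per agent type, exactly as listed in this control.
$allowed = @{
    Integrated = 'Event Log Readers', 'Distributed COM Users', 'Domain Users'
    Windows    = 'Event Log Readers', 'Server Operators', 'Domain Users'
}[$AgentType]

$user = Get-ADUser -Identity $Account

# Direct memberships; this cmdlet also returns the primary group.
$direct = Get-ADPrincipalGroupMembership -Identity $user |
    Select-Object -ExpandProperty Name

# Groups reached through nesting (LDAP_MATCHING_RULE_IN_CHAIN). Escape the
# characters that are special inside an LDAP filter before embedding the DN.
$dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
    -replace '\(', '\28' -replace '\)', '\29'
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
    Select-Object -ExpandProperty Name

$effective = @($direct) + @($nested) | Sort-Object -Unique
$extra     = $effective | Where-Object { $_ -notin $allowed }
$missing   = $allowed   | Where-Object { $_ -notin $effective }

# One result object: compliant only when the effective set equals the allowed set.
[pscustomobject]@{
    Account       = $user.SamAccountName
    AgentType     = $AgentType
    Effective     = $effective -join ', '
    ExtraGroups   = $extra -join ', '
    MissingGroups = $missing -join ', '
    Compliant     = (-not $extra) -and (-not $missing)
}
```

Any value in `ExtraGroups` is a membership to remove or justify; a group that grants rights only through nesting would not be visible on the account's Member Of tab.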

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/benchmarks/17915

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.3

Plugin: Palo_Alto

Control ID: 76029a65593ac631d581325332e65999e812d2db832e85918eedb24ab87bab3c