2.6 Ensure that the User-ID service account does not have interactive logon rights

Information

Restrict the User-ID service account from interactively logging on to systems in the Active Directory domain.
Rationale:
In the event of a compromised User-ID service account, restricting interactive logins forbids the attacker from utilizing services such as RDP against computers in the Active Directory domain of the organization. This reduces the impact of a User-ID service account compromise.

NOTE: Nessus has not performed this check. The Active Directory LDAP type does not appear to be used. This check is included for informational purposes

Solution

Navigate to Active Directory Group Policies.
Set Group Policies to restrict the interactive logon privilege for the User-ID service account.
or
Navigate to Active Directory Managed Service Accounts.
Set Managed Service Accounts to restrict the interactive logon privilege for the User-ID service account.
Default Value:
Not configured

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|5

Plugin: Palo_Alto

Control ID: 58f5ccdd2a1b46f33ee9bbee958c005ffade592d6289ef20f1c51c9868cacf84