Information
Restrict the User-ID service account from interactively logging on to systems in the Active Directory domain.
Rationale:
In the event of a compromised User-ID service account, restricting interactive logins forbids the attacker from utilizing services such as RDP against computers in the Active Directory domain of the organization. This reduces the impact of a User-ID service account compromise.
NOTE: Nessus has not performed this check. The Active Directory LDAP type does not appear to be used. This check is included for informational purposes
Solution
Navigate to Active Directory Group Policies.
Set Group Policies to restrict the interactive logon privilege for the User-ID service account.
or
Navigate to Active Directory Managed Service Accounts.
Set Managed Service Accounts to restrict the interactive logon privilege for the User-ID service account.
Default Value:
Not configured