2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled

Information

If the integrated (on-device) User-ID agent is used, the Active Directory account for the agent should be a member of only the Event Log Readers, Distributed COM Users, and Domain Users groups. If the Windows User-ID agent is used, the Active Directory account for the agent should be a member of only the Event Log Readers, Server Operators, and Domain Users groups.
Rationale:
Under the principle of least privilege, user accounts should hold only the permissions they need. The User-ID agent only needs to read security event logs from domain controllers (and, for the Windows agent, to run as a service and query sessions on member servers), so it has no need for administrative rights. If an attacker compromises a User-ID service account that holds domain admin rights, the organization is at far greater risk than if the account had been granted only the minimum rights listed above.

NOTE: Nessus has not performed this check. The Active Directory LDAP type does not appear to be used. This check is included for informational purposes.

Solution

Navigate to Active Directory Users and Computers.
Set the service account for the User-ID agent so that it is a member of only the Event Log Readers, Distributed COM Users, and Domain Users groups (for the integrated, on-device User-ID agent) or only the Event Log Readers, Server Operators, and Domain Users groups (for the Windows User-ID agent).
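The same check and remediation can be scripted, which is useful when the audit plugin cannot evaluate the control. The following PowerShell is an added example, not part of the CIS benchmark or the Tenable audit; it assumes the RSAT ActiveDirectory module is installed, and the service account name svc-userid is a placeholder for illustration. It compares the account's direct group memberships against the allowed set for the chosen agent type and, when run with -Remediate, removes any extra groups (honouring -WhatIf).

```powershell
# Added example: audit a User-ID service account's AD group membership against
# the allowed set from the control, and optionally remove extra memberships.
# Assumptions: ActiveDirectory module available; 'svc-userid' is a placeholder.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Account = 'svc-userid',            # assumed account name, adjust to your environment
    [ValidateSet('Integrated', 'Windows')]
    [string]$AgentType = 'Integrated',          # on-device agent vs. Windows-based agent
    [switch]$Remediate                          # remove extra groups when set
)

Import-Module ActiveDirectory

# Allowed direct memberships exactly as the control states them.
$Allowed = @{
    Integrated = @('Domain Users', 'Event Log Readers', 'Distributed COM Users')
    Windows    = @('Domain Users', 'Event Log Readers', 'Server Operators')
}[$AgentType]

# Direct memberships of the account, including its primary group
# (Domain Users by default).
$Current = Get-ADPrincipalGroupMembership -Identity $Account |
           Select-Object -ExpandProperty Name

$Extra   = @($Current | Where-Object { $_ -notin $Allowed })
$Missing = @($Allowed | Where-Object { $_ -notin $Current })

if ($Extra.Count -gt 0) {
    Write-Warning ("{0} is in groups beyond the allowed set: {1}" -f $Account, ($Extra -join ', '))
}
if ($Missing.Count -gt 0) {
    Write-Warning ("{0} is missing required groups: {1}" -f $Account, ($Missing -join ', '))
}
if ($Extra.Count -eq 0 -and $Missing.Count -eq 0) {
    Write-Output "$Account membership matches the $AgentType User-ID agent baseline."
}

# Remediation: strip the extra groups. Run with -WhatIf first to preview.
# The primary group cannot be removed this way; if the primary group is not
# Domain Users, change it in the account's properties before re-running.
if ($Remediate -and $Extra.Count -gt 0) {
    foreach ($g in $Extra) {
        Remove-ADGroupMember -Identity $g -Members $Account -Confirm:$false
    }
}
```

Get-ADPrincipalGroupMembership reports only direct memberships, so a privileged group nested inside a custom group would not show up in $Extra. To confirm the account's effective rights, also review its tokenGroups (for example via Get-ADUser -Properties tokenGroups) or inspect the group membership chain on a domain controller before signing off on the control.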
Default Value:
Not configured

See Also

https://workbench.cisecurity.org/files/1664

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|9

Plugin: Palo_Alto

Control ID: 56ae9c390cd4ee05043d2f7e9384f10ff20a17316a9ef2c81ad1cd579acb8317