2.6 Ensure that the User-ID service account does not have interactive logon rights

Information

Restrict the User-ID service account from interactively logging on to systems in the Active Directory domain.
Rationale:
In the event of a compromised User-ID service account, restricting interactive logins forbids the attacker from utilizing services such as RDP against computers in the Active Directory domain of the organization. This reduces the impact of a User-ID service account compromise.

Solution

Navigate to Active Directory Group Policies.
Set Group Policies to restrict the interactive logon privilege for the User-ID service account.
or
Navigate to Active Directory Managed Service Accounts.
Set Managed Service Accounts to restrict the interactive logon privilege for the User-ID service account.
Default Value:
Not configured

See Also

https://workbench.cisecurity.org/files/2104