2.7 Ensure remote access capabilities for the User-ID service account are forbidden.

Information

Restrict the User-ID service account's ability to gain remote access into the organization. This capability could be made available through a variety of technologies, such as VPN, Citrix GoToMyPC, or TeamViewer. Remote services that integrate authentication with the organization's Active Directory may unintentionally allow the User-ID service account to gain remote access.
Rationale:
In the event of a compromised User-ID service account, restricting the account's ability to remotely access resources within the organization's internal network reduces the impact of a service account compromise.

Solution

Remove this account from all groups that might grant remote access to the network, or to any network services or hosts. Remediation is operating-system dependent. For instance, in Windows Active Directory, this account should be removed from any group that grants it VPN or wireless access. In addition, domain administrative accounts by default have remote desktop (RDP) access to all domain member workstations; this should be explicitly denied for this account.
Default Value:
Not configured
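The following PowerShell script is an added audit example for the Windows Active Directory case described above; it is not part of the CIS benchmark text. It assumes the ActiveDirectory RSAT module is installed, that the User-ID service account is named svc-userid (a placeholder), and that remote-access entitlements are expressed as AD group memberships whose names contain the assumed fragments listed in the script. It resolves nested group membership, so an entitlement inherited through a parent group is not missed, and flags membership in the built-in administrative groups that carry default RDP access to member workstations.

```powershell
# Added audit example (not part of the CIS benchmark text).
# Assumptions: ActiveDirectory RSAT module present; account name and group-name
# patterns below are placeholders to replace with the organization's own values.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-userid'   # assumed account name; replace with the real one

# Assumed name fragments that commonly indicate remote-access entitlements in AD.
$RemoteAccessPatterns = @('VPN', 'Wireless', 'Wi-Fi', 'Remote Desktop', 'RDP',
                          'Citrix', 'GoToMyPC', 'TeamViewer', 'Remote Access', 'RAS')

# Built-in groups that hold RDP access to every domain member by default.
$PrivilegedDefaults = @('Domain Admins', 'Enterprise Admins', 'Administrators')

$User = Get-ADUser -Identity $ServiceAccount -Properties MemberOf -ErrorAction Stop
$dn   = $User.DistinguishedName

# Transitive (nested) group membership via LDAP_MATCHING_RULE_IN_CHAIN, so a group
# granted through another group is still reported.
$AllGroups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
    Select-Object -ExpandProperty Name)

# Groups whose names match a remote-access pattern.
$Flagged = @(foreach ($g in $AllGroups) {
    foreach ($p in $RemoteAccessPatterns) {
        if ($g -like "*$p*") { $g; break }
    }
})

# Add privileged built-ins, which imply RDP access regardless of name.
$Flagged += @($AllGroups | Where-Object { $PrivilegedDefaults -contains $_ })
$Flagged  = @($Flagged | Sort-Object -Unique)

if ($Flagged.Count -eq 0) {
    Write-Output "PASS: $ServiceAccount holds no remote-access or privileged group membership."
} else {
    Write-Output "FAIL: $ServiceAccount is a member (directly or nested) of:"
    $Flagged | ForEach-Object { Write-Output "  - $_" }

    # Remediation: only DIRECT memberships can be removed here; a nested grant must be
    # corrected at the parent group. -WhatIf previews the change; remove it to enforce.
    foreach ($g in $Flagged) {
        $groupDn = (Get-ADGroup -Identity $g).DistinguishedName
        if ($User.MemberOf -contains $groupDn) {
            Remove-ADGroupMember -Identity $g -Members $ServiceAccount -Confirm:$false -WhatIf
        }
    }
}
```

The explicit RDP denial the solution calls for is a user-rights assignment rather than a group membership: assign the account to "Deny log on through Remote Desktop Services" (SeDenyRemoteInteractiveLogonRight) in a GPO linked to the workstation and server OUs. To confirm it has applied on a member host, export the effective local policy with `secedit /export /cfg <path>.inf` and check that the account's SID appears under SeDenyRemoteInteractiveLogonRight.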

See Also

https://workbench.cisecurity.org/files/2104