2.7 Ensure remote access capabilities for the User-ID service account are forbidden.

Information

Restrict the User-ID service account's ability to gain remote access into the organization. This capability could be made available through a variety of technologies, such as VPN, Citrix GoToMyPC, or TeamViewer. Remote services that integrate authentication with the organization's Active Directory may unintentionally allow the User-ID service account to gain remote access.

Rationale:

In the event of a compromised User-ID service account, restricting the account's ability to remotely access resources within the organization's internal network reduces the impact of a service account compromise.

Solution

Remove this account from all groups that might grant remote access to the network, or to any network services or hosts. Remediation is operating-system dependent. For instance, in Windows Active Directory, remove this account from any group that grants VPN or wireless access. In addition, domain administrative accounts have remote desktop (RDP) access to all domain member workstations by default; this should be explicitly denied for this account.
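An audit script for the Windows Active Directory case described above, added here as an example and not part of the benchmark text. It enumerates the service account's group memberships, flags groups whose names suggest remote or privileged access, and checks whether the local security policy explicitly denies the account RDP logon. The account name `svc-userid` and the group-name patterns are assumptions to adjust for your environment; it requires the ActiveDirectory module and an elevated session for the `secedit` export.

```powershell
# Added audit example (not part of the CIS benchmark). Assumes the
# ActiveDirectory module is installed and the service account is named
# "svc-userid"; adjust both. Run elevated on a domain-joined host.
param(
    [string]$ServiceAccount = "svc-userid"   # assumed account name
)
Import-Module ActiveDirectory

# Group-name patterns that commonly grant remote or privileged access.
# Illustrative only: add your organisation's VPN/wireless/RDP group names.
$remoteAccessPatterns = @(
    'VPN', 'Wireless', 'Remote Desktop Users', 'Remote Management Users',
    'Domain Admins', 'Enterprise Admins', 'Administrators'
)

$user   = Get-ADUser -Identity $ServiceAccount -Properties MemberOf
$groups = Get-ADPrincipalGroupMembership -Identity $user |
          Select-Object -ExpandProperty Name

# Flag every group whose name matches one of the patterns.
$findings = foreach ($g in $groups) {
    foreach ($p in $remoteAccessPatterns) {
        if ($g -like "*$p*") { [pscustomobject]@{ Group = $g; Matched = $p }; break }
    }
}

if ($findings) {
    Write-Warning "$ServiceAccount is in groups that may grant remote access:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "$ServiceAccount is not a member of any flagged group."
}

# Check the User Rights Assignment 'Deny log on through Remote Desktop
# Services' (SeDenyRemoteInteractiveLogonRight) on this host. secedit lists
# principals by SID (prefixed with '*'), so match on the account's SID.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$denyLine = Select-String -Path $cfg -Pattern '^SeDenyRemoteInteractiveLogonRight' |
            Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$sid = $user.SID.Value
if ($denyLine -and $denyLine.Line.Contains($sid)) {
    Write-Host "RDP logon is explicitly denied for $ServiceAccount on $env:COMPUTERNAME."
} else {
    Write-Warning "No explicit RDP logon denial for $ServiceAccount on $env:COMPUTERNAME; set it via GPO."
}
```

The RDP check reflects the policy effective on the host where the script runs; to verify the domain-wide setting, run it on a representative member workstation after the GPO has applied.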

Default Value:

Not configured

References:

'Best Practices for Securing User-ID Deployments' - https://live.paloaltonetworks.com/docs/DOC-7912

'User-ID Best Practices' - https://live.paloaltonetworks.com/docs/DOC-6591

'PAN-OS Administrator's Guide 9.0 (English) - Configure User Mapping Using the Windows User-ID Agent' - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent.html

'PAN-OS Administrator's Guide 9.0 (English) - Configure User Mapping Using the PAN-OS Integrated User-ID Agent' - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-pan-os-integrated-user-id-agent.html

See Also

https://workbench.cisecurity.org/files/2692