2.6 Ensure that the User-ID service account does not have interactive logon rights

Information

Restrict the User-ID service account from interactively logging on to systems in the Active Directory domain.

Rationale:

In the event of a compromised User-ID service account, restricting interactive logins forbids the attacker from utilizing services such as RDP against computers in the Active Directory domain of the organization. This reduces the impact of a User-ID service account compromise.

Solution

Navigate to Active Directory Group Policies.
Set Group Policies to restrict the interactive logon privilege for the User-ID service account.
or
Navigate to Active Directory Managed Service Accounts.
Set Managed Service Accounts to restrict the interactive logon privilege for the User-ID service account.

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/benchmarks/8826

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4

Plugin: Palo_Alto

Control ID: 05a03d2259c15120cd2abb77f302f077228dc9fb09e0d041e0cf12662ea882ba