2.7 Ensure remote access capabilities for the User-ID service account are forbidden.


Restrict the User-ID service account's ability to gain remote access into the organization. This capability could be made available through a variety of technologies, such as VPN, Citrix GoToMyPC, or TeamViewer. Remote services that integrate authentication with the organization's Active Directory may unintentionally allow the User-ID service account to gain remote access.
In the event of a compromised User-ID service account, restricting the account's ability to remotely access resources within the organization's internal network reduces the impact of a service account compromise.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Remove this account from all groups that might grant remote access to the network, or to any network services or hosts. Remediation is operating-system dependent. For instance, in Windows Active Directory, this account should be removed from any group that grants the account access to VPN or Wireless access. In addition, domain administrative accounts by default have remote desktop (RDP) access to all domain member workstations - this should be explicitly denied for this account.
Default Value:
Not configured

See Also


Item Details


References: 800-53|AC-6, CSCv6|16

Plugin: Palo_Alto

Control ID: 3671993cafd730a25277cd300f15aeabfac7510d5bbb4d2b4a5d99b63eb806a0