2.6 Ensure that the User-ID service account does not have interactive logon rights

Information

Restrict the User-ID service account from interactively logging on to systems in the Active Directory domain.

Rationale:
In the event of a compromised User-ID service account, restricting interactive logins prevents the attacker from using services such as RDP against computers in the organization's Active Directory domain. This reduces the impact of a User-ID service account compromise.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Navigate to Active Directory Group Policies.
Set Group Policies to restrict the interactive logon privilege for the User-ID service account.

or

Navigate to Active Directory Managed Service Accounts.
Set Managed Service Accounts to restrict the interactive logon privilege for the User-ID service account.

Default Value:
Not configured
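
One way to verify the Group Policy setting on a domain-joined computer, as an added example that is not part of the CIS benchmark or the Nessus plugin: the function below reads a `secedit /export /areas USER_RIGHTS` file and reports whether the User-ID service account is listed under the two deny-logon user rights. The account name, SID and sample export are constructed placeholders, and only direct entries are matched, not a denial inherited through group membership.

```powershell
# Added example. On a live system, produce the input with:
#   secedit /export /areas USER_RIGHTS /cfg C:\Temp\rights.inf
#   $lines = Get-Content C:\Temp\rights.inf

function Test-DenyInteractiveLogon {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,   # lines of the secedit export
        [Parameter(Mandatory)] [string[]] $Principals  # SID and/or name of the account
    )
    # "Deny log on locally" and "Deny log on through Remote Desktop Services"
    $rights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    $result = [ordered]@{}
    foreach ($right in $rights) { $result[$right] = $false }

    foreach ($line in $InfLines) {
        # Export lines look like: SeDenyInteractiveLogonRight = *S-1-5-32-546,CORP\svc
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
            $right = $Matches[1]
            # SIDs are written with a leading '*'; unresolved entries appear as names
            $members = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
            foreach ($p in $Principals) {
                if ($members -contains $p) { $result[$right] = $true }
            }
        }
    }
    [pscustomobject]$result
}

# Constructed sample export: the account is denied local logon but not RDP logon.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
'@ -split "`r?`n"

# Placeholder SID and name for the User-ID service account (assumptions).
$account = 'S-1-5-21-1111111111-2222222222-3333333333-1105', 'CORP\svc-userid'

$check = Test-DenyInteractiveLogon -InfLines $sample -Principals $account
$check | Format-List
if (-not ($check.SeDenyInteractiveLogonRight -and $check.SeDenyRemoteInteractiveLogonRight)) {
    Write-Warning 'User-ID service account is missing at least one deny-logon right.'
}
```

A right that reports False means the account is not explicitly denied that logon type on the computer where the export was taken.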

See Also

https://workbench.cisecurity.org/files/1664

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|5

Plugin: Palo_Alto

Control ID: 87d941db7ae16097b1a8310e1957d45f927ae15fc6b660ef47415f2e0ca8610b