Details

Restrict the User-ID service account from interactively logging on to systems in the Active Directory domain.

Rationale:

In the event of a compromised User-ID service account, restricting interactive logins forbids the attacker from utilizing services such as RDP against computers in the Active Directory domain of the organization. This reduces the impact of a User-ID service account compromise.

Solution

Navigate to Active Directory Group Policies.
Set Group Policies to restrict the interactive logon privilege for the User-ID service account.
or
Navigate to Active Directory Managed Service Accounts.
Set Managed Service Accounts to restrict the interactive logon privilege for the User-ID service account.
Default Value:
Not configured

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2104https://workbench.cisecurity.org/files/2104

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Palo_Alto.

References

• 800-53|AC-6
• CSCv6|5
• CSCv6|5.1
• CSCv6|16
• CSCv7|4
• CSCv7|16

Source

• Tenable.com/audits