No interactive logon to service accounts
Demonstrate that service accounts are technically prevented from interactive logon and that no unauthorized interactive sessions using service accounts have occurred.
Description
What this control does
This control prevents service accounts from being used for interactive logon sessions such as Remote Desktop Protocol (RDP), console login, or Remote PowerShell. Service accounts are designed to run automated processes and applications without human interaction. By blocking interactive logon rights, organizations reduce the risk of credential exposure, lateral movement, and privilege escalation that can occur when these high-privilege accounts are used interactively. Implementation typically involves assigning service accounts the 'Deny log on locally' and 'Deny log on through Remote Desktop Services' user rights via Group Policy or local security policy; a Deny right takes precedence over any matching 'Allow log on locally' or 'Allow log on through Remote Desktop Services' grant.
Control objective
What auditing this proves
Demonstrate that service accounts are technically prevented from interactive logon and that no unauthorized interactive sessions using service accounts have occurred.
Associated risks
Risks this control addresses
- Lateral movement by attackers who compromise service account credentials and use them to authenticate interactively to multiple systems
- Privilege escalation through interactive sessions that allow attackers to run arbitrary tools and commands with service account privileges
- Credential theft via memory scraping tools (e.g., Mimikatz) when service account credentials are exposed in interactive logon sessions
- Unauthorized access to sensitive systems when service accounts with broad permissions are used for interactive activities outside their intended scope
- Audit trail obfuscation because interactive use of service accounts masks the true human identity behind administrative actions
- Compliance violations when high-privilege accounts are used without proper accountability and session monitoring controls
- Persistence mechanisms established by adversaries who leverage interactive service account sessions to install backdoors or scheduled tasks
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all service accounts in the environment, including domain service accounts, managed service accounts (MSAs), group managed service accounts (gMSAs), and local service accounts
- Review Group Policy Objects (GPOs) and local security policies to identify 'Deny log on locally' and 'Deny log on through Remote Desktop Services' user rights assignments applicable to service accounts
- Export and examine the effective user rights assignments on a sample of representative systems including domain controllers, application servers, and database servers
- Query Active Directory for service accounts and verify their UserAccountControl attributes do not permit interactive logon where technically enforceable
- Review authentication logs (Windows Security Event IDs 4624, 4625) for the past 90 days filtering for logon types 2 (interactive), 10 (RemoteInteractive/RDP), and 3 (network with interactive tools) associated with service account identities
- Test interactive logon prevention by attempting to authenticate with a sample service account via RDP and console logon in a controlled test environment
- Interview system administrators to confirm procedures exist for provisioning service accounts with interactive logon restrictions by default
- Review exception documentation and approval records for any service accounts legitimately requiring interactive logon capabilities
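The following PowerShell script is an added example illustrating the user-rights check and the 90-day Security log review above; it is not part of the control catalog. It assumes it runs elevated on a domain-joined Windows host and that service accounts follow the constructed naming pattern `svc_*` (replace `$ServicePattern` with the inventory from the first step).

```powershell
# Added example, not part of the control catalog. Assumes: elevated session on a
# domain-joined Windows host and service accounts named with the constructed
# prefix 'svc_' (adjust $ServicePattern to match the service-account inventory).
$ServicePattern = '^svc_'
$LookbackDays   = 90

# --- Check 1: effective Deny rights on this host ------------------------------
# secedit exports user rights as "Privilege = *SID,*SID,Name". The two rights that
# implement this control are SeDenyInteractiveLogonRight ('Deny log on locally')
# and SeDenyRemoteInteractiveLogonRight ('Deny log on through Remote Desktop Services').
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$denyRights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(SeDeny(Remote)?InteractiveLogonRight)\s*=\s*(.*)$') {
        $members = $Matches[3] -split ',' | ForEach-Object {
            $p = $_.Trim().TrimStart('*')
            try { ([System.Security.Principal.SecurityIdentifier]$p).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $p }   # plain name or unresolvable SID (e.g. deleted account): keep raw value
        }
        $denyRights[$Matches[1]] = $members
    }
}
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $m = $denyRights[$right]
    if (-not $m) { Write-Warning "$right is not assigned to any principal on $env:COMPUTERNAME" }
    else { "$right = $($m -join ', ')" }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# --- Check 2: interactive 4624 events for service accounts in the lookback window --
# Logon types 2 (Interactive) and 10 (RemoteInteractive/RDP) are the ones the control
# must prevent; 11 (CachedInteractive) is added here because it is also a console
# logon. Type 3 (Network) is not flagged: it is normal service traffic and needs
# separate, context-aware review.
$interactiveTypes = 2, 10, 11
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$findings = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # flatten EventData
    if ($d.TargetUserName -match $ServicePattern -and [int]$d.LogonType -in $interactiveTypes) {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Source    = $d.IpAddress
            Process   = $d.ProcessName
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { "No interactive service-account logons on $env:COMPUTERNAME in the last $LookbackDays days." }
```

Any row in the findings table should be reconciled against the exception and approval records reviewed in the last step; an empty Deny right on a host that should enforce the control is itself a finding.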
Where this control is tested