Web browser security settings locked down to users
Users should not be able to change web browser security settings.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Proactive
🛠️ E8 mitigation strategy
Application hardening
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML1
Web browser security settings cannot be changed by users.
Source: ASD Essential Eight
Plain language
This control means that regular users shouldn't be able to change the security settings in their web browsers. It's important because if people can alter security settings, they might accidentally or intentionally make the browser less secure, leaving the business open to hackers and viruses.
Why it matters
Allowing users to modify browser security settings increases the risk of data breaches and malware infection, and undermines the centrally managed security controls the organisation relies on.
Operational notes
Use GPO/MDM-enforced browser policies to lock security settings. Regularly audit policy compliance and block local overrides to prevent unauthorised changes.
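The audit step above can be automated on each Windows endpoint. The PowerShell script below is an added example (not code from Control Stack or ASD): it reads the machine-wide policy keys that GPO or MDM write under HKLM\SOFTWARE\Policies for Chrome and Edge, which the browsers enforce and show as "managed by your organisation" so users cannot change them, and compares them with an expected baseline. The baseline values are an assumed example and should be aligned to your own browser policy.

```powershell
# Added example: audit enforced browser policy values against a baseline.
# Policies under HKLM\SOFTWARE\Policies are enforced by Chrome and Edge and
# cannot be altered from the browser UI. Baseline values are an ASSUMED
# example; align them to your organisation's documented browser policy.
$Baselines = @{
    'Google Chrome' = @{
        Path   = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
        Values = @{
            SafeBrowsingProtectionLevel = 1        # 1 = standard, 2 = enhanced
            DeveloperToolsAvailability  = 2        # 2 = developer tools disallowed
            DownloadRestrictions        = 1        # 1 = block dangerous downloads
            SitePerProcess              = 1        # 1 = strict site isolation on
            SSLVersionMin               = 'tls1.2'
        }
    }
    'Microsoft Edge' = @{
        Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
        Values = @{
            SmartScreenEnabled          = 1
            DeveloperToolsAvailability  = 2
            DownloadRestrictions        = 1
            SitePerProcess              = 1
            SSLVersionMin               = 'tls1.2'
        }
    }
}

function Test-BrowserPolicyBaseline {
    param([hashtable]$Spec = $Baselines)
    foreach ($browser in $Spec.Keys) {
        $entry = $Spec[$browser]
        # A missing key means no machine policy applies: every setting is user-changeable.
        $actual = Get-ItemProperty -Path $entry.Path -ErrorAction SilentlyContinue
        foreach ($name in $entry.Values.Keys) {
            $expected = $entry.Values[$name]
            $found    = if ($actual) { $actual.PSObject.Properties[$name] } else { $null }
            $status   = if (-not $found) { 'MISSING' }
                        elseif ("$($found.Value)" -eq "$expected") { 'OK' }
                        else { 'MISMATCH' }
            [pscustomobject]@{
                Browser  = $browser; Policy = $name; Expected = $expected
                Actual   = if ($found) { $found.Value } else { $null }
                Status   = $status
            }
        }
    }
}

$results = Test-BrowserPolicyBaseline
$results | Sort-Object Status, Browser, Policy | Format-Table -AutoSize
# Non-zero exit lets a scheduled audit job or RMM tool flag the host for follow-up.
if ($results.Status -contains 'MISSING' -or $results.Status -contains 'MISMATCH') { exit 1 }
```

Keep the exported table as audit evidence alongside the GPO or MDM policy report, since it shows the settings were actually in force on the endpoint, not just assigned.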
Implementation tips
- The IT team should set web browser security settings through group policies: rules applied from a central location to manage users' computers.
- The system administrator should ensure that all web browsers are updated to the latest version, as current versions come with more robust security features that are not easily changed.
- The security officer should review and document the security settings of all browsers to make sure they match the organisation's security policy.
- The IT team should disable features such as Java and pop-up windows in browsers, because these are commonly exploited by attackers.
- The system administrator should block email attachments that could alter browser settings and ensure employees are trained not to download suspicious files.
Audit / evidence tips
- Ask: Are users able to change web browser security settings?
  Good: All browser security settings are managed centrally, and users cannot change them without administrative access.
- Ask: Are browser security settings regularly reviewed for compliance?
  Good: Regular audits are performed and documented, confirming that security settings remain in place as intended.
Cross-framework mappings
How E8-AH-ML1.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| ISM-0382 | ISM-0382 requires that unprivileged users cannot uninstall or disable approved applications | |
| ISM-1235 | E8-AH-ML1.4 requires that web browser security settings cannot be changed by users | |
| ISM-1748 | ISM-1748 requires that users cannot change security settings in their email clients | |
| Supports (3) | | |
| ISM-1412 | E8-AH-ML1.4 requires that web browser security settings cannot be changed by users | |
| ISM-1486 | ISM-1486 requires that web browsers do not process Java from the internet | |
| ISM-1584 | E8-AH-ML1.4 requires that users cannot change web browser security settings | |
| Related (1) | | |
| ISM-1585 | E8-AH-ML1.4 requires that web browser security settings are locked down so users cannot change them | |