Prevent privileged accounts from accessing internet, email, and web services
Block admin accounts from internet and email to enhance security.
Plain language
This control ensures that users with special access to your computer systems, known as privileged accounts, can't use the internet, email, or visit websites. This matters because without these restrictions, a hacker could take over these accounts and access sensitive information or cause harm to your business.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.
Why it matters
Admin account internet access can lead to credential theft via phishing, risking total organisational compromise.
Operational notes
Regularly audit privileged accounts and enforce blocks on web, email and internet access, allowing only explicitly authorised exceptions.
Implementation tips
- The IT team should create a list of all privileged accounts in the organisation and review which ones truly need internet access.
- The system administrator should configure the network firewall to block internet access for privileged accounts, except for those specifically authorised.
- Security officers should conduct regular reviews of privileged accounts to ensure compliance with internet access restrictions and update authorisations as roles change.
- The IT team should set up alerts for any attempts by privileged accounts to access internet services, using network monitoring tools.
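The inventory, exception list and alerting steps above can be exercised as one audit check over proxy logs. The following is an added example, not part of the original page or the ASD publication; the account names, the log line format and the approval records are constructed for illustration.

```python
"""Audit check for E8-RA-ML1.3: flag privileged accounts reaching the internet
without an explicit, documented authorisation. Added example, not from the page;
account names, log format and approval records are constructed."""
import re
from dataclasses import dataclass
# Constructed inventory of privileged accounts (e.g. exported from the directory).
PRIVILEGED_ACCOUNTS = {"adm-jsmith", "adm-kpatel", "svc-backup", "adm-lwong"}
# Constructed register of authorised exceptions: account -> approval record.
# A record missing its justification or approval reference is not a valid exception.
AUTHORISED_EXCEPTIONS = {
    "adm-kpatel": {"reason": "Administers the cloud tenant console", "approval": "CHG-0412"},
    "adm-lwong": {"reason": "", "approval": ""},  # incomplete: treated as not authorised
}
# Constructed proxy log line: "<timestamp> user=<account> action=<ALLOW|DENY> url=<url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>ALLOW|DENY) url=(?P<url>\S+)$")

@dataclass(frozen=True)
class Finding:
    timestamp: str
    account: str
    url: str
    kind: str  # "unauthorised_access" (block not enforced) or "blocked_attempt" (block held)

def is_authorised(account: str) -> bool:
    """An exception counts only with both a justification and an approval reference."""
    rec = AUTHORISED_EXCEPTIONS.get(account)
    return bool(rec and rec["reason"].strip() and rec["approval"].strip())

def audit_proxy_log(lines):
    """Return findings for non-authorised privileged accounts seen in the proxy log.
    ALLOW means the control is not being enforced for that account; DENY means the
    block held, but the attempt is still worth alerting on."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        user = m["user"]
        if user not in PRIVILEGED_ACCOUNTS or is_authorised(user):
            continue
        kind = "unauthorised_access" if m["action"] == "ALLOW" else "blocked_attempt"
        findings.append(Finding(m["ts"], user, m["url"], kind))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    "2026-03-19T09:01:02Z user=jsmith action=ALLOW url=https://intranet.example/home",
    "2026-03-19T09:02:10Z user=adm-jsmith action=ALLOW url=https://mail.example.net/inbox",
    "2026-03-19T09:03:45Z user=adm-kpatel action=ALLOW url=https://portal.cloud.example/",
    "2026-03-19T09:04:11Z user=svc-backup action=DENY url=http://updates.example.org/",
    "2026-03-19T09:05:30Z user=adm-lwong action=ALLOW url=https://news.example.com/",
]
```

Running `audit_proxy_log(SAMPLE_LOG)` yields one finding per unauthorised privileged access and one per blocked attempt; an "unauthorised_access" finding is evidence that the firewall or proxy rule is missing for that account.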
Audit / evidence tips
- Ask: How are privileged accounts prevented from accessing the internet, email, and websites?
- Good: The firewall rules should clearly show blocks for internet traffic for all privileged accounts except those with explicit authorisation.
- Ask: Which privileged accounts have been authorised to access the internet and why?
- Good: A limited list with clear, justified reasons for access and records of formal approvals.
Cross-framework mappings
How E8-RA-ML1.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.2 | Partially meets | E8-RA-ML1.3 requires a specific restriction: privileged accounts are prevented from accessing internet, email and web services except whe... |
| Annex A 8.20 | Supports | E8-RA-ML1.3 requires privileged accounts to be blocked from internet, email and web services, typically enforced through network controls... |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-0874 | Partially overlaps | ISM-0874 requires mobile devices and desktop computers to access the internet via a VPN connection to the organisation's internet gateway... |
| ISM-1883 | Partially overlaps | E8-RA-ML1.3 requires blocking privileged accounts from accessing the internet, email, and web services unless explicitly authorised |
| ISM-0258 | Supports | ISM-0258 requires organisations to define and maintain rules for how web access is used, including who may access web services and under ... |
| ISM-0445 | Supports | ISM-0445 requires privileged users to have a dedicated privileged account used solely for privileged duties |
| ISM-0963 | Supports | E8-RA-ML1.3 requires preventing privileged accounts from accessing internet, email and web services except where authorised |
| ISM-1380 | Supports | ISM-1380 mandates the use of separate environments for privileged activities, whereas E8-RA-ML1.3 supports this separation indirectly by ... |
| ISM-1385 | Supports | E8-RA-ML1.3 requires privileged accounts to be prevented from accessing internet, email, and web services, reducing compromise pathways |
| ISM-1175 | Related | E8-RA-ML1.3 requires privileged accounts (except those explicitly authorised) to be prevented from accessing the internet, email, and web... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.