Unprivileged accounts restricted from logging into privileged environments
Ensure that non-admin accounts cannot access admin-level systems.
Plain language
This control ensures that regular users can't access systems where important administrative tasks are done. Imagine if a regular worker accidentally deleted important files or changed system settings. By restricting access, we prevent potential mistakes and protect the organisation from intentional harm.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Unprivileged accounts cannot logon to privileged operating environments.
Why it matters
If unprivileged users can log on to privileged environments, attackers can pivot to admin sessions, elevating access and causing outages.
Operational notes
Audit logon rights on privileged hosts (servers/admin workstations) and allow only admin accounts; deny standard users via GPO/PAM.
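One way to carry out the logon-rights audit described above, as an added example that is not part of the original control text or any ASD material. It assumes the privileged host's user rights were exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the function names, the allow-list and the sample export are constructed for illustration, and principals are compared literally, so nested group membership is not resolved.

```python
import re

# Constructed sample of a secedit USER_RIGHTS export (not real data).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
"""

# Local and Remote Desktop logon rights; extend for network/batch/service logon.
LOGON_RIGHTS = ("SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight")
# Well-known SIDs of broad, unprivileged groups.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "BUILTIN\\Users", "S-1-5-32-546": "BUILTIN\\Guests"}
DOMAIN_USERS = re.compile(r"S-1-5-21-\d+-\d+-\d+-513")  # Domain Users (RID 513)


def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights


def unprivileged_logon_findings(inf_text, allowed):
    """List (right, principal, label) for logon grants outside `allowed`."""
    rights = parse_privilege_rights(inf_text)
    findings = []
    for right in LOGON_RIGHTS:
        denied = set(rights.get(right.replace("Se", "SeDeny", 1), []))
        for principal in rights.get(right, []):
            if principal in allowed or principal in denied:
                continue  # allow-listed, or an explicit deny overrides the grant
            label = BROAD_SIDS.get(principal) or (
                "Domain Users" if DOMAIN_USERS.fullmatch(principal)
                else "not on allow-list")
            findings.append((right, principal, label))
    return findings


if __name__ == "__main__":
    for finding in unprivileged_logon_findings(SAMPLE_INF, {"S-1-5-32-544"}):
        print(finding)
```

Real secedit exports are typically UTF-16 encoded, so read the file with `open(path, encoding="utf-16")` before passing its text in. An empty result for each privileged host, kept with the export, can serve as evidence for the routine checks listed under the audit tips.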
Implementation tips
- IT team: Identify which computers and systems are used for administrative tasks and separate them from normal user environments.
- System administrator: Create separate accounts for users with administration duties, ensuring they use these only for admin tasks.
- Security officer: Regularly review user accounts to ensure no unprivileged accounts have access to privileged environments.
- IT team: Implement network policies that block unprivileged accounts from logging into sensitive computers or servers.
Audit / evidence tips
- Ask: How do you prevent unprivileged accounts from accessing admin environments?
- Good: Configurations clearly restrict unprivileged accounts from admin systems
- Ask: Are there regular checks ensuring compliance with this separation?
- Good: Documented evidence showing routine checks with no instances of breach
Cross-framework mappings
How E8-RA-ML1.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.15 | E8-RA-ML1.6 requires a specific access control outcome: unprivileged accounts cannot logon to privileged operating environments | |
| Supports (2) | | |
| Annex A 8.22 | E8-RA-ML1.6 requires that unprivileged accounts cannot logon to privileged operating environments | |
| Annex A 8.31 | Annex A 8.31 requires development, testing and production environments to be separated and secured | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| ISM-1380 | E8-RA-ML1.6 requires that unprivileged accounts are prevented from logging on to privileged operating environments | |
| ISM-1689 | E8-RA-ML1.6 requires that unprivileged accounts cannot logon to privileged operating environments | |
| ISM-1958 | E8-RA-ML1.6 requires preventing unprivileged accounts from logging on to privileged operating environments | |
| Supports (5) | | |
| ISM-1387 | E8-RA-ML1.6 requires that unprivileged accounts are prevented from logging on to privileged operating environments | |
| ISM-1400 | ISM-1400 requires enforced separation of classified data and personal data when privately-owned devices are used to access OFFICIAL: Sens... | |
| ISM-1687 | E8-RA-ML1.6 requires that unprivileged accounts cannot logon to privileged operating environments | |
| ISM-1927 | E8-RA-ML1.6 requires that unprivileged accounts cannot logon to privileged operating environments | |
| ISM-1990 | ISM-1990 addresses segregation of work and personal apps/data on mobile devices to prevent inappropriate access or data mixing | |
| Related (1) | | |
| ISM-1688 | E8-RA-ML1.6 requires that unprivileged accounts are prevented from logging on to privileged operating environments | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.