Prevent privileged accounts from accessing unprivileged environments
Ensure privileged accounts can't be used in unsecured setups to limit risk.
Plain language
This control ensures that accounts with special privileges can't be used in unsafe situations. Imagine having a special key to your business; if you use it in a risky area or environment, someone could copy it and use it to break into your business. This control stops privileged accounts from being used in unprotected environments, which can prevent potential security breaches.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
Why it matters
Using privileged accounts in unsecured environments risks exposing credentials to malware, enabling attackers to escalate access and compromise systems.
Operational notes
Enforce logon restrictions so privileged accounts cannot access unprivileged workstations; review logs and alert on any blocked sign-in attempts.
Implementation tips
- The IT team should identify all privileged accounts in the organisation by reviewing user account permissions and categorising them according to their level of access.
- System administrators should configure systems to prevent privileged accounts from logging into unprivileged environments. This can be achieved by setting up access restrictions in the system's access control settings.
- Security officers should regularly review and update policies to ensure they reflect the separation between privileged and unprivileged environments. This can be done by documenting procedures that detail these access restrictions.
- IT security staff should implement a monitoring system to alert when a privileged account attempts to access an unprivileged environment. This could involve setting up alerts within existing security software to track login attempts.
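A sketch of the monitoring step above, added here as an illustration and not part of the control's official guidance: it flags privileged accounts signing in to unprivileged workstations, separating blocked attempts from successful logons, which show the restriction is not enforced. The account names, host names and record fields are constructed assumptions, and a local account is assumed to appear as `HOST\name`.

```python
# Added example. Inventory and sign-in records below are constructed sample data.
# Privileged accounts identified in the first step (assumed names, lower-cased).
PRIVILEGED = {"corp\\adm-jsmith", "corp\\adm-lchen", "ws-0207\\administrator"}
# Hosts classified as unprivileged operating environments (assumed names).
UNPRIVILEGED_HOSTS = {"ws-0142", "ws-0207"}

EVENTS = [  # constructed sign-in records; field names are assumptions
    {"time": "2026-03-02T08:14:05", "account": "CORP\\adm-jsmith", "host": "WS-0142", "result": "blocked"},
    {"time": "2026-03-02T08:15:40", "account": "CORP\\jsmith", "host": "WS-0142", "result": "success"},
    {"time": "2026-03-02T09:02:11", "account": "WS-0207\\Administrator", "host": "WS-0207", "result": "success"},
    {"time": "2026-03-02T09:30:57", "account": "CORP\\adm-lchen", "host": "WS-0207", "result": "success"},
    {"time": "2026-03-02T10:01:00", "account": "CORP\\adm-lchen", "host": "PAW-01", "result": "success"},
]


def is_local_account(account: str, host: str) -> bool:
    """Local accounts are scoped to the host itself (HOST\\name)."""
    scope, _, _ = account.partition("\\")
    return scope == host


def review(events):
    """Return (kind, time, account, host) for each privileged sign-in on an unprivileged host."""
    findings = []
    for ev in events:
        account, host = ev["account"].lower(), ev["host"].lower()
        if host not in UNPRIVILEGED_HOSTS:
            continue  # privileged environments are out of scope for this control
        if is_local_account(account, host):
            continue  # the control statement excludes local administrator accounts
        if account not in PRIVILEGED:
            continue  # ordinary user on an ordinary workstation
        # A blocked attempt means the restriction held but still needs follow-up;
        # a successful logon means the restriction is missing or misconfigured.
        kind = "CONTROL_FAILURE" if ev["result"] == "success" else "BLOCKED_ATTEMPT"
        findings.append((kind, ev["time"], account, host))
    return findings


if __name__ == "__main__":
    for finding in review(EVENTS):
        print(*finding)
```

The same findings list doubles as audit evidence: an empty `CONTROL_FAILURE` set over the review period supports the "Good" outcome described under the audit tips.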
Audit / evidence tips
- Ask: Are privileged accounts restricted from logging into unprivileged environments?
- Good: System logs and settings show that privileged accounts are unable to access unprivileged environments, with proper restrictions documented.
- Ask: Is there documentation explaining how privileged access is controlled and monitored?
- Good: There is clear documentation outlining the procedures for managing privileged access, including a list of authorised users and system configurations.
Cross-framework mappings
How E8-RA-ML1.7 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.2 | E8-RA-ML1.7 requires a specific restriction: privileged accounts (excluding local administrator accounts) cannot log on to unprivileged o... | |
| Supports (1) | | |
| Annex A 8.31 | Annex A 8.31 requires development, test and production environments to be separated and secured to prevent inappropriate access and impac... | |
| Related (1) | | |
| Annex A 5.15 | Annex A 5.15 requires rules and procedures to control logical access to systems and information based on requirements | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| ISM-1688 | ISM-1688 requires that unprivileged user accounts cannot log on to privileged operating environments | |
| ISM-1827 | ISM-1827 requires dedicated domain administrator accounts for administering AD DS domain controllers, separated from accounts used to adm... | |
| ISM-1958 | E8-RA-ML1.7 requires privileged accounts (excluding local administrator accounts) cannot log on to unprivileged environments | |
| Supports (5) | | |
| ISM-0445 | ISM-0445 requires dedicated privileged accounts to be used only for duties requiring privileged access | |
| ISM-1380 | E8-RA-ML1.7 requires preventing privileged accounts (excluding local administrator accounts) from logging on to unprivileged operating en... | |
| ISM-1400 | ISM-1400 requires enforced separation of classified data and personal data when using privately-owned devices to access sensitive systems... | |
| ISM-1649 | E8-RA-ML1.7 requires blocking privileged accounts from logging on to unprivileged operating environments | |
| ISM-1990 | ISM-1990 requires separation between work and personal apps and data on mobile devices to limit data leakage pathways | |
| Related (1) | | |
| ISM-1689 | E8-RA-ML1.7 requires that privileged accounts (excluding local administrator accounts) cannot log on to unprivileged operating environments | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.