Conduct administrative activities through jump servers
Require admins to use secure jump servers for management tasks.
Plain language
This control requires administrators to perform management tasks through a special type of computer called a jump server. Jump servers add a layer of security by acting like a security checkpoint, ensuring that only authorised administrators can access sensitive systems. Without jump servers, an attacker could potentially gain direct access to important parts of the network, leading to data theft or system damage.
Framework
ASD Essential Eight
Control effect
Proactive
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Administrative activities are conducted through jump servers.
Why it matters
Without jump servers, attackers can exploit direct admin access paths, leading to potential data breaches and network compromise.
Operational notes
Review jump server configuration and logs to confirm only authorised admins access it, and that administrative tasks occur via the jump server rather than direct management access.
Implementation tips
- IT Team: Set up a secure jump server that all administrators must use to access the organisation's main systems. Configure this server to require strong authentication methods, like two-factor authentication, for logging in.
- Security Officer: Ensure that the jump server is secured with proper firewall rules. Only allow connections from specific administrator devices and block all others to prevent unauthorised access.
- System Administrator: Regularly update the jump server with the latest security patches and software updates to protect against vulnerabilities.
- IT Support Team: Train all administrators on how to use the jump server correctly, including login procedures and exiting the server after completing their tasks to maintain security.
Audit / evidence tips
-
AskAre all administrative activities being conducted through a jump server?
-
GoodAccess logs show only authorised access from specific, known administrator accounts, and these accesses align with documented administrative activities
-
AskHow is the jump server secured against unauthorised access?
-
GoodThe firewall settings show restricted access to the jump server, allowing only specific administrator IP addresses
Cross-framework mappings
How E8-RA-ML2.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| link Related (1) expand_less | ||
| Annex A 5.15 | Annex A 5.15 requires organisations to establish and implement access control policies and procedures for information and systems | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| ISM-0445 | ISM-0445 requires privileged users to use a dedicated privileged account only when performing privileged duties | |
| ISM-1898 | E8-RA-ML2.4 requires administrative activities to be conducted through jump servers to control and monitor privileged management access | |
| handshake Supports (9) expand_less | ||
| ISM-0616 | ISM-0616 requires administrative activities for gateways to be performed with separation of duties so that no single person can unilatera... | |
| ISM-1422 | ISM-1422 focuses on preventing unauthorised access to software sources, including administrative access | |
| ISM-1509 | E8-RA-ML2.4 requires administrative activities to be conducted through jump servers, which typically concentrates administrative sessions... | |
| ISM-1604 | ISM-1604 requires the administrative interface for the isolation mechanism (e.g | |
| ISM-1731 | ISM-1731 requires that intrusion remediation planning and coordination occur on a system separate to the compromised one to avoid attacke... | |
| ISM-1750 | E8-RA-ML2.4 requires administrative activities to be conducted through jump servers as a controlled choke point for privileged management | |
| ISM-1827 | ISM-1827 requires dedicated domain administrator accounts to administer AD DS domain controllers and prohibits using those accounts to ad... | |
| ISM-1899 | ISM-1899 requires that non-administrative devices cannot initiate connections to administrative infrastructure, limiting direct reachabil... | |
| ISM-1927 | ISM-1927 requires that access to Microsoft identity servers is limited to privileged users who need that access | |
| link Related (1) expand_less | ||
| ISM-1387 | E8-RA-ML2.4 requires administrative activities to be conducted through jump servers to reduce exposure of privileged administration paths | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.