Enable Remote Credential Guard functionality
Prevent admin credentials from being exposed during remote logins.
Plain language
Remote Credential Guard stops hackers from stealing your password when you log in to work computers from far away. Without it, a hacker could pretend to be you and do things like transfer money or delete important files.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Remote Credential Guard functionality is enabled.
Why it matters
Without Remote Credential Guard, credentials can be exposed during RDP sign-in, enabling lateral movement and privilege escalation.
Operational notes
Regularly confirm Remote Credential Guard is enabled for all RDP connections via Group Policy and test with representative admin accounts.
Implementation tips
- System administrators should enable Remote Credential Guard on all computers that users access remotely by updating security settings in the Group Policy Editor.
- IT teams should ensure all Windows systems are running the latest supported version, which includes Credential Guard features, by scheduling regular software updates.
- Security officers should educate employees on the importance of Remote Credential Guard by providing training sessions and documentation.
- IT support should test remote login processes after implementing Remote Credential Guard to ensure there is no disruption to user services.
Audit / evidence tips
- Ask: Have you enabled Remote Credential Guard on systems used for remote access?
- Good: All relevant systems have Remote Credential Guard enabled, as shown by a specific Group Policy setting
- Ask: How often are updates and configurations reviewed to protect remote login credentials?
- Good: Regular updates are applied, and configurations are reviewed every six months, with logs to support this practice
Cross-framework mappings
How E8-RA-ML3.7 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 6.7 | E8-RA-ML3.7 requires Remote Credential Guard to be enabled to prevent administrator credentials being exposed during remote logons | |
| Supports (1) | | |
| Annex A 5.17 | Annex A 5.17 requires controlled allocation and management of authentication information and appropriate handling guidance | |
| Related (1) | | |
| Annex A 5.15 | Annex A 5.15 requires rules and procedures to control logical access to systems and associated assets | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| ISM-1686 | ISM-1686 requires enabling Credential Guard to protect credentials on endpoints from unauthorised access | |
| Supports (4) | | |
| ISM-1590 | ISM-1590 requires organisations to change credentials when compromise is suspected or when credentials are exposed in the clear over netw... | |
| ISM-1749 | ISM-1749 requires cached credentials to be limited to a single previous logon, primarily reducing offline/endpoint credential reuse after... | |
| ISM-1861 | E8-RA-ML3.7 requires Remote Credential Guard to be enabled to prevent administrator credentials being exposed during remote logons | |
| ISM-1896 | ISM-1896 requires memory integrity functionality to be enabled to protect credentials from being accessed or altered in memory | |
| Related (1) | | |
| ISM-1897 | ISM-1897 requires that Remote Credential Guard functionality is enabled to protect credentials during remote authentication | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.