Disable Unneeded OS Accounts and Services
Remove or turn off unnecessary user accounts and services on operating systems to improve security.
Plain language
This control is about shutting down or removing user accounts and services on computer systems that aren't needed. Doing this helps protect your business from hackers who might use these unused accounts or services to break into your systems and cause trouble, like stealing information or disrupting your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Operating system hardening
Official control statement
Unneeded user accounts, components, services and functionality of operating systems are disabled or removed.
Why it matters
Leaving unused OS accounts or services enabled creates unnecessary entry points, increasing the likelihood of privilege misuse, compromise and outages.
Operational notes
Regularly review OS accounts and running services; disable or remove default, unused or legacy items, and verify only required services start at boot to minimise attack surface.
Implementation tips
- System owners should review all user accounts on their systems: Go through your system’s user list carefully and flag any accounts that are no longer in use, such as accounts of former employees. Ensure these accounts are removed or deactivated promptly.
- IT teams should assess all services running on operating systems: Check what services your system is currently using and identify any that are redundant. For those not needed, disable them to ensure they cannot be exploited.
- Managers should coordinate with HR to update IT departments about staff changes: Work together to ensure that when someone leaves the organisation, their access is revoked immediately. Create a quick checklist for HR to notify IT of staff departures as part of the exit process.
- IT security staff should periodically audit system configurations: Schedule regular checks of system accounts and active services every few months. Use a simple log or checklist to track which accounts and services have been deactivated since the last check.
- System administrators should enable service logging: For system services that are essential, ensure logging is enabled to quickly detect and respond to any suspicious activity. Regularly review these logs to spot and resolve potential issues early.
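The account and service review described in the operational notes and implementation tips, as an added example that is not code from the Control Stack page or the ISM: a POSIX shell script that compares accounts holding a login shell and services enabled at boot against an approved baseline and lists the exceptions for follow-up. It assumes a Linux host using systemd; the baseline names and the sample passwd and unit-file data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Control Stack or ASD code. Assumes Linux with systemd.
# Baseline names and sample data below are constructed for illustration.

APPROVED_ACCOUNTS="root alice svc_backup"     # constructed baseline
APPROVED_SERVICES="sshd.service cron.service" # constructed baseline

# Accounts that have an interactive shell but are not in the baseline.
# Input: /etc/passwd lines on stdin. Output: one username per line.
unexpected_accounts() {
  awk -F: -v ok="$APPROVED_ACCOUNTS" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
    $7 !~ /(nologin|false)$/ && !($1 in allow) { print $1 }'
}

# Unit files enabled at boot that are not in the baseline.
# Input: output of "systemctl list-unit-files --type=service --state=enabled".
unexpected_services() {
  awk -v ok="$APPROVED_SERVICES" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
    $2 == "enabled" && !($1 in allow) { print $1 }'
}

# Constructed sample data standing in for the live system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001:left 2025:/home/bob:/bin/bash
svc_backup:x:1002:1002::/var/backup:/bin/sh
svc_legacy:x:1003:1003::/opt/legacy:/bin/sh'

SAMPLE_UNITS='UNIT FILE        STATE   PRESET
sshd.service     enabled enabled
cron.service     enabled enabled
telnet.service   enabled disabled
cups.service     disabled disabled'

audit_report() {
  printf 'Accounts with a login shell outside the baseline:\n'
  printf '%s\n' "$SAMPLE_PASSWD" | unexpected_accounts
  printf 'Services enabled at boot outside the baseline:\n'
  printf '%s\n' "$SAMPLE_UNITS" | unexpected_services
}

# On a live host, feed real data instead of the samples:
#   unexpected_accounts < /etc/passwd
#   systemctl list-unit-files --type=service --state=enabled | unexpected_services
audit_report
```

Each name the report prints is a candidate for the disable-or-remove decision and for the review log the tips above ask for; the baseline itself is the evidence of what was authorised.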
Audit / evidence tips
- Ask: a list of current user accounts. Request a report or spreadsheet detailing all user accounts active in the system.
  Good: shows only current staff and necessary service accounts.
- Good: includes recent entries and clear authorisation details.
- Ask: a report of active system services. Check the list of services running on the system.
  Good: only lists services essential for operations and nothing extraneous.
- Ask: how regularly they review and remove unnecessary accounts.
  Good: includes a specific frequency for reviews and clarity on who performs the checks and how access is terminated.
- Good: shows documented actions taken following the review.
Cross-framework mappings
How ISM-0380 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.9 | ISM-0380 requires unneeded operating system user accounts, components, services and functionality to be disabled or removed to reduce att... | |
| Partially overlaps (1) | | |
| Annex A 5.16 | Annex A 5.16 requires managing identities across creation, change, review and deactivation, including ensuring accounts are retired when ... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| E8-AH-ML1.1 | E8-AH-ML1.1 requires Internet Explorer 11 to be disabled or removed to reduce exposure to a legacy, vulnerable browser | |
| E8-AH-ML3.2 | E8-AH-ML3.2 requires organisations to disable or remove Windows PowerShell 2.0 as a specific hardening action | |
| E8-AH-ML3.3 | E8-AH-ML3.3 requires PowerShell to be configured to use Constrained Language Mode, restricting available functionality to reduce attack t... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.