Change Default OS User Accounts During Setup
Change or disable default OS user accounts during setup to enhance security.
Plain language
When you first set up a new computer or server, it often comes with a default user account and password that are published in the vendor's documentation and known to everyone. If you don't change, disable or remove that account during setup, an attacker can simply log in with the published credentials and take over the system.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline: Guidelines for system hardening
Section: Operating system hardening
Official control statement
Default user accounts or credentials for operating systems, including for any pre-configured user accounts, are changed, disabled or removed during initial setup.
Why it matters
If default OS accounts/credentials remain unchanged, attackers can guess or reuse known defaults to gain unauthorised access, leading to compromise and data loss.
Operational notes
During build and after major upgrades, confirm all default or pre-configured OS accounts are renamed, disabled or removed, and that any default passwords are changed.
Implementation tips
- The IT team should identify all default user accounts during initial setup. They can do this by reviewing the operating system's installation guide or documentation that lists these accounts.
- System owners should ensure default passwords for any initial accounts are changed immediately, before the system is connected to a production network. They can do this by setting a long, unique password or passphrase that is not reused on any other system and is stored in an approved password manager or privileged access tool.
- Managers should collaborate with IT to disable unused default accounts. The IT team can perform this by accessing user account settings and setting accounts that aren't needed to 'disabled' status.
- Procurement teams should check with vendors if there's an option to pre-customise operating systems without default accounts. They can do this by having conversations during the purchasing process to ensure secure system configurations are available.
- The IT team should create a checklist for initial system setups that includes removing or disabling all unnecessary default accounts. This checklist should be reviewed and updated regularly as part of standard procedure.
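The steps above (identify the default accounts, confirm their credentials were changed, confirm unused ones are disabled, and repeat the check after upgrades) can be scripted so the same evidence is produced on every build. The following is an added example written for this page, not code from the ISM or from any vendor: a POSIX shell audit that walks a Linux host's passwd and shadow databases and flags accounts whose names appear in a list of well-known pre-configured accounts and are still usable, plus any account with an empty password field. The list of default account names, the sample passwd and shadow files, and the lock-marker convention (a hash beginning with `!` or `*`) are assumptions; the sample files are constructed here so the script runs offline, and on a real build you would point `audit_accounts` at `/etc/passwd` and `/etc/shadow` as root.

```shell
#!/bin/sh
# Added example (not from the ISM or the page): audit local accounts on a
# Linux host for default or pre-configured accounts that are still usable.
# Runs offline against the constructed sample files created below; on a real
# build call: audit_accounts /etc/passwd /etc/shadow  (as root)

# Well-known pre-configured account names shipped by common images and
# appliances. Assumption: extend this list for the images in your own fleet.
DEFAULT_ACCOUNTS="admin guest pi ubuntu ec2-user vagrant"

# shadow_hash USER SHADOW_FILE: print USER's password field ("" if absent/empty)
shadow_hash() {
  awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2"
}

# is_login_shell SHELL: succeed if the shell permits an interactive login
is_login_shell() {
  case "$1" in
    ""|*/nologin|*/false) return 1 ;;
    *) return 0 ;;
  esac
}

# is_default_name USER: succeed if USER is in DEFAULT_ACCOUNTS
is_default_name() {
  for d in $DEFAULT_ACCOUNTS; do
    [ "$d" = "$1" ] && return 0
  done
  return 1
}

# audit_accounts PASSWD_FILE SHADOW_FILE
# Prints one "<user>TAB<finding>" line per problem.
# Returns 0 when no findings, 1 otherwise (so it can gate a build pipeline).
audit_accounts() {
  findings=0
  while IFS=: read -r user pw uid gid gecos home shell; do
    hash=$(shadow_hash "$user" "$2")
    # Empty password field with a login shell: anyone can log in with no credential.
    if [ -z "$hash" ] && is_login_shell "$shell"; then
      printf '%s\tempty password with login shell %s\n' "$user" "$shell"
      findings=$((findings + 1))
      continue
    fi
    # Locked accounts carry a hash starting with "!" or "*" (assumed convention).
    case "$hash" in
      '!'*|'*'*) locked=1 ;;
      *)         locked=0 ;;
    esac
    # A pre-configured account that is neither locked nor shell-disabled may
    # still be using its initial credential.
    if is_default_name "$user" && [ "$locked" -eq 0 ] && is_login_shell "$shell"; then
      printf '%s\tdefault account still enabled (uid %s, shell %s)\n' "$user" "$uid" "$shell"
      findings=$((findings + 1))
    fi
  done < "$1"
  [ "$findings" -eq 0 ]
}

# --- constructed sample files (not taken from any real host) ---
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
pi:x:1001:1001::/home/pi:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
vagrant:x:1003:1003::/home/vagrant:/usr/sbin/nologin
ops:x:1004:1004::/home/ops:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$examplehash:19900:0:99999:7:::
daemon:*:19900:0:99999:7:::
ubuntu:!:19900:0:99999:7:::
pi:$6$saltsalt$examplehash:19900:0:99999:7:::
guest::19900:0:99999:7:::
vagrant:$6$saltsalt$examplehash:19900:0:99999:7:::
ops:$6$saltsalt$examplehash:19900:0:99999:7:::
EOF

# In the sample, "pi" (default, unlocked, login shell) and "guest" (empty
# password) are reported; "ubuntu" is locked and "vagrant" has a nologin shell.
if audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"; then
  echo "OK: no usable default or credential-less accounts"
else
  echo "FAIL: remediate the accounts listed above before release"
fi
```

Note the caveat the script makes explicit: it can prove an account is locked, shell-disabled or passwordless, but it cannot tell from the shadow file whether a password that is set (root in the sample) is still the vendor default. That part of the control is evidenced by the build checklist and the change record, not by this check, so keep the script's output alongside those records rather than in place of them.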
Audit / evidence tips
- Ask: for a list of user accounts from the operating system used. Request a document or report showing all current user accounts set up after initial installation.
  Good: No default accounts are active, or their initial credentials have been changed.
- Good: Clearly noted changes or actions with dates and the responsible person's name.
- Ask: how they handle default user accounts during new installations.
  Good: They describe specific actions taken and procedures followed.
- Good: The IT staff disable or change default accounts following a documented procedure.
- Ask: if there are regular audits or checks in place for the systems post-setup.
  Good: Regularly scheduled reviews documented with outcomes and actions taken.
Cross-framework mappings
How ISM-0383 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001

| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.9 | ISM-0383 requires default operating system user accounts and credentials (including pre-configured accounts) to be changed, disabled or r... |
| Partially overlaps | Annex A 5.17 | Annex A 5.17 requires a controlled process for allocating and managing authentication information, including secure handling expectations... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.