Apply Strict Server Application Hardening Guidelines
Servers are secured using the most restrictive guidance from ASD and vendors to protect against vulnerabilities.
Plain language
This control is about strengthening the security of server applications by following strict guidelines to reduce the risk of cyber attacks. If server applications are not properly secured, they can be vulnerable to hackers, potentially leading to data breaches and serious disruptions to your business.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Server applications are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
Why it matters
Without strict server application hardening (ASD/vendor baselines), default settings and weak services may be exploited, enabling unauthorised access or outages.
Operational notes
Maintain ASD and vendor hardening baselines for each server app; review updates and, where guidance conflicts, implement the most restrictive settings.
Implementation tips
- The IT team should gather hardening guidelines from both the Australian Signals Directorate and the application vendors. This involves visiting the respective websites and downloading the latest guidance documents or security bulletins.
- The system administrator should review these guidelines to identify any conflicting recommendations. This can be done by creating a comparison list and deciding which guidance to follow, prioritising the stricter set of rules.
- The IT manager should ensure that these hardening measures are applied to each server application. This involves updating configurations as per the guidelines and checking that no recommended security settings are missed.
- IT staff should conduct regular training sessions for everyone involved in server management. These sessions ensure all personnel are aware of the importance of adhering to the strict guidelines and know how to implement them effectively.
- The business owner should allocate resources for regular security audits of the server applications to ensure continued compliance with the strictest hardening guidelines. This ensures that security configurations are up-to-date and effective.
Audit / evidence tips
- Ask: the documented record of the hardening guidelines used. Request a list showing both the Australian Signals Directorate and vendor guidelines consulted.
  Good: an up-to-date list with notes on the decisions made for each conflict.
- Ask: configuration settings documentation. Review the settings applied to each server application against the list of guidelines.
  Good: a document verifying compliance with no skipped steps.
- Ask: training records for IT staff. Look into attendance records and training material to ensure sessions cover the security guidelines comprehensively.
  Good: comprehensive coverage of the guidelines and 100% attendance by relevant staff.
- Ask: security audit reports. Ensure audits cover whether server applications are compliant with the strictest guidelines.
  Good: includes a passed audit with clear notes on each guideline checked.
- Ask: the change logs for server application configurations. Check if changes align with the strictest guidelines and when they were implemented.
  Good: includes regular updates with documented rationale for each change.
Cross-framework mappings
How ISM-1246 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 8.8 | Annex A 8.8 supports ISM-1246 by establishing governance to identify, assess, and treat technical vulnerabilities, which encourages apply... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| Related (3) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.