Limit Server Application User Account Privileges
Server applications have restricted user account access to the server's file system.
Plain language
Limiting server applications' user account privileges means ensuring that the software running on your server has access only to what it absolutely needs. This is important because if these applications have too much access, they can be exploited by hackers to reach sensitive data, which could lead to data breaches or business disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
The user accounts under which server applications run have limited access to their underlying server's file system.
Why it matters
Excessive application access can lead to data breaches, as compromised apps can exploit unneeded privileges to access sensitive files.
Operational notes
Audit server app run accounts; remove write/admin rights and restrict file paths to only what the app needs. Recheck after updates or config changes.
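One way to run the audit described above on a POSIX server, as an added example that is not part of the ISM or of this page's source: it walks a directory tree and reports every path a service account can write to outside its allowed list. The account IDs, paths and sample tree are constructed, and the check reads mode bits only; ACLs and parent-directory traversal rights are not evaluated.

```python
import os
import stat
import tempfile
from pathlib import Path

def can_write(st, uid, gids):
    """POSIX mode-bit check for a non-root account (ACLs are not evaluated)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_writable(root, uid, gids, allowed):
    """Paths under root the account can write that fall outside the allowed list."""
    allowed = [Path(a).resolve() for a in allowed]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or not can_write(st, uid, gids):
                continue  # symlink mode bits are not meaningful
            real = path.resolve()
            if any(real == a or a in real.parents for a in allowed):
                continue  # write access here is on the application's list
            findings.append(str(path))
    return sorted(findings)

def demo():
    """Constructed tree: one allowed data directory, two over-permissive paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        modes = {"app": 0o755, "app/data": 0o770, "app/bin": 0o755, "etc": 0o755,
                 "app/bin/run.sh": 0o775, "etc/shared.conf": 0o666}
        for rel in ("app/data", "app/bin", "etc"):
            (root / rel).mkdir(parents=True)
        (root / "app/bin/run.sh").write_text("#!/bin/sh\n")
        (root / "etc/shared.conf").write_text("key=value\n")
        for rel, mode in modes.items():
            os.chmod(root / rel, mode)
        owner = os.stat(root / "etc/shared.conf")
        svc_uid = owner.st_uid + 1000      # hypothetical service account, not the owner
        found = audit_writable(root, svc_uid, {owner.st_gid}, [root / "app/data"])
        return [os.path.relpath(p, root) for p in found]

if __name__ == "__main__":
    for finding in demo():
        print("writable outside allowed paths:", finding)
```

Rerunning the same audit after updates or configuration changes and comparing the findings gives the recheck the note calls for.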
Implementation tips
- IT team: Conduct a review of all server applications to identify what system resources they truly need to function. Make a list of necessary files and tools each application requires and verify that they don't have access to anything else.
- System administrator: Set up restricted accounts for each server application that only grant the minimum privileges necessary for operation. Use the list made by the IT team to adjust permissions in the server's user account settings.
- Look at: attempts by applications to access files or directories they shouldn't
- Business manager: Work with the IT team to understand potential risks associated with server applications running with excessive privileges. Attend briefings to learn about the security posture and any incidents that occur.
- HR department: Ensure that security training includes guidance on the importance of limiting privileges, making employees aware of how privilege misuse can lead to security breaches.
Audit / evidence tips
- Ask: access control lists for server applications. Request the documents showing what specific files and folders each application can access.
  Good: Lists show limited access to essential files only, with no unexplained or broad permissions.
- Ask: a report on server application access reviews. Request documentation of regular reviews of application privileges.
  Good: Up-to-date records with actions taken to adjust permissions based on review findings.
- Ask: server log records. Request to see logs that track file access attempts by server applications.
  Good: Logs show consistent monitoring with no successful unauthorised access.
- Ask: a security training curriculum. Request details of employee training sessions that mention privilege limitations.
  Good: Training materials that explain risks and procedures for limiting application access.
- Ask: the risk assessment report for server applications. Request documentation evaluating the risk associated with excessive privileges.
  Good: Comprehensive assessments with clear action steps to address privilege issues.
Cross-framework mappings
How ISM-1250 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.15 | ISM-1250 requires organisations to implement least-privilege file system permissions for server application accounts | |
| Annex A 8.3 | ISM-1250 addresses access control by limiting what server application user accounts can do on the server’s file system | |
| Partially overlaps (1) | | |
| Annex A 8.2 | Annex A 8.2 requires privileged access rights to be restricted and managed to ensure elevated capabilities are tightly controlled | |
E8
| Control | Notes | Details |
|---|---|---|
| Related (1) | | |
| E8-RA-ML3.1 | E8-RA-ML3.1 requires limiting privileged access so users and services only have what they need to perform duties | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.