ISM-1260 ASD Information Security Manual (ISM)

Secure Server Applications by Changing Default Credentials

Change or remove default user accounts and passwords in server apps to enhance security from the start.

Framework: ASD Information Security Manual (ISM)

Control effect: Preventative

Classifications: NC, OS, P, S, TS

ISM last updated: May 2025

Control Stack last updated: 19 Mar 2026

E8 maturity levels: N/A

Official control statement
Default user accounts or credentials for server applications, including for any pre-configured user accounts, are changed, disabled or removed during initial setup.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about changing the default usernames and passwords on your server applications. It matters because attackers often know these defaults and can easily gain access to your system if they aren't changed, leading to potential data breaches or outages.

Why it matters

If default accounts or passwords remain, attackers can log in easily, take over the server application and access or alter sensitive data.

Operational notes

During install, change, disable or remove all default and pre-configured accounts; routinely scan applications for default logins still in use, and rotate credentials after upgrades.

Implementation tips

  • The IT team should identify all new server applications installed. This means keeping a list of all software that runs on your servers. By doing this, they'll know where to focus their efforts when changing passwords.
  • IT administrators must change default credentials during the first setup. They should replace these with strong, unique passwords by using a password manager that generates and stores them securely.
  • System owners should validate the removal of unnecessary default user accounts. They can do this by checking the user account settings in each application and ensuring only essential accounts remain.
  • Managers should enforce a policy for regular reviews of server credentials. They can set up reminders in their calendar to check with IT every six months, ensuring that no default accounts have been re-enabled.
  • Procurement officers should work closely with suppliers to ensure new applications come with guidance on securing user accounts. They can ask for documentation that specifies how to change defaults as part of the purchase agreement.
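As an added example (not code from Control Stack or the ISM), the check below classifies each vendor-documented pre-configured account of an application into the three outcomes the control accepts (changed, disabled, removed) or a non-compliance finding, and also flags a credential not rotated since the last upgrade, as the operational notes call for. The default-account names, the application record and its field names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed: names a hypothetical vendor's documentation lists as pre-configured.
VENDOR_DEFAULT_ACCOUNTS = {"admin", "guest", "support"}

@dataclass
class Account:
    name: str
    enabled: bool
    password_changed_on: Optional[date]  # None: never changed since install

@dataclass
class Application:
    name: str
    installed_on: date
    last_upgraded_on: date
    accounts: list = field(default_factory=list)  # listing exported from the app

def assess_default_account(app: Application, default_name: str) -> str:
    """Classify one pre-configured account as changed, disabled, removed, or a finding."""
    acct = next((a for a in app.accounts if a.name == default_name), None)
    if acct is None:
        return "removed"
    if not acct.enabled:
        return "disabled"
    changed = acct.password_changed_on
    if changed is None or changed < app.installed_on:
        return "NON_COMPLIANT: default credential still in use"
    if changed < app.last_upgraded_on:  # operational note: rotate after upgrades
        return "NON_COMPLIANT: credential not rotated since last upgrade"
    return "changed"

def audit(app: Application) -> dict:
    """One outcome per vendor default account, keyed by account name."""
    return {n: assess_default_account(app, n) for n in sorted(VENDOR_DEFAULT_ACCOUNTS)}

def is_compliant(findings: dict) -> bool:
    return not any(v.startswith("NON_COMPLIANT") for v in findings.values())

def sample_inventory(admin_changed_days_after_install: Optional[int] = 0) -> Application:
    # Constructed sample: installed 10 Jan 2025, upgraded 1 Jun 2025; None = admin never changed.
    installed = date(2025, 1, 10)
    changed = None if admin_changed_days_after_install is None else installed + timedelta(days=admin_changed_days_after_install)
    return Application("crm-portal", installed, date(2025, 6, 1), [
        Account("admin", True, changed),
        Account("guest", False, None),
    ])
```

Running `audit(sample_inventory())` reports the admin account as changed at install but not rotated after the June upgrade, guest as disabled and support as removed.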

Audit / evidence tips

  • Ask for: a list of all server applications in use (request the most current inventory list)

    Good sign: it confirms no defaults remain and cites the unique, stronger credentials in use

  • Ask for: the password policy document (request the IT team's written guidelines on password creation)

    Good sign: it follows recommendations from trusted sources such as the Australian Cyber Security Centre (ACSC)

  • Ask for: access records from recent server audits (examine reports from recent walkthroughs or scans)

    Good sign: no unresolved issues concerning default credentials

  • Good sign: evidence that default passwords have been replaced with secure ones

  • Ask for: documented secure setup procedures (request the step-by-step guides followed by IT)

    Good sign: a clear, dated checklist showing adherence to best practices

Cross-framework mappings

How ISM-1260 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001 (1 mapping)

Control: Annex A 8.9
Relationship: Partially meets
Notes: ISM-1260 requires default server application accounts and credentials to be changed, disabled or removed as part of initial setup
