ISM-1260 policy ASD Information Security Manual (ISM)

Secure Server Applications by Changing Default Credentials

Change or remove default user accounts and passwords in server apps to enhance security from the start.


Plain language

This control is about changing the default usernames and passwords on your server applications. It matters because hackers often know these defaults and can easily gain access to your system if they aren't changed, leading to potential data breaches or outages.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Default user accounts or credentials for server applications, including for any pre-configured user accounts, are changed, disabled or removed during initial setup.

Why it matters

If default accounts or passwords remain, attackers can log in easily, take over the server application and access or alter sensitive data.


Operational notes

During install, change, disable or remove all default and pre-configured accounts; routinely scan applications for remaining default logins and rotate credentials after upgrades.


Implementation tips

  • The IT team should identify all new server applications installed. This means keeping a list of all software that runs on your servers. By doing this, they'll know where to focus their efforts when changing passwords.
  • IT administrators must change default credentials during the first setup. They should replace these with strong, unique passwords by using a password manager that generates and stores them securely.
  • System owners should validate the removal of unnecessary default user accounts. They can do this by checking the user account settings in each application and ensuring only essential accounts remain.
  • Managers should enforce a policy for regular reviews of server credentials. They can set up reminders in their calendar to check with IT every six months, ensuring that no default accounts have been re-enabled.
  • Procurement officers should work closely with suppliers to ensure new applications come with guidance on securing user accounts. They can ask for documentation that specifies how to change defaults as part of the purchase agreement.
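To make the operational notes and implementation tips above checkable, here is an added example (not from the Control Stack page or the ISM itself): a Python audit that walks an application inventory and flags default accounts that still violate the control. The application names, account records, date fields, setup window and finding codes are all constructed for this example; in a real run the inventory would be populated from each application's user export or configuration.

```python
"""Audit a server-application account inventory against ISM-1260.

Added example. The inventory below is constructed to show the cases the
control and operational notes describe: a default account left enabled with
its shipped credential, one disabled at setup, one changed long after initial
setup, and one whose credential was last rotated before a later upgrade.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Finding codes (constructed names, not ISM terminology)
UNCHANGED = "default-credential-unchanged"
LATE_CHANGE = "changed-after-initial-setup"
STALE_UPGRADE = "not-rotated-after-upgrade"


@dataclass
class Account:
    name: str
    is_default: bool                        # shipped or pre-configured by the vendor
    enabled: bool
    credential_changed_on: Optional[date]   # None means never changed since install


@dataclass
class ServerApp:
    name: str
    installed_on: date
    last_upgraded_on: Optional[date] = None
    accounts: List[Account] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    code: str


def audit_app(app: ServerApp, setup_window_days: int = 1) -> List[Finding]:
    """Return one finding per violation among the app's default accounts.

    Disabled default accounts are compliant (the control allows disabling), and
    removed accounts simply do not appear in the inventory. Non-default accounts
    are outside the scope of ISM-1260 and are skipped.
    """
    findings: List[Finding] = []
    setup_deadline = app.installed_on + timedelta(days=setup_window_days)
    for acct in app.accounts:
        if not acct.is_default or not acct.enabled:
            continue
        if acct.credential_changed_on is None:
            findings.append(Finding(app.name, acct.name, UNCHANGED))
            continue
        # Control wording: the change must happen "during initial setup".
        if acct.credential_changed_on > setup_deadline:
            findings.append(Finding(app.name, acct.name, LATE_CHANGE))
        # Operational note: rotate credentials after upgrades.
        if app.last_upgraded_on and acct.credential_changed_on < app.last_upgraded_on:
            findings.append(Finding(app.name, acct.name, STALE_UPGRADE))
    return findings


def audit_inventory(apps: List[ServerApp], setup_window_days: int = 1) -> List[Finding]:
    """Audit every application in the inventory and concatenate the findings."""
    return [f for app in apps for f in audit_app(app, setup_window_days)]


# Constructed sample inventory (not real systems or vendor defaults)
CONSTRUCTED_INVENTORY = [
    ServerApp("db-server", installed_on=date(2025, 1, 10), last_upgraded_on=date(2025, 6, 1), accounts=[
        Account("admin", is_default=True, enabled=True, credential_changed_on=date(2025, 1, 10)),
        Account("guest", is_default=True, enabled=False, credential_changed_on=None),
        Account("ops_jane", is_default=False, enabled=True, credential_changed_on=date(2025, 5, 20)),
    ]),
    ServerApp("web-portal", installed_on=date(2025, 3, 2), accounts=[
        Account("administrator", is_default=True, enabled=True, credential_changed_on=None),
        Account("setup", is_default=True, enabled=True, credential_changed_on=date(2025, 4, 15)),
        Account("svc_report", is_default=True, enabled=True, credential_changed_on=date(2025, 3, 2)),
    ]),
]

if __name__ == "__main__":
    for finding in audit_inventory(CONSTRUCTED_INVENTORY):
        print(f"{finding.app}: {finding.account}: {finding.code}")
```

Running the sample produces three findings: `db-server/admin` was changed at setup but not rotated after the June upgrade, `web-portal/administrator` still has its shipped credential, and `web-portal/setup` was changed weeks after install rather than during initial setup. The disabled `guest` account and the promptly changed `svc_report` account produce nothing, which is the evidence an auditor following the tips below would want to see.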

Audit / evidence tips

  • Ask: A list of all server applications in use; request the most current inventory list. Good: It confirms no defaults remain and cites the unique, stronger credentials in use.
  • Ask: To see the password policy document; request the IT team's written guidelines on password creation. Good: It follows recommendations from trusted sources like the Australian Cyber Security Centre (ACSC).
  • Ask: Access records from recent server audits; examine reports from recent walkthroughs or scans. Good: They include no unresolved issues concerning default credentials and show that default passwords have been replaced with secure ones.
  • Ask: Documented secure setup procedures; request the step-by-step guides followed by IT. Good: A clear, dated checklist showing adherence to best practices.

Cross-framework mappings

How ISM-1260 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 8.9
Notes: Partially meets (1)
Details: ISM-1260 requires default server application accounts and credentials to be changed, disabled or removed as part of initial setup.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
