ISM-1263 ASD Information Security Manual (ISM)

Enforce Unique Accounts for Server Administration

Administrators must use unique accounts to manage each server application.

Plain language

Each administrator needs to have their own account when managing software on servers. This is important because if everyone shares the same account, you can't track who made changes. Mistakes or malicious actions can then go undetected, putting the entire server at risk by making it hard to figure out who did what.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Unique privileged user accounts are used for administering individual server applications.

Why it matters

Without unique admin accounts, tracing changes is difficult, increasing the risk of undetected malicious actions and operational disruptions.

Operational notes

Regularly audit privileged accounts to confirm each administrator uses a unique account per server application, and alert on any shared credentials or concurrent logons.

Implementation tips

  • The IT team should create individual accounts for each system administrator on every server. This can be done by accessing the server management console and setting up separate login credentials for each person responsible for administration tasks.
  • System owners should regularly review the list of accounts with access to their servers. Schedule monthly checks to ensure every account listed belongs to a current staff member and remove any accounts for people who have left the organisation.
  • Managers should educate admins on secure account management. Organise a training session on why it's important to avoid sharing accounts, how to create strong passwords, and the importance of changing passwords regularly.
  • The IT department should set up a process for onboarding and offboarding administrators. This involves establishing a checklist that guides creating or removing accounts when administrators join or leave the organisation.
  • Protection measures like password policies should be implemented by the IT team. Use settings that enforce strong passwords and regular password changes, thus reducing the risk of unauthorised access due to weak or old passwords.

Audit / evidence tips

  • Ask: A list of all current system administrators. Good: Outcome is seeing that every administrator has a distinct account name aligning with their actual name.
  • Good: Outcome shows recent account audits with minimal inactive accounts.
  • Ask: Logs that show account activity on server applications. Check to see if the logs can specify which admin made changes. Good: Result displays logs that clearly tie actions to specific, named accounts.
  • Good: Includes up-to-date records showing that all current admins received training.
  • Ask: To see the password policy applied to admin accounts. Examine if it includes requirements for password complexity and periodic changes. Good: Result shows an active policy ensuring strong, regularly updated passwords.

Cross-framework mappings

How ISM-1263 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.2 ISM-1263 requires unique privileged user accounts to be used for administering individual server applications
Supports (2)
Annex A 5.16 ISM-1263 requires unique privileged user accounts to be used for administering individual server applications
Annex A 5.18 ISM-1263 requires unique privileged user accounts to be used for administering individual server applications

E8

Control Notes Details
Partially meets (1)
E8-RA-ML1.2 E8-RA-ML1.2 requires a dedicated privileged account be used only for duties requiring privileged access
Supports (1)
E8-RA-ML3.1 E8-RA-ML3.1 requires privileged access to be limited to only what is necessary for duties

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
