Restrict Database Server Network Access to Localhost
Ensure databases only listen on the local machine if remote connections are not needed, enhancing security.
Plain language
This control is about making sure your database server only talks to the computer it's installed on, unless you specifically need it to accept connections from other machines. It matters because if you leave it open to the whole network, hackers or unauthorised users could access sensitive information stored in the database.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
If only local access to a database is required, networking functionality of database management system applications are disabled or directed to listen solely to the localhost interface.
Why it matters
Allowing database access beyond localhost can expose sensitive data to network attackers, increasing the risk of data breaches.
Operational notes
Regularly confirm the DB binds only to 127.0.0.1/::1 (or networking is disabled) and that no DB port is listening on external interfaces.
Implementation tips
- System administrators should configure the database to listen only on localhost. This means changing the database settings so it only accepts connections from the same machine it runs on. Check your database server's documentation for instructions on limiting connections to localhost.
- IT administrators need to assess if any external access is required for the database. If not, they should disable any networking features of the database that might allow connections from other devices. This can be done by accessing the server configuration settings and adjusting the network interface to localhost only.
- Database administrators should regularly review access logs to ensure no unauthorised connection attempts were made. Logs can be found within the database management interface, and should be checked weekly or monthly for any suspicious activity.
- Security officers should develop a policy for database access. This policy should outline who can request the database be accessible from external machines and under what circumstances. Document the policy and ensure all team members are aware of it.
- Managers should ensure their staff are trained on the importance of securing database access. Arrange for staff to attend a training session on localised database access, explaining the risks of leaving database servers open to the network.
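The operational note above asks administrators to confirm that the database binds only to 127.0.0.1/::1 and that no database port is listening on an external interface. The script below is an added example, not part of the ISM control or the Control Stack page: it shows the hardened listener settings for two common DBMSs as comments, and a small POSIX sh check that reads `ss -ltn`-style output and flags any database port bound to a non-loopback address. The `ss` sample lines and the list of ports treated as "database ports" are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the ISM page). Hardened listener settings, for reference:
#   PostgreSQL    postgresql.conf        listen_addresses = 'localhost'
#   MySQL/MariaDB my.cnf, [mysqld] block bind-address = 127.0.0.1   (or skip-networking)

# Ports treated as database listeners (assumption: PostgreSQL, MySQL/MariaDB,
# SQL Server, MongoDB, Redis defaults). Extend to suit the estate.
DB_PORTS="5432 3306 1433 27017 6379"

# Return 0 if the address part of an ss "Local Address:Port" cell is loopback.
is_loopback() {
  case "$1" in
    127.*|::1|\[::1\]) return 0 ;;
    *) return 1 ;;
  esac
}

# Read `ss -H -ltn` style lines on stdin (State Recv-Q Send-Q Local Peer ...).
# Print every DB-port listener bound to a non-loopback address.
# Return 1 if any were found, 0 if all DB listeners are loopback-only.
find_exposed_db_listeners() {
  found=0
  while read -r state recvq sendq local peer rest; do
    [ -n "$local" ] || continue
    port="${local##*:}"   # text after the last ':' is the port
    addr="${local%:*}"    # everything before it is the address (may be [::] or *)
    for p in $DB_PORTS; do
      if [ "$port" = "$p" ] && ! is_loopback "$addr"; then
        echo "EXPOSED: port $port bound to $addr"
        found=1
      fi
    done
  done
  return $found
}

# Run the check against the live host (not invoked here; requires iproute2's ss).
audit_live_host() {
  ss -H -ltn | find_exposed_db_listeners
}

# Constructed sample output: PostgreSQL correctly on loopback (v4 and v6),
# MySQL wrongly on all interfaces, SSH on all interfaces (not a DB port).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 70 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

if printf '%s\n' "$SAMPLE_SS" | find_exposed_db_listeners; then
  echo "RESULT: all database listeners are loopback-only"
else
  echo "RESULT: database listener exposed on a non-loopback interface"
fi
```

On a real host, replace the sample with `audit_live_host`; a non-zero exit status is the evidence that the control is not met, and the printed lines identify which port and interface to fix in the DBMS configuration.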
Audit / evidence tips
- Ask: the network configuration file of the database server.
  Good: settings showing the database server restricted to local connections only.
- Good: logs showing only local connections or no unexpected external connection attempts.
- Ask: policy documents regarding database access. Inspect the document to ensure it clearly defines conditions under which external access might be granted.
  Good: policy document lists authorised personnel and scenarios that permit changing access settings.
- Ask: any change management records relating to database access settings. Review these for proper authorisation and reasoning for any changes to access permissions.
  Good: change record has approvals, reasoning, and impacts assessed.
Cross-framework mappings
How ISM-1272 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.9 | ISM-1272 requires a specific configuration state for database servers, where the DBMS is set to not accept remote connections unless need... | |
| Annex A 8.20 | ISM-1272 requires organisations to disable database networking or bind the DBMS listener to localhost when remote database access is not ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.