ISM-1479 - ASD Information Security Manual (ISM)

Minimise Server-to-Server Communication

Servers should reduce interaction with each other to enhance security.


Plain language

Servers should interact with each other as little as possible to keep your business safer. This is important because unnecessary communication between servers can be an entry point for cyber criminals to attack and spread malicious software, risking your data and operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Servers minimise communications with other servers at the network and file system level.

Why it matters

Excessive server-to-server and file share communication can spread malware rapidly, risking data integrity and disrupting services.


Operational notes

Review and restrict server-to-server network and file share paths; enforce allow-lists in firewalls/ACLs and remove unused ports/shares.


Implementation tips

  • IT team should evaluate current server communications: To minimise these interactions, they should map out how often servers talk to each other and identify which communications are essential. This can be done using network monitoring tools that show connections between servers.
  • System owners should authorise only necessary connections: They should work with the IT team to determine which server interactions are vital for business operations. This involves reviewing each server's role and ensuring only required interactions are allowed.
  • IT team should configure firewall rules: To enforce limited communication, they should set up firewall rules to block all unnecessary traffic between servers. This requires entering specific permissions that define which servers can talk to each other and on what terms.
  • Managers should set up regular reviews of server communication: A periodic check, perhaps monthly, should be conducted to ensure server interactions remain necessary and minimal. This involves checking logs and making adjustments based on changes in the business or updates in threats.
  • IT team should document changes and reasons: Any change to server communications should be documented clearly, stating the necessity and security implications. This ensures accountability and clarity for future reviews or audits.
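
The review loop described in these tips (map observed connections, compare them with the authorised allow-list, remove what is unused) can be sketched as follows. This is an added example, not part of the ISM or of this page's source; the server subnet, the addresses, the allow-list entries and the "src dst port action" flow record format are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: all servers live in this constructed subnet.
SERVER_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Assumption: authorised flows (src, dst, dst_port) with their recorded justification.
ALLOW_LIST = {
    ("10.10.0.11", "10.10.0.21", 5432): "web01 to db01, PostgreSQL",
    ("10.10.0.12", "10.10.0.21", 5432): "web02 to db01, PostgreSQL",
    ("10.10.0.11", "10.10.0.31", 445): "web01 to fs01, file share",
}

# Constructed flow records in a simplified "src dst port action" format.
SAMPLE_FLOWS = """\
10.10.0.11 10.10.0.21 5432 ACCEPT
10.10.0.11 10.10.0.21 5432 ACCEPT
10.10.0.12 10.10.0.21 5432 ACCEPT
10.10.0.21 10.10.0.11 445 ACCEPT
10.10.0.12 10.10.0.31 3389 ACCEPT
10.10.0.12 10.10.0.31 3389 DROP
192.168.5.7 10.10.0.11 443 ACCEPT
malformed line
"""

def is_server(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in SERVER_NETS)

def review(flow_text, allow_list):
    """Return (unexpected, unused): permitted server-to-server flows that are
    not authorised, and authorised flows that never appeared in the logs."""
    seen = Counter()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip records that do not parse
        src, dst, port, action = parts
        try:
            if action != "ACCEPT" or not (is_server(src) and is_server(dst)):
                continue  # only traffic that actually passed between servers
        except ValueError:
            continue
        seen[(src, dst, int(port))] += 1
    unexpected = {flow: n for flow, n in seen.items() if flow not in allow_list}
    unused = sorted(flow for flow in allow_list if flow not in seen)
    return unexpected, unused

if __name__ == "__main__":
    unexpected, unused = review(SAMPLE_FLOWS, ALLOW_LIST)
    for flow, n in sorted(unexpected.items()):
        print("not authorised, block or justify:", flow, "seen", n, "time(s)")
    for flow in unused:
        print("authorised but unused, candidate for removal:", flow, ALLOW_LIST[flow])
```

Each "unexpected" entry is a path to block or to take to the system owner for authorisation, and each "unused" entry is a rule or share to retire and record in the change log.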

Audit / evidence tips

  • Ask: A network diagram highlighting server connections: Request a visual map that shows how servers are currently connected. Good: Shows only essential paths highlighted and minimal connections between servers.
  • Ask: Server communication logs: Request logs showing which servers have communicated with each other over the past month. Good: Shows regular activity within known essential connections and fewer unexpected interactions.
  • Ask: Change records of server interaction settings: Request documentation of any changes made to server communication rules. Good: Is a log indicating thoughtful, reviewed changes with appropriate security justification.
  • Ask: Firewall rule configuration: Request evidence of the current firewall settings that limit server-to-server interactions. Good: Shows strict, intentional rules matching business needs.
  • Ask: The last review meeting notes on server communications: Request evidence of the most recent review of server interactions conducted by the IT team or management. Good: Will be a concise record of the discussion outlining any changes needed.

Cross-framework mappings

How ISM-1479 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (2)

  • Annex A 8.21: ISM-1479 requires servers to minimise communications with other servers at the network and file system level
  • Annex A 8.22: ISM-1479 requires servers to minimise communications with other servers at both the network layer and file system level to reduce lateral...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
