Prevent Script Execution by Unprivileged Users
Prevent users without admin rights from running scripts or commands that could pose security risks.
Plain language
This control is about stopping regular users from running scripts or commands on their computers that could be harmful. Imagine a situation where an employee accidentally runs a malicious script that steals company data or locks files for ransom. By ensuring that only trusted staff can run these types of scripts, you reduce the chance of such security breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guideline
Guidelines for system hardening
Section
Operating system hardening
Official control statement
Unprivileged users are prevented from running script execution engines, including:
- Windows Script Host (cscript.exe and wscript.exe)
- PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
- Command Prompt (cmd.exe)
- Windows Management Instrumentation (wmic.exe)
- Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).
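The following PowerShell script is an added example and is not code from the Control Stack page or from ASD. It builds an AppLocker executable-rule policy that denies the script execution engines named in the control to an unprivileged group, writes the policy to an XML file, and evaluates that file for a non-admin account with Test-AppLockerPolicy. It assumes (this is not stated on the page) that unprivileged staff are members of BUILTIN\Users (S-1-5-32-545) and that privileged staff sign in with separate accounts outside that group; substitute your own standard-users group SID if that does not hold. The account name in $TestUser is a placeholder.

```powershell
# Added example for ISM-1491; not code from the Control Stack page or from ASD.
# Builds an AppLocker Exe rule collection that denies the listed script engines to an
# unprivileged group, saves it, and tests the saved policy for a non-admin account.
# Assumptions (not from the page): $DeniedGroupSid holds only unprivileged accounts,
# privileged staff use separate accounts outside it, and $TestUser is a placeholder.

$DeniedGroupSid = 'S-1-5-32-545'             # BUILTIN\Users (assumed unprivileged population)
$TestUser       = 'CONTOSO\standard.user'    # placeholder unprivileged account to evaluate
$PolicyFile     = Join-Path $env:TEMP 'ism1491-applocker.xml'

# Engines named in the control, relative to the Windows directory. Both the 64-bit
# (System32) and 32-bit (SysWOW64) copies are listed so that the deny rule cannot be
# sidestepped by starting the other architecture's binary.
$EngineRelativePaths = @(
    'cscript.exe', 'wscript.exe', 'cmd.exe', 'mshta.exe', 'wbem\wmic.exe',
    'WindowsPowerShell\v1.0\powershell.exe', 'WindowsPowerShell\v1.0\powershell_ise.exe'
)
$EngineRulePaths = @(foreach ($rel in $EngineRelativePaths) {
    "%WINDIR%\System32\$rel"
    "%WINDIR%\SysWOW64\$rel"
})
$EngineRulePaths += '%PROGRAMFILES%\PowerShell\*\pwsh.exe'   # PowerShell 7+ install location

function New-FilePathRuleXml {
    param([string]$Name, [string]$Path, [string]$Sid, [string]$Action)
    $id = [guid]::NewGuid().ToString()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="ISM-1491" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# AppLocker evaluates explicit Deny rules before Allow rules, so the deny entries win
# even though the default allow rule permits everything under %WINDIR%.
$denyRules = foreach ($p in $EngineRulePaths) {
    New-FilePathRuleXml -Name "ISM-1491 deny $p" -Path $p -Sid $DeniedGroupSid -Action 'Deny'
}
# The default allow rules must stay in the collection: an enforced Exe collection that
# contains only deny rules blocks every executable on the machine.
$allowRules = @(
    New-FilePathRuleXml -Name 'Allow Everyone: Program Files' -Path '%PROGRAMFILES%\*' -Sid 'S-1-1-0' -Action 'Allow'
    New-FilePathRuleXml -Name 'Allow Everyone: Windows' -Path '%WINDIR%\*' -Sid 'S-1-1-0' -Action 'Allow'
    New-FilePathRuleXml -Name 'Allow Administrators: everything' -Path '*' -Sid 'S-1-5-32-544' -Action 'Allow'
)

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($allowRules -join "`n")
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
[IO.File]::WriteAllText($PolicyFile, $policyXml)

# Evaluate the saved policy for the test user against the binaries' real locations.
$realPaths = @(foreach ($rel in $EngineRelativePaths) {
    Join-Path "$env:SystemRoot\System32" $rel
    Join-Path "$env:SystemRoot\SysWOW64" $rel
})
$results = Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $realPaths -User $TestUser
$results | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

$stillAllowed = @($results | Where-Object { $_.PolicyDecision -notin 'Denied', 'DeniedByDefault' })
if ($stillAllowed.Count -gt 0) {
    Write-Warning "ISM-1491 gap: $($stillAllowed.Count) script engine path(s) still allowed for $TestUser"
} else {
    Write-Host "All listed script engine paths are denied to $TestUser by $PolicyFile"
}
# Deploying the file (Set-AppLockerPolicy -XmlPolicy or the Group Policy editor) and
# starting the Application Identity service are deliberately left to the administrator.
```

Run it on a workstation with the AppLocker cmdlets available; the table it prints is the kind of artefact the audit section asks for, since it shows each engine path, the decision for the test account, and the rule that produced it. Keep the deny group separate from any group that privileged accounts also belong to, otherwise administrators lose their own shells.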
Why it matters
Allowing unprivileged users to run script execution engines could lead to accidental execution of harmful scripts, risking data breaches or ransomware attacks.
Operational notes
Regularly audit and monitor use of script engines (PowerShell, cmd, WSH, wmic, mshta) and application control rules to ensure unprivileged users cannot bypass restrictions.
Implementation tips
- System administrators should configure group policies: Limit who can run script execution programs like PowerShell or Command Prompt by creating group policies. These policies should only allow trusted users, like IT staff, to run these tools.
- IT support should train users: Educate staff on the dangers of running unknown scripts. Use simple examples and scenarios to illustrate potential risks and ensure they understand to ask for help if uncertain.
- Managers should review user permissions: Regularly check who has admin rights and adjust permissions to align with their job needs. Ensure only staff needing script execution abilities have the necessary permissions.
- The IT team should monitor script activity: Use logging tools to keep an eye on when, where, and by whom scripts are run. This helps to spot any unusual activity quickly.
- Procurement should vet software purchases: Before purchasing, confirm software requirements to ensure they do not need script execution tools unless absolutely necessary. This prevents unnecessary security risks.
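The script below is an added example for the monitoring tip above and the operational note on auditing script engine use; it is not code from the Control Stack page or from ASD. It flags launches of the engines named in the control by accounts outside an approved list, using the fields carried by Security event 4688 (process creation). Run with -Live to read the local Security log; without it, constructed sample records are used. The approved-account list, the account names and the sample records are all made up for illustration, and the live path assumes process creation auditing (ideally with command line logging) is enabled.

```powershell
# Added example, not from the Control Stack page or from ASD: detect script execution
# engine launches by accounts that are not on the approved (privileged) list.
# Assumptions (not from the page): the approved accounts and the sample records are
# constructed; with -Live, Security event 4688 is being recorded on this machine.

param([switch]$Live)

$ScriptEngines = @('cscript.exe', 'wscript.exe', 'powershell.exe', 'powershell_ise.exe',
                   'pwsh.exe', 'cmd.exe', 'wmic.exe', 'mshta.exe')       # engines listed in ISM-1491
$ApprovedAccounts = @('CONTOSO\it.admin', 'NT AUTHORITY\SYSTEM')         # assumed privileged accounts

# Constructed sample records, in the shape ConvertFrom-ProcessCreationEvent produces.
$SampleRecords = @(
    [pscustomobject]@{ Time = '2026-03-19 09:02:11'; Account = 'CONTOSO\it.admin'
                       Process = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       Parent = 'C:\Windows\explorer.exe'; CommandLine = 'powershell.exe -File C:\ops\patch.ps1' }
    [pscustomobject]@{ Time = '2026-03-19 09:05:43'; Account = 'CONTOSO\j.smith'
                       Process = 'C:\Windows\System32\wscript.exe'
                       Parent = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
                       CommandLine = 'wscript.exe "C:\Users\j.smith\Downloads\invoice.js"' }
    [pscustomobject]@{ Time = '2026-03-19 09:06:02'; Account = 'CONTOSO\j.smith'
                       Process = 'C:\Windows\System32\notepad.exe'
                       Parent = 'C:\Windows\explorer.exe'; CommandLine = 'notepad.exe' }
    [pscustomobject]@{ Time = '2026-03-19 09:10:30'; Account = 'CONTOSO\a.jones'
                       Process = 'C:\Windows\SysWOW64\mshta.exe'
                       Parent = 'C:\Windows\System32\cmd.exe'; CommandLine = 'mshta.exe C:\Users\a.jones\Desktop\form.hta' }
)

function ConvertFrom-ProcessCreationEvent {
    # Normalise a Security 4688 event into the fields the detection needs, reading the
    # EventData elements by name rather than by position.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process     = $data['NewProcessName']
        Parent      = $data['ParentProcessName']
        CommandLine = $data['CommandLine']
    }
}

function Find-UnprivilegedScriptEngineUse {
    param([object[]]$Records, [string[]]$Engines, [string[]]$Approved)
    foreach ($r in $Records) {
        $exe = [IO.Path]::GetFileName($r.Process)
        # -contains and -notcontains are case-insensitive, which suits Windows paths and names.
        if ($Engines -contains $exe -and $Approved -notcontains $r.Account) {
            [pscustomobject]@{
                Time = $r.Time; Account = $r.Account; Engine = $exe
                Parent = $r.Parent; CommandLine = $r.CommandLine
            }
        }
    }
}

$records = if ($Live) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-ProcessCreationEvent -Event $_ }
} else {
    $SampleRecords
}

$findings = @(Find-UnprivilegedScriptEngineUse -Records $records -Engines $ScriptEngines -Approved $ApprovedAccounts)
if ($findings.Count -eq 0) {
    Write-Host 'No script engine launches by unapproved accounts found.'
} else {
    Write-Warning "$($findings.Count) script engine launch(es) by unapproved accounts:"
    $findings | Format-Table -AutoSize
}
```

The parent process and command line are carried through deliberately: an engine started by a mail client or a document reader, as in the sample, is the "employee accidentally runs a script" case the plain-language summary describes, and an allow-listed administrator running the same engine from a shell is not. Once the AppLocker rules are enforced, any finding from an unapproved account also indicates that the control itself has a gap on that machine.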
Audit / evidence tips
- Ask for the group policy settings documentation: Request the policy files that show who can run script execution engines.
  Good evidence: shows detailed restrictions ensuring only authorised users have access.
- Ask for script execution logs: Request output from monitoring tools showing script execution activity.
  Good evidence: includes a log without signs of abnormal use by unauthorised users.
- Ask for user training records: Review attendance records or training materials to ensure employees have been briefed on script risks.
  Good evidence: shows recent training sessions and consistent messaging.
- Ask for a list of users with admin rights: Obtain a report that details who has the rights to execute scripts.
  Good evidence: shows that only a limited number of users, aligned with their roles, have such access.
- Ask for procurement process documentation: Review the criteria used for software purchases to ensure no excessive execution rights are needed.
  Good evidence: includes a stringent review process aligning with the control.
Cross-framework mappings
How ISM-1491 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.18 | Annex A 8.18 requires restricting and tightly controlling utility programs that can override system and application controls, addressing ... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-AC-ML1.3 | ISM-1491 requires organisations to prevent unprivileged users from running specific script execution engines (such as PowerShell, cmd.exe... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.