ISM-1491: ASD Information Security Manual (ISM)

Prevent Script Execution by Unprivileged Users

Prevent users without admin rights from running scripts or commands that could pose security risks.


Plain language

This control is about stopping regular users from running scripts or commands on their computers that could be harmful. Imagine a situation where an employee accidentally runs a malicious script that steals company data or locks files for ransom. By ensuring that only trusted staff can run these types of scripts, you reduce the chance of such security breaches.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Unprivileged users are prevented from running script execution engines, including:

  • Windows Script Host (cscript.exe and wscript.exe)
  • PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
  • Command Prompt (cmd.exe)
  • Windows Management Instrumentation (wmic.exe)
  • Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).

Why it matters

Allowing unprivileged users to run script execution engines could lead to accidental execution of harmful scripts, risking data breaches or ransomware attacks.


Operational notes

Regularly audit and monitor use of script engines (PowerShell, cmd, WSH, wmic, mshta) and application control rules to ensure unprivileged users cannot bypass restrictions.
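
One way to run the audit described above, as an added example that is not part of the ISM or of this page's original content: the Python sketch scans Windows process-creation records (Security event 4688) for the engines named in the control statement that started below high integrity. The list-of-dicts record layout, the sample records and the choice to treat high and system integrity as privileged are assumptions.

```python
from pathlib import PureWindowsPath

# Executables named in the ISM-1491 control statement.
ISM_1491_ENGINES = {
    "cscript.exe", "wscript.exe", "powershell.exe", "powershell_ise.exe",
    "pwsh.exe", "cmd.exe", "wmic.exe", "mshta.exe",
}

# Mandatory Label SIDs from event 4688. Assumption: high (12288) and
# system (16384) integrity count as privileged; anything else, including
# a missing label, counts as unprivileged.
PRIVILEGED_LABELS = {"S-1-16-12288", "S-1-16-16384"}


def find_violations(events):
    """Return 4688 records where an ISM-1491 engine started unprivileged."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue  # only process-creation events are relevant
        # Compare on the lower-cased file name so path and case do not matter.
        image = PureWindowsPath(ev.get("NewProcessName", "")).name.lower()
        if image not in ISM_1491_ENGINES:
            continue
        if ev.get("MandatoryLabel") in PRIVILEGED_LABELS:
            continue  # elevated or system context: outside this control
        findings.append({"host": ev.get("Computer"),
                         "user": ev.get("SubjectUserName"),
                         "engine": image,
                         "parent": ev.get("ParentProcessName")})
    return findings


# Constructed sample records for illustration; not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "MandatoryLabel": "S-1-16-8192"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "it-admin",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "MandatoryLabel": "S-1-16-12288"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "akhan",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "MandatoryLabel": "S-1-16-8192"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "akhan",
     "NewProcessName": r"C:\Windows\SysWOW64\MSHTA.EXE",
     "ParentProcessName": r"C:\Program Files\Mail\mail.exe", "MandatoryLabel": "S-1-16-8192"},
    {"EventID": 4689, "Computer": "WS02", "SubjectUserName": "akhan"},
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_EVENTS):
        print(finding)
```

Any finding means an engine was able to start in an unprivileged context, so the application control rule for that host or user needs review. Matching is by file name only, so renamed copies are not detected; the check complements the application control rules rather than replacing them.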


Implementation tips

  • System administrators should configure group policies: Limit who can run script execution programs like PowerShell or Command Prompt by creating group policies. These policies should only allow trusted users, like IT staff, to run these tools.
  • IT support should train users: Educate staff on the dangers of running unknown scripts. Use simple examples and scenarios to illustrate potential risks and ensure they understand to ask for help if uncertain.
  • Managers should review user permissions: Regularly check who has admin rights and adjust permissions to align with their job needs. Ensure only staff needing script execution abilities have the necessary permissions.
  • The IT team should monitor script activity: Use logging tools to keep an eye on when, where, and by whom scripts are run. This helps to spot any unusual activity quickly.
  • Procurement should vet software purchases: Before purchasing, confirm software requirements to ensure they do not need script execution tools unless absolutely necessary. This prevents unnecessary security risks.

Audit / evidence tips

  • Ask: The group policy settings documentation: Request the policy files that show who can run script execution engines. Good: Shows detailed restrictions ensuring only authorised users have access.
  • Ask: Script execution logs: Request output from monitoring tools showing script execution activity. Good: Includes a log without signs of abnormal use by unauthorised users.
  • Ask: User training records: Review attendance records or training materials to ensure employees have been briefed on script risks. Good: Shows recent training sessions and consistent messaging.
  • Ask: A list of users with admin rights: Obtain a report that details who has the rights to execute scripts. Good: Shows that only a limited number of users, aligned with their roles, have such access.
  • Ask: Procurement process documentation: Review the criteria used for software purchases to ensure no excessive execution rights are needed. Good: Includes a stringent review process aligning with the control.

Cross-framework mappings

How ISM-1491 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially overlaps (1)
Annex A 8.18 Annex A 8.18 requires restricting and tightly controlling utility programs that can override system and application controls, addressing ...

E8

Control Notes Details
Partially meets (1)
E8-AC-ML1.3 ISM-1491 requires organisations to prevent unprivileged users from running specific script execution engines (such as PowerShell, cmd.exe...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
