Prevent Unauthorised Changes to Security Settings
Ensure non-admin users cannot change or disable security settings on operating systems.
Plain language
This control is about making sure that everyday users can't mess with important security settings on their computers. It matters because if anyone could change these settings, they might accidentally or intentionally turn off protections that keep your data safe and secure.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Operating system hardening
Official control statement
Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems.
Why it matters
If unprivileged users can change OS security settings, protections may be disabled, enabling malware execution or unauthorised access.
Operational notes
Restrict OS security setting changes to admins via GPO/MDM, and monitor/audit events for attempts to disable or bypass controls.
Implementation tips
- The IT team should set user permissions: They need to configure computers so that only authorised administrators can change system security settings. This can be done by setting up accounts for regular users with restrictions in the system settings.
- Managers should check user roles: They need to ensure employees have the correct level of access for their job. They can liaise with IT to understand which roles need more, or fewer, permissions.
- System owners should organise regular checks: They should work with IT to periodically review and confirm that no unauthorised changes have been made to system settings by running system audits.
- HR, in conjunction with IT, should run training sessions: Explain to staff why they should not attempt to change security settings, and clarify the potential risks involved. Conduct training during onboarding and as part of regular security awareness programmes.
- Procurement teams should evaluate software before purchase: Ensure that any new systems or software bought for the company have the capability to limit changes to security settings by regular users. They can include these requirements in procurement checklists.
Audit / evidence tips
- Ask for a user access control list: Request a document that shows which employees have administrative privileges. Good: the list will show only a few trusted administrators with these privileges.
- Ask for policy documents on user roles: Request written policies that outline roles and access levels. Check that roles are clearly defined with restrictions on changing security settings. Good: the policy explains the role structure and security measure responsibilities.
- Ask for system audit logs: Request a recent log of security changes on key systems. Check entries to see if unauthorised users have altered settings. Good: logs will show that only authorised users made changes and all entries are properly documented.
- Ask for content from security awareness sessions: Check that materials include information about the risks of changing security settings. Good: training resources will explain risks in relatable terms and show completion records for staff.
- Ask for procurement documents: Request samples of requirement checklists used in software purchases. Check for criteria related to locking down security settings. Good: documents include notes on the ability to restrict user access to security configurations.
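A worked illustration of the audit-log check described in the operational notes and the audit tips above (added example code, not part of the Control Stack page or the ISM): it runs over constructed Windows Security event records and flags security-setting changes whose actor is not on a hypothetical admin allowlist. The allowlist, hosts, times and account names are assumptions; the event IDs are standard Windows Security log IDs for policy changes.

```python
"""Audit check: which security-setting changes were made by non-admin accounts?"""

# Constructed sample records, shaped like Windows Security log entries reduced to
# the fields an audit reviewer needs. The event IDs are real Windows IDs for
# policy changes; hosts, times and account names are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2026-03-01T08:02", "host": "WS-014", "event_id": 4719,
     "user": "CORP\\it.admin1"},   # system audit policy changed, by an admin
    {"time": "2026-03-01T09:15", "host": "WS-014", "event_id": 4950,
     "user": "CORP\\jsmith"},      # firewall setting changed, by a normal user
    {"time": "2026-03-01T09:16", "host": "WS-014", "event_id": 4657,
     "user": "CORP\\JSmith"},      # registry value modified, same user, odd case
    {"time": "2026-03-01T11:30", "host": "SRV-DC1", "event_id": 4739,
     "user": "CORP\\it.admin2"},   # domain policy changed, by an admin
    {"time": "2026-03-01T12:01", "host": "WS-022", "event_id": 4624,
     "user": "CORP\\jsmith"},      # plain logon: not a security-setting change
]

# Event IDs this check treats as changes to OS security functionality.
SECURITY_CHANGE_EVENTS = {
    4719: "system audit policy changed",
    4739: "domain policy changed",
    4950: "firewall setting changed",
    4657: "registry value modified",
}

# Hypothetical allowlist of accounts authorised to change security settings.
AUTHORISED_ADMINS = {"corp\\it.admin1", "corp\\it.admin2"}


def find_unauthorised_changes(events, authorised=AUTHORISED_ADMINS):
    """Return change events whose actor is not on the admin allowlist.

    Windows account names are case-insensitive, so compare in lower case;
    records that are not security-setting changes are skipped.
    """
    findings = []
    for ev in events:
        reason = SECURITY_CHANGE_EVENTS.get(ev["event_id"])
        if reason and ev["user"].lower() not in authorised:
            findings.append({**ev, "reason": reason})
    return findings


if __name__ == "__main__":
    hits = find_unauthorised_changes(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['time']} {h['host']} {h['user']}: {h['reason']} (event {h['event_id']})")
    print(f"{len(hits)} unauthorised change(s); a clean audit expects 0")
```

A clean result for this control is an empty findings list; any hit is evidence that an unprivileged account altered OS security functionality and should be followed up with the relevant system owner.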
Cross-framework mappings
How ISM-1584 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 8.18 | ISM-1584 ensures that unprivileged users are prevented from bypassing, disabling or modifying operating system security functionality | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (4) | | |
| E8-AH-ML1.4 | E8-AH-ML1.4 requires that users cannot change web browser security settings | |
| E8-RM-ML1.4 | E8-RM-ML1.4 requires that Microsoft Office macro security settings cannot be changed by users | |
| E8-AH-ML3.2 | E8-AH-ML3.2 requires organisations to disable or remove Windows PowerShell 2.0 | |
| E8-RA-ML3.5 | ISM-1584 requires technical enforcement so unprivileged users cannot bypass, disable or modify operating system security functionality an... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.