Hardening Virtual Server Isolation Configuration
Secure virtual servers by simplifying controls and restricting admin interface access.
Plain language
This control is about making sure that virtual servers, which are like digital versions of physical servers, are kept secure by limiting what they can do and who can access them for management. If this isn't done, hackers might get access to sensitive information or even take control of your servers, which could lead to data breaches, downtime, and damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
July 2020
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Virtualisation hardening
Official control statement
When using a software-based isolation mechanism to share a physical server's hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism.
Why it matters
Poorly isolated virtual servers are vulnerable to cross-tenant attacks and data leakage, risking critical data theft and service outages.
Operational notes
Review hypervisor/admin interface access regularly (MFA, least privilege) and disable unused isolation features/plugins to reduce attack surface.
Implementation tips
- The IT team should identify and disable any unnecessary features in the virtual server software. This involves reviewing all current functionality and retaining only what is necessary for current operational tasks, reducing the risk of misuse.
- System administrators should set up strict access controls for the administration interface of the servers. This can be achieved by using strong passwords and limiting administrative access to only those who truly need it for their job, thereby narrowing the opportunity for unauthorised access.
- Managers should ensure that the IT team regularly reviews user access to the server management interface. Conduct quarterly meetings to confirm that only authorised personnel have access and adjust permissions if someone changes roles or leaves the organisation.
- Procurement managers should verify with cloud or software service providers that security features in virtual server software meet ACSC (Australian Cyber Security Centre) guidelines. This step ensures the purchased software is compliant and focused on security from the start.
- IT leaders should enforce regular training sessions for staff on recognising and reporting suspicious activities. Use practical scenarios to help everyone understand the importance of vigilance and quick reporting of potential security threats.
Audit / evidence tips
- Ask: a list of disabled features on the virtual servers
  Good: includes a documented list specifying disabled features and a date of last review
- Good: includes a limited number of users with detailed roles justifying their access
- Ask: logs of past reviews of server configurations
  Good: detailed logs showing consistent review frequency and actions, if changes were made
- Good: would have dated notes with clear actions on restricting or maintaining access
- Ask: training schedules and materials used for security awareness training
  Good: includes recent and relevant training sessions with materials tailored to current threats
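The operational notes, implementation tips and evidence tips above describe the same four expectations: unneeded functionality disabled, the administrative interface confined to those who need it (MFA, least privilege), a documented justification for each administrator, and a review on a regular (quarterly) cadence. The following is an added example, not code from the ISM or from the Control Stack page, of how a team might encode those expectations as an automated check that produces audit-ready findings. The `HostConfig` and `AdminAccount` structures, their field names, the service names, addresses, accounts and dates are all constructed assumptions and do not correspond to any hypervisor vendor's API; the 90-day interval is an assumption drawn from the quarterly review suggested in the tips.

```python
"""Hardening check for a hypervisor's admin interface and feature set.

Added example: evaluates a constructed host description against the
expectations of ISM-1604 (unneeded functionality removed, administrative
interface restricted) and the quarterly review cadence suggested in the tips.
All structures and sample values below are assumptions, not a vendor API.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

REVIEW_INTERVAL_DAYS = 90           # quarterly review cadence (assumption)
WILDCARD_BINDS = {"0.0.0.0", "::"}  # listening on every interface


@dataclass
class AdminAccount:
    name: str
    role: str
    mfa: bool
    justification: str = ""  # documented reason this account needs access


@dataclass
class HostConfig:
    enabled_services: set[str]         # what is actually running on the host
    required_services: set[str]        # the allow-list the team has approved
    admin_listen_addresses: list[str]  # where the admin interface listens
    management_network: str            # CIDR that admin traffic is confined to
    admins: list[AdminAccount]
    last_access_review: date


def check_host(cfg: HostConfig, today: date) -> list[str]:
    """Return one human-readable finding per deviation from the control."""
    findings: list[str] = []

    # Unneeded functionality: anything enabled that is not on the allow-list.
    for svc in sorted(cfg.enabled_services - cfg.required_services):
        findings.append(f"unneeded service enabled: {svc}")

    # The admin interface must only be reachable from the management network.
    mgmt = ip_network(cfg.management_network)
    for addr in cfg.admin_listen_addresses:
        if addr in WILDCARD_BINDS:
            findings.append(f"admin interface bound to all interfaces: {addr}")
        elif ip_address(addr) not in mgmt:
            findings.append(f"admin interface reachable outside management network: {addr}")

    # MFA and a documented justification for everyone who can administer the host.
    for acct in cfg.admins:
        if not acct.mfa:
            findings.append(f"admin without MFA: {acct.name}")
        if not acct.justification.strip():
            findings.append(f"admin without documented justification: {acct.name} ({acct.role})")

    # The access review must have happened within the agreed interval.
    if today - cfg.last_access_review > timedelta(days=REVIEW_INTERVAL_DAYS):
        findings.append(
            f"admin access review overdue: last reviewed {cfg.last_access_review.isoformat()}"
        )
    return findings


# Constructed sample host with several deliberate deviations.
SAMPLE_HOST = HostConfig(
    enabled_services={"hypervisor-core", "management-api", "ssh", "legacy-web-console", "snmp"},
    required_services={"hypervisor-core", "management-api", "ssh"},
    admin_listen_addresses=["10.20.0.5", "0.0.0.0"],
    management_network="10.20.0.0/24",
    admins=[
        AdminAccount("alice", "virt-admin", mfa=True, justification="primary hypervisor operator"),
        AdminAccount("bob", "virt-admin", mfa=False, justification="backup operator"),
        AdminAccount("svc-backup", "backup-reader", mfa=True),
    ],
    last_access_review=date(2025, 11, 1),
)


def sample_findings(today: date = date(2026, 3, 19)) -> list[str]:
    """Run the check against the constructed sample host."""
    return check_host(SAMPLE_HOST, today)


if __name__ == "__main__":
    for line in sample_findings():
        print("FINDING:", line)
```

The check is written as an allow-list (`required_services`) rather than a block-list, so a newly appearing feature or plugin is flagged by default instead of being silently accepted, and the output lines are the kind of dated, per-item evidence the audit tips ask for.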
Cross-framework mappings
How ISM-1604 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (3) | |
| Annex A 5.15 | ISM-1604 requires hardening of the virtual server isolation mechanism and restricting access to the administrative interface used to mana... |
| Annex A 8.3 | ISM-1604 requires hardening of the virtual isolation mechanism and restricting access to its administrative interface |
| Annex A 8.9 | ISM-1604 requires a hardened configuration for the software-based isolation mechanism, including removing unneeded functionality and rest... |
| Supports (3) | |
| Annex A 5.18 | ISM-1604 requires that access to the administrative interface of the software isolation mechanism is restricted as part of hardening |
| Annex A 8.2 | ISM-1604 requires restricting access to the administrative interface used to manage the isolation mechanism, reducing who can administer ... |
| Annex A 8.20 | ISM-1604 requires hardening the virtualisation/isolation mechanism and restricting administrative interface access, which often includes ... |
E8
| Control | Notes |
|---|---|
| Supports (2) | |
| E8-RA-ML2.4 | ISM-1604 requires the administrative interface for the isolation mechanism (e.g |
| E8-RA-ML3.3 | ISM-1604 requires the virtualisation/isolation mechanism to be hardened by removing unneeded functionality and restricting access to the ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.