Harden Operating Systems for Secure Virtual Environments
Ensure systems sharing a server are protected by hardening the underlying operating system.
Plain language
When you have several systems sharing the same server, it's like multiple households sharing one house. If one system gets hacked, the others are at risk too. Hardening the operating system is like making sure each household locks their doors and windows securely, so if one neighbour leaves theirs open, it doesn't put everyone else in danger.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Virtualisation hardening
Official control statement
When using a software-based isolation mechanism to share a physical server's hardware, the underlying operating system is hardened.
Why it matters
In a shared virtual environment the host operating system is the trust boundary for every guest on that server. If it is not hardened, a compromise of the host (or a guest escape that reaches it) exposes all the workloads it carries: cross-VM access, data loss and service disruption.
Operational notes
Maintain a hardened baseline for each hypervisor/VM host operating system; patch promptly, disable unused services, and audit the running configuration against the baseline on a regular schedule so that drift is detected and corrected rather than left to accumulate.
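The baseline-versus-running-configuration audit described above can be scripted as a comparison of expected settings against what the host reports. The shell script below is an added example written for this page, not code from the ISM or Control Stack; the baseline keys, the sample values and the collection commands are assumptions for illustration (a Linux/KVM host managed with systemd, sysctl and OpenSSH), and the demo runs on constructed sample files rather than inspecting a real host.

```shell
#!/bin/sh
# Added example, not from the ISM or Control Stack: audit a hypervisor host's
# running settings against a hardened baseline and report drift.
#
# Baseline and "current state" files hold one "key=value" per line. The keys,
# sample values and collection commands below are assumptions for illustration.

# check_drift BASELINE CURRENT
# Prints one line per setting that is missing from CURRENT or differs from the
# baseline value. Returns 1 if any drift was found, 0 if the host matches.
check_drift() {
    baseline=$1
    current=$2
    drift=0
    while IFS='=' read -r key expected; do
        case "$key" in ''|'#'*) continue ;; esac   # skip blanks and comments
        # Exact key match: keys contain dots, so they must not be used as a regex.
        # awk prints "1<value>" when the key exists, "0" when it is absent.
        hit=$(awk -F= -v k="$key" \
            '$1 == k { found = 1; val = substr($0, length(k) + 2); exit }
             END { if (found) print "1" val; else print "0" }' "$current")
        if [ "$hit" = 0 ]; then
            printf 'MISSING  %s (expected %s)\n' "$key" "$expected"
            drift=1
        else
            actual=${hit#1}
            if [ "$actual" != "$expected" ]; then
                printf 'DRIFT    %s: expected %s, found %s\n' "$key" "$expected" "$actual"
                drift=1
            fi
        fi
    done < "$baseline"
    return $drift
}

# drift_count BASELINE CURRENT: number of deviations (handy for dashboards/tests)
drift_count() {
    check_drift "$1" "$2" | wc -l | tr -d ' '
}

# collect_current: how the CURRENT file would be produced on a real host.
# Assumes systemd, sysctl and OpenSSH; sshd -T typically needs root. It is
# not run in the demo so that the example works offline.
collect_current() {
    for unit in avahi-daemon cups bluetooth; do
        state=$(systemctl is-enabled "$unit" 2>/dev/null || true)
        printf 'service.%s=%s\n' "$unit" "${state:-not-installed}"
    done
    for k in kernel.kptr_restrict kernel.yama.ptrace_scope kernel.dmesg_restrict; do
        printf 'sysctl.%s=%s\n' "$k" "$(sysctl -n "$k" 2>/dev/null)"
    done
    sshd -T 2>/dev/null | awk '$1 == "permitrootlogin" || $1 == "passwordauthentication" \
        { print "sshd." $1 "=" $2 }'
}

# write_samples BASELINE CURRENT: constructed sample data for a KVM host.
# The "current" file deliberately drifts in two places and omits one setting.
write_samples() {
    cat > "$1" <<'EOF'
# services that must stay disabled on the host (systemctl is-enabled)
service.avahi-daemon=disabled
service.cups=disabled
service.bluetooth=disabled
# kernel settings (sysctl -n)
sysctl.kernel.kptr_restrict=2
sysctl.kernel.yama.ptrace_scope=1
sysctl.kernel.dmesg_restrict=1
# management access (sshd -T)
sshd.permitrootlogin=no
sshd.passwordauthentication=no
EOF
    cat > "$2" <<'EOF'
service.avahi-daemon=disabled
service.cups=enabled
service.bluetooth=disabled
sysctl.kernel.kptr_restrict=2
sysctl.kernel.yama.ptrace_scope=0
sysctl.kernel.dmesg_restrict=1
sshd.permitrootlogin=no
EOF
}

# Demo on the constructed samples (no real host is inspected).
tmp=$(mktemp -d)
write_samples "$tmp/baseline" "$tmp/current"
if check_drift "$tmp/baseline" "$tmp/current"; then
    echo "host matches baseline"
else
    echo "host deviates from baseline: review the lines above"
fi
rm -rf "$tmp"
```

On a real host, run `collect_current > current.txt` as root and then `check_drift baseline.txt current.txt`; the non-zero exit status makes the check usable as a scheduled job or a gate in a configuration pipeline, and the printed lines, kept alongside the baseline, are the kind of evidence an auditor asking for a configuration document of the shared servers would expect to see.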
Implementation tips
- IT team should review server configurations: Ensure operating systems on shared servers are configured to a hardened baseline. This involves adjusting settings to minimise exposure (removing unused services and accounts, restricting management interfaces) and applying security updates as soon as they are available.
- System owners should coordinate with IT to conduct regular vulnerability scans: Use vulnerability scanning tools to check host operating systems for weaknesses that could be exploited. Schedule these scans at least monthly and remediate findings promptly, prioritised by severity.
- Managers should oversee user-access management: Limit who can access the host servers to only those who genuinely need it. Set clear permission levels so staff only have the access necessary for their role.
- Procurement should ensure software compatibility: Before purchasing new software, confirm with the IT team that it is compatible with the current server setup and will not require weakening the hardened configuration.
- HR should organise security awareness training: Educate staff on why these security measures are in place and how their behaviour affects the organisation. This can be done through quarterly training sessions.
Audit / evidence tips
- Ask for a configuration document of the shared servers: Request a document showing how each server's host operating system is configured.
  Good: Configuration settings match security best practices and the organisation's hardening guidelines.
- Ask to see the reports from recent vulnerability scans conducted on the host operating systems.
  Good: Reports show minimal vulnerabilities and proof of timely rectification.
- Ask for access logs: Request logs of who has accessed the servers over the past 6 months.
  Good: Logs show only authorised users, with no unexpected access attempts.
- Good: All software is officially approved and regularly updated.
- Ask for training attendance records: Request proof of staff attending security awareness sessions, and confirm these are recent and cover the essential topics.
  Good: The majority of staff have attended recent training, with sessions covering key security protocols.
Cross-framework mappings
How ISM-1605 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Relationship: Supports (2)
| Control | Notes |
|---|---|
| Annex A 8.8 | ISM-1605 requires hardening of the underlying operating system that hosts software-based isolation (e.g., hypervisor/host OS) to protect ... |
| Annex A 8.9 | ISM-1605 requires that the underlying operating system for software-based isolation on shared servers is hardened, which relies on establ... |
E8
Relationship: Supports (2)
| Control | Notes |
|---|---|
| E8-PO-ML3.3 | ISM-1605 requires the host operating system underpinning software-based isolation on shared servers to be hardened to reduce the likeliho... |
| E8-PO-ML3.9 | ISM-1605 requires that the underlying host operating system is hardened when using software-based isolation to share physical server hard... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.