Restrict Privileged Accounts Access to Non-Privileged Environments
Privileged users aren't allowed to log into standard environments to ensure security.
Plain language
This control means that people with special access to make changes on computer systems (privileged users) should not use their special accounts to access regular work environments. This is important because if their accounts get compromised, it could allow hackers to make unauthorised changes or access sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system management
Section
System administration
Official control statement
Privileged user accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
Why it matters
If privileged accounts can log on to standard desktops, malware or phishing on those hosts can steal admin credentials and enable rapid privilege escalation across the network.
Operational notes
Enforce deny logon (interactive/RDP) for privileged accounts on user PCs and require admin tasks via PAWs. Review logon events to confirm privileged logons only occur on approved admin hosts.
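The logon-event review described above, as an added example that is not part of the control text or of ASD guidance. It assumes Windows Security log events (4624 successful logon, 4625 failed logon; logon types 2 interactive and 10 RDP) exported to a constructed five-column CSV; the account names, host names and column layout are hypothetical.

```python
# Added example: sample data is constructed; account and host names are hypothetical.
import csv
import io

# Windows Security log: 4624 = successful logon, 4625 = failed logon.
# Logon types reviewed: 2 = interactive, 10 = RemoteInteractive (RDP).
WATCHED_TYPES = {"2", "10"}

PRIVILEGED_ACCOUNTS = {"adm-jsmith", "adm-akhan"}  # hypothetical privileged account list
APPROVED_ADMIN_HOSTS = {"paw-01", "paw-02"}        # hypothetical approved admin hosts (PAWs)

# Constructed export, columns: time,event_id,logon_type,account,host
SAMPLE_EVENTS = """\
2026-03-02T08:01:11,4624,2,adm-jsmith,PAW-01
2026-03-02T08:15:40,4624,10,adm-akhan,WKS-114
2026-03-02T09:02:03,4625,2,adm-jsmith,WKS-027
2026-03-02T09:30:57,4624,2,jsmith,WKS-027
2026-03-02T10:12:19,4624,3,adm-akhan,WKS-114
2026-03-02T11:45:00,4624,2,CORP\\ADM-AKHAN,wks-200.corp.example
"""

def normalise_account(name):
    """Drop a DOMAIN\\ prefix or @domain suffix and lower-case the name."""
    return name.split("\\")[-1].split("@")[0].strip().lower()

def normalise_host(name):
    """Lower-case and drop any DNS suffix so PAW-01 matches paw-01.corp.example."""
    return name.strip().lower().split(".")[0]

def review_logons(export_text):
    """Return (violations, blocked) for privileged logons on non-approved hosts."""
    violations, blocked = [], []
    fields = ["time", "event_id", "logon_type", "account", "host"]
    for row in csv.DictReader(io.StringIO(export_text), fieldnames=fields):
        account, host = normalise_account(row["account"]), normalise_host(row["host"])
        if account not in PRIVILEGED_ACCOUNTS or host in APPROVED_ADMIN_HOSTS:
            continue  # standard account, or privileged logon on an approved host
        if row["logon_type"] not in WATCHED_TYPES:
            continue  # only interactive and RDP logons are reviewed here
        finding = (row["time"], account, host)
        if row["event_id"] == "4624":
            violations.append(finding)  # logon succeeded: deny-logon is not enforced
        elif row["event_id"] == "4625":
            blocked.append(finding)     # attempt was made and refused
    return violations, blocked

if __name__ == "__main__":
    print(review_logons(SAMPLE_EVENTS))
```

Successful logons in the first list mean the deny-logon setting is missing on that host; the second list is the record of attempts that were refused.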
Implementation tips
- IT team should identify who has privileged accounts: Make a list of all users with enhanced system access and clearly document the purpose of each account. This can be done by reviewing user access logs and collaborating with department heads to ensure all privileged users are known.
- System administrators should set up separate accounts: Ensure that each privileged user has a regular account for day-to-day activities and a separate privileged account for maintenance or configuration tasks. Implement a clear policy stating this practice and educate users about its importance.
- Network security team should enforce access controls: Use tools or systems that block privileged accounts from accessing non-privileged environments. This can involve configuring network firewalls or access management systems to ensure these rules are strictly followed.
- Managers should conduct regular reviews: Schedule quarterly reviews to check that privileged accounts are used properly. During these reviews, look for any sign of misuse, such as privileged logins to regular environments.
- Training and awareness officer should provide regular training: Hold awareness sessions for privileged users explaining why they should not use their special access for regular tasks. Include examples of potential risks and damages involved if this control is not followed.
Audit / evidence tips
- Ask for the privileged account list: Request a current list of all users with privileged access and their roles.
  Good: The list has clear justifications for each user and shows regular updates.
- Ask for the account separation policy: Request the written policy that explains the separation of regular accounts from privileged accounts. Check that the policy is clear and accessible to staff.
  Good: The policy aligns with the control's requirement and is dated with periodic reviews.
- Ask for evidence of blocked logins: Request logs or reports showing attempts to use privileged accounts in regular environments.
  Good: The report shows that the system effectively blocks unauthorized access.
- Ask for training materials: Request copies of training materials related to this control.
  Good: The training program provides clear guidance and regularly scheduled sessions.
- Ask to see audit reports: Request recent audit reports regarding privileged account activities.
  Good: The report shows compliance with this control with no significant issues noted.
Cross-framework mappings
How ISM-1689 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 8.31 | Annex A 8.31 requires development, testing and production environments to be separated and secured | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-RA-ML1.6 | E8-RA-ML1.6 requires that unprivileged accounts cannot logon to privileged operating environments | |
| Supports (2) | | |
| E8-RA-ML1.5 | E8-RA-ML1.5 requires privileged users to operate in separate privileged and unprivileged environments | |
| E8-RA-ML2.3 | ISM-1689 requires privileged user accounts to be prevented from logging on to unprivileged operating environments to reduce exposure and ... | |
| Related (1) | | |
| E8-RA-ML1.7 | E8-RA-ML1.7 requires that privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.