Restrict File System Permission Changes
Only authorised users can change file permissions for approved applications to maintain system security.
Plain language
This control ensures that only people who are allowed to do so can change the permissions for important files and folders on your computer or server. This is important because if the wrong person changes these permissions, it could make sensitive information vulnerable to being seen or altered by unauthorised people, leading to potential data breaches or system malfunctions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardeningSection
Operating system hardeningTopic
Application ControlOfficial control statement
When implementing application control using path rules, only approved users can change file system permissions for approved files and folders.
Why it matters
If unapproved users can change permissions on approved paths, they can grant access to protected files, enabling data theft or service disruption.
Operational notes
When using path rules, restrict chmod/ACL changes to approved admin groups; review permission change rights and audit logs on approved folders regularly.
Implementation tips
- The IT team should identify all important applications and files that need special permissions. They can do this by reviewing the applications and data critical to business operations and ensuring their permissions align with security policies.
- Managers should appoint specific users who are authorised to make changes to file permissions. They can select trusted staff members who understand the importance of this responsibility and ensure they're aware of the security protocols.
- System administrators should configure settings to limit who can alter permissions on critical files and folders. They can achieve this by using system tools to restrict permission changes, ensuring it is only accessible to those who have been authorised.
- IT security staff should conduct training for authorised users on how to safely manage permissions. This involves showing them step-by-step how to check and change permissions without causing security vulnerabilities.
- The Compliance Officer or equivalent should regularly review who has permission to change critical file settings. They can schedule periodic audits and collect feedback to ensure only the right people have this access and that security policies are being followed.
Audit / evidence tips
-
Askthe list of applications and files with restricted permissions: Request documentation detailing which files and applications have controlled permission settings
Goodis a comprehensive list showing clear identification of sensitive files
-
Askthe list of users authorised to change permissions: Review the documentation or system settings showing which users have access
Goodhas an updated list of active, authorised users
-
Asktraining records: Request evidence of training provided to users who can change permissions
Goodincludes recent training sessions with well-documented materials
-
Askaudit records of permission changes: Request logs or reports showing past permission alterations
Goodincludes regularly reviewed and verified logs with appropriate justifications for changes
-
Askpolicy documents on permission changes: Request the written policies that outline how permission changes should be managed
Goodincludes clear guidelines adhered to by all relevant staff
Cross-framework mappings
How ISM-1746 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.15 | ISM-1746 requires a specific access restriction: only approved users can change file system permissions for approved files and folders us... | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.4 | Annex A 8.4 requires organisations to appropriately manage read and write access to source code, development tools and software libraries | |
| handshake Supports (1) expand_less | ||
| Annex A 8.18 | Annex A 8.18 requires restricting and tightly controlling utilities that could override system and application controls, which relies on ... | |
E8
| Control | Notes | Details |
|---|---|---|
| handshake Supports (3) expand_less | ||
| E8-AC-ML1.2 | E8-AC-ML1.2 requires application control in user profile and temporary folders to prevent unapproved execution from those common drop loc... | |
| E8-AC-ML2.2 | E8-AC-ML2.2 enforces control excluding certain folders, while ISM-1746 maintains file system integrity, preventing unauthorised permissio... | |
| E8-RA-ML3.1 | ISM-1746 requires that, when application control uses path rules, only approved users can change file system permissions for approved fil... | |
| extension Depends on (2) expand_less | ||
| E8-AC-ML2.1 | E8-AC-ML2.1 requires application control on internet-facing servers to limit execution to approved applications | |
| E8-AC-ML3.2 | E8-AC-ML3.2 requires restricting driver execution through application control to an organisation-approved set | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.