Use Privileged Accounts for Domain Machine Addition
Special accounts are used for adding computers to the network for security purposes.
Plain language
This control is about using special accounts with extra privileges to add computers to your network. It's like having a trusted person to do the important job of letting new devices join your secure group. If you don't use these trusted accounts, unauthorised devices could sneak in, causing data breaches or disrupting operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Dedicated privileged service accounts are used to add machines to the domain.
Why it matters
If non-privileged accounts can add machines to the domain, unauthorised hosts may join, enabling credential theft and lateral movement.
Operational notes
Use a dedicated privileged service account for domain joins, restrict who can use it, and routinely audit domain-add events for misuse.
Implementation tips
- The IT team should identify which accounts in the system have the special privileges needed for adding computers to the domain. They should ensure that these accounts are used only for this purpose and are secured with strong passwords or other authentication methods.
- Managers should ensure their team members understand the importance of only using these privileged accounts for adding devices. This can be done through training sessions explaining why extra security measures are necessary.
- System administrators should monitor who is using these privileged accounts and when. They should regularly review the logs to detect any unusual activity, such as attempts to add too many devices or at odd hours.
- The organisation's security manager should review the policy for using privileged accounts at least once a year. They should check whether the guidelines are still being followed by everyone and update them to adapt to any changes in the network structure.
- HR should collaborate with IT to ensure that when someone with access to these privileged accounts leaves the organisation, their access is immediately revoked to prevent any unauthorised use of the accounts.
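As an added example (not part of the ISM control text or this page), the PowerShell below checks the two things the operational notes and the monitoring tip call for: whether ordinary users can still join machines through the domain's ms-DS-MachineAccountQuota attribute, and whether any computer-account creation event (Security event ID 4741, "A computer account was created") was raised by something other than the dedicated join account. The account name svc-domainjoin, the function names and the sample events are constructed placeholders; the live commands assume a domain controller with the ActiveDirectory module.

```powershell
# Added example, not part of the ISM control text. Assumes a domain controller
# (or a host with the RSAT ActiveDirectory module and Security-log read access)
# and that 'svc-domainjoin' is the organisation's dedicated join account; the
# account name and the sample events below are constructed placeholders.

$ApprovedJoinAccounts = @('svc-domainjoin')

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota on the domain object (default 10) lets any
    # authenticated user join up to that many computers without being granted
    # the right explicitly. The control expects joins to come only from the
    # dedicated service account, so the quota should be 0.
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $obj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    [int]$obj.'ms-DS-MachineAccountQuota'
}

function ConvertFrom-ComputerCreateEvent {
    # Parses one Security event 4741 rendered as XML and reports who created
    # which computer account, plus whether the creator is an approved account.
    param([Parameter(Mandatory)][string]$EventXml, [string[]]$Approved = $ApprovedJoinAccounts)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $x.Event.System.TimeCreated.SystemTime
        Computer  = $data['TargetUserName']
        CreatedBy = $data['SubjectUserName']
        Approved  = [bool]($Approved -contains $data['SubjectUserName'])
    }
}

function Get-UnapprovedDomainJoins {
    # Returns every 4741 event whose subject is not one of the approved accounts.
    param([Parameter(Mandatory)][string[]]$EventXml, [string[]]$Approved = $ApprovedJoinAccounts)
    $EventXml |
        ForEach-Object { ConvertFrom-ComputerCreateEvent -EventXml $_ -Approved $Approved } |
        Where-Object { -not $_.Approved }
}

# Constructed sample events (trimmed to the fields used here), not real log data.
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4741</EventID><TimeCreated SystemTime="2026-03-02T09:12:41Z"/></System>
  <EventData>
    <Data Name="TargetUserName">WS-0142$</Data>
    <Data Name="SubjectUserName">svc-domainjoin</Data>
  </EventData>
</Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4741</EventID><TimeCreated SystemTime="2026-03-02T23:47:05Z"/></System>
  <EventData>
    <Data Name="TargetUserName">DESKTOP-7Q2M$</Data>
    <Data Name="SubjectUserName">jsmith</Data>
  </EventData>
</Event>
'@
)

# Offline run over the constructed sample: lists joins not done by the service account.
Get-UnapprovedDomainJoins -EventXml $sampleEvents | Format-Table Time, Computer, CreatedBy

# Live use on a domain controller: last 30 days of 4741 events, then the quota check.
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4741; StartTime=(Get-Date).AddDays(-30)} |
#     ForEach-Object { $_.ToXml() }
# Get-UnapprovedDomainJoins -EventXml $live | Format-Table Time, Computer, CreatedBy
# if ((Get-MachineAccountQuota) -ne 0) {
#     Set-ADDomain -Identity (Get-ADDomain).DNSRoot -Replace @{'ms-DS-MachineAccountQuota' = 0}
# }
```

The event is parsed from its XML rendering rather than by positional Properties index so the field names are explicit; in a real deployment the 4741 events would be collected centrally from every domain controller, and the review of who created computer accounts (and at what hour) is the "account usage logs" evidence the audit tips below ask for. Lowering the quota is what actually prevents non-privileged accounts from joining machines; the log review detects attempts that bypass the dedicated account.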
Audit / evidence tips
- Ask for a list of privileged accounts: request a document that identifies all accounts with the capability to add devices to the domain.
  Good: a document listing each account, the person responsible, and the security measures applied.
- Ask for training records: request records of training sessions provided to staff about using privileged accounts.
  Good: a complete record showing regular training with a specific focus on security practices.
- Ask for account usage logs: request logs that show how and when privileged accounts have been used.
  Good: logs with normal activity patterns and no security breaches.
- Ask for policy documents: request the current policies regarding privileged account usage.
  Good: a policy document that is detailed, up-to-date, and approved by management.
- Ask to see the account revocation process: request a document explaining the process for removing access when employees leave the organisation.
  Good: a document that outlines a timely and secure access revocation process.
Cross-framework mappings
How ISM-1842 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Related (1) | | |
| Annex A 8.2 | Annex A 8.2 requires privileged access rights to be restricted and managed so only authorised entities can perform high-impact actions | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-RA-ML1.2 | E8-RA-ML1.2 requires privileged users to use dedicated privileged accounts exclusively for administrative tasks | |
| Partially overlaps (1) | | |
| E8-RA-ML2.5 | ISM-1842 requires dedicated privileged service accounts to add machines to the domain, reducing exposure from using standard or personal ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.