ISM-1863 ASD Information Security Manual (ISM)

Restrict Exposure of Network Management Interfaces

To enhance security, IT equipment management interfaces should not be accessible from the internet.

Plain language

This control is about keeping the parts of your office technology that let you manage and control those systems away from the public internet. Think of it like keeping the keys to your store locked up. If these management tools are available online, someone could break in and control your systems, steal information, or disrupt your operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Networked management interfaces for IT equipment are not directly exposed to the internet.

Why it matters

Exposing management interfaces to the internet enables unauthorised admin access, leading to compromise, data loss, and disruption.

Operational notes

Ensure management interfaces are not internet-exposed; provide admin access only via VPN/bastion and restrict by allowlisted subnets.

Implementation tips

  • The IT team should ensure that management interfaces are only accessible from within the company network. They can set this up by configuring firewall rules to block internet access to these interfaces.
  • System administrators should implement network segmentation to separate management interfaces from the standard user network. This can be done by creating a dedicated management network and ensuring that only authorised personnel have access.
  • IT security staff should set up a Virtual Private Network (VPN) for remote access to management interfaces. This involves configuring a secure tunnel that encrypts data, providing access only after verifying the user's identity.
  • Network managers should regularly review and update access control lists. This includes checking who has access to management interfaces and ensuring that only necessary personnel are allowed.
  • The security officer should conduct regular training sessions for staff who require access to management interfaces. They can educate staff on best practices and the importance of not exposing these systems to the internet.
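
One way to check a firewall ruleset against the tips above, as an added example that is not part of the ISM or of this page's original content. The management port list, the allowlisted subnets, the rule format and the sample rules are all assumptions constructed for illustration; it flags allow rules that admit sources outside the allowlist to a management port, unless an earlier deny already covers them.

```python
import ipaddress

# Assumption: ports treated as management services
# (SSH, Telnet, SNMP, HTTPS admin UI, IPMI, RDP).
MGMT_PORTS = {22, 23, 161, 443, 623, 3389}

# Assumption: management subnet and VPN pool permitted to reach those ports.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.99.0.0/26")]

# Constructed sample ruleset (IPv4), evaluated top-down, first match wins.
RULES = [
    {"id": 1, "action": "allow", "src": "10.20.0.0/24", "dport": 22},
    {"id": 2, "action": "deny", "src": "0.0.0.0/0", "dport": 3389},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "dport": 3389},  # shadowed by rule 2
    {"id": 4, "action": "allow", "src": "0.0.0.0/0", "dport": 443},   # open to any source
    {"id": 5, "action": "allow", "src": "10.0.0.0/8", "dport": 161},  # wider than allowlist
    {"id": 6, "action": "allow", "src": "0.0.0.0/0", "dport": 80},    # not a management port
]


def find_exposures(rules, allowlist=ALLOWLIST, mgmt_ports=MGMT_PORTS):
    """Return (rule id, port, source) for allow rules that let a source
    outside the allowlist reach a management port."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        if any(src.subnet_of(net) for net in allowlist):
            continue  # source is wholly inside an allowlisted subnet
        ports = mgmt_ports if rule["dport"] == "any" else {rule["dport"]} & mgmt_ports
        for port in sorted(ports):
            # An earlier deny covering the whole source and this port matches first.
            shadowed = any(
                r["action"] == "deny"
                and r["dport"] in ("any", port)
                and src.subnet_of(ipaddress.ip_network(r["src"]))
                for r in rules[:i]
            )
            if not shadowed:
                findings.append((rule["id"], port, str(src)))
    return findings


if __name__ == "__main__":
    for rule_id, port, src in find_exposures(RULES):
        print(f"rule {rule_id}: management port {port} reachable from {src}")
```

The check is deliberately conservative: a deny that covers only part of a rule's source range does not clear the finding, so partially blocked rules are still reported for review.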

Audit / evidence tips

  • Ask: The network diagram that shows the management interfaces of IT equipment. Good: Is a diagram that clearly indicates segmentation and controlled access points.
  • Good: Outcome is seeing rules that completely prevent outside access.
  • Ask: To see VPN configuration documents for remote access to management interfaces. Good: Result is having robust encryption and clear access policies that restrict users.
  • Good: Has only essential staff on the list with documentation of managerial approval.
  • Ask: Training records regarding the secure use of management interfaces. Good: Record shows consistent training aligned with current risks.

Cross-framework mappings

How ISM-1863 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.20 ISM-1863 requires that networked management interfaces for IT equipment are not directly exposed to the internet

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
