ISM-1899 | ASD Information Security Manual (ISM)

Restrict Unauthorised Network Connections

Devices outside the network can't establish connections with administration systems.


Plain language

This control is about making sure that only devices that belong to your administrative infrastructure can open connections to it; anything outside that set is kept out. It's like ensuring only trusted friends can come into your house. If unknown devices are allowed to connect, they create security holes, leaving your most important systems exposed to attacks and data breaches.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Network devices that do not belong to administrative infrastructure cannot initiate connections with administrative infrastructure.

Why it matters

If non-admin network devices can initiate connections to administrative infrastructure, attackers can reach privileged services and pivot to compromise admin accounts and systems.


Operational notes

Enforce segmentation so only approved management subnets/jump hosts can initiate sessions to admin interfaces; apply ACLs/firewall rules and alert on blocked connection attempts.


Implementation tips

  • The IT team should review and identify the devices that are part of the administrative systems. This means creating a list of all approved devices that can communicate with your administrative infrastructure. They can organise a meeting to validate this list with system owners.
  • System administrators should configure network settings to block unauthorised devices. This involves setting up firewalls or filtering rules to only allow the identified, approved devices to connect. Use simple rules based on the device's unique identifiers such as its IP or MAC address.
  • The security manager should train staff on identifying unauthorised devices. They can hold workshops explaining why it's important to keep an eye out for devices not on the approved list and who to report them to if noticed.
  • The IT security officer should regularly review network connection logs. They should set up a fortnightly reminder to audit these logs, looking for any unexpected device connections, and take action to block or investigate them.
  • Managers should establish protocols for reporting and reacting to connection attempts by unauthorised devices. This involves writing a simple procedure document and sharing it with all employees so they know the steps to follow if they spot an unauthorised connection attempt.
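The operational note above (approved management subnets and jump hosts, ACLs, alerting on blocked attempts) and the implementation tips (an approved-device list, filtering rules, regular log review) can be tied together in one small script. The following is an added example and not code from the ISM or from Control Stack: the subnets, the jump host address and the firewall log lines are all constructed, and the nftables ruleset it renders is one illustrative way to express the allow-list, not a ruleset the page prescribes.

```python
"""Added example (not part of the ISM-1899 page): decide whether a new session
into administrative infrastructure is permitted, render an nftables allow-list
for it, and review firewall logs for attempts from non-administrative devices.
All addresses, subnets and log lines below are constructed sample data."""
import ipaddress
import re

# Constructed approved-source list: one management subnet and one jump host.
APPROVED_SOURCES = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "10.10.1.5/32")]
# Constructed administrative infrastructure (e.g. an out-of-band management VLAN).
ADMIN_INFRA = [ipaddress.ip_network(n) for n in ("10.99.0.0/24",)]


def targets_admin_infra(dst: str) -> bool:
    return any(ipaddress.ip_address(dst) in n for n in ADMIN_INFRA)


def is_approved_source(src: str) -> bool:
    return any(ipaddress.ip_address(src) in n for n in APPROVED_SOURCES)


def connection_allowed(src: str, dst: str) -> bool:
    """Policy decision for a new session src -> dst.
    Only approved sources may initiate sessions to admin infrastructure; other
    destinations are outside this control and left to the rest of the ruleset."""
    if not targets_admin_infra(dst):
        return True
    return is_approved_source(src)


def _elements(nets) -> str:
    # nftables interval sets take single hosts without a /32 suffix.
    return ", ".join(
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n) for n in nets
    )


def render_nft_ruleset() -> str:
    """Render an nftables forward-chain ruleset: approved sources may open new
    sessions into admin infra, every other new session into admin infra is
    logged (for alerting) and dropped, so the allow-list has no gap."""
    lines = [
        "table inet admin_segmentation {",
        "  set approved_sources { type ipv4_addr; flags interval; elements = { "
        + _elements(APPROVED_SOURCES) + " } }",
        "  set admin_infra { type ipv4_addr; flags interval; elements = { "
        + _elements(ADMIN_INFRA) + " } }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        "    ip daddr @admin_infra ip saddr @approved_sources ct state new accept",
        '    ip daddr @admin_infra ct state new log prefix "ADMIN-DENY " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines)


# Constructed log format: one record per new session seen by the firewall.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>ACCEPT|DROP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def review_log(lines):
    """Classify session-start records that involve admin infrastructure.
    'blocked_attempt': a non-approved source was dropped (alert and investigate).
    'rule_gap': a non-approved source was ACCEPTED, i.e. the ruleset has a gap."""
    findings = []
    for line in lines:
        m = LOG_PATTERN.match(line)
        if not m:
            continue  # not a session-start record; ignore
        src, dst, action = m["src"], m["dst"], m["action"]
        if not targets_admin_infra(dst) or is_approved_source(src):
            continue  # out of scope or legitimately approved
        kind = "rule_gap" if action == "ACCEPT" else "blocked_attempt"
        findings.append({"kind": kind, "ts": m["ts"], "src": src,
                         "dst": dst, "dport": int(m["dport"])})
    return findings


# Constructed sample log: an approved jump-host session, a blocked attempt from
# a workstation subnet, an attempt that wrongly got through, and unrelated traffic.
SAMPLE_LOG = [
    "2026-03-19T08:12:01Z fw01 action=ACCEPT src=10.10.0.7 dst=10.99.0.10 dport=22",
    "2026-03-19T08:13:44Z fw01 action=DROP src=192.168.5.20 dst=10.99.0.10 dport=22",
    "2026-03-19T08:15:09Z fw01 action=ACCEPT src=192.168.5.21 dst=10.99.0.12 dport=443",
    "2026-03-19T08:16:30Z fw01 action=ACCEPT src=192.168.5.21 dst=10.20.0.3 dport=80",
]

if __name__ == "__main__":
    print(render_nft_ruleset())
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Two design points worth noting when adapting this. The allow-list is keyed on source subnets and jump-host addresses rather than MAC addresses, because a MAC is only visible on the local segment and a firewall between segments never sees it; both IP and MAC identifiers are also trivially changed on a device, so the list is a segmentation boundary, not proof of identity. The log review treats an ACCEPT from a non-approved source as a ruleset gap rather than merely an event, which is the finding an auditor looking for "rules with no gaps" would expect to see raised.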

Audit / evidence tips

  • Ask: The list of authorised devices. Request documentation that lists every device allowed to connect to the admin network. Good: a comprehensive list with sign-off from the IT manager.
  • Good: configuration will clearly list these rules with no gaps.
  • Ask: Recent network log reviews. Request evidence of regular log review activities. Good: includes dated logs showing signed-off reviews with findings.
  • Good: set of materials will be up-to-date and comprehensive.
  • Ask: Incident response records. Request records of any investigations into unauthorised connection attempts. Good: record will show a timeline of actions and resolutions.

Cross-framework mappings

How ISM-1899 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

Control: Annex A 8.20
Notes: ISM-1899 requires that non-administrative network devices cannot initiate connections to administrative infrastructure, enforcing strong ...

Control: Annex A 8.22
Notes: ISM-1899 requires that devices outside administrative infrastructure are prevented from initiating connections into administrative infras...

E8

Supports (1)

Control: E8-RA-ML2.4
Notes: ISM-1899 requires that non-administrative devices cannot initiate connections to administrative infrastructure, limiting direct reachabil...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
