Restrict Access to Microsoft Active Directory Servers
Only privileged users should access key Microsoft servers for security.
Plain language
This control is about making sure only the right people have access to key Microsoft servers like Active Directory, which are critical for managing your computer systems. If these servers are accessed by the wrong people, it could lead to serious problems, such as a potential data breach, loss of sensitive information, or disruptions to your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Access to Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft Entra Connect servers is limited to privileged users that require access.
Why it matters
Unauthorised access to AD DS/CS/FS or Entra Connect servers can enable credential theft, certificate abuse and full domain compromise, disrupting critical business services.
Operational notes
Restrict logon (RDP/console) to AD DS/CS/FS and Entra Connect servers to approved admins only; regularly review group membership, logon rights and access logs.
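The review described above, as an added PowerShell example that is not part of the Control Stack page: it lists effective membership of the groups that confer domain controller access, pulls the interactive and RDP logon rights in force on each domain controller, and flags recent RDP logons by accounts outside an approved list. It assumes the ActiveDirectory RSAT module, an account permitted to read the Security log on the domain controllers, and a hypothetical approved-admin list ($ApprovedAdmins) that you would replace with your own record.

```powershell
# Added example (not from the original page). Assumes RSAT ActiveDirectory module and
# remote access to each domain controller. $ApprovedAdmins is a constructed placeholder.
Import-Module ActiveDirectory

$ApprovedAdmins = @('CORP\tier0-alice', 'CORP\tier0-bob')   # constructed sample accounts

# 1. Effective (nested) membership of groups that grant logon or control over DCs.
$PrivGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                'Server Operators', 'Backup Operators', 'Account Operators', 'Print Operators')
$Members = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Account = "$env:USERDOMAIN\$($_.SamAccountName)" } }
}
Write-Host '== Privileged group members not on the approved list =='
$Members | Where-Object { $ApprovedAdmins -notcontains $_.Account } | Format-Table -AutoSize

# 2. Who holds "Allow log on locally" / "Allow log on through Remote Desktop Services" on each DC.
#    secedit exports the effective policy; the right-hand side lists SIDs (e.g. *S-1-5-32-544 = Administrators).
Write-Host '== Logon rights in force on each domain controller =='
$DCs = Get-ADDomainController -Filter *
foreach ($dc in $DCs) {
    $rights = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $lines = Get-Content $cfg
        Remove-Item $cfg -Force
        $lines | Where-Object { $_ -match '^(SeInteractiveLogonRight|SeRemoteInteractiveLogonRight)\s*=' }
    }
    [pscustomobject]@{ DC = $dc.HostName; LogonRights = ($rights -join '; ') } | Format-List
}

# 3. RDP logons (Event ID 4624, logon type 10) in the last 7 days by accounts outside the approved list.
Write-Host '== Unexpected RDP logons to domain controllers (last 7 days) =='
$Since = (Get-Date).AddDays(-7)
foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.LogonType -eq '10') {
            [pscustomobject]@{ DC = $dc.HostName; Time = $_.TimeCreated
                               Account = "$($data.TargetDomainName)\$($data.TargetUserName)" }
        }
    } | Where-Object { $ApprovedAdmins -notcontains $_.Account } | Format-Table -AutoSize
}
```

Run it from a hardened admin workstation and keep the output with the dated access-review record; any account that appears in sections 1 or 3 but not on the approved list is a finding to resolve.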
Implementation tips
- The IT team should identify who needs access to Microsoft Active Directory servers. They can list all current users and assess if they truly need access to perform their duties. This ensures that only those with a legitimate reason can get in.
- Managers should work with the IT department to regularly review user access lists. They should schedule periodic meetings to check that access rights are still appropriate as roles and responsibilities change over time.
- System owners should configure security settings to restrict access. They can do this by setting up permissions that align with the user's role, making it harder for unauthorised users to access important systems.
- The IT team should implement strong password policies and enable alerts for any unusual login attempts. They can set up the server to notify them if someone tries to log in who shouldn't have access, allowing quick response to potential threats.
- Human Resources should coordinate with IT to ensure leavers have access removed immediately upon exit. When someone leaves the organisation, HR must notify the IT team to revoke their server access without delay.
Audit / evidence tips
- Ask for: the current list of users with access to key Microsoft servers. Request a user access list for Active Directory and the other critical servers.
  Good evidence: a list where each user's access aligns with their job role.
- Ask for: records of user access reviews. Request documentation of past access reviews.
  Good evidence: a dated record showing regular reviews, with actions taken where changes were needed.
- Ask about: the configuration settings for access permissions. Request configurations or screenshots showing the permission settings.
  Good evidence: permissions that reflect a clear role-based access approach.
- Ask for: system logs which record login attempts to key servers.
  Good evidence: a log showing monitoring and alerts that are acted upon promptly.
- Ask for: the leavers' access removal document. Request a record of access removal for past employees, and check that removal is promptly initiated by HR notifications.
  Good evidence: a documented process showing that access is removed on or shortly after the employee's end date.
Cross-framework mappings
How ISM-1927 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.2 | ISM-1927 requires restricting access to specific Microsoft identity servers to privileged users who require access | |
| Annex A 8.3 | ISM-1927 requires restricting access to AD DS domain controllers, AD CS CA servers, AD FS servers and Entra Connect servers to privileged... | |
| Related (1) | | |
| Annex A 5.18 | Annex A 5.18 requires organisations to manage access rights across their lifecycle in line with access control rules | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Supports (6) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.