Control Stack
ISM-1927 ASD Information Security Manual (ISM)

Restrict Access to Microsoft Active Directory Servers

Only privileged users should access key Microsoft servers for security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Access to Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft Entra Connect servers is limited to privileged users that require access.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure only the right people have access to key Microsoft servers like Active Directory, which are critical for managing your computer systems. If these servers are accessed by the wrong people, it could lead to serious problems, such as a potential data breach, loss of sensitive information, or disruptions to your operations.

Why it matters

Unauthorised access to AD DS/CS/FS or Entra Connect servers can enable credential theft, certificate abuse and full domain compromise, disrupting critical business services.

Operational notes

Restrict logon (RDP/console) to AD DS/CS/FS and Entra Connect servers to approved admins only; regularly review group membership, logon rights and access logs.

Implementation tips

  • The IT team should identify who needs access to Microsoft Active Directory servers. They can list all current users and assess if they truly need access to perform their duties. This ensures that only those with a legitimate reason can get in.
  • Managers should work with the IT department to regularly review user access lists. They should schedule periodic meetings to check that access rights are still appropriate as roles and responsibilities change over time.
  • System owners should configure security settings to restrict access. They can do this by setting up permissions that align with the user's role, making it harder for unauthorised users to access important systems.
  • The IT team should implement strong password policies and enable alerts for any unusual login attempts. They can set up the server to notify them if someone tries to log in who shouldn't have access, allowing quick response to potential threats.
  • Human Resources should coordinate with IT to ensure leavers have access removed immediately upon exit. When someone leaves the organisation, HR must notify the IT team to revoke their server access without delay.
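One way to act on the operational note (review logon rights and access logs) and on the alerting and access-review tips above, as an added example that is not Control Stack's or ASD's code: a PowerShell audit that pulls console and RDP logons from the Security log of each tier-0 identity server and flags any account that is not in the approved administrator group. The server names and the group name `Tier0-Admins` are assumptions; it also assumes the RSAT ActiveDirectory module is installed and the running account can read remote Security logs.

```powershell
# Added example (not Control Stack's or ASD's code): review interactive and RDP
# logons on AD DS / AD CS / AD FS / Entra Connect servers against an approved list.
Import-Module ActiveDirectory

# Constructed list of tier-0 servers; replace with your own host names.
$Tier0Servers = @('DC01', 'DC02', 'CA01', 'ADFS01', 'ENTRACONNECT01')

# Approved administrators come from a dedicated group (assumed name).
$ApprovedAdmins = Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

$Since = (Get-Date).AddDays(-7)
$Findings = foreach ($Server in $Tier0Servers) {
    # 4624 = successful logon; LogonType 2 = console, 10 = RDP (RemoteInteractive)
    $Events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($Event in $Events) {
        $Xml  = [xml]$Event.ToXml()
        $Data = @{}
        foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        if ($Data['LogonType'] -notin @('2', '10')) { continue }

        $User = $Data['TargetUserName'].ToLowerInvariant()
        # Skip machine accounts and built-in service identities
        if ($User.EndsWith('$') -or $User -in @('system', 'local service', 'network service')) { continue }

        [pscustomobject]@{
            Server    = $Server
            Time      = $Event.TimeCreated
            User      = $User
            LogonType = $Data['LogonType']
            SourceIP  = $Data['IpAddress']
            Approved  = $ApprovedAdmins -contains $User
        }
    }
}

# Unapproved logons are the finding to act on; the full table is the evidence record
# an auditor can ask for under "system logs which record login attempts".
$Findings | Where-Object { -not $_.Approved } | Format-Table -AutoSize
$Findings | Export-Csv -Path ".\tier0-logons-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Scheduling this weekly and alerting on a non-empty unapproved set turns the access-log review into the notification the tips describe, while the CSV doubles as the dated review record.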

Audit / evidence tips

  • Ask: the current list of users with access to key Microsoft servers: Request a user access list for the Active Directory and other critical servers

    Good: shows a list where each user’s access aligns with their job role

  • Ask: records of user access reviews: Request documentation of past access reviews

    Good: is a dated record showing regular reviews with actions taken where changes were needed

  • Ask: about the configuration settings for access permissions: Request configurations or screenshots showing permission settings

    Good: has permissions that reflect a clear role-based access approach

  • Ask: system logs which record login attempts to key servers

    Good: is a log showing monitoring and alerts that are acted upon promptly

  • Ask: the leavers’ access removal document: Request a record of access removal for past employees. Look to ensure there’s a quick removal process initiated by HR notifications

    Good: is a documented process that shows access is removed on or shortly after the employee’s end date

Cross-framework mappings

How ISM-1927 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

Control      Notes
Annex A 8.2  ISM-1927 requires restricting access to specific Microsoft identity servers to privileged users who require access
Annex A 8.3  ISM-1927 requires restricting access to AD DS domain controllers, AD CS CA servers, AD FS servers and Entra Connect servers to privileged...

E8

Partially overlaps (2)
Supports (5)
