ISM-1927 (ASD Information Security Manual)

Restrict Access to Microsoft Active Directory Servers

Only privileged users should access key Microsoft servers for security.


Plain language

This control is about making sure only the right people have access to key Microsoft servers like Active Directory, which are critical for managing your computer systems. If these servers are accessed by the wrong people, it could lead to serious problems, such as a potential data breach, loss of sensitive information, or disruptions to your operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Access to Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft Entra Connect servers is limited to privileged users that require access.

Why it matters

Unauthorised access to AD DS/CS/FS or Entra Connect servers can enable credential theft, certificate abuse and full domain compromise, disrupting critical business services.


Operational notes

Restrict logon (RDP/console) to AD DS/CS/FS and Entra Connect servers to approved admins only; regularly review group membership, logon rights and access logs.


Implementation tips

  • The IT team should identify who needs access to Microsoft Active Directory servers. They can list all current users and assess if they truly need access to perform their duties. This ensures that only those with a legitimate reason can get in.
  • Managers should work with the IT department to regularly review user access lists. They should schedule periodic meetings to check that access rights are still appropriate as roles and responsibilities change over time.
  • System owners should configure security settings to restrict access. They can do this by setting up permissions that align with the user's role, making it harder for unauthorised users to access important systems.
  • The IT team should implement strong password policies and enable alerts for any unusual login attempts. They can set up the server to notify them if someone tries to log in who shouldn't have access, allowing quick response to potential threats.
  • Human Resources should coordinate with IT to ensure leavers have access removed immediately upon exit. When someone leaves the organisation, HR must notify the IT team to revoke their server access without delay.
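The operational note and the implementation tips above come down to three checks that can be scripted: who is in the privileged groups, who actually holds console and RDP logon rights on each Tier 0 server, and whether anyone outside the approved set has logged on recently. The following PowerShell audit is an added example, not code from the Control Stack page or from the ISM; the server names and the approved-admin list are constructed placeholders, and it assumes an admin workstation with the ActiveDirectory RSAT module, WinRM access to the servers and rights to read their Security logs.

```powershell
# Added example: audit access to AD DS / AD CS / AD FS / Entra Connect servers (ISM-1927).
# Assumptions: ActiveDirectory module installed, WinRM enabled on the servers, and the
# running account may read the remote Security log. Names below are constructed placeholders.
Import-Module ActiveDirectory

# Constructed: servers in scope (domain controllers, CA, AD FS, Entra Connect)
$Tier0Servers     = @('DC01', 'DC02', 'CA01', 'ADFS01', 'AADC01')
# Constructed: the documented, approved set of privileged admin accounts
$ApprovedAdmins   = @('adm-jsmith', 'adm-alee', 'break-glass-01')
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# 1. Privileged group membership, expanded recursively so nested groups are not missed.
#    Anyone not on the approved list is a finding for the access review.
$membership = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{
                Group    = $g
                Account  = $_.SamAccountName
                Approved = ($ApprovedAdmins -contains $_.SamAccountName)
            }
        }
}
Write-Host '== Privileged group members not on the approved list =='
$membership | Where-Object { -not $_.Approved } | Format-Table -AutoSize

# 2. Logon rights actually granted on each server. secedit exports the local security policy;
#    SeRemoteInteractiveLogonRight = "Allow log on through Remote Desktop Services",
#    SeInteractiveLogonRight       = "Allow log on locally". Both should list only approved admins.
Write-Host '== Console / RDP logon rights per server =='
foreach ($srv in $Tier0Servers) {
    Invoke-Command -ComputerName $srv -ScriptBlock {
        $cfg = Join-Path $env:TEMP 'secpol.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $rights = Get-Content $cfg |
            Where-Object { $_ -match '^(SeRemoteInteractiveLogonRight|SeInteractiveLogonRight)\s*=' }
        Remove-Item $cfg -Force
        [pscustomobject]@{ Server = $env:COMPUTERNAME; LogonRights = ($rights -join '; ') }
    }
}

# 3. Console (LogonType 2) and RDP (LogonType 10) logons in the last 24 hours by accounts that
#    are not approved admins. In event 4624, Properties[5] is TargetUserName and
#    Properties[8] is LogonType. Machine accounts (trailing $) are excluded.
Write-Host '== Interactive logons by non-approved accounts (last 24h) =='
$since = (Get-Date).AddHours(-24)
foreach ($srv in $Tier0Servers) {
    Get-WinEvent -ComputerName $srv -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
        ForEach-Object {
            $user = $_.Properties[5].Value
            $type = [int]$_.Properties[8].Value
            if ($type -in @(2, 10) -and $user -notin $ApprovedAdmins -and $user -notmatch '\$$') {
                [pscustomobject]@{ Server = $srv; Time = $_.TimeCreated; Account = $user; LogonType = $type }
            }
        }
}
```

Run it from a privileged administrative workstation, not from the servers themselves, and keep the output as evidence for the access-review record; the third section is also the query to turn into a scheduled alert, which is what the "unusual login attempts" tip asks for.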

Audit / evidence tips

  • Ask: The current list of users with access to key Microsoft servers. Request a user access list for the Active Directory and other critical servers. Good: Shows a list where each user’s access aligns with their job role.
  • Ask: Records of user access reviews. Request documentation of past access reviews. Good: Is a dated record showing regular reviews with actions taken where changes were needed.
  • Ask: About the configuration settings for access permissions. Request configurations or screenshots showing permission settings. Good: Has permissions that reflect a clear role-based access approach.
  • Ask: System logs which record login attempts to key servers. Good: Is a log showing monitoring and alerts that are acted upon promptly.
  • Ask: The leavers’ access removal document. Request a record of access removal for past employees. Look to ensure there’s a quick removal process initiated by HR notifications. Good: Is a documented process that shows access is removed on or shortly after the employee’s end date.

Cross-framework mappings

How ISM-1927 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

  • Annex A 8.2: ISM-1927 requires restricting access to specific Microsoft identity servers to privileged users who require access.
  • Annex A 8.3: ISM-1927 requires restricting access to AD DS domain controllers, AD CS CA servers, AD FS servers and Entra Connect servers to privileged...

Related (1)

  • Annex A 5.18: Annex A 5.18 requires organisations to manage access rights across their lifecycle in line with access control rules.

E8

Partially overlaps (1)

Supports (6)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
