Secure and Encrypt Backups of AD Servers
Microsoft AD server backups must be secure, encrypted, and only accessible to backup admins.
Plain language
This control is about making sure backups of important Microsoft Active Directory servers are properly encrypted and only accessible to those who are supposed to handle them. This matters because if backups are not secure, they could be stolen or tampered with, leading to potential leaks of sensitive information and disruptions in operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardeningSection
Server application hardeningOfficial control statement
Backups of Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft Entra Connect servers are encrypted, stored securely and only accessible to backup administrator accounts.
Why it matters
If AD server backups are not encrypted or tightly restricted, attackers can extract directory data or CA private keys and compromise identities and trust.
Operational notes
Confirm AD/AD CS/AD FS/Entra Connect backups are encrypted and stored securely; restrict access to backup admin accounts and review access quarterly.
Implementation tips
- The IT team should ensure that all backups of Microsoft Active Directory servers are encrypted. This can be done by enabling encryption features within the backup software or using an external encryption tool to secure the files before storage.
- Backup administrators must set access permissions on the encrypted backups to ensure only authorised personnel can access them. This involves configuring permission settings within the backup system or file storage platform to limit access rights.
- The IT security officer should regularly review and update the list of backup administrators who have access to these encrypted backups. This is done by maintaining an up-to-date log of authorised users and conducting periodic audits to verify that no unapproved individuals have access.
- System owners need to institute regular backup procedures that include testing the encryption and access controls. This involves running test restores to ensure that the backup data is recoverable and that the encryption keys function as expected.
- Managers should conduct training sessions for backup administrators on the importance of encrypted backups and restricted access. This involves organising workshops or online training modules that explain the risks of unencrypted backups and how to manage access controls effectively.
Audit / evidence tips
-
Askthe backup encryption policy document: Request the documented policy that outlines how backups are encrypted
GoodA detailed policy stating encryption standards and implementation procedures
-
Askthe access control list for backup files: Request a list of who currently has access to backup files
GoodA document clearly listing names and roles that match the approved access list
-
Askrecords of backup encryption tests: Request logs or reports that detail the results of regular encryption testing
GoodLogs showing successful tests or reports detailing resolved issues
-
Asktraining records on backup procedures: Request evidence that staff have completed training on handling encrypted backups
GoodTraining records with completion dates, participants, and agendas that match training objectives
-
Askaudit records of backup access: Request documentation from recent audits of backup access permissions
GoodAudit reports showing no unauthorized access incidents or documentation of prompt resolution of issues
Cross-framework mappings
How ISM-1928 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.13 | Annex A 8.13 requires organisations to maintain backup copies of information, software and systems and to test them against a backup policy | |
E8
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| sync_alt Partially overlaps (2) expand_less | ||
| handshake Supports (1) expand_less | ||
| link Related (1) expand_less | ||
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.