ISM-1947 (ASD Information Security Manual policy)

Remove User Authentication from Extended Key Usages

Ensure that Extended Key Usages do not allow user authentication.


Plain language

This control is about ensuring that certain parts of your system that deal with verification keys are not used to log users in. If this isn't done, your company could experience unauthorised access, putting confidential information at risk and potentially resulting in financial and reputational harm.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Extended Key Usages that enable user authentication are removed.

Why it matters

If user-authentication EKUs remain on certificates, they can be used for client logon, enabling unauthorised access to systems and data.


Operational notes

Audit issued certificates and AD CS certificate templates, and remove the EKUs that permit user authentication (e.g. Client Authentication, Smart Card Logon) so that those certificates cannot be used for certificate-based logon.


Implementation tips

  • The IT team should review the certificate templates used in Active Directory Certificate Services. They need to identify any templates that include user authentication and update them by removing this capability. They can do this by following step-by-step instructions available in Microsoft's documentation.
  • The system administrator should organise a training session for staff involved with managing certificates. This session should explain why removing user authentication from these templates is important and demonstrate how to identify and modify the settings. The training could consist of an interactive workshop with practical exercises.
  • The compliance officer ought to check with the IT department to ensure that any newly deployed or existing certificate templates do not allow user authentication. They can ask for an updated list of all certificate templates and their current settings related to user authentication.
  • The security manager should set up a procedure for regularly reviewing certificate permissions. This includes a schedule for checks and balances to ensure continuous adherence to the policy of not using these certificates for user authentication.
  • The IT team should implement automated monitoring tools to alert them if any certificate templates are configured incorrectly in the future. These tools could be simple scripts that scan the certificate settings periodically and notify the administrator of any discrepancies.
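The periodic scan suggested in the last tip, as an added example that is not code from the Control Stack page or from ASD: a Python check over an ldifde export of the AD CS Certificate Templates container that flags any template whose pKIExtendedKeyUsage still permits logon (the two EKUs named in the operational notes, plus PKINIT Client Authentication, Any Purpose, and the no-EKU case). It assumes the container was exported with "ldifde -f templates.ldf -d <Certificate Templates container DN> -r (objectClass=pKICertificateTemplate) -l cn,pKIExtendedKeyUsage"; the template names and forest in the sample are constructed.

```python
import re
# Added example (not from the Control Stack page or ASD): scans an ldifde export of
# the AD CS Certificate Templates container (cn and pKIExtendedKeyUsage only) for
# EKU OIDs that permit client/user logon. A template with no EKU is unrestricted.
USER_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
# Constructed sample export; DC=example,DC=com is a placeholder forest.
SAMPLE_LDIF = """dn: CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com
cn: WebServer
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1

dn: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com
cn: User
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.4

dn: CN=LegacyAll,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com
cn: LegacyAll
"""

def parse_ldif(text):
    """Return {template cn: [EKU OIDs]}; a leading space continues the previous LDIF line."""
    templates, cn, ekus = {}, None, []
    for line in re.sub(r"\r?\n ", "", text).splitlines() + [""]:  # "" flushes the last entry
        if not line.strip():
            if cn is not None:
                templates[cn] = ekus
            cn, ekus = None, []
            continue
        attr, _, value = line.partition(":")
        if attr.lower() == "cn":
            cn = value.strip()
        elif attr.lower() == "pkiextendedkeyusage":
            ekus.append(value.strip())
    return templates

def find_user_auth_templates(templates):
    """Return {cn: reason} for every template that still permits certificate logon."""
    findings = {}
    for cn, ekus in templates.items():
        hits = [USER_AUTH_EKUS[o] for o in ekus if o in USER_AUTH_EKUS]
        if not ekus:
            findings[cn] = "no EKU (unrestricted)"
        elif hits:
            findings[cn] = ", ".join(hits)
    return findings
```

Run against the real export, the returned dictionary is the list of templates to remediate; an empty result is the evidence the audit tips below ask for.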

Audit / evidence tips

  • Ask: The list of all certificate templates currently in use. Ensure that this list is recent and covers all relevant systems in Active Directory Certificate Services. Good evidence: The list shows no templates with user authentication enabled.
  • Good evidence: Records of recent updates that removed user authentication capabilities, along with approvals from the responsible parties.
  • Good evidence: Training records showing that staff attended a session on certificate management in the last year.
  • Good evidence: A demonstration in which an administrator successfully modifies a template as per the guidelines.
  • Ask: Records from automated monitoring tools. These could be logs or alerts related to certificate management. Good evidence: Logs showing consistent, periodic checks with zero unauthorised authentication configurations.

Cross-framework mappings

How ISM-1947 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 8.5
Relationship: Partially meets
Notes: ISM-1947 requires organisations to remove Extended Key Usages (EKUs) in certificates that enable user authentication, ensuring certificat...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
