Ensure Strong Management of Admin Account Credentials
Make sure admin account passwords in each domain are long, unique, and securely managed.
Plain language
This control is about making sure the administrator accounts used to run your computer networks have passwords that are long, unique, and handled securely. This matters because weak or shared passwords make it easy for hackers to break into your systems, potentially leading to theft of sensitive information or disruption of services.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Credentials for the built-in Administrator account in each domain are long, unique, unpredictable and managed.
Why it matters
Weak or reused built-in domain Administrator credentials enable domain compromise, privilege escalation and widespread service disruption.
Operational notes
Ensure each domain’s built-in Administrator password is long, unique and stored in a vault; rotate regularly and after suspected compromise.
Implementation tips
- The IT team should create strong passwords for admin accounts. They can do this by using password management software to generate long and unique passwords that aren't easy to guess.
- System owners need to ensure each admin account is tied to a specific person rather than using generic accounts. This involves assigning admin accounts by individual names and ensuring they are only used by authorised personnel.
- Managers should review who has access to admin accounts regularly. To do this, schedule quarterly meetings with the IT team to review user access logs and make sure only the right people have access.
- HR, along with the IT team, should implement a process to immediately update passwords when staff leave. This can be achieved by integrating account update tasks into the employee exit process.
- The IT team should use multi-factor authentication (MFA) for admin accounts. This means setting up an additional step when logging in, like a mobile app code, besides the password itself.
Audit / evidence tips
- Ask for the password policy document: Request the official policy on password requirements for admin accounts. Good policy will have a clear requirement for long, complex passwords that are changed regularly.
- Ask for a recent admin user list with access dates: Check when each admin last changed their password. Good practice is shown by recent password changes that comply with the organisation's policy.
- Ask for a record of MFA implementation for admin accounts: Review documents showing which admin accounts have MFA enabled.
- Ask for access audit logs: Review logs detailing who accessed admin accounts and when. Good logs show regular reviews of who is accessing sensitive accounts and any unusual login attempts.
- Ask for the process document for handling admin account changes post-employment: Check that this process includes steps for promptly changing passwords when someone leaves. Good practice means all admin accounts have updated passwords within a day of employee departure.
Cross-framework mappings
How ISM-1953 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.17 | ISM-1953 mandates that credentials for the built-in Administrator account in each domain are long, unique, unpredictable and managed | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-RA-ML2.5 | ISM-1953 requires credentials for the built-in Administrator account in each domain to be long, unique, unpredictable and managed | |
| Supports (2) | | |
| E8-RA-ML2.7 | ISM-1953 focuses on ensuring the built-in domain Administrator credentials are strong (long, unique, unpredictable) and properly managed | |
| E8-RA-ML3.2 | ISM-1953 requires strong, unique and managed credentials for the built-in Administrator account in each domain | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.