Prevent Unauthorised Access for DCSync Accounts
To maintain security, users with certain permissions can't access less secure systems.
Plain language
This control is about making sure that certain powerful user accounts, which can copy sensitive data from your systems, don't log into less secure computers where they might be more easily compromised. It's important because if these accounts are used in unsafe environments, hackers could gain access and steal or alter important data, putting your entire organisation at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
System administration
Official control statement
User accounts with DCSync permissions cannot logon to unprivileged operating environments.
Why it matters
If DCSync-capable accounts can log on to unprivileged hosts, attackers can steal AD credentials (e.g., hashes) and escalate domain compromise.
Operational notes
For DCSync accounts, deny interactive/RDP/local logon via GPO, enforce PAW/admin tiering, and allow only required AD replication rights.
Implementation tips
- IT team should restrict powerful account access: Set up the system so that accounts with special permissions for sensitive tasks can't log into everyday computers. This could involve configuring your servers to only accept these logins from secure and monitored devices.
- System administrators need to use separate accounts for daily tasks: Encourage them to have one account for everyday activities and another for highly sensitive tasks. This ensures that if their regular account gets compromised, the sensitive parts of the system remain secure.
- Organisation leaders should define high-risk accounts: Work with your IT team to identify which accounts need these restrictions. Clearly outline criteria to ensure only necessary accounts get these permissions to reduce potential security risks.
- IT support should regularly review logs: Check who has logged in with powerful accounts and from where. Automate alerts if such an account logs in from an unapproved location.
- Train all staff on security measures: Make sure everyone understands the importance of these accounts and what processes are in place to protect them. Regularly update training materials to reinforce policy adherence.
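The log review and alerting tip above, as an added example that is not part of the original page or of the ISM: it checks successful logon events (Event ID 4624) against an inventory of DCSync-capable accounts and approved privileged hosts. The account names, host names and CSV export layout are constructed assumptions.

```python
import csv
import io

# Assumed inventory (hypothetical names): accounts holding DCSync rights and
# the privileged hosts (PAWs, domain controllers) they may log on to.
DCSYNC_ACCOUNTS = {"svc-adsync", "adm-jsmith"}
PRIVILEGED_HOSTS = {"paw01", "dc01"}

# Windows logon types that represent local, RDP or cached interactive sessions.
INTERACTIVE_TYPES = {2: "Interactive", 7: "Unlock",
                     10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample: Security log events exported to CSV (assumed layout).
SAMPLE_EVENTS = r"""EventID,TimeCreated,Computer,TargetUserName,LogonType
4624,2026-03-19T08:01:12Z,PAW01.corp.example,CORP\adm-jsmith,2
4624,2026-03-19T08:14:40Z,WKS-114.corp.example,adm-jsmith@corp.example,10
4624,2026-03-19T08:15:02Z,WKS-114.corp.example,CORP\jsmith,2
4624,2026-03-19T09:30:55Z,DC01.corp.example,SVC-ADSync,3
4625,2026-03-19T09:41:00Z,WKS-200.corp.example,CORP\svc-adsync,2
4624,2026-03-19T10:02:19Z,FILE02.corp.example,CORP\svc-adsync,11
"""


def account_name(raw):
    """Reduce DOMAIN\\user or user@domain to a lower-case account name."""
    name = raw.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]


def find_violations(csv_text):
    """Return successful interactive logons (4624) by DCSync accounts on hosts
    outside the privileged set."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "4624":  # failed logons (4625) are out of scope here
            continue
        user = account_name(row["TargetUserName"])
        host = row["Computer"].strip().lower().split(".", 1)[0]  # FQDN -> short
        logon_type = int(row["LogonType"])
        if (user in DCSYNC_ACCOUNTS and logon_type in INTERACTIVE_TYPES
                and host not in PRIVILEGED_HOSTS):
            findings.append({"time": row["TimeCreated"], "account": user,
                             "host": host,
                             "logon_type": INTERACTIVE_TYPES[logon_type]})
    return findings
```

On the sample data, `find_violations(SAMPLE_EVENTS)` reports the RDP logon to WKS-114 and the cached interactive logon to FILE02, and ignores the PAW logon, the ordinary user account and the network logon on the domain controller.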
Audit / evidence tips
- Ask: a list of accounts with DCSync permissions. Verify the list includes only authorised personnel
  Good: includes a dated list with corresponding authorisation records
- Good: shows regular checks with no unapproved access
- Ask: policy documents defining access restrictions. Check if policies clearly mention the logon restrictions for sensitive accounts
  Good: an up-to-date document with clear, detailed policies
- Ask: evidence of security training sessions. Check that all personnel with access have completed training
  Good: a documented schedule with signatures or completion certificates
- Good: a well-documented process with checks and balances
Cross-framework mappings
How ISM-1958 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.3 | Annex A 5.3 requires conflicting duties and responsibilities to be segregated so that no single person can misuse end-to-end capability | |
| Related (1) | | |
| Annex A 8.2 | Annex A 8.2 requires privileged access rights to be restricted and managed, including controlling where and how highly privileged rights ... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| E8-RA-ML1.6 | E8-RA-ML1.6 requires preventing unprivileged accounts from logging on to privileged operating environments | |
| E8-RA-ML1.7 | E8-RA-ML1.7 requires that privileged accounts (excluding local administrator accounts) cannot log on to unprivileged environments | |
| E8-RA-ML3.1 | E8-RA-ML3.1 requires privileged access to be limited to only what is necessary for duties across systems, applications and data repositories | |
| Supports (2) | | |
| E8-RA-ML1.5 | E8-RA-ML1.5 requires privileged users to use separate privileged and unprivileged operating environments to reduce exposure of high-value... | |
| E8-RA-ML2.3 | E8-RA-ML2.3 mandates that privileged environments are not virtualised within unprivileged environments to reduce admin context exposure | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.