ISM-2115 | policy | ASD Information Security Manual (ISM)

Restrict Server Application Extensions to an Approved Set

Only extensions (add-on components) that your organisation has formally approved may be installed and run in your server applications.


Plain language

Many server applications (the programs running on your business servers, such as web servers and database tools) can be expanded with "extensions", extra add-on components that add features. This control says you should keep a list of which extensions your organisation has approved, and block any that are not on that list. This matters because unapproved or unknown extensions are a common way attackers sneak harmful code onto your servers, so limiting them to a trusted, approved set shrinks the ways your systems can be attacked.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

June 2026

Control Stack last updated

19 June 2026

E8 maturity levels

N/A

Official control statement

Extensions for server applications are restricted to an organisation-approved set.

Why it matters

If server applications can run any extension, an attacker or careless install can add harmful add-on code to your servers, leading to compromised systems, stolen data, or downtime.


Operational notes

Keep the approved list current as business needs change, re-check installed extensions against it on a regular schedule, and remove extensions that are no longer needed or supported.


Implementation tips

  • The IT manager should create a written, approved list of server application extensions, naming each allowed extension and the business reason it is needed, and have a senior person such as the business owner or board sign off on that list.
  • The system administrator should configure each server application so that only the extensions on the approved list can load, using the application's built-in settings (for example an allow-list, or by removing install permissions from everyone else).
  • Whoever manages the servers should run a check across all servers to find extensions already installed, compare them against the approved list, and remove or disable any extension that is not approved.
  • The IT manager should set up a simple request-and-approval process so that when staff need a new extension they submit it for review, and it is only added to a server once it has been added to the approved list.
  • The system administrator should schedule a regular review (for example every quarter) to re-check installed extensions against the approved list and remove ones that are no longer needed or supported.
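The inventory-and-compare step above (find what is installed on each server, compare it with the approved list, flag anything extra, and notice approved entries that are no longer used at review time) can be scripted. The following is an added example, not code from the ISM or from the Control Stack page. It assumes a small in-memory approved list standing in for the signed-off document, and constructed per-server inventories written in the style of an Apache httpd `httpd -M` module listing; both the server names and the module lists are made up for illustration.

```python
"""
Added example (not from the ISM or the Control Stack page): compare the
extensions actually loaded on each server against an organisation-approved
list, report unapproved extras per server, and report approved entries that
are installed nowhere (candidates for removal at the quarterly review).

Assumptions, all constructed for illustration:
- APPROVED stands in for the signed-off approved list (name, business reason,
  approver).
- INVENTORIES holds text in the style of `httpd -M` ("Loaded Modules:"
  followed by one " name (static|shared)" line per module).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed approved list: extension -> business reason and approver.
APPROVED = {
    "core_module":    {"reason": "required by httpd",            "approved_by": "IT manager"},
    "so_module":      {"reason": "required by httpd",            "approved_by": "IT manager"},
    "ssl_module":     {"reason": "TLS for customer portal",      "approved_by": "IT manager"},
    "headers_module": {"reason": "security response headers",   "approved_by": "IT manager"},
    "rewrite_module": {"reason": "legacy URL redirects",         "approved_by": "IT manager"},
}

# Constructed sample inventories imitating `httpd -M` output; not real servers.
INVENTORIES = {
    "web-01": """Loaded Modules:
 core_module (static)
 so_module (static)
 ssl_module (shared)
 headers_module (shared)
""",
    "web-02": """Loaded Modules:
 core_module (static)
 so_module (static)
 ssl_module (shared)
 headers_module (shared)
 cgi_module (shared)
 status_module (shared)
""",
}


def parse_module_listing(text: str) -> Set[str]:
    """Extract module names from a 'Loaded Modules:' style listing.

    Blank lines and the header line (ending in ':') are skipped; the first
    whitespace-separated token of every other line is the module name.
    """
    modules: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        modules.add(line.split()[0])
    return modules


@dataclass
class DriftReport:
    # server -> installed extensions that are not on the approved list
    unapproved: Dict[str, List[str]] = field(default_factory=dict)
    # approved extensions that are not installed on any server
    unused_approved: List[str] = field(default_factory=list)


def check_drift(inventories: Dict[str, str], approved: Dict[str, dict]) -> DriftReport:
    """Compare every server's installed set with the approved set."""
    approved_set = set(approved)
    report = DriftReport()
    seen: Set[str] = set()
    for server, listing in inventories.items():
        installed = parse_module_listing(listing)
        seen |= installed
        extras = sorted(installed - approved_set)
        if extras:
            report.unapproved[server] = extras
    report.unused_approved = sorted(approved_set - seen)
    return report


def main() -> None:
    report = check_drift(INVENTORIES, APPROVED)
    for server, extras in report.unapproved.items():
        for ext in extras:
            print(f"UNAPPROVED on {server}: {ext} (disable it or submit it for approval)")
    for ext in report.unused_approved:
        print(f"REVIEW: {ext} is approved ('{APPROVED[ext]['reason']}') but installed nowhere")
    if not report.unapproved:
        print("All installed extensions are on the approved list.")


if __name__ == "__main__":
    main()
```

Run as-is, the script flags `cgi_module` and `status_module` on `web-02` as unapproved and lists `rewrite_module` as approved but unused. The output of a run, dated and filed, is the kind of inventory-versus-list evidence an auditor asks for; the unused-approved list feeds the scheduled review of the approved list itself.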

Audit / evidence tips

  • Ask: for the organisation's approved list of server application extensions. Look at: whether it names specific extensions, gives a business reason for each, and has been signed off by someone with authority. Good: a current, dated list with clear ownership and approval.
  • Ask: how the server applications are configured to block extensions that are not approved. Look at: the actual application settings or allow-list configuration on a sample server. Good: shows the technical restriction is switched on, not just written in a policy.
  • Ask: for a recent scan or inventory of extensions actually installed on the servers. Look at: whether every installed extension also appears on the approved list. Good: shows the installed set matches the approved set with no unexplained extras.
  • Ask: how a new extension gets approved and added to a server. Look at: a real example of a request that was reviewed, approved, and added to the list. Good: shows a documented request-and-approval trail rather than ad hoc installs.
  • Ask: when the approved list was last reviewed and who did it. Look at: review dates, notes, and any extensions that were removed. Good: shows a recent review on a regular schedule with evidence that unneeded extensions were taken out.

Cross-framework mappings

How ISM-2115 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Partially overlaps (1)
  • E8-AC-ML1.3: ISM-2115 requires server application extensions to be restricted to an organisation-approved set to prevent unauthorised add-ons from bei...

Supports (4)
  • E8-AC-ML2.1: ISM-2115 requires restricting server application extensions to an organisation-approved set to reduce the attack surface on servers
  • E8-AC-ML2.2: ISM-2115 requires that server application extensions are limited to an approved set, reducing the likelihood of malicious or shadow IT ad...
  • E8-AC-ML2.4: ISM-2115 requires organisations to control which server application extensions are permitted by maintaining an approved set
  • E8-AC-ML3.1: ISM-2115 requires that only organisation-approved extensions are permitted within server applications

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
