Guidelines for system hardening
221 controls in this part of the ASD ISM. Each control links to plain-English guidance, audit tips and cross-framework mappings.
Authentication hardening
ISM-0408
System Login Security Reminder Banner
ISM-0417
Use Passwords When Multi-Factor Authentication Isn't Supported
ISM-0418
Keep Physical Credentials Separate from Systems
ISM-0421
Require Minimum 15-Character Passwords for Security
ISM-0422
Ensuring Strong Passwords for TOP SECRET Systems
ISM-0428
Enforcement of Secure Session Locking Measures
ISM-0974
Implement Multi-factor Authentication for User Access
ISM-1055
Disable Insecure LAN Manager Authentication
ISM-1173
Use Multi-Factor Authentication for Privileged Users
ISM-1227
Randomly Generate User Account Credentials
ISM-1401
Implement Multi-Factor Authentication for Security
ISM-1402
Protecting Stored Credentials with Security Measures
ISM-1504
Implement Multi-factor Authentication
ISM-1505
Implement Multi-factor Authentication for Data Repositories
ISM-1546
Ensure User Authentication Before System Access
ISM-1557
Ensure Strong Passwords for SECRET Systems
ISM-1558
Ensure Secure Construction of Passwords
ISM-1559
Minimum Password Length for Secure Systems
ISM-1560
Ensure Strong Passwords for SECRET System Authentication
ISM-1561
Ensure Strong Passwords for TOP SECRET Systems
ISM-1590
Mandate Credential Changes Upon Compromise
ISM-1593
Verifying User Identity for New Credentials
ISM-1594
Secure Delivery of User Account Credentials
ISM-1595
Ensure Initial User Credentials Are Changed
ISM-1596
Avoid Reusing Credentials Across Systems
ISM-1597
Ensuring Credential Input Obscurity
ISM-1603
Disabling Vulnerable Authentication Methods
ISM-1619
Configure Service Accounts as Managed Service Accounts
ISM-1679
Use Multi-factor Authentication for Third-party Services
ISM-1680
Use Multi-Factor Authentication for Online Services
ISM-1681
Mandating Multi-Factor Authentication for Customer Services
ISM-1682
Enhance User Security with Phishing-resistant MFA
ISM-1683
Central Logging of Multi-factor Authentication Events
ISM-1685
Strengthening Passwords for Critical Accounts
ISM-1686
Enable Credential Guard for Credential Protection
ISM-1749
Limit Cached Credentials to Single Logon
ISM-1795
Set 30-Character Minimum for Key Administrator Passwords
ISM-1861
Enable Local Security Authority Protection
ISM-1872
Ensuring Phishing-Resistant Multi-Factor Authentication
ISM-1873
Enhance Security with Phishing-Resistant MFA
ISM-1874
Phishing-Resistant Multi-Factor Authentication for Customers
ISM-1875
Monthly Network Scans for Clear-Text Credentials
ISM-1892
Implement Multi-factor Authentication for Customer Services
ISM-1893
Enforcing Multi-Factor Authentication for User Security
ISM-1894
Ensuring Phishing-Resistant Multi-factor Authentication
ISM-1895
Log Single-factor Authentication Events
ISM-1896
Enable Memory Integrity for Credential Protection
ISM-1897
Enable Remote Credential Guard for Credential Protection
ISM-1919
Disable Non-MFA Authentication Protocols
ISM-1920
Prevent Self-enrollment on Untrusted Devices
ISM-1953
Ensure Strong Management of Admin Account Credentials
ISM-1954
Enforce Random Credentials for Administrator Accounts
ISM-1955
Regularly Change Compromised Credentials
ISM-1956
Regularly Update AD FS Certificates to Prevent Risks
ISM-1957
Ensure CA Servers Use Hardware Security Modules
ISM-1980
Avoid Using Credential Hints in Systems
ISM-2011
Restrict MFA Options to Phishing-resistant Only
ISM-2012
Ensure Secure Screen Locking on Systems
ISM-2076
Eliminating Security Questions for Authentication
ISM-2077
Avoid Email for Out-of-Band Authentication
ISM-2078
Ensure Passwords Are Not Common or Compromised
ISM-2079
Ensure Password Length is at Least 64 Characters
ISM-2080
No Password Complexity Requirements Enforced
ISM-2081
Enforce Use of All ASCII Characters in Passwords
Operating system hardening
ISM-0341
Disable Automatic Execution for Removable Media
ISM-0343
Disabling Unnecessary Access to Removable Media
ISM-0345
Disable External Interfaces for Direct Memory Access
ISM-0380
Disable Unneeded OS Accounts and Services
ISM-0382
Restrict Unprivileged User Actions on Applications
ISM-0383
Change Default OS User Accounts During Setup
ISM-0582
Central Logging of Windows Security Events
ISM-0843
Ensure Workstation Security with Application Control
ISM-0955
Implementing Application Control Measures
ISM-1034
Disable Legacy Authentication Methods in Networks
ISM-1341
Implement HIPS or EDR on Workstations
ISM-1392
Restrict File Modifications via Path Rules
ISM-1406
Use SOEs for Workstations and Servers
ISM-1407
Ensure Use of Current OS Versions
ISM-1408
Use 64-bit Operating Systems Where Supported
ISM-1409
Implement Restrictive OS Hardening Guidelines
ISM-1416
Implement Firewalls to Control Network Connections
ISM-1418
Disable Unnecessary Removable Media Access
ISM-1471
Utilise Publisher and Product Names in App Control
ISM-1490
Implement Application Control on Internet-Facing Servers
ISM-1491
Prevent Script Execution by Unprivileged Users
ISM-1492
Enable Exploit Protection in Operating Systems
ISM-1544
Implement Microsoft's Application Blocklist
ISM-1584
Prevent Unauthorised Changes to Security Settings
ISM-1588
Annual Review of Standard Operating Environments
ISM-1592
Prevent Unauthorised Application Installations by Users
ISM-1601
Implement Microsoft Attack Surface Reduction Rules
ISM-1608
Scan Third-Party SOEs for Malicious Code
ISM-1621
Disable or Remove Windows PowerShell 2.0
ISM-1622
Ensure PowerShell Uses Constrained Language Mode
ISM-1623
Centralised Logging of PowerShell Activities
ISM-1624
Protect PowerShell Script Block Logs
ISM-1654
Disable or Remove Internet Explorer 11
ISM-1655
Ensure .NET Framework 3.5 is Disabled or Removed
ISM-1656
Implement Application Control on Secure Servers
ISM-1657
Restrict Application Execution to Approved Set
ISM-1658
Restrict Execution of Drivers via Application Control
ISM-1659
Implement Microsoft's Vulnerable Driver Blocklist
ISM-1660
Central Logging of Application Events
ISM-1743
Choose Secure Operating System Vendors
ISM-1745
Enable Security Features for System Protection
ISM-1746
Restrict File System Permission Changes
ISM-1870
Implement Application Control for User Profiles and Folders
ISM-1871
Implement Application Control Exclusions for System Areas
ISM-1889
Central Logging of Command Line Events
ISM-1914
Ensure Operating Systems Have Approved Configurations
ISM-1976
Central Logging of Security Events on macOS
ISM-1977
Central Logging of Linux System Events
Server application hardening
ISM-1246
Apply Strict Server Application Hardening Guidelines
ISM-1247
Disable or Remove Unneeded Server Features
ISM-1249
Limit Server Application User Privileges
ISM-1250
Limit Server Application User Account Privileges
ISM-1260
Secure Server Applications by Changing Default Credentials
ISM-1620
Ensure Privileged Accounts are Secured in AD
ISM-1826
Select Vendors Committed to Secure Design for Servers
ISM-1827
Use Dedicated Admin Accounts for Domain Controllers
ISM-1828
Disable Print Spooler on AD DS Domain Controllers
ISM-1829
Prevent Password Storage in Group Policy Preferences
ISM-1830
Central Logging for Microsoft AD Server Activities
ISM-1832
SPN Configuration for Active Directory Accounts
ISM-1833
Limit Privileges for User Accounts in Active Directory
ISM-1834
Ensure No Duplicate SPNs in Active Directory
ISM-1835
Restrict Delegation of Privileged Active Directory Accounts
ISM-1836
Require Kerberos Pre-Authentication for User Accounts
ISM-1838
Restrict UserPassword Attribute in AD Accounts
ISM-1839
Secure Account Properties in Active Directory
ISM-1840
Prevent Reversible Encryption of User Passwords
ISM-1841
Restrict Domain Joining to Admin Users Only
ISM-1842
Use Privileged Accounts for Domain Machine Addition
ISM-1843
Annual Review of Unconstrained Delegation in AD Accounts
ISM-1844
Prevent Non-Controller Accounts from Delegating Services
ISM-1845
Disable User Security Group Access in Active Directory
ISM-1846
Restrict Pre-Windows 2000 Access Group Membership
ISM-1916
Ensure Server Application Configurations Are Approved
ISM-1926
Ensure Exclusive Usage of Microsoft AD Servers
ISM-1927
Restrict Access to Microsoft Active Directory Servers
ISM-1929
Ensure LDAP Signing on AD DS Domain Controllers
ISM-1930
Prevent Storing Passwords in Group Policy Preferences
ISM-1931
Ensure SID Filtering for Domain and Forest Trusts
ISM-1932
Limit Service Accounts with SPNs in Active Directory
ISM-1933
Restrict DCSync Permissions on Service Accounts
ISM-1934
Annual Review of DCSync Permissions
ISM-1935
Prevent Unconstrained Delegation in Domain Services
ISM-1936
Prevent Usage of sIDHistory in User Accounts
ISM-1937
Weekly Audit of sIDHistory in User Accounts
ISM-1938
Restrict Domain Computers Group in Active Directory
ISM-1943
Enforce Certificate and User Mapping in AD Services
ISM-1944
Configuration Changes in Active Directory Certificate Services
ISM-1945
Remove Enrollee Supplies Subject Flag from Templates
ISM-1946
Restrict Write Access to Certificate Templates
ISM-1947
Remove User Authentication from Extended Key Usages
ISM-1948
Approval for Certificate Template SANs in AD Services
ISM-1949
Use Dedicated Accounts for AD FS Administration
ISM-1950
Disable Soft Matching After Synchronisation
ISM-1951
Disable Hard Match Takeover in Microsoft Entra Connect
ISM-1952
Prevent Synchronisation of Privileged Accounts
ISM-1978
Centralised Logging for Server Application Events
ISM-1979
Central Logging for Security Events on Servers
ISM-2010
Ensure SPNs Use Strong Encryption in AD Services
Server Application Hardening
ISM-1245
Remove Temporary Files After Server Installation
ISM-1483
Use Latest Release of Internet-Facing Server Applications
ISM-1928
Encrypt Backups of Microsoft AD Servers
ISM-1939
Minimise Members in Privileged Security Groups
ISM-1940
Restrict Service Accounts from Privileged Groups
ISM-1941
Restrict Computer Accounts in Privileged Security Groups
ISM-1942
Domain Computers Group Privilege Restriction
ISM-2115
Restrict Server Application Extensions to an Approved Set
User application hardening
ISM-0938
Select Secure-by-Design Committed Vendors
ISM-1412
Web Browser Hardening with Strict Guidelines
ISM-1485
Prevent Web Browsers from Processing Ads
ISM-1486
Restrict Java Processing in Web Browsers
ISM-1487
Restrict Macro Editing to Privileged Users
ISM-1488
Blocking Internet-Originating Macros in Office Files
ISM-1489
Prevent Users from Changing Office Macro Security Settings
ISM-1542
Disable OLE in Microsoft Office for Security
ISM-1585
Prevent User Changes to Browser Security Settings
ISM-1667
Prevent Child Processes in Microsoft Office
ISM-1668
Prevent Microsoft Office from Creating Executable Files
ISM-1669
Prevent Microsoft Office from Injecting Code
ISM-1670
Prevent PDF Applications from Creating Child Processes
ISM-1671
Disabling Microsoft Office Macros for Unauthorised Users
ISM-1672
Enable Antivirus Scanning for Office Macros
ISM-1673
Prevent Win32 API Calls by Office Macros
ISM-1674
Ensuring Secure Execution of Microsoft Office Macros
ISM-1675
Prevent Enabling Untrusted Microsoft Office Macros
ISM-1748
Prevent Changes to Email Client Security Settings
ISM-1806
Change Default User Credentials During Setup
ISM-1823
Prevent Users from Changing Security Settings in Apps
ISM-1824
Prevent Changes to PDF Application Security Settings
ISM-1825
Ensure Security Configuration Is Immutable by Users
ISM-1859
Hardening Office Productivity Suites
ISM-1860
Harden PDF Applications Using ASD Guidance
ISM-1890
Ensure Macros Are Free of Malicious Code
ISM-1891
Restrict Non-V3 Signed Macros in Microsoft Office
ISM-1915
Ensure User Application Configurations are Approved
User Application Hardening
ISM-1235
Restrict User Application Extensions
ISM-1467
Use Latest Releases of User Applications
ISM-1470
Disable Unneeded Accounts, Components, Services and Application Functionality
ISM-1676
Validate Microsoft Office Trusted Publishers List At Least Annually
ISM-2110
Hardening User Applications with ASD and Vendor Guidance
ISM-2111
Remove Temporary Installation Files Post-Installation
ISM-2112
Disable AI Applications' Direct Access to External Public Data Sources
ISM-2113
AI Applications Flag Risky Actions for Approval
ISM-2114
Monitor Baselines for AI Application Performance
Virtualisation hardening
ISM-1460
Secure By Design Vendor Isolation Mechanisms
ISM-1461
Same Classification and Security Domain for Shared Isolation Hosts
ISM-1604
Harden Software Isolation Mechanisms Sharing Physical Computing Resources
ISM-1605
Harden the Operating System Beneath Software Isolation Mechanisms
ISM-1606
Patch Isolation Mechanisms and Underlying Operating Systems Promptly
ISM-1607
Integrity Monitoring and Logging for Isolation Mechanism
ISM-1848
Replace Unsupported Software-Based Isolation Mechanisms Sharing Physical Resources