Skip to content
arrow_back
boltEssential 8

Restrict admin privileges

29 controls in this part of theEssential Eight. Each control links to plain-English guidance, audit tips and cross-framework mappings.

E8-RA-ML1.1
Validating privileged access requests upon initial request
E8-RA-ML1.2
Dedicated privileged accounts for admin tasks
E8-RA-ML1.3
Prevent privileged accounts from accessing internet, email, and web services
E8-RA-ML1.4
Limit privileged accounts to essential online service access
E8-RA-ML1.5
Privileged users use separate privileged and unprivileged environments
E8-RA-ML1.6
Unprivileged accounts restricted from logging into privileged environments
E8-RA-ML1.7
Prevent privileged accounts from accessing unprivileged environments
E8-RA-ML2.1
Disable privileged access after 12 months without revalidation
E8-RA-ML2.2
Privileged access is disabled after 45 days of inactivity
E8-RA-ML2.3
Privileged environments are not virtualised within unprivileged environments
E8-RA-ML2.4
Conduct administrative activities through jump servers
E8-RA-ML2.5
Long, unique, and managed credentials for admin accounts
E8-RA-ML2.6
Privileged access events are centrally logged.
E8-RA-ML2.7
Centrally log privileged account and group management events
E8-RA-ML2.8
Event logs are protected from unauthorised changes and losses
E8-RA-ML2.9
Event logs are analysed promptly for security events
E8-RA-ML2.10
Timely analysis of cyber security events to identify incidents
E8-RA-ML2.11
Report cyber incidents to the CISO promptly
E8-RA-ML2.12
Report cyber security incidents to ASD promptly
E8-RA-ML2.13
Enact cyber incident response plan after an incident is identified
E8-RA-ML3.1
Limit privileged access to what is necessary for duties
E8-RA-ML3.2
Use Secure Admin Workstations for Administrative Tasks
E8-RA-ML3.3
Just-in-time administration is used for administering systems and applications.
E8-RA-ML3.4
Memory integrity functionality is enabled
E8-RA-ML3.5
Local Security Authority protection functionality is enabled
E8-RA-ML3.6
Enable Credential Guard for secure credential storage
E8-RA-ML3.7
Enable Remote Credential Guard functionality
E8-RA-ML3.8
Timely analysis of event logs from non-internet-facing servers
E8-RA-ML3.9
Timely analysis of workstation event logs for security events

Back to the full ASD Essential Eight control list, or browse the complete control library.