Where these guidelines refer to security clearances, it applies to Australian security clearances or security clearances from a foreign government which are formally recognised by Australia.
Further information on access to government resources, including required security clearances, can be found in the Attorney-General’s Department’s Protective Security Policy Framework, Access to information policy.
Further information on access to highly sensitive government resources, including required briefings, can be found in the Government Security Committee’s Australian Government Security Caveat Guidelines. This publication is available from the Protective Security Policy GovTEAMS community or the Australian Security Intelligence Organisation by email.
Further information on restricting the use of privileged accounts can be found in the ACSC’s Restricting Administrative Privileges publication.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for System Monitoring.
Privileged accounts are considered to be those which can alter or circumvent a system’s controls. This can also apply to users who have only limited privileges, such as software developers, but can still bypass controls. A privileged account often has the ability to modify system configurations, account privileges, event logs and security configurations for applications.
Privileged users, and in some cases privileged service accounts, are often targeted by an adversary as they can potentially give full access to systems. As such, ensuring that privileged accounts do not have the ability to access the internet, email and web services minimises opportunities for these accounts to be compromised.
Finally, privileged access event logs, privileged account management event logs and privileged group management logs can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents. To facilitate such activities, privileged access event logs, privileged account management event logs and privileged group management logs should be captured and stored centrally.
Requests for privileged access to systems and applications are validated when first requested.
Privileged user accounts are prevented from accessing the internet, email and web services.
Privileged access events are logged.
Privileged account and group management events are logged.
Removing or suspending access to systems, applications and data repositories can prevent them from being accessed when there is no longer a legitimate business requirement for their use, such as when personnel change duties, leave an organisation or are detected undertaking malicious activities.
Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.
Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the Guidelines for Procurement and Outsourcing.
Further information on patching or updating operating systems can be found in the system patching section of the Guidelines for System Management.
Further information on securely configuring Microsoft Windows operating systems can be found in the ACSC’s Hardening Microsoft Windows 10 version 21H1 Workstations publication.
Further information on securely configuring Linux workstations and servers can be found in the ACSC’s Hardening Linux Workstations and Servers publication.
Further information on exploit protection functionality within Microsoft Windows is available from Microsoft.
Further information on implementing application control can be found in the ACSC’s Implementing Application Control publication.
Further information on Microsoft’s ‘ recommended block rules’ and ‘ recommended driver block rules’ are available from Microsoft.
Further information on the use of PowerShell can be found in the ACSC’s Securing PowerShell in the Enterprise publication.
Further information on the use of PowerShell by blue teams is available from Microsoft while further information on obtaining greater visibility through PowerShell logging is available from FireEye.
Further information on independent testing of security products’ ability to detect or prevent various stages of network intrusions is available from The MITRE Corporation.
Further information on independent testing of antivirus software is available from AV-Comparatives and AV-TEST.
Further information on the use of removable media can be found in the media usage section of the Guidelines for Media.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for System Monitoring.
Application control can be an effective way to not only prevent malicious code from executing on workstations and servers, but also to ensure only approved applications can execute. When developing application control rulesets, determining approved executables (e.g. .exe and .com files), software libraries (e.g. .dll and.ocx files), scripts (e.g. .ps1, .bat, .cmd, .vbs and .js files), installers (e.g. .msi, .msp and .mst files), compiled HTML (e.g. .chm), HTML applications (e.g. .hta), control panel applets (e.g. .cpl) and drivers based on business requirements is a more secure method than simply approving those already residing on a workstation or server. Furthermore, it is preferable that an organisation defines their own application control rulesets, rather than relying on those from application control vendors, and validate them on an annual or more frequent basis.
In implementing application control, an organisation should use a reliable method, or combination of methods, such as cryptographic hash rules, publisher certificate rules or path rules. Depending on the method chosen, further hardening may be required to ensure that application control mechanisms and application control rulesets cannot be bypassed by an adversary.
Finally, application control event logs can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents. To facilitate such activities, application control event logs should be captured and stored centrally.
Application control is implemented on workstations.
Application control is implemented on internet-facing servers.
Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.
Allowed and blocked execution events on workstations are logged.
Allowed and blocked execution events on internet-facing servers are logged.
PowerShell is a powerful scripting language developed by Microsoft and, due to its ubiquity and ease with which it can be used to fully control operating systems, is an important part of system administrator toolkits. However, PowerShell can also be a dangerous exploitation tool in the hands of an adversary.
In order to prevent attacks leveraging security vulnerabilities in earlier PowerShell versions, Windows PowerShell 2.0 should be disabled or removed from operating systems. Additionally, PowerShell’s language mode should be set to Constrained Language Mode to achieve a balance between security and functionality.
Finally, PowerShell event logs can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents. To facilitate such activities, PowerShell event logs should be captured and stored centrally.
Blocked PowerShell script execution events are logged.
Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the Guidelines for Procurement and Outsourcing.
Further information on patching or updating applications can be found in the system patching section of the Guidelines for System Management.
Further information on securely configuring Microsoft Office can be found in the ACSC’s Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016 publication.
Further information on configuring Microsoft Office macro settings can be found in the ACSC’s Microsoft Office Macro Security publication.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for System Monitoring.
When applications are deployed in their default state it can lead to an insecure operating environment that may allow an adversary to gain an initial foothold on networks. This can be especially risky for office productivity suites, web browsers, email clients, PDF software and security products as such applications are routinely targeted for exploitation. Many configuration settings exist within such applications to allow them to be configured in a secure state in order to minimise this security risk. As such, the ACSC and vendors often produce guidance to assist in hardening the configuration of such applications. Note, however, in situations where ACSC and vendor guidance conflicts, preference should be given to implementing ACSC hardening guidance.
ACSC or vendor hardening guidance for web browsers, Microsoft Office and PDF software is implemented.
Web browsers do not process Java from the internet.
Web browsers do not process web advertisements from the internet.
Internet Explorer 11 does not process content from the internet.
Microsoft Office is blocked from creating child processes.
Microsoft Office is blocked from creating executable content.
Microsoft Office is blocked from injecting code into other processes.
Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
PDF software is blocked from creating child processes.
Web browser, Microsoft Office and PDF software security settings cannot be changed by users.
Microsoft Office files can contain embedded code, known as a macro, written in the Visual Basic for Applications programming language. A macro can contain a series of commands that can be coded or recorded and replayed at a later time to automate repetitive tasks. Macros are powerful tools that can be easily created by users to greatly improve their productivity. However, an adversary can also create macros to perform a variety of malicious activities, such as assisting to compromise workstations in order to exfiltrate or deny access to data. To reduce this security risk, an organisation should disable Microsoft Office macros for users that do not have a demonstrated business requirement and secure their use for the remaining users that do.
Finally, Microsoft Office macro event logs can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents. To facilitate such activities, Microsoft Office macro event logs should be captured and stored centrally.
Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
Microsoft Office macros in files originating from the internet are blocked.
Microsoft Office macro antivirus scanning is enabled.
Microsoft Office macros are blocked from making Win32 API calls.
Microsoft Office macro security settings cannot be changed by users.
Allowed and blocked Microsoft Office macro execution events are logged.
The guidance within this section is equally applicable to all account types. This includes unprivileged accounts, privileged accounts, break glass accounts and service accounts. In addition, the guidance is equally applicable to interactive authentication and non-interactive authentication.
Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the Guidelines for Procurement and Outsourcing.
Further information on implementing multi-factor authentication can be found in the ACSC’s Implementing Multi-Factor Authentication publication.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for System Monitoring.
Further information on randomly generating passphrases (preferably using five dice rolls and a long word list) is available from the Electronic Frontier Foundation while a random dice roller is available from RANDOM.ORG.
Further information on group Managed Service Accounts in Microsoft Windows Server is available from Microsoft.
Further information on mitigating the use of stolen credentials can be found in the ACSC’s Mitigating the Use of Stolen Credentials publication.
Further information on mitigating the use of stolen credentials can also be found in Microsoft’s Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, Version 1 and 2 publication.
Multi-factor authentication uses two or more authentication factors. This may include:
Note, however, that if a memorised secret is written down, or stored in a document on a system, this becomes something that a user has rather than something a user knows.
Privileged users, users of remote access solutions and users with access to important data repositories are more likely to be targeted by an adversary due to their access. For this reason, it is especially important that multi-factor authentication is used for these accounts. In addition, multi-factor authentication is vital to any administrative activities as it can limit the consequences of a compromise by preventing or slowing an adversary’s ability to gain unrestricted access to assets. In this regard, multi-factor authentication can be implemented as part of jump server authentication where assets being administered do not support multi-factor authentication themselves.
When implementing multi-factor authentication, several different authentication factors can be implemented. Unfortunately, some authentication factors, such as biometrics or codes sent via Short Message Service, Voice over Internet Protocol or email, are more susceptible to compromise than others. For this reason, authentication factors that involve something a user has should be used as part of multi-factor authentication. Furthermore, for increased security, the use of verifier impersonation resistant authentication factors are recommended to protect against real-time phishing attacks.
Finally, multi-factor authentication event logs can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents. To facilitate such activities, multi-factor authentication event logs should be captured and stored centrally.
Multi-factor authentication is used to authenticate privileged users of systems.
Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.
Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.
Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
Successful and unsuccessful multi-factor authentication events are logged.
When local administrator accounts and service accounts use common usernames and credentials, it can allow an adversary that compromises credentials on one workstation or server to easily compromise other workstations and servers. As such, it is critical that credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
To provide additional security and credential management functionality for service accounts, Microsoft introduced group Managed Service Accounts to Microsoft Windows Server. In doing so, service accounts that are created as group Managed Service Accounts do not require manual credential management by system administrators, as the operating system automatically ensures that they are long, unique, unpredictable and managed. This ensures that service account credentials are secure, not misplaced or forgotten, and that they are automatically changed on a regular basis. However, in cases where the use of group Managed Service Accounts is not possible, credentials for service accounts should still be unique and unpredictable with a minimum length of 30 characters.
Written down credentials (e.g. memorised secrets), and dedicated devices that store or generate credentials (e.g. security keys, smart cards and one-time password tokens), when kept together with systems they are used to authenticate to can increase the likelihood of an adversary gaining unauthorised access to systems. For example, when smart cards are left on desks, one-time password tokens are left in laptop bags, security keys are left connected to computers or passphrases are written down and stuck to computer monitors. Furthermore, obscuring credentials as they are entered into systems can assist in protecting them against screen scrapers and shoulder surfers.
If storing credentials on systems, sufficient protection should be implemented to prevent them from being compromised. For example, credentials can be stored in a password manager or hardware security module, while credentials stored in a database should be hashed, salted and stretched. In addition, Windows Defender Credential Guard and Windows Defender Remote Credential Guard can be enabled to provide additional protection for credentials.
When using Microsoft Windows systems, cached credentials are stored in the Security Accounts Manager database and can allow a user to logon to a workstation they have previously logged onto even if the domain is not available. Whilst this functionality may be desirable from an availability perspective, this functionality can be abused by an adversary who can retrieve these cached credentials. To reduce this security risk, cached credentials should be limited to only one previous logon.
Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
System administration of cloud services brings unique challenges when compared to system administration of on-premises assets. Notably, responsibility for system administration of cloud services is often shared between service providers and their customers. As the system administration processes and procedures implemented by service providers are often opaque to their customers, customers should consider a service provider’s control plane to operate within a different security domain.
Further information on system administration can be found in the Australian Cyber Security Centre (ACSC)’s Secure Administration publication.
Further information on the use of privileged accounts can be found in the access to systems and their resources section of the Guidelines for Personnel Security.
Further information on multi-factor authentication can be found in the authentication hardening section of the Guidelines for System Hardening.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for System Monitoring.
Further information on network segmentation and segregation can be found in the network design and configuration section of the Guidelines for Networking.
One of the greatest threats to the security of networks is the compromise of privileged accounts. Providing a separate privileged operating environment for system administrators, in addition to their unprivileged operating environment, makes it much harder for administrative activities and privileged accounts to be compromised by an adversary.
Using different physical workstations is the most secure approach to separating privileged and unprivileged operating environments for system administrators. However, a virtualisation-based solution may be sufficient for separating privileged and unprivileged operating environments. In such cases, privileged operating environments should not be virtualised within unprivileged operating environments.
Privileged users use separate privileged and unprivileged operating environments.
Privileged operating environments are not virtualised within unprivileged operating environments.
Unprivileged accounts cannot logon to privileged operating environments.
Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
The security of administrative activities can be improved by segregating administrative infrastructure from the wider network. In doing so, the use of a jump server (also known as a jump host or jump box) can be an effective way of simplifying and securing administrative activities. Specifically, a jump server can provide filtering of network management traffic while also acting as a focal point to perform multi-factor authentication; store and manage administrative tools; and perform logging, monitoring and alerting activities. Finally, using separate jump servers for the administration of critical servers, high-value servers and regular servers can further assist in protecting these assets.
Administrative activities are conducted through jump servers.
Further information on system patching can be found in the ACSC’s Assessing Security Vulnerabilities and Applying Patches publication.
Further information on patching evaluated products can be found in the evaluated product usage section of the Guidelines for Evaluated Products.
Further information on cessation of support for Microsoft Windows operating systems, including potential compensating controls for use beyond their cessation date for support, can be found in the ACSC’s End of Support for Microsoft Windows 10 and End of Support for Microsoft Windows Server 2008 and Windows Server 2008 R2 publications.
To ensure that patches or updates are being applied to applications, operating systems, drivers and firmware, it is essential that an organisation regularly identifies all assets within their environment using an automated method of asset discovery, such as an asset discovery tool or a vulnerability scanner with equivalent functionality. Following asset discovery, identified assets can be scanned for missing patches or updates using a vulnerability scanner with an up-to-date vulnerability database. Ideally, vulnerability scanning should be conducted in an automated manner and take place at half the frequency in which patches or updates need to be applied. For example, if patches or updates are to be applied within two weeks of release then vulnerability scanning should be undertaken at least weekly.
An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.
A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
When patches or updates are released by vendors for security vulnerabilities, an organisation should apply them in a timeframe commensurate with the likelihood of attempted exploitation by an adversary. For example, by prioritising patches or updates for security vulnerabilities in internet-facing services and their operating systems, especially when exploitation code exists or active exploitation is occurring.
If no patches or updates are available for security vulnerabilities, mitigation advice from vendors, trusted authorities or security researchers may provide some protection until patches or updates are made available. Such mitigation advice may be published in conjunction with, or soon after, announcements made relating to security vulnerabilities. Mitigation advice may cover how to disable or block access to vulnerable functionality, how to reconfigure vulnerable functionality, or how to detect attempted or successful exploitation of vulnerable functionality.
If a patch or update is released for high assurance ICT equipment, the ACSC will conduct an assessment of the patch or update. Subsequently, if the patch or update is approved for deployment, the ACSC will provide guidance on the methods and timeframes in which it is to be applied.
Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.
Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month of release.
Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release.
When applications, operating systems, network devices and other ICT equipment reach their cessation date for support, an organisation will find it increasingly difficult to protect them against security vulnerabilities as patches, updates and other forms of support will no longer be made available by vendors. As such, unsupported applications, operating systems, network devices and other ICT equipment should be removed or replaced.
In planning for cessation of support, it is important to note that while vendors generally advise the cessation date for support of operating systems well in advance, some applications, network devices and other ICT equipment may cease to receive support immediately after newer versions are released.
Finally, when the immediate removal or replacement of unsupported applications, operating systems, network devices or other ICT equipment is not possible, compensating controls should be implemented until such time that they can be removed or replaced.
Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
Operating systems that are no longer supported by vendors are replaced.
Further information on preserving digital information is available from the National Archives of Australia.
Further information on business continuity and disaster recovery planning can be found in the Chief Information Security Officer section of the Guidelines for Cyber Security Roles.
To mitigate the security risk of losing system availability or important data as part of a ransomware attack, or other form of destructive attack, backups of important data, software and configuration settings should be performed and retained with a frequency and retention timeframe in accordance with an organisation’s business continuity requirements. In doing so, backups of all important data, software and configuration settings should be synchronised to enable restoration to a common point in time. Furthermore, it is essential that all backups are retained in a secure and resilient manner. This will ensure that should a system fall victim to a ransomware attack, or other form of destructive attack, important data will not be lost and, if necessary, systems can be quickly restored.
Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
Backups of important data, software and configuration settings are retained in a secure and resilient manner.
To mitigate the security risk of unauthorised access to backups, an organisation should ensure that access to backups is controlled through the use of appropriate access controls.
Unprivileged accounts cannot access backups belonging to other accounts.
Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.
To mitigate the security risk of backups being accidentally or maliciously modified or deleted, an organisation should ensure that backups are sufficiently protected from unauthorised modification and deletion through the use of appropriate access controls during their retention period.
Unprivileged accounts are prevented from modifying and deleting backups.
Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.
To ensure that backups can be restored when the need arises, and that any dependencies can be identified and managed beforehand, it is important that the restoration of important data, software and configuration settings from backups to a common point in time is tested in a coordinated manner as part of disaster recovery exercises.
Restoration of important data, software and configuration settings from backups to a common point of time is tested as part of disaster recovery exercises.