ACSC Essential Eight, Restrict Administrative Privileges

Welcome to the Australian Cyber Security Centre (ACSC) Essential Eight series where we help decode the ACSC Essential Eight risk mitigation strategies and how they can strengthen your protection plan against cyberthreat attacks. To-date we have covered Application Control, Application Patching, Configure Microsoft Office Macro Settings, and User Application Hardening.

As you continue to strengthen your cyber defences and change your focus from preventing malware delivery and execution to limiting the extent of a cybersecurity incident, the ACSC has three recommendations under the Essential Eight banner. The first one is ‘restrict administrative privileges’.

Before we dive into this, let’s recap the purpose of this framework. The Essential Eight is a set of mitigation strategies to harden the MS Windows operating environment. These hardening strategies are essential to protect and defend the IT infrastructure. You can refer to the ACSC Strategies to Mitigate Cybersecurity Incidents framework and ACSC Information Security Manual (ISM) for information on additional strategies.

Why restrict administrative privileges

The primary objective of the ‘restrict administrative privileges’ strategy is to harden windows by minimising access to tools and resources based on defined requirements. This also prevents malicious actors from gaining easy access to the same tools. These tools and system components are often administrative and used to secure or manage the environment.

Despite the importance of implementing these controls, the resistance within the organisation can be high. Users like to be able to do what they want and will resist change. There could also be applications with technical debt that require administrative permissions.

Working to backfill the separation of privileged and unprivileged environments is also a significant challenge for SMBs. Much of this is technical—such as implementing jump boxes and restricting access. In addition, there are other challenges, including educating staff and users on why the change is occurring and getting their commitment to the technical and policy updates

The three maturity levels of restricting administrative privileges

The ACSC Essential Eight has three targeted maturity levels based on risk profiles. To determine your target profile, you will need a clear understanding of the risk profiles.

The strategies listed are taken directly from the ACSC Essential Eight Maturity Model (October 2021). Each maturity level builds on the foundation of the lower maturity level, where lower maturity level items need to be completed before progressing to the next level.


Restricting administrative privileges and the Information Security Manual (ISM)

As you continue to build out the security posture for you and your customers, you will likely be looking beyond the Essential Eight to a broader security framework like the ACSC Information Security Manual (ISM).

The following mapping of the Essential Eight to the ISM framework will assist in building clarity.



By using the Essential Eight as a guide to harden the environment and protect businesses, the separation of administrative rights is crucial not only at the user level but also within privileged environments. This strategy helps businesses manage insider risk, secure their environment, and limit the impact of a cyber incident.