| Identifier | Applicability | Guideline › Section | Description |
| --- | --- | --- | --- |
| ISM-1926 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory services | Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft Entra Connect servers are only used for their de… |
| ISM-1927 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory services | Access to Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft Entra Connect servers is limited to pr… |
| ISM-1928 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory services | Backups of Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft Entra Connect servers are encrypted, … |
| ISM-1929 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services domain controllers | Lightweight Directory Access Protocol signing is enabled on Microsoft AD DS domain controllers. |
| ISM-1930 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services domain controllers | Passwords are prevented from being stored in Group Policy Preferences. |
| ISM-1931 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services domain controllers | SID Filtering is enabled for domain and forest trusts. |
| ISM-1932 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | The number of service accounts configured with an SPN is minimised. |
| ISM-1933 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | Service accounts configured with an SPN do not have DCSync permissions. |
| ISM-1934 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | User accounts with DCSync permissions are reviewed at least annually, and those without an ongoing requirement for the permissions have them removed. |
| ISM-1935 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | Computer accounts are not configured for unconstrained delegation. |
| ISM-1936 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | The sIDHistory attribute for user accounts is not used. |
| ISM-1937 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | User accounts are checked at least weekly for the presence of the sIDHistory attribute. |
| ISM-1938 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services account hardening | The Domain Computers security group does not have write or modify permissions to any Microsoft Active Directory objects. |
| ISM-1939 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services security group memberships | The number of user accounts that are members of the Domain Admins, Enterprise Admins or other highly-privileged security groups is minimised. |
| ISM-1940 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services security group memberships | Service accounts are not members of the Domain Admins, Enterprise Admins or other highly-privileged security groups. |
| ISM-1941 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services security group memberships | Computer accounts are not members of the Domain Admins, Enterprise Admins or other highly-privileged security groups. |
| ISM-1942 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Domain Services security group memberships | The Domain Computers security group is not a member of any privileged or highly-privileged security groups. |
| ISM-1943 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Certificate Services | Strong mapping between certificates and users is enforced. |
| ISM-1944 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Certificate Services | The EDITF_ATTRIBUTESUBJECTALTNAME2 flag is removed from Microsoft AD CS CA configurations. |
| ISM-1945 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Certificate Services | The CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is removed from certificate templates. |
| ISM-1946 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Certificate Services | Unprivileged user accounts do not have write access to certificate templates. |
| ISM-1947 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Certificate Services | Extended Key Usages that enable user authentication are removed. |
| ISM-1948 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Certificate Services | CA Certificate Manager approval is required for certificate templates that allow a Subject Alternative Name to be supplied. |
| ISM-1949 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Active Directory Federation Services | Microsoft AD FS servers are administered using a dedicated service account that is not used to administer other systems. |
| ISM-1950 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Entra Connect | Soft matching between Microsoft AD DS and Microsoft Entra ID is disabled following initial synchronisation activities. |
| ISM-1951 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Entra Connect | Hard match takeover is disabled for Microsoft Entra Connect servers. |
| ISM-1952 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Microsoft Entra Connect | Privileged user accounts are not synchronised between Microsoft AD DS and Microsoft Entra ID. |
| ISM-1953 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Setting credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service accounts | Credentials for the built-in Administrator account in each domain are long, unique, unpredictable and managed. |
| ISM-1954 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Setting credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service accounts | Credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service accounts are randomly generated. |
| ISM-1955 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Changing credentials | Credentials for computer accounts are changed if: - they are compromised - they are suspected of being compromised - they have not been changed in the… |
| ISM-1956 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Changing credentials | Microsoft AD FS token-signing and encryption certificates are changed twice in quick succession if: - they are compromised - they are suspected of bei… |
| ISM-1957 | NC\|OS\|P\|S\|TS | Guidelines for System Hardening › Protecting credentials | Private keys for Microsoft AD CS CA servers are protected by a hardware security module. |
| ISM-1958 | NC\|OS\|P\|S\|TS | Guidelines for System Management › Separate privileged operating environments | User accounts with DCSync permissions cannot log on to unprivileged operating environments. |
| ISM-1959 | NC\|OS\|P\|S\|TS | Guidelines for System Monitoring › Event log details | To the extent possible, event logs are captured and stored in a consistent and structured format. |
| ISM-1960 | NC\|OS\|P\|S\|TS | Guidelines for System Monitoring › Event log monitoring | Event logs from internet-facing network devices are analysed in a timely manner to detect cyber security events. |
| ISM-1961 | NC\|OS\|P\|S\|TS | Guidelines for System Monitoring › Event log monitoring | Event logs from non-internet-facing network devices are analysed in a timely manner to detect cyber security events. |
| ISM-1962 | NC\|OS\|P\|S\|TS | Guidelines for Networking › Using the Server Message Block protocol | SMB version 1 is not used on networks. |
| ISM-1963 | NC\|OS\|P\|S\|TS | Guidelines for Networking › Network device event logging | Security-relevant events for internet-facing network devices are centrally logged. |
| ISM-1964 | NC\|OS\|P\|S\|TS | Guidelines for Networking › Network device event logging | Security-relevant events for non-internet-facing network devices are centrally logged. |
| ISM-1965 | NC\|OS\|P\|S\|TS | Guidelines for Gateways › Content checking | Files imported or exported via gateways or CDSs undergo content checking. |