Essential Eight #4: Restrict Administrative Privileges

This article is the fourth in an eight-part series examining the Australian Cyber Security Centre’s Essential Eight — a baseline set of mitigation strategies recommended for all Australian organisations.


The first three Essential Eight strategies focus on preventing attackers from gaining access — through unpatched vulnerabilities or stolen credentials. The fourth strategy acknowledges a harder reality: some attacks will succeed. When they do, the damage an attacker can cause depends heavily on whose account they have compromised. Restricting administrative privileges is about ensuring that a successful intrusion does not automatically become a catastrophic one.

What the Strategy Requires

Administrative privileges grant the ability to change system configurations, install software, create accounts, access all data, and — critically — disable security controls. These are capabilities that most users never need and most attackers always want.

The ACSC’s guidance is built on the principle of least privilege: every user and every account should have only the access required to perform their specific role, and no more. In practice, this means creating separate accounts for administrative tasks, distinct from the accounts used for everyday work such as email and web browsing. An administrator should not read their email from the same account they use to manage servers.

Technical controls should enforce this separation — preventing privileged accounts from accessing email clients, web browsers, and internet services. At higher maturity levels, administrative activities should be conducted through dedicated jump servers or privileged access workstations, isolated from the general network.

The ACSC is explicit about approaches that do not satisfy this strategy: simply reducing the number of admin accounts, using shared non-attributable admin credentials, or temporarily elevating standard accounts are all considered insufficient. Accounts must be individual, attributable, and scoped to specific roles.

Why Privileged Accounts Are the Primary Target

Once inside a network, attackers seek privilege escalation — the ability to move from a limited foothold to control over the broader environment. Administrative accounts are the objective because they provide that control. They can disable endpoint protection, exfiltrate data, deploy ransomware, and erase evidence.

In the 2020 SolarWinds supply chain attack, the intrusion was able to propagate across thousands of organisations in part because compromised accounts had broad administrative access. The initial foothold, however obtained, was transformed into systemic compromise through the abuse of privileged credentials.

At the SMB level, the pattern is typically simpler: a user with local administrator rights on their workstation clicks a malicious link, and the malware that executes has immediate access to install itself, disable defences, and establish persistence — because the user’s account had more privileges than their role required.

The Operational Challenge

Restricting administrative privileges is widely acknowledged as one of the more operationally demanding Essential Eight controls to implement. It requires a clear understanding of which roles require which privileges, the creation and management of separate accounts, and technical controls to enforce the separation.

It also requires cultural change. Users accustomed to having local admin rights on their machines will experience friction when those rights are removed. That friction is the point — it applies equally to malware attempting to execute with elevated permissions.

For SMBs, the practical starting point is straightforward: audit who currently has administrative access, remove it where it is not genuinely required, and ensure that those who do require it use separate, dedicated accounts for administrative tasks.
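One way to perform that first audit step, as an added example that is not from the article or the ACSC: enumerate the local Administrators group on each workstation over PowerShell remoting and flag any member that is not on an approved, role-scoped list. It assumes WinRM is enabled on the targets and that the caller has rights to query them; the host names and the allow-list are constructed sample values.

```powershell
# Added example (not from the article): audit local Administrators membership on
# Windows workstations and report members that are not on an approved list.
# Assumptions: WinRM remoting enabled; caller has remote admin rights; the host
# names and allow-list below are constructed sample values.

$Hosts = @('WS-FINANCE-01', 'WS-SALES-02')      # constructed sample host names
$ApprovedAdmins = @(                             # constructed allow-list of role-scoped groups
    'CORP\Domain Admins',
    'CORP\WS-LocalAdmins'
)

function Get-LocalAdminReport {
    param(
        [string[]]$ComputerName,
        [string[]]$Approved
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-LocalGroupMember is in Microsoft.PowerShell.LocalAccounts (PowerShell 5.1+)
            $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators' |
                    Select-Object Name, ObjectClass, PrincipalSource
            }
        }
        catch {
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Computer = $computer
                Member   = $m.Name              # e.g. CORP\jsmith or WS-FINANCE-01\Administrator
                Type     = $m.ObjectClass       # User or Group
                Source   = $m.PrincipalSource   # Local or ActiveDirectory
                Approved = [bool]($Approved -contains $m.Name)
            }
        }
    }
}

$report = Get-LocalAdminReport -ComputerName $Hosts -Approved $ApprovedAdmins

# Everything not approved is a finding: an individual user account here usually
# means the everyday account carries admin rights and should be replaced with a
# separate, dedicated admin account (or removed outright).
$report | Where-Object { -not $_.Approved } | Format-Table -AutoSize

# After review, removal is one call per finding, run on the affected host:
#   Remove-LocalGroupMember -Group 'Administrators' -Member 'CORP\jsmith'
```

Run the report on a schedule and diff it against the previous run, since a member reappearing in the group is exactly the kind of change the strategy is meant to surface.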

Damage Limitation as a Security Principle — and an Amplifier of Every Other Control

The first three Essential Eight controls reduce the probability of a successful attack. Restricting administrative privileges reduces its impact when prevention fails. These are complementary objectives, and the ACSC’s framework reflects that by treating the strategy not as a prevention measure but as a limit on the blast radius of an incident.

However, this control should not be viewed in isolation. Its value is multiplicative across the entire Essential Eight framework. An attacker who compromises a standard user account and encounters application control, macro restrictions, and hardened browser settings faces significant resistance. The same attacker with administrative privileges can disable each of those controls in sequence. Conversely, strong privilege restriction means that a breach of any individual control does not automatically compromise the others.

Restricting administrative privileges is therefore both a damage limitation strategy and a force multiplier for every other Essential Eight control in place. A business that has applied the first three controls diligently but grants broad administrative privileges to all staff has built a layered defence with a single point of total failure.

The interdependence of all eight controls is a central principle of the Essential Eight framework. The ACSC recommends implementing all strategies at a consistent maturity level precisely because gaps in any one of them — including this one — undermine the value of the rest.


This series continues with Essential Eight #5: Application Control.

Further reading: ACSC Essential Eight, Luminol Cyber
