Privileged Access Management (PAM) Checklist for ACSC Essential Eight Maturity Level 3

Achieving ACSC Essential Eight Maturity Level 3 is no longer just an aspirational goal for Australian organizations. Driven by stringent cyber insurance requirements and government supply chain mandates, Level 3 is the new baseline. However, reaching this tier is notoriously difficult—particularly when it comes to the mitigation strategy of Restricting Administrative Privileges.

At Maturity Level 3, simply having a password manager is not enough. You must transition from static security configurations to an actively managed, Zero Trust architecture. If you are implementing Privileged Access Management (PAM) to achieve Essential Eight compliance, use this comprehensive checklist to secure your administrative environments, enforce Just-In-Time (JIT) access, and eliminate standing privileges.

The Role of PAM in the ACSC Essential Eight

Administrative privileges are the highest-value target for threat actors. When an attacker compromises a standard user account, the blast radius is limited. When they compromise an admin account, they can bypass security controls, deploy ransomware network-wide, and access sensitive data undetected.

The ACSC explicitly requires organizations to restrict administrative privileges to prevent privilege escalation and lateral movement. A robust PAM solution acts as the enforcement engine for this strategy, ensuring that administrative access is temporary, conditional, heavily monitored, and technically separated from day-to-day corporate environments.

The Essential Eight PAM Implementation Checklist (Maturity Level 3)

Maturity Level 3 requires an environment where privileges are ruthlessly minimized and continuously validated. Follow this phased checklist to align your IT operations with the ACSC requirements.

Phase 1: Complete Discovery and Auditing

Before you can protect privileged access, you must know where it exists. The first step to Level 3 compliance is achieving 100% visibility over your administrative footprint.

  • Audit all local and domain accounts: Identify every local admin, domain admin, and cloud root account across your environment.
  • Remove orphaned accounts: Terminate access for former employees or deprecated service accounts immediately.
  • Implement the 45-Day Rule: Configure automated policies to disable any privileged access to systems and applications after 45 days of inactivity.
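The discovery and 45-day inactivity steps above, as an added PowerShell example that is not part of the original article. It assumes the RSAT ActiveDirectory module on a domain-joined host; the group names are assumptions and should be replaced with the privileged groups in your own tiering model.

```powershell
# Added example: enumerate members of high-privilege AD groups and disable any
# account that has been inactive for more than 45 days (Essential Eight ML2/ML3).
# Group names below are assumptions; adjust them to your environment.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$InactivityDays   = 45
$Cutoff           = (Get-Date).AddDays(-$InactivityDays)

# Resolve nested membership once and de-duplicate users that sit in several groups.
$Members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}
$Members = $Members | Sort-Object -Property distinguishedName -Unique

$Report = foreach ($m in $Members) {
    # LastLogonDate is derived from the replicated lastLogonTimestamp, which can lag
    # by up to 14 days; that is fine for a 45-day threshold, not for hour-level decisions.
    $u    = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, Enabled, whenCreated
    $last = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }  # never logged on
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        LastActivity   = $last
        Inactive       = ($u.Enabled -and $last -lt $Cutoff)
    }
}

# Review the full privileged footprint first; this is the "100% visibility" evidence.
$Report | Sort-Object LastActivity | Format-Table -AutoSize

# Disable the inactive accounts. Remove -WhatIf once the report has been reviewed;
# stamping the description records the reason and date of the change for assessors.
foreach ($r in ($Report | Where-Object Inactive)) {
    $note = "Disabled $(Get-Date -Format o): >$InactivityDays days inactive (Essential Eight)"
    Set-ADUser -Identity $r.SamAccountName -Description $note -WhatIf
    Disable-ADAccount -Identity $r.SamAccountName -WhatIf
}
```

Run it as a scheduled task under a dedicated service account and keep the exported report alongside the change ticket, since the assessor will ask for proof that the rule fires automatically rather than on request.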

Phase 2: Implementing the Principle of Least Privilege (PoLP)

Level 3 explicitly requires that users are only granted the specific privileges necessary to execute their immediate duties. The era of the “Global Admin” is over.

  • Map roles to requirements: Assign privileges based strictly on technical requirements, not organizational hierarchy.
  • Separate operating environments: Privileged accounts (excluding local admins) must be technically restricted from logging into unprivileged environments (standard workstations). Conversely, unprivileged accounts cannot log into privileged environments.
  • Block internet access for admins: Privileged accounts must not be able to access the internet, read email, or browse web services. This removes the exposure of high-level credentials to drive-by downloads and phishing.

Phase 3: Enforcing Just-In-Time (JIT) Access

Standing privileges—where an IT worker is an admin 24/7, even while they sleep—are a critical vulnerability. Level 3 demands a dynamic approach to access.

  • Eliminate permanent admin rights: Default all IT staff to standard user accounts for their daily tasks.
  • Deploy time-bound elevation: Require users to request admin rights only when needed. Access should be granted for a specific timeframe (e.g., two hours) and automatically revoked when the window expires.
  • Require approval workflows: Ensure high-risk administrative tasks trigger an approval request to a secondary IT manager or security officer before JIT access is granted.
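The time-bound elevation described in Phase 3, as an added PowerShell example that is not part of the original article. It uses the Active Directory "Privileged Access Management Feature" (available from the Windows Server 2016 forest functional level) to make a group membership expire on its own; the user, group and ticket reference are assumed placeholder values.

```powershell
# Added example: grant a self-expiring membership of a privileged group so the
# elevation is revoked by AD itself when the window closes, with no cleanup job.
# Requires the forest-level PAM optional feature; user/group names are assumptions.
Import-Module ActiveDirectory

function Grant-TimeBoundAdmin {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Group,
        [int] $Hours = 2,
        [Parameter(Mandatory)] [string] $TicketReference   # approval record for the audit trail
    )

    # Without the optional feature the TTL is ignored and the membership would be permanent.
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Privileged Access Management Feature"'
    if (-not $feature -or -not $feature.EnabledScopes) {
        throw 'PAM optional feature is not enabled; refusing to create a standing membership.'
    }

    # Expiring link: AD removes the member when the TTL elapses, and Kerberos tickets
    # issued during the window are bounded by the remaining TTL.
    $ttl = New-TimeSpan -Hours $Hours
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl

    [pscustomobject]@{
        User      = $User
        Group     = $Group
        ExpiresAt = (Get-Date).Add($ttl)
        Ticket    = $TicketReference
    }
}

# List current members together with their remaining TTL, for the access review.
function Get-ExpiringMembers {
    param([Parameter(Mandatory)] [string] $Group)
    Get-ADGroup -Identity $Group -ShowMemberTimeToLive | Select-Object -ExpandProperty member
}

# Constructed values: a two-hour grant tied to an approval ticket.
Grant-TimeBoundAdmin -User 'jdoe' -Group 'Tier0-Operators' -Hours 2 -TicketReference 'CHG-PLACEHOLDER'
Get-ExpiringMembers -Group 'Tier0-Operators'
```

The function should only be callable from the approval workflow (for example a runbook triggered once the secondary approver signs off), so that the ticket reference is always present when the grant is logged.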

Phase 4: Mandating Phishing-Resistant MFA

Multi-Factor Authentication is a standalone Essential Eight strategy, but it deeply intersects with administrative privileges at Level 3.

  • Enforce MFA everywhere: All privileged access—whether local, domain, or cloud-based—must require MFA.
  • Upgrade to phishing-resistant methods: SMS codes and push notifications are insufficient for Level 3 admins. Implement hardware-backed security keys (like YubiKeys) or certificate-based authentication.

Phase 5: Continuous Logging and Session Monitoring

You cannot protect what you do not measure. Level 3 compliance requires you to prove that your PAM controls are actually working during an audit.

  • Centralize event logging: Ensure all privileged access events, privilege escalations, and configuration changes are logged centrally.
  • Protect the logs: Event logs must be protected from modification or deletion by threat actors attempting to cover their tracks.
  • Deploy session recording: For highly sensitive environments, implement video or keystroke recording of administrative sessions to provide absolute forensic accountability.

Top PAM Software Solutions for Australian IT Teams

Attempting to manage Essential Eight Level 3 compliance manually via spreadsheets and native Active Directory tools is nearly impossible. To enforce JIT access, automate password rotation, and record sessions, Australian enterprises typically deploy specialized software.

Top-tier solutions heavily utilized in the enterprise space include CyberArk, BeyondTrust, Delinea, and Microsoft Entra Privileged Identity Management (PIM). These platforms natively integrate the auditing, isolation, and automated revocation features required to satisfy strict ACSC assessors.

Conclusion & Next Steps

Securing administrative privileges is arguably the most culturally difficult phase of Essential Eight implementation because it introduces friction to your IT team’s daily workflow. However, it is also the most effective way to stop a localized malware infection from becoming a catastrophic, company-wide ransomware event.

To begin your journey to Maturity Level 3, start with visibility. Run a discovery scan on your network today to identify exactly how many standing admin accounts currently exist—the number is almost always higher than you think.
