
Disable all unnecessary services unless otherwise noted in a policy exception.

UCF ID: 00880
Control Type: Configuration
Status: Live



Supporting and supported controls:

This control directly supports:

  • Establish and maintain a system hardening standard and system hardening procedures. [UCF_CE_ID 00876]

This control has the following supporting controls:

  • Disable rquotad unless rquotad is absolutely necessary. [UCF_CE_ID 01473]
  • Disable telnet unless telnet use is absolutely necessary. [UCF_CE_ID 01478]
  • Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. [UCF_CE_ID 01479]
  • Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. [UCF_CE_ID 01485]
  • Disable Post Office Protocol unless its use is absolutely necessary. [UCF_CE_ID 01486]
  • Disable SQLServer processes unless SQLServer processes use is absolutely necessary. [UCF_CE_ID 01500]
  • Disable alerter unless alerter use is absolutely necessary. [UCF_CE_ID 01810]
  • Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. [UCF_CE_ID 01812]
  • Disable ClipBook unless ClipBook use is absolutely necessary. [UCF_CE_ID 01813]
  • Disable Fax Service unless Fax Service use is absolutely necessary. [UCF_CE_ID 01815]
  • Disable IIS admin service unless IIS admin service use is absolutely necessary. [UCF_CE_ID 01817]
  • Disable indexing service unless indexing service use is absolutely necessary. [UCF_CE_ID 01818]
  • Disable net logon unless net logon use is absolutely necessary. [UCF_CE_ID 01820]
  • Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. [UCF_CE_ID 01822]
  • Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. [UCF_CE_ID 01823]
  • Disable Routing and Remote Access unless Routing and Remote Access use is absolutely necessary. [UCF_CE_ID 01824]
  • Disable task scheduler unless task scheduler use is absolutely necessary. [UCF_CE_ID 01829]
  • Disable Terminal Services unless Terminal Services use is absolutely necessary. [UCF_CE_ID 01831]
  • Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. [UCF_CE_ID 01832]
  • Disable File Service Protocol. [UCF_CE_ID 02167]
  • Disable the License Logging Service unless it is absolutely necessary. [UCF_CE_ID 04282]
  • Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. [UCF_CE_ID 04285]
  • Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. [UCF_CE_ID 04286]
  • Disable Remote Administration Service unless remote administration management is absolutely necessary. [UCF_CE_ID 04287]
  • Disable remote installation unless remote installation is absolutely necessary. [UCF_CE_ID 04288]
  • Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. [UCF_CE_ID 04289]
  • Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. [UCF_CE_ID 04290]
  • Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. [UCF_CE_ID 04291]
  • Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. [UCF_CE_ID 04292]
  • Disable telephony services unless telephony services use is absolutely necessary. [UCF_CE_ID 04293]
  • Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. [UCF_CE_ID 04294]
  • Disable SSDP/UPnP unless SSDP/UPnP is absolutely necessary. [UCF_CE_ID 04315]
  • Configure the "ntpd service" setting to organizational standards. [UCF_CE_ID 04911]
  • Configure the "echo service" setting to organizational standards. [UCF_CE_ID 04912]
  • Configure the "netstat service" setting to organizational standards. [UCF_CE_ID 04913]
  • Configure the "chargen service" setting to organizational standards. [UCF_CE_ID 04914]
  • Configure the "tftpd service" setting to organizational standards. [UCF_CE_ID 04915]
  • Configure the "walld service" setting to organizational standards. [UCF_CE_ID 04916]
  • Configure the "rstatd service" setting to organizational standards. [UCF_CE_ID 04917]
  • Configure the "sprayd service" setting to organizational standards. [UCF_CE_ID 04918]
  • Configure the "rusersd service" setting to organizational standards. [UCF_CE_ID 04919]
  • Configure the "inn service" setting to organizational standards. [UCF_CE_ID 04920]
  • Configure the "font service" setting to organizational standards. [UCF_CE_ID 04921]
  • Configure the "ident service" setting to organizational standards. [UCF_CE_ID 04922]
  • Configure the "rexd service" setting to organizational standards. [UCF_CE_ID 04923]
  • Configure the "daytime service" setting to organizational standards. [UCF_CE_ID 04924]
  • Configure the "dtspc (cde-spc) service" setting to organizational standards. [UCF_CE_ID 04925]
  • Configure the "cmsd service" setting to organizational standards. [UCF_CE_ID 04926]
  • Configure the "ToolTalk service" setting to organizational standards. [UCF_CE_ID 04927]
  • Configure the "discard service" setting to organizational standards. [UCF_CE_ID 04928]
  • Configure the "vino-server service" setting to organizational standards. [UCF_CE_ID 04929]
  • Configure the "bind service" setting to organizational standards. [UCF_CE_ID 04930]
  • Configure the "nfsd service" setting to organizational standards. [UCF_CE_ID 04931]
  • Configure the "mountd service" setting to organizational standards. [UCF_CE_ID 04932]
  • Configure the "statd service" setting to organizational standards. [UCF_CE_ID 04933]
  • Configure the "lockd service" setting to organizational standards. [UCF_CE_ID 04934]
  • Configure the "decode sendmail alias" setting to organizational standards. [UCF_CE_ID 04935]
  • Configure the sendmail vrfy command, as appropriate. [UCF_CE_ID 04936]
  • Configure the sendmail expn command, as appropriate. [UCF_CE_ID 04937]
  • Configure .netrc with an appropriate set of services. [UCF_CE_ID 04938]
  • Enable NFS insecure locks as necessary. [UCF_CE_ID 04939]
  • Configure the "X server ac" setting to organizational standards. [UCF_CE_ID 04940]
  • Configure the "X server core" setting to organizational standards. [UCF_CE_ID 04941]
  • Configure the "X server nolock" setting to organizational standards. [UCF_CE_ID 04942]
  • Configure the "PAM console" setting to organizational standards. [UCF_CE_ID 04943]
  • Enable the rhnsd service as necessary. [UCF_CE_ID 04944]
  • Enable the yum-updatesd service as necessary. [UCF_CE_ID 04945]
  • Enable the autofs service as necessary. [UCF_CE_ID 04946]
  • Enable the ip6tables service as necessary. [UCF_CE_ID 04947]
  • Enable the iptables service as necessary. [UCF_CE_ID 04948]
  • Enable the syslog service as necessary. [UCF_CE_ID 04949]
  • Enable the auditd service as necessary. [UCF_CE_ID 04950]
  • Enable the logwatch service as necessary. [UCF_CE_ID 04951]
  • Enable the logrotate (syslog rotator) service as necessary. [UCF_CE_ID 04952]
  • Install or uninstall the telnet server package, only if absolutely necessary. [UCF_CE_ID 04953]
  • Enable the ypbind service as necessary. [UCF_CE_ID 04954]
  • Enable the ypserv service as necessary. [UCF_CE_ID 04955]
  • Enable the firstboot service as necessary. [UCF_CE_ID 04956]
  • Enable the gpm service as necessary. [UCF_CE_ID 04957]
  • Enable the irqbalance service as necessary. [UCF_CE_ID 04958]
  • Enable the isdn service as necessary. [UCF_CE_ID 04959]
  • Enable the kdump service as necessary. [UCF_CE_ID 04960]
  • Enable the mdmonitor service as necessary. [UCF_CE_ID 04961]
  • Enable the microcode_ctl service as necessary. [UCF_CE_ID 04962]
  • Enable the pcscd service as necessary. [UCF_CE_ID 04963]
  • Enable the smartd service as necessary. [UCF_CE_ID 04964]
  • Enable the readahead_early service as necessary. [UCF_CE_ID 04965]
  • Enable the readahead_later service as necessary. [UCF_CE_ID 04966]
  • Enable the messagebus service as necessary. [UCF_CE_ID 04967]
  • Enable the haldaemon service as necessary. [UCF_CE_ID 04968]
  • Enable the apmd service as necessary. [UCF_CE_ID 04969]
  • Enable the acpid service as necessary. [UCF_CE_ID 04970]
  • Enable the cpuspeed service as necessary. [UCF_CE_ID 04971]
  • Enable the network service as necessary. [UCF_CE_ID 04972]
  • Enable the hidd service as necessary. [UCF_CE_ID 04973]
  • Enable the crond service as necessary. [UCF_CE_ID 04974]
  • Install and enable the anacron service as necessary. [UCF_CE_ID 04975]
  • Enable the xfs service as necessary. [UCF_CE_ID 04976]
  • Install and enable the Avahi daemon service as necessary. [UCF_CE_ID 04977]
  • Enable the CUPS service as necessary. [UCF_CE_ID 04978]
  • Enable the hplip service as necessary. [UCF_CE_ID 04979]
  • Enable the dhcpd service as necessary. [UCF_CE_ID 04980]
  • Enable the nfslock service as necessary. [UCF_CE_ID 04981]
  • Enable the rpcgssd service as necessary. [UCF_CE_ID 04982]
  • Enable the rpcidmapd service as necessary. [UCF_CE_ID 04983]
  • Enable the nfs service as necessary. [UCF_CE_ID 04984]
  • Enable the rpcsvcgssd service as necessary. [UCF_CE_ID 04985]
  • Configure root squashing for all NFS shares, as appropriate. [UCF_CE_ID 04986]
  • Configure write access to NFS shares, as appropriate. [UCF_CE_ID 04987]
  • Configure the named service, as appropriate. [UCF_CE_ID 04988]
  • Configure the vsftpd service, as appropriate. [UCF_CE_ID 04989]
  • Install and enable the dovecot service, as appropriate. [UCF_CE_ID 04990]
  • Enable the smb service as necessary. [UCF_CE_ID 04991]
  • Enable the snmpd service as necessary. [UCF_CE_ID 04992]
  • Enable the calendar manager as necessary. [UCF_CE_ID 04993]
  • Enable the GNOME logon service as necessary. [UCF_CE_ID 04994]
  • Enable the WBEM services as necessary. [UCF_CE_ID 04995]
  • Enable the keyserv service as necessary. [UCF_CE_ID 04996]
  • Enable the Generic Security Service daemon as necessary. [UCF_CE_ID 04997]
  • Enable the volfs service as necessary. [UCF_CE_ID 04998]
  • Enable the smserver service as necessary. [UCF_CE_ID 04999]
  • Enable the mpxio-upgrade service as necessary. [UCF_CE_ID 05000]
  • Enable the metainit service as necessary. [UCF_CE_ID 05001]
  • Enable the meta service as necessary. [UCF_CE_ID 05003]
  • Enable the metaed service as necessary. [UCF_CE_ID 05004]
  • Enable the metamh service as necessary. [UCF_CE_ID 05005]
  • Enable the Local RPC Port Mapping Service as necessary. [UCF_CE_ID 05006]
  • Enable the Kerberos kadmind service as necessary. [UCF_CE_ID 05007]
  • Enable the Kerberos krb5kdc service as necessary. [UCF_CE_ID 05008]
  • Enable the Kerberos kpropd service as necessary. [UCF_CE_ID 05009]
  • Enable the Kerberos ktkt_warnd service as necessary. [UCF_CE_ID 05010]
  • Enable the sadmin service as necessary. [UCF_CE_ID 05011]
  • Enable the IPP listener as necessary. [UCF_CE_ID 05012]
  • Enable the serial port listener as necessary. [UCF_CE_ID 05013]
  • Enable the Smart Card Helper service as necessary. [UCF_CE_ID 05014]
  • Enable the Application Management service as necessary. [UCF_CE_ID 05015]
  • Enable the Resultant Set of Policy (RSoP) Provider service as necessary. [UCF_CE_ID 05016]
  • Enable the Network News Transport Protocol service as necessary. [UCF_CE_ID 05017]
  • Enable the network Dynamic Data Exchange service as necessary. [UCF_CE_ID 05018]
  • Enable the Distributed Link Tracking Server service as necessary. [UCF_CE_ID 05019]
  • Enable the RARP service as necessary. [UCF_CE_ID 05020]
  • Configure the ".NET Framework service" setting to organizational standards. [UCF_CE_ID 05021]
  • Enable the Network DDE Share Database Manager service as necessary. [UCF_CE_ID 05022]
  • Enable the Certificate Services service as necessary. [UCF_CE_ID 05023]
  • Configure the ATI hotkey poller service properly. [UCF_CE_ID 05024]
  • Configure the Interix Subsystem Startup service properly. [UCF_CE_ID 05025]
  • Configure the Cluster Service service properly. [UCF_CE_ID 05026]
  • Configure the IAS Jet Database Access service properly. [UCF_CE_ID 05027]
  • Configure the IAS service properly. [UCF_CE_ID 05028]
  • Configure the IP Version 6 Helper service properly. [UCF_CE_ID 05029]
  • Configure the Message Queuing service properly. [UCF_CE_ID 05030]
  • Configure the Message Queuing Down Level Clients service properly. [UCF_CE_ID 05031]
  • Configure the Message Queuing Triggers service properly. [UCF_CE_ID 05032]
  • Configure the Windows Management Instrumentation Driver Extensions service properly. [UCF_CE_ID 05033]
  • Configure the TCP/IP NetBIOS Helper Service properly. [UCF_CE_ID 05034]
  • Configure the Utility Manager service properly. [UCF_CE_ID 05035]
  • Configure the secondary logon service properly. [UCF_CE_ID 05036]
  • Configure the Windows Management Instrumentation service properly. [UCF_CE_ID 05037]
  • Configure the Workstation service properly. [UCF_CE_ID 05038]
  • Configure the Windows Installer service properly. [UCF_CE_ID 05039]
  • Configure the Windows System Resource Manager service properly. [UCF_CE_ID 05040]
  • Configure the WinHTTP Web Proxy Auto-Discovery Service properly. [UCF_CE_ID 05041]
  • Configure the Services for Unix Client for NFS service properly. [UCF_CE_ID 05042]
  • Configure the Services for Unix Server for PCNFS service properly. [UCF_CE_ID 05043]
  • Configure the Services for Unix Perl Socket service properly. [UCF_CE_ID 05044]
  • Configure the Services for Unix User Name Mapping service properly. [UCF_CE_ID 05045]
  • Configure the Services for Unix Windows Cron service properly. [UCF_CE_ID 05046]
  • Configure the Windows Media Services service properly. [UCF_CE_ID 05047]
  • Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. [UCF_CE_ID 05048]
  • Configure the Web Element Manager service properly. [UCF_CE_ID 05049]
  • Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. [UCF_CE_ID 05050]
  • Configure the Terminal Services Licensing service properly. [UCF_CE_ID 05051]
  • Configure the COM+ Event System service properly. [UCF_CE_ID 05052]
  • Configure the Event Log service properly. [UCF_CE_ID 05053]
  • Configure the Infrared Monitor service properly. [UCF_CE_ID 05054]
  • Configure the Services for Unix Server for NFS service properly. [UCF_CE_ID 05055]
  • Configure the System Event Notification Service properly. [UCF_CE_ID 05056]
  • Configure the NTLM Security Support Provider service properly. [UCF_CE_ID 05057]
  • Configure the Performance Logs and Alerts service properly. [UCF_CE_ID 05058]
  • Configure the Protected Storage service properly. [UCF_CE_ID 05059]
  • Configure the QoS Admission Control (RSVP) service properly. [UCF_CE_ID 05060]
  • Configure the Remote Procedure Call service properly. [UCF_CE_ID 05061]
  • Configure the Removable Storage service properly. [UCF_CE_ID 05062]
  • Configure the Server service properly. [UCF_CE_ID 05063]
  • Configure the Security Accounts Manager service properly. [UCF_CE_ID 05064]
  • Configure the Network Connections service properly. [UCF_CE_ID 05065]
  • Configure the Logical Disk Manager service properly. [UCF_CE_ID 05066]
  • Configure the Logical Disk Manager Administrative Service properly. [UCF_CE_ID 05067]
  • Configure the File Replication service properly. [UCF_CE_ID 05068]
  • Configure the Kerberos Key Distribution Center service properly. [UCF_CE_ID 05069]
  • Configure the Intersite Messaging service properly. [UCF_CE_ID 05070]
  • Configure the Remote Procedure Call locator service properly. [UCF_CE_ID 05071]
  • Configure the Distributed File System service properly. [UCF_CE_ID 05072]
  • Configure the Windows Internet Name Service service properly. [UCF_CE_ID 05073]
  • Configure the FTP Publishing Service properly. [UCF_CE_ID 05074]
  • Configure the Windows Search service properly. [UCF_CE_ID 05075]
  • Configure the Microsoft Peer-to-Peer Networking Services service properly. [UCF_CE_ID 05076]
  • Configure the Remote Shell service properly. [UCF_CE_ID 05077]
  • Configure the Simple TCP/IP service properly. [UCF_CE_ID 05078]
  • Configure the Print Services for Unix service properly. [UCF_CE_ID 05079]
  • Configure the File Shares service properly. [UCF_CE_ID 05080]
  • Configure the NetMeeting service properly. [UCF_CE_ID 05081]
  • Configure the Application Layer Gateway service properly. [UCF_CE_ID 05082]
  • Configure the Cryptographic Services service properly. [UCF_CE_ID 05083]
  • Configure the Help and Support Service properly. [UCF_CE_ID 05084]
  • Configure the Human Interface Device Access service properly. [UCF_CE_ID 05085]
  • Configure the IMAPI CD-Burning COM service properly. [UCF_CE_ID 05086]
  • Configure the MS Software Shadow Copy Provider service properly. [UCF_CE_ID 05087]
  • Configure the Network Location Awareness service properly. [UCF_CE_ID 05088]
  • Configure the Portable Media Serial Number Service service properly. [UCF_CE_ID 05089]
  • Configure the System Restore Service service properly. [UCF_CE_ID 05090]
  • Configure the Themes service properly. [UCF_CE_ID 05091]
  • Configure the Uninterruptible Power Supply service properly. [UCF_CE_ID 05092]
  • Configure the Upload Manager service properly. [UCF_CE_ID 05093]
  • Configure the Volume Shadow Copy Service properly. [UCF_CE_ID 05094]
  • Configure the WebClient service properly. [UCF_CE_ID 05095]
  • Configure the Windows Audio service properly. [UCF_CE_ID 05096]
  • Configure the Windows Image Acquisition service properly. [UCF_CE_ID 05097]
  • Configure the WMI Performance Adapter service properly. [UCF_CE_ID 05098]
  • Enable file uploads via vsftpd service, as appropriate. [UCF_CE_ID 05100]
  • Enable or disable the setroubleshoot service, as appropriate. [UCF_CE_ID 05540]
  • Enable or disable the mcstrans service, as appropriate. [UCF_CE_ID 05541]
  • Enable or disable the restorecond service, as appropriate. [UCF_CE_ID 05542]
  • Disable or remove sadmind unless use of sadmind is absolutely necessary. [UCF_CE_ID 06885]
  • Configure the "SNMP version 1" setting to organizational standards. [UCF_CE_ID 08976]
  • Configure the "xdmcp service" setting to organizational standards. [UCF_CE_ID 08985]



Authority documents complied with:



Asia and Pacific Rim Guidance

Portable computers and personal electronic devices that process classified information should have all unnecessary hardware and services disabled or removed. [§ 3.4.63, § 3.5.8, Australian Government ICT Security Manual (ACSI 33)]

T44: The organization shall minimize the number of connected devices, communication routes, and communications-related devices that can be accessed from external networks. The organization shall not connect unnecessary devices.
T44.2: The organization shall securely set up computers that are connected to an external network by stopping or restricting the use of operating system services, such as ftp, finger, and telnet, that are not used and limiting the amount of software that is installed on the computer to what is necessary.
[T44, T44.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition]

The organization should disable all protocols, permissions, functions, and features, unless they are required for the business operations. [¶ 26(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology]

The organization must develop a hardened Standard Operating Environment for servers and workstations that includes removing unnecessary software, operating system components, and hardware. [Control: 0380 Bullet 1, Australian Government Information Security Manual: Controls]

The organization should remove or disable unnecessary Database Management System software features and procedures. [Control: 1247, Australian Government Information Security Manual: Controls]

The organization should disable Database Management System software from reading local files from a server. [Control: 1251, Australian Government Information Security Manual: Controls]

The organization must disable open e-mail relaying, so e-mail servers only relay messages that originate inside the domain and messages destined for the domain. [Control: 0567, Australian Government Information Security Manual: Controls]

The organization should disable agent credential forwarding, if logins absent a passphrase for automated purposes are used for remote access to Secure Shell. [Control: 0487 Bullet 3, Australian Government Information Security Manual: Controls]

The organization must disable split tunneling when a Virtual Private Network is used to connect a mobile device to a system. [Control: 0705, Australian Government Information Security Manual: Controls]



Banking and Finance Guidance

Determine whether adequate inspection for, and removal of, unauthorized hardware and software takes place. [Exam Tier II Obj D.3, FFIEC IT Examination Handbook - Information Security]

The organization should strictly control the use of utility programs. [Pg 57, Exam Obj 10.1, FFIEC IT Examination Handbook - Development and Acquisition]

Have the unnecessary services on the web server been disabled and appropriate controls implemented? [IT - Member Online Services Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A]

Do the configuration policies and procedures include removing or disabling unnecessary network services and Operating System services? [IT - Networks Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A]

Are all unnecessary services shut down on the routers? [IT - Routers Q 31, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A]

Has network autoloading been disabled, unless the router absolutely needs to autoload the startup configuration from a Trivial File Transfer Protocol host? [IT - Routers Q 37, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A]



EU Guidance

[§ XI.5, OECD / World Bank Technology Risk Checklist, Version 7.3]

Have all unnecessary services on each client and server been disabled? [Table Row XIII.4, OECD / World Bank Technology Risk Checklist, Version 7.3]



General Guidance

The organization should run as few services as possible and ensure they are well protected. [Special Action 7.1, SANS Computer Security Incident Handling, Version 2.3.1]

The organization should restrict access to master passwords, powerful utilities, system configurations, Superuser functionality, and security devices. [Table Ref 8.2.2.i, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009]

On UNIX computers or Linux computers that transmit scoped data, are all unnecessary services and unused services turned off? [§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0]

On UNIX computers or Linux computers that process scoped data, are all unnecessary services and unused services turned off? [§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0]

On UNIX computers or Linux computers that store scoped data, are all unnecessary services and unused services turned off? [§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0]

On Windows systems that transmit scoped data, are unnecessary services and unused services turned off? [§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0]

On Windows systems that process scoped data, are unnecessary services and unused services turned off? [§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0]

On Windows systems that store scoped data, are unnecessary services and unused services turned off? [§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0]

When Windows Internet Information Services is used for web services, are unused services turned off on Internet Information Services servers? [§ G.21.2.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0]

Are service accounts disallowed for normal operations and monitored for usage? [§ H.3.4, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0]

For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are unnecessary/unused services turned off? [§ V.1.72.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0]

For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are unneeded hypervisor services (e.g. File-sharing) between the guest and the host Operating System disabled? [§ V.1.72.23, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0]

System / network monitoring activities should involve checking whether powerful utilities / commands have been disabled on attached hosts (e.g., by using a 'network sniffer'). [CF.10.05.05b, The Standard of Good Practice for Information Security]

Connections between servers (e.g., web servers) and back-office systems (e.g., application and database servers) should be restricted to only the services that are required by business applications. [CF.04.01.07b, The Standard of Good Practice for Information Security]

Servers should be configured to disable or restrict non-essential or redundant services (e.g., X Windows, open windows, fingerd, and web browsers). [CF.07.02.03a, The Standard of Good Practice for Information Security]

Servers should be configured to disable or restrict communication services that are inherently susceptible to abuse (e.g., tftp, rpc, rlogin, rsh, or Rexec). [CF.07.02.03b, The Standard of Good Practice for Information Security]

Servers should be configured to disable or restrict communication protocols that are prone to abuse (e.g., http, https, ssh, ftp, smtp, telnet, and uucp). [CF.07.02.03c, The Standard of Good Practice for Information Security]

Servers should be configured in accordance with documented standards / procedures, which should cover disabling or restricting unnecessary functions or services. [CF.07.02.01b, The Standard of Good Practice for Information Security]

Mobile devices should be subject to 'system hardening' by disabling unnecessary services and user accounts (e.g., guest). [CF.14.02.03b, The Standard of Good Practice for Information Security]

The organization should turn off services for projects or limited engagements when they are no longer needed. [Critical Control 11.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0]

The organization should turn unneeded services off for 30 days and uninstall them after 30 days. [Critical Control 11.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0]

The organization should restrict logical access to master passwords, powerful utilities, system configurations, Superuser functionality, and security devices. [Generally Accepted Privacy Principles and Criteria § 8.2.2 i, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria]

System / network monitoring activities should involve checking whether powerful utilities / commands have been disabled on attached hosts (e.g., by using a 'network sniffer'). [CF.10.05.05b, The Standard of Good Practice for Information Security, 2013]

Connections between servers (e.g., web servers) and back-office systems (e.g., application and database servers) should be restricted to only the services that are required by business applications. [CF.04.01.07b, The Standard of Good Practice for Information Security, 2013]

Servers should be configured to disable or restrict non-essential or redundant services (e.g., X Windows, open windows, fingerd, and web browsers). [CF.07.02.03a, The Standard of Good Practice for Information Security, 2013]

Servers should be configured to disable or restrict communication services that are inherently susceptible to abuse (e.g., tftp, rpc, rlogin, rsh, or Rexec). [CF.07.02.05b, The Standard of Good Practice for Information Security, 2013]

Servers should be configured to disable or restrict communication protocols that are prone to abuse (e.g., http, https, ssh, ftp, smtp, telnet, and uucp). [CF.07.02.05c, The Standard of Good Practice for Information Security, 2013]

Servers should be configured in accordance with documented standards / procedures, which should cover disabling or restricting unnecessary functions or services. [CF.07.02.01c, The Standard of Good Practice for Information Security, 2013]

Mobile devices should be subject to 'system hardening' by disabling unnecessary services and user accounts (e.g., guest). [CF.14.02.06b, The Standard of Good Practice for Information Security, 2013]

Servers should be configured to disable or restrict the 'auto-run' feature (e.g., from Compact Discs, Digital Video Disks and portable storage devices, and mounted / shared network folders). [CF.07.02.05g, The Standard of Good Practice for Information Security, 2013]



Healthcare and Life Science Guidance

CSR 2.1.4: The organization must disable all file system access that is not explicitly required for application, administrator, or system functionality.
CSR 10.7.9: The organization must disable all system services, ports, and network protocols that are not explicitly required for application and system functionality.
CSR 10.8.7: The organization must use automated mechanisms to centrally apply and verify configuration settings. The organization must review the information system annually or on an incremental basis where all parts are addressed in the year, to identify and eliminate all unnecessary services, ports, protocols, and/or functions.
CSR 10.8.8: The organization must specifically configure the system to prohibit and/or restrict the use of the protocols, ports, functions, and/or services listed in the NIST Common Vulnerabilities and Exposures (www.cve.mitre.org/cve/) and the SANS List of Vulnerabilities (www.sans.org/top20/). The organization must disable all network protocols that are not explicitly required for application and system functionality.
[CSR 2.1.4, CSR 10.7.9, CSR 10.8.7, CSR 10.8.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006]

Table F-2: For Windows 2003 Server, the organization must review all services for proper configuration and disable all unnecessary services.
Table F-3: For Windows 2000 Professional, the organization must disable all unnecessary services.
Table F-4: For Windows XP Professional, the organization must disable all unnecessary services.
Table F-8: For RedHat Linux, the organization must disable all standard services, except the ones needed for the system's role.
Table F-10: For Cisco IOS, the organization must disable all unnecessary services.
[Table F-2, Table F-3, Table F-4, Table F-8, Table F-10, CMS Business Partners Systems Security Manual, Rev. 10]



ISO Guidance

Utility programs are programs that may be able to override system and application controls. They should be restricted and controlled. If these system utilities are not needed, they should be disabled or removed. [§ 11.5.4, ISO 27002 Code of practice for information security management, 2005]

The service provider shall plan for the removal of any services that are to be removed. [§ 5.2 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition]



NIST Guidance

[§ 5.2, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002]

CM-7(1) Organizational records and documents should be examined on a regular basis to ensure all unnecessary functions, ports, protocols, and services have been disabled or removed from the system.
CM-7.2 Test the system to ensure all identified functions, ports, protocols, and services have been disabled or removed from the system.
[CM-7(1), CM-7.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A]

The organization should remove or permanently disable unnecessary services, applications, and user controls on all Bluetooth devices. [Table 4-3 Item 9, Table 4-4 Item 6, Guide to Bluetooth Security, NIST SP 800-121, September 2008]

Wireless interfaces, such as Bluetooth, WiFi, and infrared, should be disabled when not needed, and automatic connections to cellular data services should be turned off. If possible, unneeded functions should be removed to prevent them from being reactivated. Another option is to subscribe only to the services that are needed. For example, subscribing only to voice services prevents access to the Internet. [§ 4.1.6, § 4.1.8, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008]

The organization should periodically review the system to identify and eliminate unnecessary functions, ports, protocols, and/or services. [App F § CM-7(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53]

The organization must remove all unused and unnecessary functions and services from the Industrial Control System. [App I § SI-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53]

The organization should review the system on an organizationally defined period to identify and restrict any unnecessary protocols, ports, services, and/or functions. [SG.CM-7 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010]

The organization configures the information system to provide only essential capabilities. [CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4]

The organization configures the information system to provide only essential capabilities. [CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4]

The organization configures the information system to provide only essential capabilities. [CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4]

The organization configures the information system to provide only essential capabilities. [CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4]



Other Configuration Guidance

Services not needed for the operational use of the system must be disabled on all wireless clients. Non-required software and/or services that support remote access services must not be installed on remote access servers or network access servers. Non-required services that support remote access services must not be enabled on remote access servers or network access servers. [§ 4.1.5, § 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2]

§ 4.5.1 (MED0260: CAT II) The Information Assurance Officer/Network Security Officer, for all medical device VLAN access ports, in compliance with the Network Infrastructure STIG, shall disable trunking.
§ 6.1.2.2 (MED0660: CAT II) The Information Assurance Officer, for networked medical devices, will ensure services not intended for clinical function are disabled or uninstalled.
[§ 4.5.1 (MED0260: CAT II), § 6.1.2.2 (MED0660: CAT II), Medical Devices Security Technical Implementation Guide, Version 1, Release 1]



Payment Card Guidance

Harden an OS before it is used in production. Disable all unnecessary services in the configuration of the server. [§ 3-8, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003]

All services, daemons, and protocols required by the application or enabled should be examined. The payment application must not use or require the use of unnecessary and insecure services or protocols. [§ 5.4, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]

All unnecessary services and applications must be disabled, unless they have been justified and documented. [§ 2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0]

For a sample of system components, inspect enabled system services, daemons, and protocols. [§ 2.2.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0]

For a sample of system components, inspect enabled system services, daemons, and protocols. Verify that unnecessary or insecure services or protocols are not enabled, or are justified and documented as to appropriate use of the service. [§ 2.2.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0]

For a sample of system components, inspect enabled system services, daemons, and protocols. Verify that unnecessary or insecure services or protocols are not enabled, or are justified and documented as to appropriate use of the service. [§ 2.2.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0]

Only necessary services, protocols, or daemons for the function of the system must be enabled. [PCI DSS Requirements § 2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0]

Verify the system configuration standards include procedures for enabling only the necessary services, daemons, protocols, and others that are required for system functions. [Testing Procedures § 2.2.d Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3]

Inspect the enabled system services, protocols, and daemons from a sample of system components to verify only the necessary services and protocols are enabled. [Testing Procedures § 2.2.2.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3]

Interview personnel to verify the identified insecure services, protocols, and daemons that are enabled have been justified in accordance with the documented configuration standards. [Testing Procedures § 2.2.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3]

Review the services and the parameter files on a sample of systems to verify that telnet and other insecure remote login commands are not available for non-console access. [Testing Procedures § 2.3.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3]



System Configuration Guidance

Disable all standard services. [§ 2.1, The Center for Internet Security Solaris Benchmark, 1.5.0]

Disable all standard services. [§ 2.1, The Center for Internet Security HP-UX Benchmark, 1.4.2]

Disable all standard services. [§ 2.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.1.1]

The organization must disable all standard services. [§ 2.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.0.5]

Disable all standard services. [§ 2.1, The Center for Internet Security SuSE Linux Enterprise Server Benchmark, 2]

Disable all standard services. [§ 2.1, The Center for Internet Security Slackware Linux Benchmark, 1.1]

Disable all standard services. [§ 3.9, The Center for Internet Security AIX Benchmark, 1.0.1]

The organization must disable all standard services. [§ 2.1, The Center for Internet Security FreeBSD Benchmark, 1.0.5]

All services on the operating system are set to OFF by default. Only absolutely necessary services should be enabled. If possible, the services should be enabled only while they are being used and should be disabled as soon as the service is no longer needed. None of the services needs to be enabled in order to access files stored on a remote computer. Services are enabled and disabled in the Sharing preference pane by checking or unchecking the appropriate box on the "Services" tab. [§ 2.9, The Center for Internet Security Mac OS X Tiger Level I Security Benchmark, 1]

If unneeded services are enabled or left on the system, security issues could arise. Many of these services are not securely configured by default. Any unused or unnecessary services should be removed from the system. QuickFinder, a search engine for finding web data on the server, should be disabled or secured. If it is being used, the following settings should be set to secure it: AdminServlet.RequireSSL=TRUE; AdminServlet.Authenticate=TRUE; and Security.RequireHTTPS=TRUE. [§ 1.2, § 2.15, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1]

Disable all standard services which are normally enabled in the Solaris inetd.conf file. [§ 2.1, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0]

The system administrator should disable any network services which are not necessary for the operation of the network. These services are disabled in the inetd.conf file. [§ 4, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1]

During the installation process, deselect any packages, especially the X11 package, that are not going to be used. This reduces the risk of attackers using known vulnerabilities in unused packages to enter the system. If an upgrade from Mac OS X to Mac OS X 10.4 was performed, an adaptation of Mac OS 9, called Classic, will remain on the computer. If a new installation was performed, Mac OS 9 will not be located on the computer. Mac OS 9 should be removed from the computer if it is not needed. Mac OS 9 does not have the security features of Mac OS X. If Mac OS 9 is needed, it can be run from a CD or DVD. [Pg 22, Pg 33, Pg 87, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition]

Any unnecessary services should be disabled, unless there is a site requirement for specific services. If there is a requirement, then it should be documented and justified with the Information Assurance Officer. The following services should be disabled: Alerter; Application Layer Gateway Service; Application Management; ASP .NET State Service; Certificate Services; Client Service for NetWare; ClipBook; Cluster Service; COM+ System Application; DHCP Server; Distributed Link Tracking Client; Distributed Link Tracking Server; Distributed Transaction Coordinator; Error Reporting Service; Fax Service; File Server for Macintosh; FTP Publishing Service; Help and Support; HTTP SSL; Human Interface Device Access; IAS Jet Database Access; IIS Admin Service; IMAPI CD-Burning COM Service; Indexing Service; Infrared Monitor; Internet Authentication Service; IP Version 6 Helper Service; License Logging Service; Message Queuing; Message Queuing Down Level Clients; Message Queuing Triggers; Messenger; Microsoft POP3 Service; MSSQL$UDDI; MSSQLServerADHelper; .NET Framework Support Service; NetMeeting Remote Desktop Sharing; Network DDE; Network DDE DSDM; Network News Transport Protocol (NNTP); Portable Media Serial Number; Print Server for Macintosh; Print Spooler; Remote Access Auto Connection Manager; Remote Access Connection Manager; Remote Desktop Help Session Manager; Remote Installation; Remote Server Manager; Remote Server Monitor; Remote Storage Notification; Remote Storage Server; Resultant Set of Policy Provider; Routing and Remote Access; SAP Agent; Secondary Logon; Shell Hardware Detection; Simple Mail Transport Protocol (SMTP); Simple TCP/IP Services; Single Instance Storage Groveler; SNMP Service; SNMP Trap Service; Special Administration Console Helper; Task Scheduler; TCP/IP Print Server; Telephony; Telnet; Terminal Services; Terminal Services Licensing; Terminal Services Session Directory; Themes; Trivial FTP Daemon; Uninterruptible Power Supply; Upload Manager; Virtual Disk Service; WebClient; Web Element Manager; Windows Audio; Windows Firewall/Internet Connection Sharing (ICS); Windows Image Acquisition (WIA); Windows Internet Name Service (WINS); Windows Media Services; Windows System Resource Manager; WinHTTP Web Proxy Auto-Discovery Service; Wireless Configuration; and World Wide Web Publishing Service. [§ 5.2.2.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11]

Sites should disable all services, unless there is a site requirement for the service. If the service is enabled, it should be documented and justified and given to the Information Assurance Officer. [§ 5.2.2, § 5.2.2.1, DISA Windows XP Security Checklist, Version 6 Release 1.11]

The Access Control Lists (ACLs) for disabled services should have permissions set to Administrators: Full Control; System: Full Control; and Interactive: Read. The Internet Information System (IIS) should not be installed on the system. [§ 3.5.9 (2.014), § 3.12 (5.016), DISA Windows VISTA Security Checklist, Version 6 Release 1.11]



US Federal Security Guidance

The organization must implement and monitor the status of services minimization controls. [PE 15.j, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives]

Verify that unapproved IM clients / services are uninstalled or disabled on all operating systems. [ECIM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

The agency shall configure applications, Information Systems, and services to provide only the necessary capabilities. [§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2]

The agency shall prohibit and/or restrict the use of stated functions, ports, protocols, and services. [§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2]






Copyright 2005-2014 Unified Compliance Framework®. All rights reserved.
