Configure the IP Version 6 Helper service properly., CC ID: 05029
Configure "Message Queuing service" to organizational standards., CC ID: 05030
Configure the Message Queuing Down Level Clients service properly., CC ID: 05031
Configure the Windows Management Instrumentation Driver Extensions service properly., CC ID: 05033
Configure the TCP/IP NetBIOS Helper Service properly., CC ID: 05034
Configure the Utility Manager service properly., CC ID: 05035
Configure the secondary logon service properly., CC ID: 05036
Configure the Windows Management Instrumentation service properly., CC ID: 05037
Configure the Workstation service properly., CC ID: 05038
Configure the Windows Installer service properly., CC ID: 05039
Configure the Windows System Resource Manager service properly., CC ID: 05040
Configure the WinHTTP Web Proxy Auto-Discovery Service properly., CC ID: 05041
Configure the Services for Unix Client for NFS service properly., CC ID: 05042
Configure the Services for Unix Server for PCNFS service properly., CC ID: 05043
Configure the Services for Unix Perl Socket service properly., CC ID: 05044
Configure the Services for Unix User Name Mapping service properly., CC ID: 05045
Configure the Services for Unix Windows Cron service properly., CC ID: 05046
Configure the Windows Media Services service properly., CC ID: 05047
Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly., CC ID: 05048
Configure the Web Element Manager service properly., CC ID: 05049
Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly., CC ID: 05050
Configure the Terminal Services Licensing service properly., CC ID: 05051
Configure the COM+ Event System service properly., CC ID: 05052
Configure the Event Log service properly., CC ID: 05053
Configure the Infrared Monitor service properly., CC ID: 05054
Configure the Services for Unix Server for NFS service properly., CC ID: 05055
Configure the System Event Notification Service properly., CC ID: 05056
Configure the NTLM Security Support Provider service properly., CC ID: 05057
Configure the Performance Logs and Alerts service properly., CC ID: 05058
Configure the Protected Storage service properly., CC ID: 05059
Configure the QoS Admission Control (RSVP) service properly., CC ID: 05060
Configure the Remote Procedure Call service properly., CC ID: 05061
Configure the Removable Storage service properly., CC ID: 05062
Configure the Server service properly., CC ID: 05063
Configure the Security Accounts Manager service properly., CC ID: 05064
Configure the "Network Connections" service to organizational standards., CC ID: 05065
Configure the Logical Disk Manager service properly., CC ID: 05066
Configure the Logical Disk Manager Administrative Service properly., CC ID: 05067
Configure the File Replication service properly., CC ID: 05068
Configure the Kerberos Key Distribution Center service properly., CC ID: 05069
Configure the Intersite Messaging service properly., CC ID: 05070
Configure the Remote Procedure Call locator service properly., CC ID: 05071
Configure the Distributed File System service properly., CC ID: 05072
Configure the Windows Internet Name Service service properly., CC ID: 05073
Configure the FTP Publishing Service properly., CC ID: 05074
Configure the Windows Search service properly., CC ID: 05075
Configure the Microsoft Peer-to-Peer Networking Services service properly., CC ID: 05076
Configure the Remote Shell service properly., CC ID: 05077
Configure Simple TCP/IP services to organizational standards., CC ID: 05078
Configure the Print Services for Unix service properly., CC ID: 05079
Configure the File Shares service to organizational standards., CC ID: 05080
Configure the NetMeeting service properly., CC ID: 05081
Configure the Application Layer Gateway service properly., CC ID: 05082
Configure the Cryptographic Services service properly., CC ID: 05083
Configure the Help and Support Service properly., CC ID: 05084
Configure the Human Interface Device Access service properly., CC ID: 05085
Configure the IMAPI CD-Burning COM service properly., CC ID: 05086
Configure the MS Software Shadow Copy Provider service properly., CC ID: 05087
Configure the Network Location Awareness service properly., CC ID: 05088
Configure the Portable Media Serial Number Service service properly., CC ID: 05089
Configure the System Restore Service service properly., CC ID: 05090
Configure the Themes service properly., CC ID: 05091
Configure the Uninterruptible Power Supply service properly., CC ID: 05092
Configure the Upload Manager service properly., CC ID: 05093
Configure the Volume Shadow Copy Service properly., CC ID: 05094
Configure the WebClient service properly., CC ID: 05095
Configure the Windows Audio service properly., CC ID: 05096
Configure the Windows Image Acquisition service properly., CC ID: 05097
Configure the WMI Performance Adapter service properly., CC ID: 05098
Enable file uploads via vsftpd service, as appropriate., CC ID: 05100
Disable or remove sadmind unless use of sadmind is absolutely necessary., CC ID: 06885
Configure the "SNMP version 1" setting to organizational standards., CC ID: 08976
Configure the "xdmcp service" setting to organizational standards., CC ID: 08985
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
funds transfer functions should be disabled or the relevant transaction limit(s) for high-risk funds transfers should be pre-set to zero when a new Internet banking account is first opened. Furthermore, the function or the limit(s) should also be reset to zero if they have not been used for a period… (§ 6.1.2(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
if cards are used as one of the factors for customer identity authentication in using the terminals, adequate security and controls should be implemented covering the issuance, activation, replacement and loss of cards. In addition, chip-based authentication on chip cards issued by AIs should be enf… (§ 7.3.2(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
funds transfer functions should be disabled or the relevant transaction limit(s) for high-risk funds transfers should be pre-set to zero when a new Internet banking account is first opened. For transaction limit(s) that allow high-value funds transfers to unregistered payees, consideration should be… (§ 6.1.2(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
T44: The organization shall minimize the number of connected devices, communication routes, and communications-related devices that can be accessed from external networks. The organization shall not connect unnecessary devices.
T44.2: The organization shall securely set up computers that are connect… (T44, T44.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
Hardening the firewall by removing all unnecessary services and appropriately patching, enhancing, and maintaining all software on the firewall unit (Critical components of information security 24) vii. a) ¶ 13 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
Unnecessary programmes and services: all unnecessary programs should be uninstalled, and all unnecessary services should be disabled. (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 1 ¶ 9 b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
Remove unused software and turn off unnecessary services from computers. (Annex A2: Security of Personal Computers & Other Computing Devices 17, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface. (Security Control: 1272; Revision: 1, Australian Government Information Security Manual, March 2021)
IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries. (Security Control: 1429; Revision: 2, Australian Government Information Security Manual, March 2021)
Unused physical ports on network devices are disabled. (Security Control: 0534; Revision: 2, Australian Government Information Security Manual, March 2021)
Unneeded operating system accounts, software, components, services and functionality are removed or disabled. (Security Control: 0380; Revision: 7, Australian Government Information Security Manual, March 2021)
agent credential forwarding (Security Control: 0487; Revision: 3; Bullet 3, Australian Government Information Security Manual, March 2021)
MAC address filtering is not used to restrict which devices can connect to wireless networks. (Control: ISM-1320; Revision: 2, Australian Government Information Security Manual, June 2023)
If only local access to a database is required, networking functionality of database management system software is disabled or directed to listen solely to the localhost interface. (Control: ISM-1272; Revision: 1, Australian Government Information Security Manual, June 2023)
Unneeded accounts, components, services and functionality of operating systems are disabled or removed. (Control: ISM-0380; Revision: 9, Australian Government Information Security Manual, June 2023)
Unneeded accounts, components, services and functionality of server applications are disabled or removed. (Control: ISM-1247; Revision: 4, Australian Government Information Security Manual, June 2023)
Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed. (Control: ISM-1470; Revision: 5, Australian Government Information Security Manual, June 2023)
MAC address filtering is not used to restrict which devices can connect to wireless networks. (Control: ISM-1320; Revision: 2, Australian Government Information Security Manual, September 2023)
If only local access to a database is required, networking functionality of database management system software is disabled or directed to listen solely to the localhost interface. (Control: ISM-1272; Revision: 1, Australian Government Information Security Manual, September 2023)
Unneeded accounts, components, services and functionality of operating systems are disabled or removed. (Control: ISM-0380; Revision: 9, Australian Government Information Security Manual, September 2023)
Unneeded accounts, components, services and functionality of server applications are disabled or removed. (Control: ISM-1247; Revision: 4, Australian Government Information Security Manual, September 2023)
Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed. (Control: ISM-1470; Revision: 5, Australian Government Information Security Manual, September 2023)
The organization must develop a hardened Standard Operating Environment for servers and workstations that includes removing unnecessary software, operating system components, and hardware. (Control: 0380 Bullet 1, Australian Government Information Security Manual: Controls)
The organization should remove or disable unnecessary Database Management System software features and procedures. (Control: 1247, Australian Government Information Security Manual: Controls)
The organization should disable Database Management System software from reading local files from a server. (Control: 1251, Australian Government Information Security Manual: Controls)
The organization must disable open e-mail relaying, so e-mail servers only relay messages that originate inside the domain and messages destined for the domain. (Control: 0567, Australian Government Information Security Manual: Controls)
The organization should disable agent credential forwarding, if logins absent a passphrase for automated purposes are used for remote access to Secure Shell. (Control: 0487 Bullet 3, Australian Government Information Security Manual: Controls)
The organization must disable split tunneling when a Virtual Private Network is used to connect a mobile device to a system. (Control: 0705, Australian Government Information Security Manual: Controls)
The organization should disable all protocols, permissions, functions, and features, unless they are required for the business operations. (¶ 26(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
Portable computers and personal electronic devices that process classified information should have all unnecessary hardware and services disabled or removed. (§ 3.4.63, § 3.5.8, Australian Government ICT Security Manual (ACSI 33))
If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? A description of the process is required. (A4.6, Cyber Essentials Scheme (CES) Questionnaire, Version 13)
Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification? (Firewalls Question 4, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
Where a debug interface is physically accessible, it shall be disabled in software. (Provision 5.6-4, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
Unnecessary network services are disabled. (5.2.3 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
The entity uses a combination of controls to restrict access to its information assets including data classification. The entity enforces logical separations of data structures and the segregation of incompatible duties applies device security hardening and security configuration policies, including… (S7.1 Restricts access to information assets, Privacy Management Framework, Updated March 1, 2020)
(§ XI.5, OECD / World Bank Technology Risk Checklist, Version 7.3)
Have all unnecessary services on each client and server been disabled? (Table Row XIII.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
During the installation process, deselect any packages, especially the X11 package, that are not going to be used. This reduces the risk of attackers using known vulnerabilities in unused packages to enter the system. If an upgrade from Mac OS X to Mac OS X 10.4 was performed, an adaptation of Mac O… (Pg 22, Pg 33, Pg 87, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
Ensure nonessential services are removed or masked Description: A network port is identified by its number, the associated IP address, and the type of the communication protocol such as TCP or UDP. A listening port is a network port on which an application or process listens on, acting as a communic… (2.4, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
Ensure nonessential services are removed or masked Description: A network port is identified by its number, the associated IP address, and the type of the communication protocol such as TCP or UDP. A listening port is a network port on which an application or process listens on, acting as a communic… (2.4, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
Disable all standard services. (§ 3.9, The Center for Internet Security AIX Benchmark, 1.0.1)
The organization must disable all standard services. (§ 2.1, The Center for Internet Security FreeBSD Benchmark, 1.0.5)
Disable all standard services. (§ 2.1, The Center for Internet Security HP-UX Benchmark, 1.4.2)
All services on the operating system are set to OFF by default. Only absolutely necessary services should be enabled. If possible, the services should be enabled only while they are being used and should be disabled as soon as the service is no longer needed. None of the services needs to be enabled… (§ 2.9, The Center for Internet Security Mac OS X Tiger Level I Security Benchmark, 1)
If unneeded services are enabled or left on the system, security issues could evolve. Many of these services are not securely configured by default. Any unused or unnecessary services should be removed from the system. QuickFinder, a search engine for finding web data on the server, should be disabl… (§ 1.2, § 2.15, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
The organization must disable all standard services. (§ 2.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.0.5)
Disable all standard services. (§ 2.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.1.1)
Disable all standard services. (§ 2.1, The Center for Internet Security Slackware Linux Benchmark, 1.1)
Disable all standard services. (§ 2.1, The Center for Internet Security Solaris Benchmark, 1.5.0)
Disable all standard services. (§ 2.1, The Center for Internet Security SuSE Linux Enterprise Server Benchmark, 2)
Harden an OS before it is used in production. Disable all unnecessary services in the configuration of the server. (§ 3-8, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
For a sample of system components, inspect enabled system services, daemons, and protocols. Verify that unnecessary or insecure services or protocols are not enabled, or are justified and documented as to appropriate use of the service. (§ 2.2.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
For a sample of system components, inspect enabled system services, daemons, and protocols. Verify that unnecessary or insecure services or protocols are not enabled, or are justified and documented as to appropriate use of the service. (§ 2.2.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
Verify the system configuration standards include procedures for enabling only the necessary services, daemons, protocols, and others that are required for system functions. (Testing Procedures § 2.2.d Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
Inspect the enabled system services, protocols, and daemons from a sample of system components to verify only the necessary services and protocols are enabled. (Testing Procedures § 2.2.2.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
Interview personnel to verify the identified insecure services, protocols, and daemons that are enabled have been justified in accordance with the documented configuration standards. (Testing Procedures § 2.2.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
Review the services and the parameter files on a sample of systems to verify that telnet and other insecure remote login commands are not available for non-console access. (Testing Procedures § 2.3.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
All unnecessary services and applications must be disabled, unless they have been justified and documented. (§ 2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
For a sample of system components, inspect enabled system services, daemons, and protocols. (§ 2.2.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
Only necessary services, protocols, or daemons for the function of the system must be enabled. (PCI DSS Requirements § 2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. (2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. (2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
Systems are configured per configuration standards, with all default passwords changed and unnecessary services disabled. (A3.2.2.1 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
Enable only necessary services, protocols, daemons, etc., as required for the function of the system. (2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
Do system configuration standards include all of the following:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts?
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (2.2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
Do system configuration standards include all of the following:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts?
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (2.2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
Do system configuration standards include all of the following:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts?
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (2.2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? (2.2.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
Do system configuration standards include all of the following:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts?
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (2.2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (2.2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (2.2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
Do system configuration standards include all of the following:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts?
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (2.2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
Do system configuration standards include all of the following:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts?
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (2.2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
Do system configuration standards include all of the following:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts?
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (2.2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
Do system configuration standards include all of the following:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts?
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (2.2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled. (2.2.2.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards. (2.2.2.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
All services, daemons, and protocols required by the application or enabled should be examined. The payment application must not use or require the use of unnecessary and insecure services or protocols. (§ 5.4, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
Examine settings for system components and authentication services to verify that insecure remote login services are not available for non-console administrative access. (2.2.7.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
Disabling USB debugging and disallowing untrusted sources should be enforced on an ongoing basis. As an additional defense-in-depth, the device should be monitored for jailbreaking or rooting activity, and when detected the device should be quarantined by a solution that either removes it from the … (¶ 5.4.3, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
System / network monitoring activities should involve checking whether powerful utilities / commands have been disabled on attached hosts (e.g., by using a 'network sniffer'). (CF.10.05.05b, The Standard of Good Practice for Information Security)
Connections between servers (e.g., web servers) and back-office systems (e.g., application and database servers) should be restricted to only the services that are required by business applications. (CF.04.01.07b, The Standard of Good Practice for Information Security)
Servers should be configured to disable or restrict non-essential or redundant services (e.g., X Windows, open windows, fingerd, and web browsers). (CF.07.02.03a, The Standard of Good Practice for Information Security)
Servers should be configured to disable or restrict communication services that are inherently susceptible to abuse (e.g., tftp, rpc, rlogin, rsh, or Rexec). (CF.07.02.03b, The Standard of Good Practice for Information Security)
Servers should be configured to disable or restrict communication protocols that are prone to abuse (e.g., http, https, ssh, ftp, smtp, telnet, and uucp). (CF.07.02.03c, The Standard of Good Practice for Information Security)
Servers should be configured in accordance with documented standards / procedures, which should cover disabling or restricting unnecessary functions or services. (CF.07.02.01b, The Standard of Good Practice for Information Security)
Mobile devices should be subject to 'system hardening' by disabling unnecessary services and user accounts (e.g., guest). (CF.14.02.03b, The Standard of Good Practice for Information Security)
System / network monitoring activities should involve checking whether powerful utilities / commands have been disabled on attached hosts (e.g., by using a 'network sniffer'). (CF.10.05.05b, The Standard of Good Practice for Information Security, 2013)
Connections between servers (e.g., web servers) and back-office systems (e.g., application and database servers) should be restricted to only the services that are required by business applications. (CF.04.01.07b, The Standard of Good Practice for Information Security, 2013)
Servers should be configured to disable or restrict non-essential or redundant services (e.g., X Windows, open windows, fingerd, and web browsers). (CF.07.02.03a, The Standard of Good Practice for Information Security, 2013)
Servers should be configured to disable or restrict communication services that are inherently susceptible to abuse (e.g., tftp, rpc, rlogin, rsh, or Rexec). (CF.07.02.05b, The Standard of Good Practice for Information Security, 2013)
Servers should be configured to disable or restrict communication protocols that are prone to abuse (e.g., http, https, ssh, ftp, smtp, telnet, and uucp). (CF.07.02.05c, The Standard of Good Practice for Information Security, 2013)
Servers should be configured in accordance with documented standards / procedures, which should cover disabling or restricting unnecessary functions or services. (CF.07.02.01c, The Standard of Good Practice for Information Security, 2013)
Mobile devices should be subject to 'system hardening' by disabling unnecessary services and user accounts (e.g., guest). (CF.14.02.06b, The Standard of Good Practice for Information Security, 2013)
Servers should be configured to disable or restrict the 'auto-run' feature (e.g., from Compact Discs, Digital Video Disks and portable storage devices, and mounted / shared network folders). (CF.07.02.05g, The Standard of Good Practice for Information Security, 2013)
The organization should run as few services as possible and ensure they are well protected. (Special Action 7.1, SANS Computer Security Incident Handling, Version 2.3.1)
The organization should turn off services for projects or limited engagements when they are no longer needed. (Critical Control 11.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
The organization should turn unneeded services off for 30 days and uninstall them after 30 days. (Critical Control 11.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
Each operating system shall be hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls such as: antivirus, file integrity monitoring, and logging as part of their baseline operating build standard or template. (IVS-07, Cloud Controls Matrix, v3.0)
Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). D… (CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software, CIS Controls, V8)
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. (CIS Control 4: Safeguard 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software, CIS Controls, V8)
Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error check… (CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures, CIS Controls, V8)
The service provider shall plan for the removal of any services that are to be removed. (§ 5.2 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
Utility programs are programs that may be able to override system and application controls. They should be restricted and controlled. If these system utilities are not needed, they should be disabled or removed. (§ 11.5.4, ISO 27002 Code of practice for information security management, 2005)
Components shall provide the capability to specifically restrict the use of unnecessary functions, ports, protocols and/or services. (11.9.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035 Limit Access to Resource Over Network, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
The organization should restrict logical access to master passwords, powerful utilities, system configurations, Superuser functionality, and security devices. (Generally Accepted Privacy Principles and Criteria § 8.2.2 i, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
The organization should restrict access to master passwords, powerful utilities, system configurations, Superuser functionality, and security devices. (Table Ref 8.2.2.i, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
The organization must implement and monitor the status of services minimization controls. (PE 15.j, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
On UNIX computers or Linux computers that transmit scoped data, are all unnecessary services and unused services turned off? (§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
On UNIX computers or Linux computers that process scoped data, are all unnecessary services and unused services turned off? (§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
On UNIX computers or Linux computers that store scoped data, are all unnecessary services and unused services turned off? (§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
On Windows systems that transmit scoped data, are unnecessary services and unused services turned off? (§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
On Windows systems that process scoped data, are unnecessary services and unused services turned off? (§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
On Windows systems that store scoped data, are unnecessary services and unused services turned off? (§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
When Windows Internet Information Services is used for web services, are unused services turned off on Internet Information Services servers? (§ G.21.2.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
Are service accounts disallowed for normal operations and monitored for usage? (§ H.3.4, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are unnecessary/unused services turned off? (§ V.1.72.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are unneeded hypervisor services (e.g. File-sharing) between the guest and the host Operating System disabled? (§ V.1.72.23, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
Table F-2: For Windows 2003 Server, the organization must review all services for proper configuration and disable all unnecessary services.
Table F-3: For Windows 2000 Professional, the organization must disable all unnecessary services.
Table F-4: For Windows XP Professional, the organization must… (Table F-2, Table F-3, Table F-4, Table F-8, Table F-10, CMS Business Partners Systems Security Manual, Rev. 10)
CSR 2.1.4: The organization must disable all file system access that is not explicitly required for application, administrator, or system functionality.
CSR 10.7.9: The organization must disable all system services, ports, and network protocols that are not explicitly required for application and sy… (CSR 2.1.4, CSR 10.7.9, CSR 10.8.7, CSR 10.8.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
The system administrator should disable any network services which are not necessary for the operation of the network. These services are disabled in the inetd.conf file. (§ 4, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
Services not needed for the operational use of the system must be disabled on all wireless clients. Non-required software and/or services that support remote access services must not be installed on remote access servers or network access servers. Non-required services that support remote access ser… (§ 4.1.5, § 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
Any unnecessary services should be disabled, unless there is a site requirement for specific services. If there is a requirement, then it should be documented and justified with the Information Assurance Officer. The following services should be disabled: Alerter; Application Layer Gateway Service; … (§ 5.2.2.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
The Access Control Lists (ACLs) for disabled services should have permissions set to Administrators: Full Control; System: Full Control; and Interactive: Read. The Internet Information System (IIS) should not be installed on the system. (§ 3.5.9 (2.014), § 3.12 (5.016), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
Sites should disable all services, unless there is a site requirement for the service. If the service is Enabled, it should be documented and justified and given to the Information Assurance Officer. (§ 5.2.2, § 5.2.2.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
§ 4.5.1 (MED0260: CAT II) The Information Assurance Officer/Network Security Officer, for all medical device VLAN access ports, in compliance with the Network Infrastructure STIG, shall disable trunking.
§ 6.1.2.2 (MED0660: CAT II) The Information Assurance Officer, for networked medical devices, … (§ 4.5.1 (MED0260: CAT II), § 6.1.2.2 (MED0660: CAT II), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (CM.3.068, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (CM.3.068, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (CM.3.068, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (CM.L2-3.4.7 Nonessential Functionality, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
Verify that unapproved IM clients / services are uninstalled or disabled on all operating systems. (ECIM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
The agency shall configure applications, Information Systems, and services to provide only the necessary capabilities. (§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
The agency shall prohibit and/or restrict the use of stated functions, ports, protocols, and services. (§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
The agency shall configure the application, service, or information system to provide only essential capabilities and shall specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services. (§ 5.7.1.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
Disable all nonessential management protocols on the APs. (§ 5.13.1.1 ¶ 2(12), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
Ensure that the ad hoc mode has been disabled. (§ 5.13.1.1 ¶ 2(11), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
The organization should strictly control the use of utility programs. (Pg 57, Exam Obj 10.1, FFIEC IT Examination Handbook - Development and Acquisition)
Have the unnecessary services on the web server been disabled and appropriate controls implemented? (IT - Member Online Services Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
Do the configuration policies and procedures include removing or disabling unnecessary network services and Operating System services? (IT - Networks Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
Are all unnecessary services shut down on the routers? (IT - Routers Q 31, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
Has network autoloading been disabled, unless the router absolutely needs to autoload the startup configuration from a Trivial File Transfer Protocol host? (IT - Routers Q 37, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
CM-7(1) Organizational records and documents should be examined on a regular basis to ensure all unnecessary functions, ports, protocols, and services have been disabled or removed from the system.
CM-7.2 Test the system to ensure all identified functions, ports, protocols, and services have been di… (CM-7(1), CM-7.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
The organization should remove or permanently disable unnecessary services, applications, and user controls on all Bluetooth devices. (Table 4-3 Item 9, Table 4-4 Item 6, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
Wireless interfaces, such as Bluetooth, WiFi, and infrared, should be disabled when not needed, and automatic connections to cellular data services should be turned off. If possible, unneeded functions should be removed to prevent them from being reactivated. Another option is to subscribe only to t… (§ 4.1.6, § 4.1.8, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
(§ 5.2, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002)
The organization should review the system on an organizationally defined period to identify and restrict any unnecessary protocols, ports, services, and/or functions. (SG.CM-7 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services. (3.4.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (3.4.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (3.4.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
The organization should periodically review the system to identify and eliminate unnecessary functions, ports, protocols, and/or services. (App F § CM-7(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The organization must remove all unused and unnecessary functions and services from the Industrial Control System. (App I § SI-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
Disable all standard services which are normally enabled in the Solaris inetd.conf file. (§ 2.1, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)