Disable all unnecessary services unless otherwise noted in a policy exception.

CONTROL ID
00880
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Remove all unnecessary functionality., CC ID: 00882

This Control has the following implementation support Control(s):
  • Disable rquotad unless rquotad is absolutely necessary., CC ID: 01473
  • Disable telnet unless telnet use is absolutely necessary., CC ID: 01478
  • Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary., CC ID: 01479
  • Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary., CC ID: 01485
  • Disable Post Office Protocol unless its use is absolutely necessary., CC ID: 01486
  • Disable SQLServer processes unless SQLServer processes use is absolutely necessary., CC ID: 01500
  • Disable alerter unless alerter use is absolutely necessary., CC ID: 01810
  • Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary., CC ID: 01812
  • Disable ClipBook unless ClipBook use is absolutely necessary., CC ID: 01813
  • Disable Fax Service unless Fax Service use is absolutely necessary., CC ID: 01815
  • Disable IIS admin service unless IIS admin service use is absolutely necessary., CC ID: 01817
  • Disable indexing service unless indexing service use is absolutely necessary., CC ID: 01818
  • Disable net logon unless net logon use is absolutely necessary., CC ID: 01820
  • Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary., CC ID: 01822
  • Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary., CC ID: 01823
  • Disable Routing and Remote Access unless Routing and Remote Access use is necessary., CC ID: 01824
  • Disable task scheduler unless task scheduler use is absolutely necessary., CC ID: 01829
  • Disable Terminal Services unless Terminal Services use is absolutely necessary., CC ID: 01831
  • Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary., CC ID: 01832
  • Disable File Service Protocol., CC ID: 02167
  • Disable the License Logging Service unless it is absolutely necessary., CC ID: 04282
  • Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary., CC ID: 04285
  • Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary., CC ID: 04286
  • Disable Remote Administration Service unless remote administration management is absolutely necessary., CC ID: 04287
  • Disable remote installation unless remote installation is absolutely necessary., CC ID: 04288
  • Disable Remote Server Manager unless Remote Server Manager is absolutely necessary., CC ID: 04289
  • Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary., CC ID: 04290
  • Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary., CC ID: 04291
  • Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary., CC ID: 04292
  • Disable telephony services unless telephony services use is absolutely necessary., CC ID: 04293
  • Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary., CC ID: 04294
  • Disable SSDP/UPnP unless SSDP/UPnP is absolutely necessary., CC ID: 04315
  • Configure the "ntpd service" setting to organizational standards., CC ID: 04911
  • Configure the "echo service" setting to organizational standards., CC ID: 04912
  • Configure the "netstat service" setting to organizational standards., CC ID: 04913
  • Configure the "character generator protocol (chargen)" setting to organizational standards., CC ID: 04914
  • Configure the "tftpd service" setting to organizational standards., CC ID: 04915
  • Configure the "walld service" setting to organizational standards., CC ID: 04916
  • Configure the "rstatd service" setting to organizational standards., CC ID: 04917
  • Configure the "sprayd service" setting to organizational standards., CC ID: 04918
  • Configure the "rusersd service" setting to organizational standards., CC ID: 04919
  • Configure the "inn service" setting to organizational standards., CC ID: 04920
  • Configure the "font service" setting to organizational standards., CC ID: 04921
  • Configure the "ident service" setting to organizational standards., CC ID: 04922
  • Configure the "rexd service" setting to organizational standards., CC ID: 04923
  • Configure the "daytime service" setting to organizational standards., CC ID: 04924
  • Configure the "dtspc (cde-spc) service" setting to organizational standards., CC ID: 04925
  • Configure the "cmsd service" setting to organizational standards., CC ID: 04926
  • Configure the "ToolTalk service" setting to organizational standards., CC ID: 04927
  • Configure the "discard service" setting to organizational standards., CC ID: 04928
  • Configure the "vino-server service" setting to organizational standards., CC ID: 04929
  • Configure the "bind service" setting to organizational standards., CC ID: 04930
  • Configure the "nfsd service" setting to organizational standards., CC ID: 04931
  • Configure the "mountd service" setting to organizational standards., CC ID: 04932
  • Configure the "statd service" setting to organizational standards., CC ID: 04933
  • Configure the "lockd service" setting to organizational standards., CC ID: 04934
  • Configure the "decode sendmail alias" setting to organizational standards., CC ID: 04935
  • Configure the sendmail vrfy command, as appropriate., CC ID: 04936
  • Configure the sendmail expn command, as appropriate., CC ID: 04937
  • Configure .netrc with an appropriate set of services., CC ID: 04938
  • Enable NFS insecure locks as necessary., CC ID: 04939
  • Configure the "X server ac" setting to organizational standards., CC ID: 04940
  • Configure the "X server core" setting to organizational standards., CC ID: 04941
  • Enable or disable the setroubleshoot service, as appropriate., CC ID: 05540
  • Configure the "X server nolock" setting to organizational standards., CC ID: 04942
  • Enable or disable the mcstrans service, as appropriate., CC ID: 05541
  • Configure the "PAM console" setting to organizational standards., CC ID: 04943
  • Enable or disable the restorecond service, as appropriate., CC ID: 05542
  • Enable the rhnsd service as necessary., CC ID: 04944
  • Enable the yum-updatesd service as necessary., CC ID: 04945
  • Enable the autofs service as necessary., CC ID: 04946
  • Enable the ip6tables service as necessary., CC ID: 04947
  • Configure syslog to organizational standards., CC ID: 04949
  • Enable the auditd service as necessary., CC ID: 04950
  • Enable the logwatch service as necessary., CC ID: 04951
  • Enable the logrotate (syslog rotator) service as necessary., CC ID: 04952
  • Install or uninstall the telnet server package, only if absolutely necessary., CC ID: 04953
  • Enable the ypbind service as necessary., CC ID: 04954
  • Enable the ypserv service as necessary., CC ID: 04955
  • Enable the firstboot service as necessary., CC ID: 04956
  • Enable the gpm service as necessary., CC ID: 04957
  • Enable the irqbalance service as necessary., CC ID: 04958
  • Enable the isdn service as necessary., CC ID: 04959
  • Enable the kdump service as necessary., CC ID: 04960
  • Enable the mdmonitor service as necessary., CC ID: 04961
  • Enable the microcode_ctl service as necessary., CC ID: 04962
  • Enable the pcscd service as necessary., CC ID: 04963
  • Enable the smartd service as necessary., CC ID: 04964
  • Enable the readahead_early service as necessary., CC ID: 04965
  • Enable the readahead_later service as necessary., CC ID: 04966
  • Enable the messagebus service as necessary., CC ID: 04967
  • Enable the haldaemon service as necessary., CC ID: 04968
  • Enable the apmd service as necessary., CC ID: 04969
  • Enable the acpid service as necessary., CC ID: 04970
  • Enable the cpuspeed service as necessary., CC ID: 04971
  • Enable the network service as necessary., CC ID: 04972
  • Enable the hidd service as necessary., CC ID: 04973
  • Enable the crond service as necessary., CC ID: 04974
  • Install and enable the anacron service as necessary., CC ID: 04975
  • Enable the xfs service as necessary., CC ID: 04976
  • Install and enable the Avahi daemon service, as necessary., CC ID: 04977
  • Enable the CUPS service, as necessary., CC ID: 04978
  • Enable the hplip service as necessary., CC ID: 04979
  • Enable the dhcpd service as necessary., CC ID: 04980
  • Enable the nfslock service as necessary., CC ID: 04981
  • Enable the rpcgssd service as necessary., CC ID: 04982
  • Enable the rpcidmapd service as necessary., CC ID: 04983
  • Enable the rpcsvcgssd service as necessary., CC ID: 04985
  • Configure root squashing for all NFS shares, as appropriate., CC ID: 04986
  • Configure write access to NFS shares, as appropriate., CC ID: 04987
  • Configure the named service, as appropriate., CC ID: 04988
  • Configure the vsftpd service, as appropriate., CC ID: 04989
  • Configure the "dovecot" service to organizational standards., CC ID: 04990
  • Configure Server Message Block (SMB) to organizational standards., CC ID: 04991
  • Enable the snmpd service as necessary., CC ID: 04992
  • Enable the calendar manager as necessary., CC ID: 04993
  • Enable the GNOME logon service as necessary., CC ID: 04994
  • Enable the WBEM services as necessary., CC ID: 04995
  • Enable the keyserv service as necessary., CC ID: 04996
  • Enable the Generic Security Service daemon as necessary., CC ID: 04997
  • Enable the volfs service as necessary., CC ID: 04998
  • Enable the smserver service as necessary., CC ID: 04999
  • Enable the mpxio-upgrade service as necessary., CC ID: 05000
  • Enable the metainit service as necessary., CC ID: 05001
  • Enable the meta service as necessary., CC ID: 05003
  • Enable the metaed service as necessary., CC ID: 05004
  • Enable the metamh service as necessary., CC ID: 05005
  • Enable the Local RPC Port Mapping Service as necessary., CC ID: 05006
  • Enable the Kerberos kadmind service as necessary., CC ID: 05007
  • Enable the Kerberos krb5kdc service as necessary., CC ID: 05008
  • Enable the Kerberos kpropd service as necessary., CC ID: 05009
  • Enable the Kerberos ktkt_warnd service as necessary., CC ID: 05010
  • Enable the sadmin service as necessary., CC ID: 05011
  • Enable the IPP listener as necessary., CC ID: 05012
  • Enable the serial port listener as necessary., CC ID: 05013
  • Enable the Smart Card Helper service as necessary., CC ID: 05014
  • Enable the Application Management service as necessary., CC ID: 05015
  • Enable the Resultant Set of Policy (RSoP) Provider service as necessary., CC ID: 05016
  • Enable the Network News Transport Protocol service as necessary., CC ID: 05017
  • Enable the network Dynamic Data Exchange service as necessary., CC ID: 05018
  • Enable the Distributed Link Tracking Server service as necessary., CC ID: 05019
  • Enable the RARP service as necessary., CC ID: 05020
  • Configure the ".NET Framework service" setting to organizational standards., CC ID: 05021
  • Enable the Network DDE Share Database Manager service as necessary., CC ID: 05022
  • Enable the Certificate Services service as necessary., CC ID: 05023
  • Configure the ATI hotkey poller service properly., CC ID: 05024
  • Configure the Interix Subsystem Startup service properly., CC ID: 05025
  • Configure the Cluster Service service properly., CC ID: 05026
  • Configure the IAS Jet Database Access service properly., CC ID: 05027
  • Configure the IAS service properly., CC ID: 05028
  • Configure the IP Version 6 Helper service properly., CC ID: 05029
  • Configure "Message Queuing service" to organizational standards., CC ID: 05030
  • Configure the Message Queuing Down Level Clients service properly., CC ID: 05031
  • Configure the Windows Management Instrumentation Driver Extensions service properly., CC ID: 05033
  • Configure the TCP/IP NetBIOS Helper Service properly., CC ID: 05034
  • Configure the Utility Manager service properly., CC ID: 05035
  • Configure the secondary logon service properly., CC ID: 05036
  • Configure the Windows Management Instrumentation service properly., CC ID: 05037
  • Configure the Workstation service properly., CC ID: 05038
  • Configure the Windows Installer service properly., CC ID: 05039
  • Configure the Windows System Resource Manager service properly., CC ID: 05040
  • Configure the WinHTTP Web Proxy Auto-Discovery Service properly., CC ID: 05041
  • Configure the Services for Unix Client for NFS service properly., CC ID: 05042
  • Configure the Services for Unix Server for PCNFS service properly., CC ID: 05043
  • Configure the Services for Unix Perl Socket service properly., CC ID: 05044
  • Configure the Services for Unix User Name Mapping service properly., CC ID: 05045
  • Configure the Services for Unix Windows Cron service properly., CC ID: 05046
  • Configure the Windows Media Services service properly., CC ID: 05047
  • Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly., CC ID: 05048
  • Configure the Web Element Manager service properly., CC ID: 05049
  • Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly., CC ID: 05050
  • Configure the Terminal Services Licensing service properly., CC ID: 05051
  • Configure the COM+ Event System service properly., CC ID: 05052
  • Configure the Event Log service properly., CC ID: 05053
  • Configure the Infrared Monitor service properly., CC ID: 05054
  • Configure the Services for Unix Server for NFS service properly., CC ID: 05055
  • Configure the System Event Notification Service properly., CC ID: 05056
  • Configure the NTLM Security Support Provider service properly., CC ID: 05057
  • Configure the Performance Logs and Alerts service properly., CC ID: 05058
  • Configure the Protected Storage service properly., CC ID: 05059
  • Configure the QoS Admission Control (RSVP) service properly., CC ID: 05060
  • Configure the Remote Procedure Call service properly., CC ID: 05061
  • Configure the Removable Storage service properly., CC ID: 05062
  • Configure the Server service properly., CC ID: 05063
  • Configure the Security Accounts Manager service properly., CC ID: 05064
  • Configure the "Network Connections" service to organizational standards., CC ID: 05065
  • Configure the Logical Disk Manager service properly., CC ID: 05066
  • Configure the Logical Disk Manager Administrative Service properly., CC ID: 05067
  • Configure the File Replication service properly., CC ID: 05068
  • Configure the Kerberos Key Distribution Center service properly., CC ID: 05069
  • Configure the Intersite Messaging service properly., CC ID: 05070
  • Configure the Remote Procedure Call locator service properly., CC ID: 05071
  • Configure the Distributed File System service properly., CC ID: 05072
  • Configure the Windows Internet Name Service service properly., CC ID: 05073
  • Configure the FTP Publishing Service properly., CC ID: 05074
  • Configure the Windows Search service properly., CC ID: 05075
  • Configure the Microsoft Peer-to-Peer Networking Services service properly., CC ID: 05076
  • Configure the Remote Shell service properly., CC ID: 05077
  • Configure Simple TCP/IP services to organizational standards., CC ID: 05078
  • Configure the Print Services for Unix service properly., CC ID: 05079
  • Configure the File Shares service to organizational standards., CC ID: 05080
  • Configure the NetMeeting service properly., CC ID: 05081
  • Configure the Application Layer Gateway service properly., CC ID: 05082
  • Configure the Cryptographic Services service properly., CC ID: 05083
  • Configure the Help and Support Service properly., CC ID: 05084
  • Configure the Human Interface Device Access service properly., CC ID: 05085
  • Configure the IMAPI CD-Burning COM service properly., CC ID: 05086
  • Configure the MS Software Shadow Copy Provider service properly., CC ID: 05087
  • Configure the Network Location Awareness service properly., CC ID: 05088
  • Configure the Portable Media Serial Number Service service properly., CC ID: 05089
  • Configure the System Restore Service service properly., CC ID: 05090
  • Configure the Themes service properly., CC ID: 05091
  • Configure the Uninterruptible Power Supply service properly., CC ID: 05092
  • Configure the Upload Manager service properly., CC ID: 05093
  • Configure the Volume Shadow Copy Service properly., CC ID: 05094
  • Configure the WebClient service properly., CC ID: 05095
  • Configure the Windows Audio service properly., CC ID: 05096
  • Configure the Windows Image Acquisition service properly., CC ID: 05097
  • Configure the WMI Performance Adapter service properly., CC ID: 05098
  • Enable file uploads via vsftpd service, as appropriate., CC ID: 05100
  • Disable or remove sadmind unless use of sadmind is absolutely necessary., CC ID: 06885
  • Configure the "SNMP version 1" setting to organizational standards., CC ID: 08976
  • Configure the "xdmcp service" setting to organizational standards., CC ID: 08985


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • funds transfer functions should be disabled or the relevant transaction limit(s) for high-risk funds transfers should be pre-set to zero when a new Internet banking account is first opened. Furthermore, the function or the limit(s) should also be reset to zero if they have not been used for a period… (§ 6.1.2(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • if cards are used as one of the factors for customer identity authentication in using the terminals, adequate security and controls should be implemented covering the issuance, activation, replacement and loss of cards. In addition, chip-based authentication on chip cards issued by AIs should be enf… (§ 7.3.2(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • funds transfer functions should be disabled or the relevant transaction limit(s) for high-risk funds transfers should be pre-set to zero when a new Internet banking account is first opened. For transaction limit(s) that allow high-value funds transfers to unregistered payees, consideration should be… (§ 6.1.2(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • T44: The organization shall minimize the number of connected devices, communication routes, and communications-related devices that can be accessed from external networks. The organization shall not connect unnecessary devices. T44.2: The organization shall securely set up computers that are connect… (T44, T44.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Hardening the firewall by removing all unnecessary services and appropriately patching, enhancing, and maintaining all software on the firewall unit (Critical components of information security 24) vii. a) ¶ 13 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Unnecessary programmes and services: all unnecessary programs should be uninstalled, and all unnecessary services should be disabled. (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 1 ¶ 9 b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Remove unused software and turn off unnecessary services from computers. (Annex A2: Security of Personal Computers & Other Computing Devices 17, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface. (Security Control: 1272; Revision: 1, Australian Government Information Security Manual, March 2021)
  • IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries. (Security Control: 1429; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Unused physical ports on network devices are disabled. (Security Control: 0534; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Unneeded operating system accounts, software, components, services and functionality are removed or disabled. (Security Control: 0380; Revision: 7, Australian Government Information Security Manual, March 2021)
  • agent credential forwarding (Security Control: 0487; Revision: 3; Bullet 3, Australian Government Information Security Manual, March 2021)
  • MAC address filtering is not used to restrict which devices can connect to wireless networks. (Control: ISM-1320; Revision: 2, Australian Government Information Security Manual, June 2023)
  • If only local access to a database is required, networking functionality of database management system software is disabled or directed to listen solely to the localhost interface. (Control: ISM-1272; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Unneeded accounts, components, services and functionality of operating systems are disabled or removed. (Control: ISM-0380; Revision: 9, Australian Government Information Security Manual, June 2023)
  • Unneeded accounts, components, services and functionality of server applications are disabled or removed. (Control: ISM-1247; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed. (Control: ISM-1470; Revision: 5, Australian Government Information Security Manual, June 2023)
  • MAC address filtering is not used to restrict which devices can connect to wireless networks. (Control: ISM-1320; Revision: 2, Australian Government Information Security Manual, September 2023)
  • If only local access to a database is required, networking functionality of database management system software is disabled or directed to listen solely to the localhost interface. (Control: ISM-1272; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Unneeded accounts, components, services and functionality of operating systems are disabled or removed. (Control: ISM-0380; Revision: 9, Australian Government Information Security Manual, September 2023)
  • Unneeded accounts, components, services and functionality of server applications are disabled or removed. (Control: ISM-1247; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed. (Control: ISM-1470; Revision: 5, Australian Government Information Security Manual, September 2023)
  • The organization must develop a hardened Standard Operating Environment for servers and workstations that includes removing unnecessary software, operating system components, and hardware. (Control: 0380 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should remove or disable unnecessary Database Management System software features and procedures. (Control: 1247, Australian Government Information Security Manual: Controls)
  • The organization should disable Database Management System software from reading local files from a server. (Control: 1251, Australian Government Information Security Manual: Controls)
  • The organization must disable open e-mail relaying, so e-mail servers only relay messages that originate inside the domain and messages destined for the domain. (Control: 0567, Australian Government Information Security Manual: Controls)
  • The organization should disable agent credential forwarding, if logins absent a passphrase for automated purposes are used for remote access to Secure Shell. (Control: 0487 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization must disable split tunneling when a Virtual Private Network is used to connect a mobile device to a system. (Control: 0705, Australian Government Information Security Manual: Controls)
  • The organization should disable all protocols, permissions, functions, and features, unless they are required for the business operations. (¶ 26(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Portable computers and personal electronic devices that process classified information should have all unnecessary hardware and services disabled or removed. (§ 3.4.63, § 3.5.8, Australian Government ICT Security Manual (ACSI 33))
  • If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? A description of the process is required. (A4.6, Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Have vulnerable services (e.g. Server Message Block (SMB), NetBIOS, Telnet, TFTP, RPC, rlogin, rsh or rexec) been disabled (blocked) by default and those that are allowed have a business justification? (Firewalls Question 4, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Where a debug interface is physically accessible, it shall be disabled in software. (Provision 5.6-4, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • Unnecessary network services are disabled. (5.2.3 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • The entity uses a combination of controls to restrict access to its information assets including data classification. The entity enforces logical separations of data structures and the segregation of incompatible duties applies device security hardening and security configuration policies, including… (S7.1 Restricts access to information assets, Privacy Management Framework, Updated March 1, 2020)
  • (§ XI.5, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Have all unnecessary services on each client and server been disabled? (Table Row XIII.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • During the installation process, deselect any packages, especially the X11 package, that are not going to be used. This reduces the risk of attackers using known vulnerabilities in unused packages to enter the system. If an upgrade from Mac OS X to Mac OS X 10.4 was performed, an adaptation of Mac O… (Pg 22, Pg 33, Pg 87, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • Ensure nonessential services are removed or masked Description: A network port is identified by its number, the associated IP address, and the type of the communication protocol such as TCP or UDP. A listening port is a network port on which an application or process listens on, acting as a communic… (2.4, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure nonessential services are removed or masked Description: A network port is identified by its number, the associated IP address, and the type of the communication protocol such as TCP or UDP. A listening port is a network port on which an application or process listens on, acting as a communic… (2.4, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Disable all standard services. (§ 3.9, The Center for Internet Security AIX Benchmark, 1.0.1)
  • The organization must disable all standard services. (§ 2.1, The Center for Internet Security FreeBSD Benchmark, 1.0.5)
  • Disable all standard services. (§ 2.1, The Center for Internet Security HP-UX Benchmark, 1.4.2)
  • All services on the operating system are set to OFF by default. Only absolutely necessary services should be enabled. If possible, the services should be enabled only while they are being used and should be disabled as soon as the service is no longer needed. None of the services needs to be enabled… (§ 2.9, The Center for Internet Security Mac OS X Tiger Level I Security Benchmark, 1)
  • If unneeded services are enabled or left on the system, security issues could evolve. Many of these services are not securely configured by default. Any unused or unnecessary services should be removed from the system. QuickFinder, a search engine for finding web data on the server, should be disabl… (§ 1.2, § 2.15, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • The organization must disable all standard services. (§ 2.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.0.5)
  • Disable all standard services. (§ 2.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.1.1)
  • Disable all standard services. (§ 2.1, The Center for Internet Security Slackware Linux Benchmark, 1.1)
  • Disable all standard services. (§ 2.1, The Center for Internet Security Solaris Benchmark, 1.5.0)
  • Disable all standard services. (§ 2.1, The Center for Internet Security SuSE Linux Enterprise Server Benchmark, 2)
  • Harden an OS before it is used in production. Disable all unnecessary services in the configuration of the server. (§ 3-8, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • For a sample of system components, inspect enabled system services, daemons, and protocols. Verify that unnecessary or insecure services or protocols are not enabled, or are justified and documented as to appropriate use of the service. (§ 2.2.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • For a sample of system components, inspect enabled system services, daemons, and protocols. Verify that unnecessary or insecure services or protocols are not enabled, or are justified and documented as to appropriate use of the service. (§ 2.2.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the system configuration standards include procedures for enabling only the necessary services, daemons, protocols, and others that are required for system functions. (Testing Procedures § 2.2.d Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Inspect the enabled system services, protocols, and daemons from a sample of system components to verify only the necessary services and protocols are enabled. (Testing Procedures § 2.2.2.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel to verify the identified insecure services, protocols, and daemons that are enabled have been justified in accordance with the documented configuration standards. (Testing Procedures § 2.2.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the services and the parameter files on a sample of systems to verify that telnet and other insecure remote login commands are not available for non-console access. (Testing Procedures § 2.3.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • All unnecessary services and applications must be disabled, unless they have been justified and documented. (§ 2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • For a sample of system components, inspect enabled system services, daemons, and protocols. (§ 2.2.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Only necessary services, protocols, or daemons for the function of the system must be enabled. (PCI DSS Requirements § 2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Enable only necessary services, protocols, daemons, etc., as required for the function of the system. (2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Enable only necessary services, protocols, daemons, etc., as required for the function of the system. (2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Systems are configured per configuration standards, with all default passwords changed and unnecessary services disabled. (A3.2.2.1 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Enable only necessary services, protocols, daemons, etc., as required for the function of the system. (2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? (2.2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? (2.2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? (2.2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? (2.2.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? (2.2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? (2.2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? (2.2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? (2.2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? (2.2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? (2.2.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? (2.2.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled. (2.2.2.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards. (2.2.2.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • All services, daemons, and protocols required by the application or enabled should be examined. The payment application must not use or require the use of unnecessary and insecure services or protocols. (§ 5.4, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Examine settings for system components and authentication services to verify that insecure remote login services are not available for non-console administrative access. (2.2.7.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Disabling USB debugging and disallowing untrusted sources should be enforced on an ongoing basis. As an additional defense-in-depth, the device should be monitored for jailbreaking or rooting activity, and when detected the device should be quarantined by a solution that either removes it from the … (¶ 5.4.3, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • System / network monitoring activities should involve checking whether powerful utilities / commands have been disabled on attached hosts (e.g., by using a 'network sniffer'). (CF.10.05.05b, The Standard of Good Practice for Information Security)
  • Connections between servers (e.g., web servers) and back-office systems (e.g., application and database servers) should be restricted to only the services that are required by business applications. (CF.04.01.07b, The Standard of Good Practice for Information Security)
  • Servers should be configured to disable or restrict non-essential or redundant services (e.g., X Windows, open windows, fingerd, and web browsers). (CF.07.02.03a, The Standard of Good Practice for Information Security)
  • Servers should be configured to disable or restrict communication services that are inherently susceptible to abuse (e.g., tftp, rpc, rlogin, rsh, or Rexec). (CF.07.02.03b, The Standard of Good Practice for Information Security)
  • Servers should be configured to disable or restrict communication protocols that are prone to abuse (e.g., http, https, ssh, ftp, smtp, telnet, and uucp). (CF.07.02.03c, The Standard of Good Practice for Information Security)
  • Servers should be configured in accordance with documented standards / procedures, which should cover disabling or restricting unnecessary functions or services. (CF.07.02.01b, The Standard of Good Practice for Information Security)
  • Mobile devices should be subject to 'system hardening' by disabling unnecessary services and user accounts (e.g., guest). (CF.14.02.03b, The Standard of Good Practice for Information Security)
  • System / network monitoring activities should involve checking whether powerful utilities / commands have been disabled on attached hosts (e.g., by using a 'network sniffer'). (CF.10.05.05b, The Standard of Good Practice for Information Security, 2013)
  • Connections between servers (e.g., web servers) and back-office systems (e.g., application and database servers) should be restricted to only the services that are required by business applications. (CF.04.01.07b, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to disable or restrict non-essential or redundant services (e.g., X Windows, open windows, fingerd, and web browsers). (CF.07.02.03a, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to disable or restrict communication services that are inherently susceptible to abuse (e.g., tftp, rpc, rlogin, rsh, or Rexec). (CF.07.02.05b, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to disable or restrict communication protocols that are prone to abuse (e.g., http, https, ssh, ftp, smtp, telnet, and uucp). (CF.07.02.05c, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured in accordance with documented standards / procedures, which should cover disabling or restricting unnecessary functions or services. (CF.07.02.01c, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be subject to 'system hardening' by disabling unnecessary services and user accounts (e.g., guest). (CF.14.02.06b, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to disable or restrict the 'auto-run' feature (e.g., from Compact Discs, Digital Video Disks and portable storage devices, and mounted / shared network folders). (CF.07.02.05g, The Standard of Good Practice for Information Security, 2013)
  • The organization should run as few services as possible and ensure they are well protected. (Special Action 7.1, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization should turn off services for projects or limited engagements when they are no longer needed. (Critical Control 11.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should turn unneeded services off for 30 days and uninstall them after 30 days. (Critical Control 11.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Each operating system shall be hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls such as: antivirus, file integrity monitoring, and logging as part of their baseline operating build standard or template. (IVS-07, Cloud Controls Matrix, v3.0)
  • Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). D… (CIS Control 4: Safeguard 4.6 Securely Manage Enterprise Assets and Software, CIS Controls, V8)
  • Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. (CIS Control 4: Safeguard 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software, CIS Controls, V8)
  • Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error check… (CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures, CIS Controls, V8)
  • The service provider shall plan for the removal of any services that are to be removed. (§ 5.2 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Utility programs are programs that may be able to override system and application controls. They should be restricted and controlled. If these system utilities are not needed, they should be disabled or removed. (§ 11.5.4, ISO 27002 Code of practice for information security management, 2005)
  • Components shall provide the capability to specifically restrict the use of unnecessary functions, ports, protocols and/or services. (11.9.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035 Limit Access to Resource Over Network, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • The organization should restrict logical access to master passwords, powerful utilities, system configurations, Superuser functionality, and security devices. (Generally Accepted Privacy Principles and Criteria § 8.2.2 i, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should restrict access to master passwords, powerful utilities, system configurations, Superuser functionality, and security devices. (Table Ref 8.2.2.i, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization must implement and monitor the status of services minimization controls. (PE 15.j, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • On UNIX computers or Linux computers that transmit scoped data, are all unnecessary services and unused services turned off? (§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, are all unnecessary services and unused services turned off? (§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, are all unnecessary services and unused services turned off? (§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that transmit scoped data, are unnecessary services and unused services turned off? (§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, are unnecessary services and unused services turned off? (§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, are unnecessary services and unused services turned off? (§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When Windows Internet Information Services is used for web services, are unused services turned off on Internet Information Services servers? (§ G.21.2.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are service accounts disallowed for normal operations and monitored for usage? (§ H.3.4, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are unnecessary/unused services turned off? (§ V.1.72.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are unneeded hypervisor services (e.g. File-sharing) between the guest and the host Operating System disabled? (§ V.1.72.23, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Table F-2: For Windows 2003 Server, the organization must review all services for proper configuration and disable all unnecessary services. Table F-3: For Windows 2000 Professional, the organization must disable all unnecessary services. Table F-4: For Windows XP Professional, the organization must… (Table F-2, Table F-3, Table F-4, Table F-8, Table F-10, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 2.1.4: The organization must disable all file system access that is not explicitly required for application, administrator, or system functionality. CSR 10.7.9: The organization must disable all system services, ports, and network protocols that are not explicitly required for application and sy… (CSR 2.1.4, CSR 10.7.9, CSR 10.8.7, CSR 10.8.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The system administrator should disable any network services which are not necessary for the operation of the network. These services are disabled in the inetd.conf file. (§ 4, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • Services not needed for the operational use of the system must be disabled on all wireless clients. Non-required software and/or services that support remote access services must not be installed on remote access servers or network access servers. Non-required services that support remote access ser… (§ 4.1.5, § 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Any unnecessary services should be disabled, unless there is a site requirement for specific services. If there is a requirement, then it should be documented and justified with the Information Assurance Officer. The following services should be disabled: Alerter; Application Layer Gateway Service; … (§ 5.2.2.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The Access Control Lists (ACLs) for disabled services should have permissions set to Administrators: Full Control; System: Full Control; and Interactive: Read. The Internet Information System (IIS) should not be installed on the system. (§ 3.5.9 (2.014), § 3.12 (5.016), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • Sites should disable all services, unless there is a site requirement for the service. If the service is enabled, it should be documented and justified and given to the Information Assurance Officer. (§ 5.2.2, § 5.2.2.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • § 4.5.1 (MED0260: CAT II) The Information Assurance Officer/Network Security Officer, for all medical device VLAN access ports, in compliance with the Network Infrastructure STIG, shall disable trunking. § 6.1.2.2 (MED0660: CAT II) The Information Assurance Officer, for networked medical devices, … (§ 4.5.1 (MED0260: CAT II), § 6.1.2.2 (MED0660: CAT II), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (CM.3.068, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (CM.3.068, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (CM.3.068, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (CM.L2-3.4.7 Nonessential Functionality, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Verify that unapproved IM clients / services are uninstalled or disabled on all operating systems. (ECIM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The agency shall configure applications, Information Systems, and services to provide only the necessary capabilities. (§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall prohibit and/or restrict the use of stated functions, ports, protocols, and services. (§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall configure the application, service, or information system to provide only essential capabilities and shall specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services. (§ 5.7.1.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Disable all nonessential management protocols on the APs. (§ 5.13.1.1 ¶ 2(12), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Ensure that the ad hoc mode has been disabled. (§ 5.13.1.1 ¶ 2(11), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The organization should strictly control the use of utility programs. (Pg 57, Exam Obj 10.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • Have the unnecessary services on the web server been disabled and appropriate controls implemented? (IT - Member Online Services Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Do the configuration policies and procedures include removing or disabling unnecessary network services and Operating System services? (IT - Networks Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are all unnecessary services shut down on the routers? (IT - Routers Q 31, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has network autoloading been disabled, unless the router absolutely needs to autoload the startup configuration from a Trivial File Transfer Protocol host? (IT - Routers Q 37, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • CM-7(1) Organizational records and documents should be examined on a regular basis to ensure all unnecessary functions, ports, protocols, and services have been disabled or removed from the system. CM-7.2 Test the system to ensure all identified functions, ports, protocols, and services have been di… (CM-7(1), CM-7.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should remove or permanently disable unnecessary services, applications, and user controls on all Bluetooth devices. (Table 4-3 Item 9, Table 4-4 Item 6, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • Wireless interfaces, such as Bluetooth, WiFi, and infrared, should be disabled when not needed, and automatic connections to cellular data services should be turned off. If possible, unneeded functions should be removed to prevent them from being reactivated. Another option is to subscribe only to t… (§ 4.1.6, § 4.1.8, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • (§ 5.2, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002)
  • The organization should review the system on an organizationally defined period to identify and restrict any unnecessary protocols, ports, services, and/or functions. (SG.CM-7 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services. (3.4.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (3.4.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (3.4.7, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should periodically review the system to identify and eliminate unnecessary functions, ports, protocols, and/or services. (App F § CM-7(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must remove all unused and unnecessary functions and services from the Industrial Control System. (App I § SI-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Disable all standard services which are normally enabled in the Solaris inetd.conf file. (§ 2.1, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)