Disable all unnecessary applications unless otherwise noted in a policy exception.


CONTROL ID: 04827
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Remove all unnecessary functionality., CC ID: 00882

This Control has the following implementation support Control(s):
  • Restrict and control the use of privileged utility programs., CC ID: 12030
  • Disable the storing of movies in cache in Apple's QuickTime., CC ID: 04489
  • Install and enable file sharing utilities, as necessary., CC ID: 02174
  • Disable boot services unless boot services are absolutely necessary., CC ID: 01481
  • Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary., CC ID: 04279
  • Configure the Trivial FTP Daemon service to organizational standards., CC ID: 01484
  • Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary., CC ID: 01487
  • Disable web server unless web server is absolutely necessary., CC ID: 01490
  • Disable portmapper unless portmapper is absolutely necessary., CC ID: 01492
  • Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary., CC ID: 01498
  • Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary., CC ID: 01504
  • Configure the “xinetd” service to organizational standards., CC ID: 01509
  • Disable inetd unless inetd is absolutely necessary., CC ID: 01508
  • Disable Network Computing System unless it is absolutely necessary., CC ID: 01497
  • Disable print server for Macintosh unless print server for Macintosh is absolutely necessary., CC ID: 04284
  • Disable Print Server unless Print Server is absolutely necessary., CC ID: 01488
  • Disable ruser/remote login/remote shell/rcp command, unless it is absolutely necessary., CC ID: 01480
  • Disable xfsmd unless xfsmd is absolutely necessary., CC ID: 02179
  • Disable RPC-based services unless RPC-based services are absolutely necessary., CC ID: 01455
  • Disable netfs script unless netfs script is absolutely necessary., CC ID: 01495
  • Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions., CC ID: 01456
  • Disable ncpfs Script unless ncpfs Script is absolutely necessary., CC ID: 01494
  • Disable sendmail server unless sendmail server is absolutely necessary., CC ID: 01511
  • Disable postfix unless postfix is absolutely necessary., CC ID: 01512
  • Disable directory server unless directory server is absolutely necessary., CC ID: 01464
  • Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary., CC ID: 01471
  • Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary., CC ID: 01470
  • Configure the “Network File System” server to organizational standards, CC ID: 01472
  • Disable webmin processes unless the webmin process is absolutely necessary., CC ID: 01501
  • Disable automount daemon unless automount daemon is absolutely necessary., CC ID: 01476
  • Disable CDE-related daemons unless CDE-related daemons are absolutely necessary., CC ID: 01474
  • Disable finger unless finger is absolutely necessary., CC ID: 01505
  • Disable Rexec unless Rexec is absolutely necessary., CC ID: 02164
  • Disable Squid cache server unless Squid cache server is absolutely necessary., CC ID: 01502
  • Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary., CC ID: 01503
  • Install and enable public Instant Messaging clients as necessary., CC ID: 02173
  • Disable x font server unless x font server is absolutely necessary., CC ID: 01499
  • Validate, approve, and document all UNIX shells prior to use., CC ID: 02161
  • Disable NFS client processes unless NFS client processes are absolutely necessary., CC ID: 01475
  • Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary., CC ID: 06681
  • Disable GSS daemon unless GSS daemon is absolutely necessary., CC ID: 01465
  • Disable Computer Browser unless Computer Browser is absolutely necessary., CC ID: 01814
  • Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary., CC ID: 01821
  • Disable web directory browsing on all web-enabled devices., CC ID: 01874
  • Disable WWW publishing services unless WWW publishing services are absolutely necessary., CC ID: 01833
  • Install and enable samba, as necessary., CC ID: 02175
  • Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary., CC ID: 02176
  • Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary., CC ID: 02172
  • Disable volume manager unless volume manager is absolutely necessary., CC ID: 01469
  • Disable Solaris Management Console unless Solaris Management Console is absolutely necessary., CC ID: 01468
  • Disable the Graphical User Interface unless it is absolutely necessary., CC ID: 01466
  • Disable help and support unless help and support is absolutely necessary., CC ID: 04280
  • Disable speech recognition unless speech recognition is absolutely necessary., CC ID: 04491
  • Disable or secure the NetWare QuickFinder search engine., CC ID: 04453
  • Disable messenger unless messenger is absolutely necessary., CC ID: 01819
  • Disable automatic updates unless automatic updates are absolutely necessary., CC ID: 01811
  • Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary., CC ID: 04846
  • Prohibit R-command files from existing for root or administrator., CC ID: 16322
  • Verify the /bin/rsh file exists or not, as appropriate., CC ID: 05101
  • Verify the /sbin/rsh file exists or not, as appropriate., CC ID: 05102
  • Verify the /usr/bin/rsh file exists or not, as appropriate., CC ID: 05103
  • Verify the /etc/ftpusers file exists or not, as appropriate., CC ID: 05104
  • Verify the /etc/rsh file exists or not, as appropriate., CC ID: 05105
  • Install or uninstall the AIDE package, as appropriate., CC ID: 05106
  • Enable the GNOME automounter (gnome-volume-manager) as necessary., CC ID: 05107
  • Install or uninstall the setroubleshoot package, as appropriate., CC ID: 05108
  • Configure Avahi properly., CC ID: 05109
  • Install or uninstall OpenNTPD, as appropriate., CC ID: 05110
  • Configure the "httpd" service to organizational standards., CC ID: 05111
  • Install or uninstall the net-smtp package properly., CC ID: 05112
  • Configure the apache web service properly., CC ID: 05113
  • Configure the vlock package properly., CC ID: 05114
  • Establish, implement, and maintain service accounts., CC ID: 13861
  • Configure the daemon account properly., CC ID: 05115
  • Configure the bin account properly., CC ID: 05116
  • Configure the nuucp account properly., CC ID: 05117
  • Configure the smmsp account properly., CC ID: 05118
  • Configure the listen account properly., CC ID: 05119
  • Configure the gdm account properly., CC ID: 05120
  • Configure the webservd account properly., CC ID: 05121
  • Configure the nobody account properly., CC ID: 05122
  • Configure the noaccess account properly., CC ID: 05123
  • Configure the nobody4 account properly., CC ID: 05124
  • Configure the sys account properly., CC ID: 05125
  • Configure the adm account properly., CC ID: 05126
  • Configure the lp account properly., CC ID: 05127
  • Configure the uucp account properly., CC ID: 05128
  • Install or uninstall the tftp-server package, as appropriate., CC ID: 05130
  • Enable the web console as necessary., CC ID: 05131
  • Enable rlogin auth by Pluggable Authentication Modules or pam.d properly., CC ID: 05132
  • Enable rsh auth by Pluggable Authentication Modules properly., CC ID: 05133
  • Enable the listening sendmail daemon, as appropriate., CC ID: 05134
  • Configure Squid properly., CC ID: 05135
  • Configure the "global Package signature checking" setting to organizational standards., CC ID: 08735
  • Configure the "Package signature checking" setting for "all configured repositories" to organizational standards., CC ID: 08736
  • Configure the "verify against the package database" setting for "all installed software packages" to organizational standards., CC ID: 08737
  • Configure the "isdn4k-utils" package to organizational standards., CC ID: 08738
  • Configure the "postfix" package to organizational standards., CC ID: 08739
  • Configure the "vsftpd" package to organizational standards., CC ID: 08740
  • Configure the "net-snmpd" package to organizational standards., CC ID: 08741
  • Configure the "rsyslog" package to organizational standards., CC ID: 08742
  • Configure the "ipsec-tools" package to organizational standards., CC ID: 08743
  • Configure the "pam_ccreds" package to organizational standards., CC ID: 08744
  • Configure the "talk-server" package to organizational standards., CC ID: 08745
  • Configure the "talk" package to organizational standards., CC ID: 08746
  • Configure the "irda-utils" package to organizational standards., CC ID: 08747
  • Configure the "/etc/shells" file to organizational standards., CC ID: 08978
  • Configure the LDAP package to organizational standards., CC ID: 09937
  • Configure the "FTP server" package to organizational standards., CC ID: 09938
  • Configure the "HTTP Proxy Server" package to organizational standards., CC ID: 09939
  • Configure the "prelink" package to organizational standards., CC ID: 11379
  • Configure the Network Information Service (NIS) package to organizational standards., CC ID: 11380
  • Configure the "time" setting to organizational standards., CC ID: 11381
  • Configure the "biosdevname" package to organizational standards., CC ID: 11383
  • Configure the "ufw" setting to organizational standards., CC ID: 11384


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • T44: The organization shall minimize the number of connected devices, communication routes, and communications-related devices that can be accessed from external networks. The organization shall not connect unnecessary devices. T44.2: The organization shall securely set up computers that are connect… (T44, T44.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Unneeded operating system accounts, software, components, services and functionality are removed or disabled. (Security Control: 0380; Revision: 7, Australian Government Information Security Manual, March 2021)
  • DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed. (Security Control: 1247; Revision: 2, Australian Government Information Security Manual, March 2021)
  • The organization must develop a hardened Standard Operating Environment for servers and workstations that includes removing unnecessary software, operating system components, and hardware. (Control: 0380 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should disable all protocols, permissions, functions, and features, unless they are required for the business operations. (¶ 26(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Has unnecessary (frequently vendor bundled) software been removed or disabled and do systems only have software on them that is required to meet business requirements? (Secure configuration Question 13, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Has out-of-date or older software been removed from computer and network devices that are connected to or capable of connecting to the Internet? (Patch management Question 47, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Have all unnecessary applications on each client and server been disabled? (Table Row XIII.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Disable all unnecessary applications, ports, and protocols. (4.2.3 E, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Verify the system configuration standards include procedures for enabling only the necessary services, daemons, protocols, and others that are required for system functions. (Testing Procedures § 2.2.d Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Mobile devices should be subject to 'system hardening' by removing or restricting unnecessary applications (e.g., unapproved games, non-business software, and utilities). (CF.14.02.03a, The Standard of Good Practice for Information Security)
  • Mobile devices should be subject to 'system hardening' by removing or restricting unnecessary applications (e.g., unapproved games, non-business software, and utilities). (CF.14.02.06a, The Standard of Good Practice for Information Security, 2013)
  • Access services on the system should be regularly examined to ensure the available services are not being misused. (Special Action 7.2, SANS Computer Security Incident Handling, Version 2.3.1)
  • Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications. Each plugin shall utilize application / URL whitelisting and only allow the use of the application for pre-approved domains. (Control 7.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should remove all older software and outdated software from the system. (Critical Control 3.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Uninstall or disable any unauthorized browser or email client plugins or add-on applications. (CIS Control 7: Sub-Control 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins, CIS Controls, 7.1)
  • Uninstall or disable any unauthorized browser or email client plugins or add-on applications. (CIS Control 7: Sub-Control 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins, CIS Controls, V7)
  • Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications. (CIS Control 9: Safeguard 9.4 Restrict Unnecessary or Unauthorized and Email Client Extensions, CIS Controls, V8)
  • Protection Against Malicious Code. Users need to be aware that malicious code may be introduced into their environment through network connections. Malicious code may not be detected before damage is done unless suitable safeguards are implemented. Malicious code may result in compromise of security… (¶ 13.6, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021 Restrict Web-Based Content, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • For Cisco IOS, the organization must review the servers to verify they are necessary and disable the ones that are not needed. (Table F-10, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 2.1.4: The organization must disable all file system access that is not explicitly required for application, administrator, or system functionality. CSR 10.7.9: The organization must disable all system services, ports, and network protocols that are not explicitly required for application and sy… (CSR 2.1.4, CSR 10.7.9, CSR 10.8.7, CSR 10.8.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The agency shall configure applications, Information Systems, and services to provide only the necessary capabilities. (§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Do the configuration policies and procedures include removing or disabling unnecessary network services and Operating System services? (IT - Networks Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization should review the system on an organizationally defined period to identify and restrict any unnecessary protocols, ports, services, and/or functions. (SG.CM-7 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must remove all unused and unnecessary functions and services from the Industrial Control System. (App I § SI-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization disables {organizationally documented functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure}. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization disables {organizationally documented functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure}. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization disables {organizationally documented functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure}. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)