Disable all unnecessary services unless otherwise noted in a policy exception.


CONTROL ID: 00880
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish and maintain a system hardening standard and system hardening procedures., CC ID: 00876

This Control has the following implementation support Control(s):
  • Disable rquotad unless rquotad is absolutely necessary., CC ID: 01473
  • Disable telnet unless telnet use is absolutely necessary., CC ID: 01478
  • Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary., CC ID: 01479
  • Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary., CC ID: 01485
  • Disable Post Office Protocol unless its use is absolutely necessary., CC ID: 01486
  • Disable SQLServer processes unless SQLServer processes use is absolutely necessary., CC ID: 01500
  • Disable alerter unless alerter use is absolutely necessary., CC ID: 01810
  • Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary., CC ID: 01812
  • Disable ClipBook unless ClipBook use is absolutely necessary., CC ID: 01813
  • Disable Fax Service unless Fax Service use is absolutely necessary., CC ID: 01815
  • Disable IIS admin service unless IIS admin service use is absolutely necessary., CC ID: 01817
  • Disable indexing service unless indexing service use is absolutely necessary., CC ID: 01818
  • Disable net logon unless net logon use is absolutely necessary., CC ID: 01820
  • Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary., CC ID: 01822
  • Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary., CC ID: 01823
  • Disable Routing and Remote Access unless Routing and Remote Access use is absolutely necessary., CC ID: 01824
  • Disable task scheduler unless task scheduler use is absolutely necessary., CC ID: 01829
  • Disable Terminal Services unless Terminal Services use is absolutely necessary., CC ID: 01831
  • Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary., CC ID: 01832
  • Disable File Service Protocol., CC ID: 02167
  • Disable the License Logging Service unless it is absolutely necessary., CC ID: 04282
  • Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary., CC ID: 04285
  • Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary., CC ID: 04286
  • Disable Remote Administration Service unless remote administration management is absolutely necessary., CC ID: 04287
  • Disable remote installation unless remote installation is absolutely necessary., CC ID: 04288
  • Disable Remote Server Manager unless Remote Server Manager is absolutely necessary., CC ID: 04289
  • Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary., CC ID: 04290
  • Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary., CC ID: 04291
  • Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary., CC ID: 04292
  • Disable telephony services unless telephony services use is absolutely necessary., CC ID: 04293
  • Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary., CC ID: 04294
  • Disable SSDP/UPnP unless SSDP/UPnP is absolutely necessary., CC ID: 04315
  • Configure the "ntpd service" setting to organizational standards., CC ID: 04911
  • Configure the "echo service" setting to organizational standards., CC ID: 04912
  • Configure the "netstat service" setting to organizational standards., CC ID: 04913
  • Configure the "chargen service" setting to organizational standards., CC ID: 04914
  • Configure the "tftpd service" setting to organizational standards., CC ID: 04915
  • Configure the "walld service" setting to organizational standards., CC ID: 04916
  • Configure the "rstatd service" setting to organizational standards., CC ID: 04917
  • Configure the "sprayd service" setting to organizational standards., CC ID: 04918
  • Configure the "rusersd service" setting to organizational standards., CC ID: 04919
  • Configure the "inn service" setting to organizational standards., CC ID: 04920
  • Configure the "font service" setting to organizational standards., CC ID: 04921
  • Configure the "ident service" setting to organizational standards., CC ID: 04922
  • Configure the "rexd service" setting to organizational standards., CC ID: 04923
  • Configure the "daytime service" setting to organizational standards., CC ID: 04924
  • Configure the "dtspc (cde-spc) service" setting to organizational standards., CC ID: 04925
  • Configure the "cmsd service" setting to organizational standards., CC ID: 04926
  • Configure the "ToolTalk service" setting to organizational standards., CC ID: 04927
  • Configure the "discard service" setting to organizational standards., CC ID: 04928
  • Configure the "vino-server service" setting to organizational standards., CC ID: 04929
  • Configure the "bind service" setting to organizational standards., CC ID: 04930
  • Configure the "nfsd service" setting to organizational standards., CC ID: 04931
  • Configure the "mountd service" setting to organizational standards., CC ID: 04932
  • Configure the "statd service" setting to organizational standards., CC ID: 04933
  • Configure the "lockd service" setting to organizational standards., CC ID: 04934
  • Configure the "decode sendmail alias" setting to organizational standards., CC ID: 04935
  • Configure the sendmail vrfy command, as appropriate., CC ID: 04936
  • Configure the sendmail expn command, as appropriate., CC ID: 04937
  • Configure .netrc with an appropriate set of services., CC ID: 04938
  • Enable NFS insecure locks as necessary., CC ID: 04939
  • Configure the "X server ac" setting to organizational standards., CC ID: 04940
  • Configure the "X server core" setting to organizational standards., CC ID: 04941
  • Enable or disable the setroubleshoot service, as appropriate., CC ID: 05540
  • Configure the "X server nolock" setting to organizational standards., CC ID: 04942
  • Enable or disable the mcstrans service, as appropriate., CC ID: 05541
  • Configure the "PAM console" setting to organizational standards., CC ID: 04943
  • Enable or disable the restorecond service, as appropriate., CC ID: 05542
  • Enable the rhnsd service as necessary., CC ID: 04944
  • Enable the yum-updatesd service as necessary., CC ID: 04945
  • Enable the autofs service as necessary., CC ID: 04946
  • Enable the ip6tables service as necessary., CC ID: 04947
  • Enable the iptables service as necessary., CC ID: 04948
  • Enable the syslog service as necessary., CC ID: 04949
  • Enable the auditd service as necessary., CC ID: 04950
  • Enable the logwatch service as necessary., CC ID: 04951
  • Enable the logrotate (syslog rotator) service as necessary., CC ID: 04952
  • Install or uninstall the telnet server package, only if absolutely necessary., CC ID: 04953
  • Enable the ypbind service as necessary., CC ID: 04954
  • Enable the ypserv service as necessary., CC ID: 04955
  • Enable the firstboot service as necessary., CC ID: 04956
  • Enable the gpm service as necessary., CC ID: 04957
  • Enable the irqbalance service as necessary., CC ID: 04958
  • Enable the isdn service as necessary., CC ID: 04959
  • Enable the kdump service as necessary., CC ID: 04960
  • Enable the mdmonitor service as necessary., CC ID: 04961
  • Enable the microcode_ctl service as necessary., CC ID: 04962
  • Enable the pcscd service as necessary., CC ID: 04963
  • Enable the smartd service as necessary., CC ID: 04964
  • Enable the readahead_early service as necessary., CC ID: 04965
  • Enable the readahead_later service as necessary., CC ID: 04966
  • Enable the messagebus service as necessary., CC ID: 04967
  • Enable the haldaemon service as necessary., CC ID: 04968
  • Enable the apmd service as necessary., CC ID: 04969
  • Enable the acpid service as necessary., CC ID: 04970
  • Enable the cpuspeed service as necessary., CC ID: 04971
  • Enable the network service as necessary., CC ID: 04972
  • Enable the hidd service as necessary., CC ID: 04973
  • Enable the crond service as necessary., CC ID: 04974
  • Install and enable the anacron service as necessary., CC ID: 04975
  • Enable the xfs service as necessary., CC ID: 04976
  • Install and enable the Avahi daemon service as necessary., CC ID: 04977
  • Enable the CUPS service as necessary., CC ID: 04978
  • Enable the hplip service as necessary., CC ID: 04979
  • Enable the dhcpd service as necessary., CC ID: 04980
  • Enable the nfslock service as necessary., CC ID: 04981
  • Enable the rpcgssd service as necessary., CC ID: 04982
  • Enable the rpcidmapd service as necessary., CC ID: 04983
  • Enable the nfs service as necessary., CC ID: 04984
  • Enable the rpcsvcgssd service as necessary., CC ID: 04985
  • Configure root squashing for all NFS shares, as appropriate., CC ID: 04986
  • Configure write access to NFS shares, as appropriate., CC ID: 04987
  • Configure the named service, as appropriate., CC ID: 04988
  • Configure the vsftpd service, as appropriate., CC ID: 04989
  • Install and enable the dovecot service, as appropriate., CC ID: 04990
  • Enable the smb service as necessary., CC ID: 04991
  • Enable the snmpd service as necessary., CC ID: 04992
  • Enable the calendar manager as necessary., CC ID: 04993
  • Enable the GNOME logon service as necessary., CC ID: 04994
  • Enable the WBEM services as necessary., CC ID: 04995
  • Enable the keyserv service as necessary., CC ID: 04996
  • Enable the Generic Security Service daemon as necessary., CC ID: 04997
  • Enable the volfs service as necessary., CC ID: 04998
  • Enable the smserver service as necessary., CC ID: 04999
  • Enable the mpxio-upgrade service as necessary., CC ID: 05000
  • Enable the metainit service as necessary., CC ID: 05001
  • Enable the meta service as necessary., CC ID: 05003
  • Enable the metaed service as necessary., CC ID: 05004
  • Enable the metamh service as necessary., CC ID: 05005
  • Enable the Local RPC Port Mapping Service as necessary., CC ID: 05006
  • Enable the Kerberos kadmind service as necessary., CC ID: 05007
  • Enable the Kerberos krb5kdc service as necessary., CC ID: 05008
  • Enable the Kerberos kpropd service as necessary., CC ID: 05009
  • Enable the Kerberos ktkt_warnd service as necessary., CC ID: 05010
  • Enable the sadmin service as necessary., CC ID: 05011
  • Enable the IPP listener as necessary., CC ID: 05012
  • Enable the serial port listener as necessary., CC ID: 05013
  • Enable the Network News Transport Protocol service as necessary., CC ID: 05017
  • Enable the network Dynamic Data Exchange service as necessary., CC ID: 05018
  • Enable the RARP service as necessary., CC ID: 05020
  • Configure the ".NET Framework service" setting to organizational standards., CC ID: 05021
  • Enable the Network DDE Share Database Manager service as necessary., CC ID: 05022
  • Configure the TCP/IP NetBIOS Helper Service properly., CC ID: 05034
  • Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly., CC ID: 05048
  • Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly., CC ID: 05050
  • Configure the Network Connections service properly., CC ID: 05065
  • Configure the File Replication service properly., CC ID: 05068
  • Configure the Remote Procedure Call locator service properly., CC ID: 05071
  • Configure the FTP Publishing Service properly., CC ID: 05074
  • Configure the Remote Shell service properly., CC ID: 05077
  • Configure the Help and Support Service properly., CC ID: 05084
  • Enable file uploads via vsftpd service, as appropriate., CC ID: 05100
  • Disable or remove sadmind unless use of sadmind is absolutely necessary., CC ID: 06885
  • Configure the "SNMP version 1" setting to organizational standards., CC ID: 08976
  • Configure the "xdmcp service" setting to organizational standards., CC ID: 08985


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • T44: The organization shall minimize the number of connected devices, communication routes, and communications-related devices that can be accessed from external networks. The organization shall not connect unnecessary devices. T44.2: The organization shall securely set up computers that are connect… (T44, T44.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization must develop a hardened Standard Operating Environment for servers and workstations that includes removing unnecessary software, operating system components, and hardware. (Control: 0380 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should remove or disable unnecessary Database Management System software features and procedures. (Control: 1247, Australian Government Information Security Manual: Controls)
  • The organization should disable Database Management System software from reading local files from a server. (Control: 1251, Australian Government Information Security Manual: Controls)
  • The organization must disable open e-mail relaying, so e-mail servers only relay messages that originate inside the domain and messages destined for the domain. (Control: 0567, Australian Government Information Security Manual: Controls)
  • The organization should disable agent credential forwarding, if logins absent a passphrase for automated purposes are used for remote access to Secure Shell. (Control: 0487 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization must disable split tunneling when a Virtual Private Network is used to connect a mobile device to a system. (Control: 0705, Australian Government Information Security Manual: Controls)
  • The organization should disable all protocols, permissions, functions, and features, unless they are required for the business operations. (¶ 26(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Portable computers and personal electronic devices that process classified information should have all unnecessary hardware and services disabled or removed. (§ 3.4.63, § 3.5.8, Australian Government ICT Security Manual (ACSI 33))
  • (§ XI.5, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Have all unnecessary services on each client and server been disabled? (Table Row XIII.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • During the installation process, deselect any packages, especially the X11 package, that are not going to be used. This reduces the risk of attackers using known vulnerabilities in unused packages to enter the system. If an upgrade from Mac OS X to Mac OS X 10.4 was performed, an adaptation of Mac O… (Pg 22, Pg 33, Pg 87, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • Disable all standard services. (§ 3.9, The Center for Internet Security AIX Benchmark, 1.0.1)
  • The organization must disable all standard services. (§ 2.1, The Center for Internet Security FreeBSD Benchmark, 1.0.5)
  • Disable all standard services. (§ 2.1, The Center for Internet Security HP-UX Benchmark, 1.4.2)
  • All services on the operating system are set to OFF by default. Only absolutely necessary services should be enabled. If possible, the services should be enabled only while they are being used and should be disabled as soon as the service is no longer needed. None of the services needs to be enabled… (§ 2.9, The Center for Internet Security Mac OS X Tiger Level I Security Benchmark, 1)
  • If unneeded services are enabled or left on the system, security issues could evolve. Many of these services are not securely configured by default. Any unused or unnecessary services should be removed from the system. QuickFinder, a search engine for finding web data on the server, should be disabl… (§ 1.2, § 2.15, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • The organization must disable all standard services. (§ 2.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.0.5)
  • Disable all standard services. (§ 2.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.1.1)
  • Disable all standard services. (§ 2.1, The Center for Internet Security Slackware Linux Benchmark, 1.1)
  • Disable all standard services. (§ 2.1, The Center for Internet Security Solaris Benchmark, 1.5.0)
  • Disable all standard services. (§ 2.1, The Center for Internet Security SuSE Linux Enterprise Server Benchmark, 2)
  • Harden an OS before it is used in production. Disable all unnecessary services in the configuration of the server. (§ 3-8, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • For a sample of system components, inspect enabled system services, daemons, and protocols. Verify that unnecessary or insecure services or protocols are not enabled, or are justified and documented as to appropriate use of the service. (§ 2.2.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • For a sample of system components, inspect enabled system services, daemons, and protocols. Verify that unnecessary or insecure services or protocols are not enabled, or are justified and documented as to appropriate use of the service. (§ 2.2.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the system configuration standards include procedures for enabling only the necessary services, daemons, protocols, and others that are required for system functions. (Testing Procedures § 2.2.d Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Inspect the enabled system services, protocols, and daemons from a sample of system components to verify only the necessary services and protocols are enabled. (Testing Procedures § 2.2.2.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel to verify the identified insecure services, protocols, and daemons that are enabled have been justified in accordance with the documented configuration standards. (Testing Procedures § 2.2.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the services and the parameter files on a sample of systems to verify that telnet and other insecure remote login commands are not available for non-console access. (Testing Procedures § 2.3.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • All unnecessary services and applications must be disabled, unless they have been justified and documented. (§ 2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • For a sample of system components, inspect enabled system services, daemons, and protocols. (§ 2.2.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Only necessary services, protocols, or daemons for the function of the system must be enabled. (PCI DSS Requirements § 2.2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • All services, daemons, and protocols required by the application or enabled should be examined. The payment application must not use or require the use of unnecessary and insecure services or protocols. (§ 5.4, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do system configuration standards include enabling only necessary services, protocols, daemons, etc., as required for the function of the system? (PCI DSS Question 2.2(d) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are only necessary services, protocols, daemons, etc., enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (PCI DSS Question 2.2.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? (PCI DSS Question 4.1(e), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • System / network monitoring activities should involve checking whether powerful utilities / commands have been disabled on attached hosts (e.g., by using a 'network sniffer'). (CF.10.05.05b, The Standard of Good Practice for Information Security)
  • Connections between servers (e.g., web servers) and back-office systems (e.g., application and database servers) should be restricted to only the services that are required by business applications. (CF.04.01.07b, The Standard of Good Practice for Information Security)
  • Servers should be configured to disable or restrict non-essential or redundant services (e.g., X Windows, open windows, fingerd, and web browsers). (CF.07.02.03a, The Standard of Good Practice for Information Security)
  • Servers should be configured to disable or restrict communication services that are inherently susceptible to abuse (e.g., tftp, rpc, rlogin, rsh, or Rexec). (CF.07.02.03b, The Standard of Good Practice for Information Security)
  • Servers should be configured to disable or restrict communication protocols that are prone to abuse (e.g., http, https, ssh, ftp, smtp, telnet, and uucp). (CF.07.02.03c, The Standard of Good Practice for Information Security)
  • Servers should be configured in accordance with documented standards / procedures, which should cover disabling or restricting unnecessary functions or services. (CF.07.02.01b, The Standard of Good Practice for Information Security)
  • Mobile devices should be subject to 'system hardening' by disabling unnecessary services and user accounts (e.g., guest). (CF.14.02.03b, The Standard of Good Practice for Information Security)
  • System / network monitoring activities should involve checking whether powerful utilities / commands have been disabled on attached hosts (e.g., by using a 'network sniffer'). (CF.10.05.05b, The Standard of Good Practice for Information Security, 2013)
  • Connections between servers (e.g., web servers) and back-office systems (e.g., application and database servers) should be restricted to only the services that are required by business applications. (CF.04.01.07b, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to disable or restrict non-essential or redundant services (e.g., X Windows, open windows, fingerd, and web browsers). (CF.07.02.03a, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to disable or restrict communication services that are inherently susceptible to abuse (e.g., tftp, rpc, rlogin, rsh, or Rexec). (CF.07.02.05b, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to disable or restrict communication protocols that are prone to abuse (e.g., http, https, ssh, ftp, smtp, telnet, and uucp). (CF.07.02.05c, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured in accordance with documented standards / procedures, which should cover disabling or restricting unnecessary functions or services. (CF.07.02.01c, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be subject to 'system hardening' by disabling unnecessary services and user accounts (e.g., guest). (CF.14.02.06b, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to disable or restrict the 'auto-run' feature (e.g., from Compact Discs, Digital Video Disks and portable storage devices, and mounted / shared network folders). (CF.07.02.05g, The Standard of Good Practice for Information Security, 2013)
  • The organization should run as few services as possible and ensure they are well protected. (Special Action 7.1, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization should turn off services for projects or limited engagements when they are no longer needed. (Critical Control 11.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should turn unneeded services off for 30 days and uninstall them after 30 days. (Critical Control 11.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The service provider shall plan for the removal of any services that are to be removed. (§ 5.2 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Utility programs are programs that may be able to override system and application controls. They should be restricted and controlled. If these system utilities are not needed, they should be disabled or removed. (§ 11.5.4, ISO 27002 Code of practice for information security management, 2005)
  • The organization should restrict logical access to master passwords, powerful utilities, system configurations, Superuser functionality, and security devices. (Generally Accepted Privacy Principles and Criteria § 8.2.2 i, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should restrict access to master passwords, powerful utilities, system configurations, Superuser functionality, and security devices. (Table Ref 8.2.2.i, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization must implement and monitor the status of services minimization controls. (PE 15.j, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • On UNIX computers or Linux computers that transmit scoped data, are all unnecessary services and unused services turned off? (§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, are all unnecessary services and unused services turned off? (§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, are all unnecessary services and unused services turned off? (§ G.16.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that transmit scoped data, are unnecessary services and unused services turned off? (§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, are unnecessary services and unused services turned off? (§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, are unnecessary services and unused services turned off? (§ G.17.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When Windows Internet Information Services is used for web services, are unused services turned off on Internet Information Services servers? (§ G.21.2.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are service accounts disallowed for normal operations and monitored for usage? (§ H.3.4, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are unnecessary/unused services turned off? (§ V.1.72.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are unneeded hypervisor services (e.g. File-sharing) between the guest and the host Operating System disabled? (§ V.1.72.23, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Table F-2: For Windows 2003 Server, the organization must review all services for proper configuration and disable all unnecessary services. Table F-3: For Windows 2000 Professional, the organization must disable all unnecessary services. Table F-4: For Windows XP Professional, the organization must… (Table F-2, Table F-3, Table F-4, Table F-8, Table F-10, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 2.1.4: The organization must disable all file system access that is not explicitly required for application, administrator, or system functionality. CSR 10.7.9: The organization must disable all system services, ports, and network protocols that are not explicitly required for application and sy… (CSR 2.1.4, CSR 10.7.9, CSR 10.8.7, CSR 10.8.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The system administrator should disable any network services which are not necessary for the operation of the network. These services are disabled in the inetd.conf file. (§ 4, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • Services not needed for the operational use of the system must be disabled on all wireless clients. Non-required software and/or services that support remote access services must not be installed on remote access servers or network access servers. Non-required services that support remote access ser… (§ 4.1.5, § 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Any unnecessary services should be disabled, unless there is a site requirement for specific services. If there is a requirement, then it should be documented and justified with the Information Assurance Officer. The following services should be disabled: Alerter; Application Layer Gateway Service; … (§ 5.2.2.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The Access Control Lists (ACLs) for disabled services should have permissions set to Administrators: Full Control; System: Full Control; and Interactive: Read. The Internet Information System (IIS) should not be installed on the system. (§ 3.5.9 (2.014), § 3.12 (5.016), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • Sites should disable all services, unless there is a site requirement for the service. If the service is Enabled, it should be documented and justified and given to the Information Assurance Officer. (§ 5.2.2, § 5.2.2.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • § 4.5.1 (MED0260: CAT II) The Information Assurance Officer/Network Security Officer, for all medical device VLAN access ports, in compliance with the Network Infrastructure STIG, shall disable trunking. § 6.1.2.2 (MED0660: CAT II) The Information Assurance Officer, for networked medical devices, wi… (§ 4.5.1 (MED0260: CAT II), § 6.1.2.2 (MED0660: CAT II), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • Verify that unapproved IM clients / services are uninstalled or disabled on all operating systems. (ECIM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The agency shall configure applications, Information Systems, and services to provide only the necessary capabilities. (§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall prohibit and/or restrict the use of stated functions, ports, protocols, and services. (§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The organization should strictly control the use of utility programs. (Pg 57, Exam Obj 10.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • Determine whether adequate inspection for, and removal of, unauthorized hardware and software takes place. (Exam Tier II Obj D.3, FFIEC IT Examination Handbook - Information Security)
  • Have the unnecessary services on the web server been disabled and appropriate controls implemented? (IT - Member Online Services Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Do the configuration policies and procedures include removing or disabling unnecessary network services and Operating System services? (IT - Networks Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are all unnecessary services shut down on the routers? (IT - Routers Q 31, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has network autoloading been disabled, unless the router absolutely needs to autoload the startup configuration from a Trivial File Transfer Protocol host? (IT - Routers Q 37, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization should remove or permanently disable unnecessary services, applications, and user controls on all Bluetooth devices. (Table 4-3 Item 9, Table 4-4 Item 6, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • Wireless interfaces, such as Bluetooth, WiFi, and infrared, should be disabled when not needed, and automatic connections to cellular data services should be turned off. If possible, unneeded functions should be removed to prevent them from being reactivated. Another option is to subscribe only to t… (§ 4.1.6, § 4.1.8, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • (§ 5.2, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002)
  • The organization should review the system on an organizationally defined period to identify and restrict any unnecessary protocols, ports, services, and/or functions. (SG.CM-7 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should periodically review the system to identify and eliminate unnecessary functions, ports, protocols, and/or services. (App F § CM-7(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must remove all unused and unnecessary functions and services from the Industrial Control System. (App I § SI-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization configures the information system to provide only essential capabilities. (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • CM-7(1) Organizational records and documents should be examined on a regular basis to ensure all unnecessary functions, ports, protocols, and services have been disabled or removed from the system. CM-7.2 Test the system to ensure all identified functions, ports, protocols, and services have been di… (CM-7(1), CM-7.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Disable all standard services which are normally enabled in the Solaris inetd.conf file. (§ 2.1, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)
  • Vendor-supplied defaults should be changed during installation of third party software on the network, including the elimination of unnecessary accounts/user IDs (i.e., guest). Functions, services, utilities, or commands, such as inessential, unnecessary or redundant services, communications that ar… (ATCS-311, ATCS-478, Archer Control Table)