2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.
Defined Approach Requirements
2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.
Defined Approach Testing Procedures
2.2.4.a Examine system configuration standards to verify that they require only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.
2.2.4.b Examine system configurations to verify that only necessary functionality is enabled, and all unnecessary functionality is removed or disabled.
Purpose
Unnecessary services, protocols, or functions can provide additional attack vectors for malicious individuals. By removing or disabling all unnecessary services, protocols, daemons, and functions, organizations can focus on securing the functions that are required and reduce the risk that unknown or unnecessary functions will be exploited.
Good Practice
Enabling only necessary services, protocols, daemons, and functions prevents unauthorized access to system components through less-secure services, protocols, or functions. It also reduces the number of system functions that need to be secured.
Unnecessary functionality may include but is not limited to scripts, drivers, features, subsystems, file systems, interfaces (USB, Bluetooth, etc.) and unnecessary web servers, protocols such as FTP, DNS, ICMP, or services such as NetBIOS, file sharing, and Windows/Mac sharing.
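As an added example (not part of the PCI DSS text), one way to automate the check in testing procedure 2.2.4.b against a documented configuration standard: compare a host's enabled units and listening sockets with an allowlist and report everything outside it. The allowlist, unit names and command output below are constructed, and the protocol labels for the findings come from the Good Practice list above.

```python
# Constructed sample output shaped like `ss -Hlntu` and
# `systemctl list-unit-files --state=enabled`; not captured from a real host.
SS_OUTPUT = """\
tcp   LISTEN 0  128 0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0  511 0.0.0.0:443   0.0.0.0:*
tcp   LISTEN 0  5   0.0.0.0:21    0.0.0.0:*
tcp   LISTEN 0  50  0.0.0.0:445   0.0.0.0:*
udp   UNCONN 0  0   0.0.0.0:137   0.0.0.0:*
udp   UNCONN 0  0   127.0.0.1:53  0.0.0.0:*
"""
SYSTEMCTL_OUTPUT = """\
UNIT FILE         STATE   PRESET
sshd.service      enabled enabled
nginx.service     enabled enabled
vsftpd.service    enabled disabled
smbd.service      enabled disabled
bluetooth.service enabled enabled
"""
# Hypothetical allowlist from the documented configuration standard: justified units and their sockets.
ALLOWED_UNITS = {"sshd.service", "nginx.service"}
ALLOWED_SOCKETS = {("tcp", 22), ("tcp", 443)}
# Labels for protocols the Good Practice text names; used only to annotate findings.
KNOWN_UNNECESSARY = {("tcp", 21): "FTP", ("tcp", 445): "SMB file sharing",
                     ("udp", 137): "NetBIOS", ("udp", 53): "DNS"}

def listening_sockets(ss_text):
    """Parse ss-style lines into (proto, port) tuples; skips headers/unknown lines."""
    out = set()
    for line in ss_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] in ("tcp", "udp"):
            out.add((f[0], int(f[4].rsplit(":", 1)[1])))
    return out

def enabled_units(systemctl_text):
    """Return .service unit names whose STATE column reads 'enabled'."""
    return {f[0] for f in (l.split() for l in systemctl_text.splitlines())
            if len(f) >= 2 and f[0].endswith(".service") and f[1] == "enabled"}

def audit(ss_text, systemctl_text):
    """2.2.4.b check: anything enabled or listening that the standard does not allow."""
    findings = [f"enabled unit not in standard: {u}"
                for u in sorted(enabled_units(systemctl_text) - ALLOWED_UNITS)]
    for proto, port in sorted(listening_sockets(ss_text) - ALLOWED_SOCKETS):
        label = KNOWN_UNNECESSARY.get((proto, port), "undocumented")
        findings.append(f"listening {proto}/{port} not in standard ({label})")
    return findings  # empty list means the host matches its standard

if __name__ == "__main__":
    print("\n".join(audit(SS_OUTPUT, SYSTEMCTL_OUTPUT)) or "no findings")
```

On a real host, feed it the live output of the two commands and treat any finding as either a gap to close or a documented, risk-accepted exception.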
Purpose
Document and manage insecure services/protocols/ports.
What's Required for Compliance
- Identify and document all insecure protocols in use
- Implement compensating controls for each
Compliance Strategies
- Protocol whitelisting
- Network segmentation
- Cryptographic wrappers (IPsec tunnels)
Typical Policies and Procedures
- Risk Acceptance Documentation
- Legacy System Security Plan
Common Pitfalls and Failures
- Business-critical legacy apps without crypto
- Misconfigured TLS implementations
Type
Technical Control
Difficulty
High
Key Risks
- Man-in-the-middle attacks
Product/Vendor Recommendations
- Cloudflare Access
- IPsec VPN solutions
Eligible SAQ
- SAQ-A
- SAQ-A-EP
- SAQ-B-IP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER