NIST 800-171 • LEVEL 2 • CONFIGURATION MANAGEMENT

3.4.6 Least Functionality

Configure the system to provide only mission-essential capabilities. Prohibit or restrict use of the following functions, ports, protocols, connections, and services: organization-defined parameter. Review the system organization-defined parameter to identify unnecessary or nonsecure functions, ports, protocols, connections, and services. Disable or remove functions, ports, protocols, connections, and services that are unnecessary or nonsecure.

Assessment Objectives

  • the use of the following functions is prohibited or restricted: organization-defined parameter.
  • the use of the following ports is prohibited or restricted: organization-defined parameter.
  • the use of the following protocols is prohibited or restricted: organization-defined parameter.
  • the use of the following connections is prohibited or restricted: organization-defined parameter.
  • the use of the following services is prohibited or restricted: organization-defined parameter.
  • the system is reviewed organization-defined parameter to identify unnecessary or nonsecure functions, ports, protocols, connections, and services.
  • unnecessary or nonsecure functions, ports, protocols, connections, and services are disabled or removed.
  • the system is configured to provide only mission-essential capabilities.

Practitioner Notes

Your systems should only be running the software, services, and functions they actually need to do their job. Everything else is attack surface — unnecessary services, open ports, and unused protocols give attackers more ways in.

Review regularly and turn off anything that is not mission-essential.

Example 1: On Windows servers, open Server Manager > Manage > Remove Roles and Features and strip out any roles not required for the server's function. A domain controller does not need the Print Server role, for instance. Also review Services.msc and disable services like Xbox Live Auth Manager or Fax that have no business on a server.
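To make the review in Example 1 repeatable and leave evidence for the periodic check this practice requires, the following PowerShell audit script is added here as an illustration; it is not part of the original page. It assumes a documented baseline for the server (the three allowlists below are constructed for a hypothetical domain controller and must be replaced with your own), reports installed features, running services, and listening ports outside that baseline, and previews remediation with -WhatIf rather than changing anything.

```powershell
# Least-functionality audit for a Windows Server (added example; allowlists are assumptions).
# Requires an elevated session; Get-WindowsFeature needs the ServerManager module (Windows Server).
param(
    [switch]$Remediate   # without this switch the script only reports
)

Import-Module ServerManager

# ASSUMPTION: constructed baseline for a hypothetical domain controller. Replace with your own.
$AllowedFeatures = @('AD-Domain-Services','DNS','FileAndStorage-Services','Storage-Services',
                     'NET-Framework-45-Core','RSAT-AD-Tools','Windows-Defender','PowerShellRoot')
$AllowedServices = @('NTDS','DNS','Kdc','Netlogon','W32Time','LanmanServer','LanmanWorkstation',
                     'Dnscache','WinDefend','EventLog','RpcSs')
$AllowedPorts    = @(53,88,135,389,445,464,636,3268,3269)

$report = [System.Collections.Generic.List[object]]::new()

# 1. Installed roles and features that are not in the baseline (e.g. Print Server on a DC)
Get-WindowsFeature | Where-Object { $_.Installed -and $_.Name -notin $AllowedFeatures } |
  ForEach-Object {
    $report.Add([pscustomobject]@{ Type = 'Feature'; Name = $_.Name; Detail = $_.DisplayName })
    # -WhatIf previews the removal; drop it only after the finding has been reviewed
    if ($Remediate) { Uninstall-WindowsFeature -Name $_.Name -WhatIf }
  }

# 2. Running services that are not in the baseline (e.g. Fax, XblAuthManager)
Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $AllowedServices } |
  ForEach-Object {
    $report.Add([pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = $_.DisplayName })
    if ($Remediate) { Set-Service -Name $_.Name -StartupType Disabled -WhatIf }
  }

# 3. Listening TCP ports outside the baseline, with the process that owns each one
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -notin $AllowedPorts } |
  ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $report.Add([pscustomobject]@{ Type = 'Port'; Name = $_.LocalPort; Detail = $proc.ProcessName })
  }

$report | Sort-Object Type, Name | Format-Table -AutoSize

# Keep the CSV as evidence of the review for the assessor
$report | Export-Csv -Path ".\least-functionality-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it without -Remediate first; every line of the report is either a gap in the documented baseline or a candidate for removal, and the dated CSV doubles as the review record.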

Example 2: On your perimeter firewall, run a port audit. In Palo Alto, go to Policies > Security and review each allow rule. Use the Rule Usage statistics (visible in Panorama under Policies > Rule Usage) to identify rules with zero hits over the past 90 days. Disable or remove unused rules and document the cleanup.