NIST 800-171 • LEVEL 2 • CONFIGURATION MANAGEMENT

3.4.6 Least Functionality

Configure the system to provide only mission-essential capabilities. Prohibit or restrict use of the following functions, ports, protocols, connections, and services: {{ insert: param, A.03.04.06.ODP.01 }}. Review the system {{ insert: param, A.03.04.06.ODP.06 }} to identify unnecessary or nonsecure functions, ports, protocols, connections, and services. Disable or remove functions, ports, protocols, connections, and services that are unnecessary or nonsecure.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • the use of the following functions is prohibited or restricted: {{ insert: param, A.03.04.06.ODP.01 }}.
  • the use of the following ports is prohibited or restricted: {{ insert: param, A.03.04.06.ODP.02 }}.
  • the use of the following protocols is prohibited or restricted: {{ insert: param, A.03.04.06.ODP.03 }}.
  • the use of the following connections is prohibited or restricted: {{ insert: param, A.03.04.06.ODP.04 }}.
  • the use of the following services is prohibited or restricted: {{ insert: param, A.03.04.06.ODP.05 }}.
  • the system is reviewed {{ insert: param, A.03.04.06.ODP.06 }} to identify unnecessary or nonsecure functions, ports, protocols, connections, and services.
  • unnecessary or nonsecure functions, ports, protocols, connections, and services are disabled or removed.
  • the system is configured to provide only mission-essential capabilities.

Practitioner Notes

Your systems should only be running the software, services, and functions they actually need to do their job. Everything else is attack surface — unnecessary services, open ports, and unused protocols give attackers more ways in.

Review regularly and turn off anything that is not mission-essential.

Example 1: On Windows servers, open Server Manager > Manage > Remove Roles and Features and strip out any roles not required for the server's function. A domain controller does not need the Print Server role, for instance. Also review Services.msc and disable services like Xbox Live Auth Manager or Fax that have no business on a server.
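The Server Manager and Services.msc review in Example 1 is manual and leaves no record. The PowerShell script below is an added example (not part of the original page or of any vendor tooling) that does the same review in a repeatable, report-first way: it lists installed roles and features outside an approved baseline, deny-listed services that are enabled, and every listening TCP port with its owning process, and writes the findings to a CSV that serves as the periodic review record for ODP.06. The baseline and deny-list values are hypothetical placeholders for the organisation-defined parameters (ODP.01 to ODP.05); the cmdlets used (Get-WindowsFeature, Get-Service, Get-NetTCPConnection, Uninstall-WindowsFeature, Set-Service) are standard on Windows Server. Nothing is changed unless -Remediate is passed, and even then -WhatIf is honoured.

```powershell
<#
  Added example (not from the original page): report-first least-functionality audit
  for a Windows Server. Run as Administrator. Defaults are hypothetical placeholders;
  replace them with the organisation's defined parameters for this system's role.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical approved feature baseline for a domain controller (feature Names, not DisplayNames).
    [string[]]$ApprovedFeatures = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services',
                                    'Storage-Services', 'File-Services', 'FS-FileServer'),
    # Hypothetical deny-list of services that have no business on a server (service Names).
    [string[]]$DenyServices = @('XblAuthManager', 'XblGameSave', 'Fax', 'Spooler'),
    # Review record; the timestamp makes each periodic review a separate artefact.
    [string]$ReportPath = "$env:ProgramData\LeastFunctionality-$(Get-Date -Format yyyyMMdd-HHmm).csv",
    # Only remove/disable when explicitly requested; default is report only.
    [switch]$Remediate
)

Import-Module ServerManager -ErrorAction Stop
$findings = New-Object System.Collections.Generic.List[object]

# 1. Installed roles/features that are not on the approved baseline.
Get-WindowsFeature | Where-Object { $_.Installed -and $_.Name -notin $ApprovedFeatures } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type = 'Feature'; Name = $_.Name; Detail = $_.DisplayName; Action = 'Review / Uninstall' })
    }

# 2. Deny-listed services that are running or not disabled.
Get-Service | Where-Object { $_.Name -in $DenyServices -and
                             ($_.Status -eq 'Running' -or $_.StartType -ne 'Disabled') } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type = 'Service'; Name = $_.Name
            Detail = "$($_.DisplayName) ($($_.Status), $($_.StartType))"; Action = 'Stop / Disable' })
    }

# 3. Every listening TCP port with its owning process, to compare against the authorised port list (ODP.02).
Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add([pscustomobject]@{
        Type = 'ListeningPort'; Name = $_.LocalPort
        Detail = "$($_.LocalAddress) $($proc.ProcessName)"; Action = 'Verify authorised' })
}

# Write the review record and show the findings on screen.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Review record written to $ReportPath ($($findings.Count) findings)"
$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in ($findings | Where-Object Type -eq 'Feature')) {
        if ($PSCmdlet.ShouldProcess($f.Name, 'Uninstall-WindowsFeature')) {
            Uninstall-WindowsFeature -Name $f.Name -Confirm:$false | Out-Null
        }
    }
    foreach ($f in ($findings | Where-Object Type -eq 'Service')) {
        if ($PSCmdlet.ShouldProcess($f.Name, 'Stop and disable service')) {
            Stop-Service -Name $f.Name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $f.Name -StartupType Disabled
        }
    }
}
```

Run it once without -Remediate and read the CSV before acting on it: a real approved baseline is longer than the placeholder above because features pulled in as dependencies of approved roles (management tools, .NET components) also show as installed, and Uninstall-WindowsFeature removes anything that depends on the feature being removed. Listening ports are reported rather than closed, since the right fix for an unauthorised port is to disable or remove the service that opened it, which keeps the change attributable in the review record.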

Example 2: On your perimeter firewall, run a port audit. In Palo Alto, go to Policies > Security and review each allow rule. Use the Rule Usage statistics (visible in Panorama under Policies > Rule Usage) to identify rules with zero hits over the past 90 days. Disable or remove unused rules and document the cleanup.