NIST 800-171 • LEVEL 2 • CONFIGURATION MANAGEMENT

3.4.7 Restrict, Disable, or Prevent the Use of Nonessential Programs, Functions, Ports, Protocols, and Services

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

This practice reinforces the "least functionality" concept: actively restrict, disable, or prevent anything nonessential from running on your systems. Think of it as the enforcement arm of CM.L2-3.4.6 — you identified what is unnecessary, now you block it.

Example 1: Use Windows Defender Application Control (WDAC) or AppLocker to block unauthorized executables. In Group Policy, navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker. Create default rules that allow Windows and Program Files paths, then add explicit deny rules for user-writable directories like %TEMP% and %APPDATA%.

Example 2: On Linux systems, use systemctl list-unit-files --type=service to identify all enabled services. Disable nonessential ones with systemctl disable --now [service]. For ports, configure firewalld or iptables to drop all inbound traffic except explicitly allowed ports, and run ss -tlnp periodically to verify no unexpected listeners appear.
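The Linux verification step in Example 2 can be scripted so that it compares what is actually enabled and listening against a documented baseline rather than relying on eyeballing command output. The following POSIX shell script is an added example, not text from this page or from any NIST/CMMC publication; the ALLOWED_PORTS and ALLOWED_SERVICES baselines are assumed values, and the sample ss/systemctl output is constructed so the script runs offline.

```shell
# Compare enabled services and TCP listeners against a per-host allowlist.
# ALLOWED_* are assumed example baselines; replace with this system's own.
ALLOWED_PORTS="22 443"
ALLOWED_SERVICES="sshd.service nginx.service"

# stdin: `ss -tlnp` output. Prints "port local-address" for each LISTEN socket
# whose port is not in the allowlist; the header line is skipped automatically.
unexpected_listeners() {
    allowed="$1"
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port="${laddr##*:}"            # works for 0.0.0.0:22, [::]:22 and *:22
        case " $allowed " in
            *" $port "*) ;;            # on the allowlist, nothing to report
            *) printf '%s %s\n' "$port" "$laddr" ;;
        esac
    done
}

# stdin: `systemctl list-unit-files --type=service --state=enabled` output.
# Prints each enabled unit not on the allowlist; header/footer lines are skipped.
unexpected_services() {
    allowed="$1"
    while read -r unit state rest; do
        [ "$state" = "enabled" ] || continue
        case " $allowed " in
            *" $unit "*) ;;
            *) printf '%s\n' "$unit" ;;
        esac
    done
}
# Constructed sample output (not captured from a real host) so this runs offline.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=901,fd=6))
LISTEN 0 100 127.0.0.1:8080 0.0.0.0:* users:(("python3",pid=1337,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))'
SAMPLE_UNITS='UNIT FILE STATE VENDOR PRESET
sshd.service enabled enabled
nginx.service enabled enabled
cups.service enabled disabled

3 unit files listed.'
echo "Unexpected listeners:"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED_PORTS"      # 8080 127.0.0.1:8080
echo "Unexpected enabled services:"
printf '%s\n' "$SAMPLE_UNITS" | unexpected_services "$ALLOWED_SERVICES" # cups.service
# Live use: ss -tlnp | unexpected_listeners "$ALLOWED_PORTS"
#           systemctl list-unit-files --type=service --state=enabled | unexpected_services "$ALLOWED_SERVICES"
```

Any line the script prints is a deviation from the baseline to investigate and either disable (systemctl disable --now) or add to the documented allowlist with a justification; scheduling it from cron gives the periodic check the practice calls for.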