NetStable
Level 2 CM.L2-3.4.7

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services

📖 What This Means

This practice requires organizations to identify and limit unnecessary software, network ports, protocols, and services that could create security vulnerabilities. Think of it like closing unused doors and windows in your house to prevent break-ins. For example, if your team doesn't need Remote Desktop Protocol (RDP) enabled on workstations, it should be disabled. Or if employees only use approved accounting software, other financial apps should be blocked. The goal is to reduce the attack surface by allowing only what is essential for business operations, and to be able to show an assessor the list of what is essential and why.

🎯 Why It Matters

Unnecessary programs and services are prime targets for attackers: they are typically unpatched, unmonitored, and have no owner who would notice abuse. The 2023 Verizon DBIR lists stolen credentials, phishing, and exploitation of vulnerabilities as the three main ways attackers get in, and found the human element in 74% of breaches; an exposed service nobody remembers is exactly the kind of target those vectors hit. As an illustrative scenario, consider a defense contractor that leaves a legacy FTP server running after the file transfers it supported have moved elsewhere. Attackers use it to upload malware and pivot further into the network, turning a forgotten service into a costly data breach. From DoD's perspective, this control is critical because every unused service is a potential backdoor into systems handling Controlled Unclassified Information (CUI).

How to Implement

  1. Use AWS Systems Manager Inventory or Azure Policy (guest/machine configuration) to inventory installed software and running services across cloud instances
  2. Create allow-list policies in AWS EC2 Security Groups/Azure NSGs that permit only explicitly approved inbound ports (e.g., 443 for HTTPS) and deny everything else
  3. Implement GCP Organization Policy constraints such as constraints/compute.vmExternalIpAccess to restrict unnecessary external access
  4. Use cloud-native tools like Amazon Inspector or Microsoft Defender for Cloud (formerly Azure Security Center) to detect and flag nonessential services and exposed ports
  5. Configure auto-remediation rules to disable prohibited services (e.g., an AWS Config rule whose Lambda remediation stops EC2 instances running unauthorized database services)
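The following script is an added example, not NetStable's code or any AWS sample. It turns step 2 into a repeatable check for step 4: it walks every EC2 security group in the configured region and flags inbound rules that expose anything other than the approved ports to the whole Internet. It assumes the AWS.Tools.EC2 PowerShell module is installed and that credentials and a default region are already configured (Set-AWSCredential / Set-DefaultAWSRegion); the $ApprovedPorts list stands in for your own approved services whitelist.

```powershell
# Added example (not NetStable's or AWS's code): audit EC2 security groups for
# inbound rules open to the Internet on ports outside the approved allow-list.
# Assumes AWS.Tools.EC2 is installed and credentials/region are configured.
#Requires -Modules AWS.Tools.EC2

# Assumption: the organisation's approved inbound ports (from its whitelist).
$ApprovedPorts = @(443)

$findings = foreach ($sg in Get-EC2SecurityGroup) {
    foreach ($perm in $sg.IpPermissions) {
        # Only rules reachable from any IPv4 or IPv6 source are of interest here.
        $openV4 = $perm.Ipv4Ranges | Where-Object { $_.CidrIp -eq '0.0.0.0/0' }
        $openV6 = $perm.Ipv6Ranges | Where-Object { $_.CidrIpv6 -eq '::/0' }
        if (-not ($openV4 -or $openV6)) { continue }

        # IpProtocol '-1' means all protocols and ports; ICMP uses -1 for "all types".
        if ($perm.IpProtocol -eq '-1') {
            $ports = 'ALL'
            $approvedRule = $false
        } else {
            $ports = if ($perm.FromPort -eq $perm.ToPort) { "$($perm.FromPort)" }
                     else { "$($perm.FromPort)-$($perm.ToPort)" }
            # A rule is approved only if it opens exactly one approved port;
            # port ranges open to the Internet are always flagged.
            $approvedRule = ($perm.FromPort -eq $perm.ToPort) -and
                            ($perm.FromPort -in $ApprovedPorts)
        }

        if (-not $approvedRule) {
            [pscustomobject]@{
                Timestamp     = (Get-Date).ToString('o')
                SecurityGroup = $sg.GroupId
                GroupName     = $sg.GroupName
                VpcId         = $sg.VpcId
                Protocol      = $perm.IpProtocol
                Ports         = $ports
                Source        = if ($openV4) { '0.0.0.0/0' } else { '::/0' }
                Finding       = 'Inbound rule open to the Internet on unapproved port(s)'
            }
        }
    }
}

# Evidence: one CSV per run, named for the region and date; empty runs are reported too.
$out = ".\sg-audit-$((Get-DefaultAWSRegion).Region)-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
if ($findings) {
    $findings | Export-Csv -Path $out -NoTypeInformation
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No security group rules open to the Internet outside $($ApprovedPorts -join ',')."
}
```

Run it read-only from a scheduled job and keep the CSVs with the quarterly whitelist review; each non-empty run is either a change ticket to raise or an approved exception to add to the list with its justification. Rules that reference other security groups or prefix lists are deliberately not flagged, since they are not Internet-facing.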

⏱️ Estimated Effort

Initial implementation: 40-60 hours (Mid-level sysadmin). Ongoing: 4-8 hours/month for monitoring. Critical skills: Network protocols knowledge, GPO/cloud policy management.

📋 Evidence Examples

Approved Services Whitelist

Format: Excel/PDF
Frequency: Quarterly reviews
Contents: List of all allowed programs/ports with business justification (e.g., 'Port 443 - Required for CRM system')
Collection: Export from CMDB or manually maintained spreadsheet

Service Disablement Logs

Format: CSV/Syslog
Frequency: Continuous
Contents: Records of disabled services (timestamp, hostname, service name, responsible admin). A raw service snapshot only yields the service name and start type; the timestamp, hostname, and responsible admin must be added by the collection script or taken from the change ticket
Collection: Automated via PowerShell, e.g. Get-Service | Where-Object {$_.StartType -eq 'Disabled'} | Select-Object Name, DisplayName, StartType | Export-Csv -Path disabled-services.csv -NoTypeInformation. Filter on StartType rather than Status: a service whose Status is 'Stopped' may simply be idle and will start again on demand

Firewall Rule Export

Format: Netsh/iptables dump
Frequency: Before/after changes
Contents: Current firewall configuration showing restrictive inbound rules
Collection: Windows: netsh advfirewall export "C:\Evidence\firewall.wfw" (a destination path is required; Get-NetFirewallRule -Enabled True | Export-Csv gives a human-readable companion listing). Linux: iptables-save > firewall.rules, or nft list ruleset > firewall.rules on nftables hosts

Vulnerability Scan Report

Format: PDF from Nessus/OpenVAS
Frequency: Monthly
Contents: Scan showing no unauthorized listening services
Collection: Run a credentialed scan covering the full TCP port range (1-65535) plus common UDP ports, and compare every open port against the approved services whitelist

AppLocker Policy Backup

Format: XML
Frequency: After policy changes
Contents: Exported application control policies showing allowed executables
Collection: Windows: Get-AppLockerPolicy -Effective -Xml | Out-File AppLockerPolicy.xml (use -Local instead of -Effective to export only the local policy rather than the merged local and domain result)

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For CM.L2-3.4.7 ("Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your configuration management process, including baseline configurations, change control procedures, vulnerability management, and how configuration compliance is monitored and enforced. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"CM.L2-3.4.7 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure Policy compliance report, NSG rule export, AWS Config rule evaluation results, CloudTrail logs']."

On-Premise

"CM.L2-3.4.7 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, AppLocker policy XML, Windows Event logs']."

Hybrid

"CM.L2-3.4.7 is implemented across both cloud and on-premise environments. [Organization] uses [Azure Arc/Intune/Configuration Manager or another hybrid management tool] to apply the same baselines to both environments. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all system types within the CUI boundary requiring baselines
  • Document configuration management tools and CMDB
  • Map change control workflow from request to implementation
  • Ensure this control covers every system within your defined CUI boundary on which nonessential programs, functions, ports, protocols, or services could be present (servers, workstations, network devices, cloud workloads)
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Configuration Management Policy
  • 📄 Baseline configuration documents
  • 📄 Change management records
  • 📄 CMDB/asset inventory
  • 📄 Evidence artifacts specific to CM.L2-3.4.7
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

For this practice the assessor will first ask for your definition of what is essential (the approved list of programs, functions, ports, protocols, and services with business justifications), then verify that everything not on it is actually restricted or disabled: sampled hosts are compared against the documented baseline (running services, listening ports, installed software, host firewall and application-control policy), change tickets are reviewed to confirm that new exceptions went through the approval workflow, and scan results are checked against the approved list to confirm nothing unauthorized is listening.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you maintain a current inventory of all running services and listening ports across systems?

✅ YES → Proceed to Q2
❌ NO → GAP: Implement monthly service inventory scans using tools like Lansweeper or native PowerShell commands. Should be completed within 30 days.
Remediation:
Document first scan results as baseline, then implement automated monitoring.

Question 2: Is there a formal approval process for adding new services/ports to the whitelist?

✅ YES → Proceed to Q3
❌ NO → GAP: Create service request form requiring CISO/IT Director approval for new exceptions. Template should include business justification and risk assessment. Implement within 2 weeks.
Remediation:
Use existing ticketing system (ServiceNow/Jira) or simple SharePoint form.

Question 3: Are host-based firewalls configured to block all inbound connections by default?

✅ YES → Proceed to Q4
❌ NO → GAP: Deploy firewall baseline via GPO (Windows) or Ansible playbook (Linux) to set default inbound policy to 'block'. Complete within 7 days for critical systems.
Remediation:
Test first on non-production systems to avoid business disruption.
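The script below is an added example, not NetStable's code, showing the per-host equivalent of the GPO baseline Question 3 calls for: default-deny inbound on all profiles, explicit allow rules only for the approved services, and the evidence export from the Firewall Rule Export section in one run. It assumes an elevated PowerShell session on Windows 10/Server 2016 or later; the $ApprovedInbound entries, the CUI-Allow- rule prefix, the 10.10.5.0/24 management subnet, and the C:\Evidence\Firewall path are illustrative placeholders. In a domain, set the same values in the Windows Defender Firewall GPO node rather than scripting each host.

```powershell
# Added example (not NetStable's code): default-deny inbound host firewall
# baseline with explicit allow rules, plus evidence export. Run elevated.
#Requires -RunAsAdministrator

# Assumption: these are the organisation's approved inbound services.
$ApprovedInbound = @(
    @{ Name = 'CUI-Allow-HTTPS';    Port = 443;  Protocol = 'TCP'; Justification = 'CRM web front end' },
    @{ Name = 'CUI-Allow-RDP-Mgmt'; Port = 3389; Protocol = 'TCP'; Justification = 'Admin jump host access';
       RemoteAddress = '10.10.5.0/24' }   # scope RDP to the management subnet only
)
$EvidenceDir = 'C:\Evidence\Firewall'

# 1. Default-deny inbound on every profile; outbound stays allowed; log drops.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# 2. Remove any earlier baseline rules so re-running the script is idempotent.
Get-NetFirewallRule -DisplayName 'CUI-Allow-*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Re-create only the approved inbound rules, scoped where the whitelist says so.
foreach ($svc in $ApprovedInbound) {
    $params = @{
        DisplayName = $svc.Name
        Description = "Approved per CM.L2-3.4.7 whitelist: $($svc.Justification)"
        Direction   = 'Inbound'
        Action      = 'Allow'
        Protocol    = $svc.Protocol
        LocalPort   = $svc.Port
        Profile     = 'Domain'          # assumption: CUI systems sit on the domain profile
    }
    if ($svc.RemoteAddress) { $params.RemoteAddress = $svc.RemoteAddress }
    New-NetFirewallRule @params | Out-Null
}

# 4. Evidence: netsh needs an explicit destination path, so create the folder first.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
netsh advfirewall export "$EvidenceDir\$env:COMPUTERNAME-$stamp.wfw" | Out-Null

# Readable listing of every enabled inbound allow rule, including built-in ones,
# so the reviewer sees the whole inbound surface and not just the rules added here.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile,
        @{ n = 'Protocol';  e = { ($_ | Get-NetFirewallPortFilter).Protocol } },
        @{ n = 'LocalPort'; e = { ($_ | Get-NetFirewallPortFilter).LocalPort } } |
    Export-Csv -Path "$EvidenceDir\$env:COMPUTERNAME-$stamp-inbound-allow.csv" -NoTypeInformation
```

Two cautions from the page's own remediation note apply directly: run this on a non-production host first, and run it from the console or a path you have just allowed, because setting the default inbound action to Block will cut off any remote session that depended on an implicit allow. The script does not touch pre-existing allow rules (Windows ships many), which is why step 4 lists all of them; anything in that CSV without a line in the approved whitelist is an exception to document or a rule to disable.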

Question 4: Have unnecessary browser plugins, runtimes, and extensions (legacy Flash, Java) been removed from or disabled on all end-user workstations?

✅ YES → Proceed to Q5
❌ NO → GAP: Run a PDQ Deploy/SCCM job to uninstall high-risk runtimes that are no longer needed. Adobe Flash reached end of life in December 2020 and Java applets no longer run in current browsers, but the installed runtimes often linger on workstations. Use browser management policies (e.g., Chrome's ExtensionInstallBlocklist and ExtensionInstallAllowlist) to restrict extensions. Complete within 14 days.
Remediation:
Communicate the change to users in advance and identify any legacy web apps that still depend on these components.

Question 5: Can you produce evidence showing regular review and cleanup of unused services?

✅ YES → COMPLIANT: Maintain current processes
❌ NO → GAP: Implement quarterly service review meetings with IT and security teams. First review should occur within 45 days with minutes documented.
Remediation:
Tie to existing change control board meetings if possible.

⚠️ Common Mistakes (What Auditors Flag)

1. Approved services list exists but isn't enforced

Why this happens: Lack of technical controls to actually block unapproved services
How to avoid: Combine documentation with technical enforcement via AppLocker, host firewalls, or endpoint protection tools

2. Missing legacy system exceptions

Why this happens: Fear of breaking old systems that 'might' need certain ports
How to avoid: Test legacy systems in isolation first, document any required exceptions with sunset dates

3. No monitoring for new services

Why this happens: One-time cleanup without ongoing checks
How to avoid: Implement weekly service inventory comparisons using tools like Tanium or Rapid7
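The following script is an added example, not NetStable's code, and serves both the weekly comparison recommended above and the Service Disablement Logs evidence item: it snapshots the running services and listening TCP ports on a Windows host, compares them against an approved baseline, and writes a timestamped CSV carrying the hostname, service, ports, action taken, and the admin who ran it. It assumes PowerShell 5.1 or later on Windows 10/Server 2016 or newer, an elevated session when -Enforce is used, and an approved-services.csv with Name and Justification columns; the file paths and the $alwaysAllowed list are illustrative and must be tuned to your own baseline.

```powershell
# Added example (not NetStable's code): compare running services and listening
# ports against an approved baseline and emit a timestamped evidence record.
# Report-only by default; -Enforce stops and disables unapproved services.
#Requires -RunAsAdministrator
param(
    [string]$BaselinePath = 'C:\Evidence\Services\approved-services.csv',  # assumption
    [string]$EvidenceDir  = 'C:\Evidence\Services',                        # assumption
    [switch]$Enforce
)

if (-not (Test-Path $BaselinePath)) { throw "Baseline not found: $BaselinePath" }
# approved-services.csv columns: Name,Justification  e.g. "W32Time,Time sync for Kerberos"
$approved = Import-Csv $BaselinePath | ForEach-Object { $_.Name }

# Core services Windows needs regardless of role. Assumption: adjust to your baseline
# rather than letting -Enforce learn it the hard way.
$alwaysAllowed = 'RpcSs','RpcEptMapper','DcomLaunch','Dhcp','Dnscache','EventLog','LSM',
                 'Winmgmt','WinDefend','Schedule','BFE','mpssvc','nsi','Power','ProfSvc',
                 'SamSs','gpsvc','Netlogon','LanmanWorkstation','CryptSvc','TrustedInstaller'

$now      = (Get-Date).ToString('o')
$computer = $env:COMPUTERNAME
$admin    = "$env:USERDOMAIN\$env:USERNAME"

# Win32_Service gives the owning process id, which ties a service to its listening ports.
# Note: services sharing one svchost process will each be credited with that process's ports.
$running   = Get-CimInstance Win32_Service -Filter "State='Running'"
$listeners = Get-NetTCPConnection -State Listen   # UDP would use Get-NetUDPEndpoint

$records = foreach ($svc in $running) {
    if ($svc.Name -in $approved -or $svc.Name -in $alwaysAllowed) { continue }
    $ports = ($listeners | Where-Object OwningProcess -eq $svc.ProcessId |
              Select-Object -ExpandProperty LocalPort -Unique | Sort-Object) -join ';'
    $action = 'Reported'
    if ($Enforce) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc.Name -StartupType Disabled
        $action = 'Disabled'
    }
    [pscustomobject]@{
        Timestamp        = $now
        Hostname         = $computer
        ServiceName      = $svc.Name
        DisplayName      = $svc.DisplayName
        BinaryPath       = $svc.PathName
        ListeningPorts   = $ports
        Action           = $action
        ResponsibleAdmin = $admin
    }
}

# A clean run is evidence too: record that the review happened and found nothing.
if (-not $records) {
    $records = [pscustomobject]@{ Timestamp = $now; Hostname = $computer; ServiceName = '(none)';
        DisplayName = ''; BinaryPath = ''; ListeningPorts = ''; Action = 'NoFindings'; ResponsibleAdmin = $admin }
}

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$out = Join-Path $EvidenceDir ("{0}-{1}.csv" -f $computer, (Get-Date -Format 'yyyyMMdd-HHmmss'))
$records | Export-Csv -Path $out -NoTypeInformation
$records | Format-Table ServiceName, ListeningPorts, Action -AutoSize
```

Schedule it weekly in report-only mode first; the first run's output becomes the baseline the self-assessment asks for, and each later run that lists a new service is either a change ticket to raise or an approved exception to add to approved-services.csv with its justification. Only switch to -Enforce once the approved list has been validated on every system role, because disabling a core or vendor service without a tested exception is exactly the legacy-system breakage that Common Mistake 2 warns about.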

4. Overlooking cloud services

Why this happens: Focus only on traditional servers/workstations
How to avoid: Include cloud workload checks in AWS Config Rules/Azure Policy compliance scans

5. Incomplete evidence

Why this happens: Only showing current config without change history
How to avoid: Maintain version-controlled firewall rule backups and change tickets for all modifications

📚 Parent Policy

This practice is governed by the Configuration Management Policy

View CM Policy →

📚 Related Controls