TL;DR: Simplifying Essential Features for Compliance
The Goal: Restrict and disable nonessential programs, ports, protocols, functions, and services to reduce your system’s attack surface and improve security.
Challenges: Documentation—not implementation—is where most companies fall short. You must define “essential” clearly and apply it consistently.
What to Do:
• Inventory: Identify everything running on your systems.
• Policies: Establish strict definitions and approval processes for what’s “essential.”
• Disable & Monitor: Remove unused features (e.g., bloatware, FTP, SMBv1) and actively monitor for unauthorized changes.
• Document: Keep thorough records.
Configuration Management Practice 3.4.7 is one of those requirements that seems pretty straightforward—restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Easy, right? The goal is simple: minimize security vulnerabilities by reducing your system’s attack surface to only what’s necessary for operations.
Here’s the kicker: Most companies don’t struggle with implementing this practice—they struggle with the documentation. When it’s time to show evidence, things can get messy. You need to define exactly what’s “essential” and “nonessential” and provide proof that you’ve applied these definitions consistently across your systems.
Where to Start
Inventory and Assessment
1. Take a complete inventory of the programs, ports, protocols, and services running in your systems.
2. Define what “essential” means for your organization. Remember, this will vary depending on your specific operations. Document these definitions and implement strict approval processes for enabling or disabling features.
How to Determine What is Essential
Determining necessity requires evaluating a service’s role in your organization. If it directly supports critical operations, it’s essential. If not, it’s likely nonessential. Conduct regular reviews to ensure your systems run only what’s needed, reducing risks and simplifying compliance.
Each program, function, port, protocol, and service is evaluated using the following:
1. Assess Business Needs: Does the port, protocol, program, function, or service directly support critical operations or compliance requirements?
2. Evaluate Security Impacts: Every service or protocol in your network introduces potential security risk. Prioritize the removal or restriction of those with high risk but little business value. By addressing these risks, you minimize vulnerabilities and protect your operations from exploitation. Does enabling the element introduce vulnerabilities? If so, is the risk justified by its value?
3. Consult Policies: Align with organizational policies to determine whether the element is permitted or necessary.
4. Review Usage: Monitor system logs to confirm whether the port, protocol, program, function, or service is actively used and required.
Applying these criteria systematically produces a comprehensive, defensible list of essential elements and identifies the nonessential ones to disable.
Pro Tip:
Add an Appendix to your System Security Plan (SSP) listing all essential programs, ports, protocols, and services.
Anything not listed is considered nonessential by default.
Stick around to the end of this post and I promise to make documenting Practice 3.4.7 easier for you!
Change Management Process
Any changes to ports, protocols, programs, functions, or services must go through the Change Management Process to ensure consistency, security, and alignment with organizational policies.
Before pushing changes live, test them in a controlled environment to avoid disruptions. Validate that disabling features doesn’t negatively affect operations.
Disabling Nonessential Elements
Default operating systems often come with unnecessary programs—think Candy Crush, Skype, or FaceTime—that are irrelevant for most business operations. These bloatware programs can:
• Consume resources.
• Introduce vulnerabilities.
• Complicate compliance efforts.
Manage Default Programs
• Remove unnecessary apps during system imaging or setup using automation tools like PowerShell (Windows) or Jamf (macOS).
• Establish a baseline configuration that excludes all nonessential software.
• Periodically audit for reintroduced programs and unauthorized installations.
Disabling a feature on the host itself is more robust than relying solely on firewalls to block it.
Remove or disable unused or outdated features like:
• Bloatware: Preinstalled apps such as games, entertainment software, or trial programs.
• Legacy Protocols: FTP, SMBv1, or Telnet.
• Unneeded Services: Peer-to-peer networking or unused network services.
How Ports, Programs, Services, Functions, and Protocols Relate to Each Other
Aspect | Ports | Programs | Protocols | Services | Functions |
Purpose | Endpoint for communication. | Executes tasks or processes. | Defines rules for communication. | Provides features or capabilities. | Performs specific tasks. |
Examples | Port 443 (HTTPS), Port 22 (SSH) | Apache, Exchange, OpenSSL | TCP, UDP, HTTP, FTP | Web service, email service | Logging, encryption, authentication |
Dependency | Used by protocols and services. | Executes services and functions. | Supports services. | Often relies on programs and protocols. | Often integrated into programs or services. |
Layer of Operation | Network layer. | Application layer. | Network and transport layers. | Application layer. | Application or system layer. |
Services
A service is a capability or feature provided by a system or application that allows communication or interaction over a network or within a system. Services often rely on specific ports and protocols to operate and can include functionality like file sharing, email, or database access. Services are typically outward-facing, enabling communication and interaction over a network.
Examples:
• Web Services: Hosting websites over HTTP/HTTPS.
• File Sharing Services: Using SMB (Server Message Block) for file transfers.
• Email Services: SMTP for sending emails, IMAP/POP for retrieving emails.
Key Characteristics:
• Operates on defined ports (e.g., port 80 for HTTP).
• Can involve one or more protocols (e.g., HTTP or FTP).
• Typically provided by server processes or software running on a machine.
Functions
A function refers to a specific operation or role performed by a system or software. Functions may be part of a service or an independent action within an application or process.
Functions are internal operations or capabilities within a system, focusing on specific tasks or processes (e.g., encrypting data, authenticating users).
Examples:
• Authentication Function: Verifying user credentials.
• Data Encryption Function: Encrypting data in transit or at rest.
• Logging Function: Recording system activity for auditing purposes.
Key Characteristics:
• Functions are broader than services and can include actions that don’t involve external communication.
• Functions often implement specific security requirements (e.g., access control, encryption).
• May not directly rely on ports or protocols but are crucial for system integrity and security.
Protocols
Protocols are standardized sets of rules that determine how data is transmitted and received over a network.
They specify:
• How communication is initiated, maintained, and terminated.
• The format and structure of the data being exchanged.
• Error detection and correction mechanisms.
Protocols Support Services:
• Services use protocols as the underlying mechanism for communication.
• Example: A web service (service) uses HTTP or HTTPS (protocols) to transmit data over the network.
Ports
Ports are numerical identifiers assigned to specific services or processes running on a computer to facilitate communication.
• They act as “endpoints” for network connections, allowing data to be sent to the correct application or service.
• Ports work in tandem with protocols to enable services (e.g., HTTPS uses port 443 and the TLS protocol).
The “deny all, allow by exception” strategy is a highly effective security approach for managing ports. By default, all ports are blocked, and only those explicitly needed for essential operations are allowed. This minimizes the attack surface and reduces the risk of unauthorized access or exploitation.
Advantages of this Strategy
• Reduced Attack Surface: By default, no unnecessary ports are open to attackers.
• Improved Visibility: Only explicitly required traffic is allowed, making it easier to monitor and troubleshoot.
• Enhanced Compliance: Meets many regulatory and security framework requirements, such as NIST 800-171 and CMMC.
Example Essential Ports:
Port Number(s) | Service/Protocol | Description |
80 | HTTP | Used for web traffic, essential for accessing websites on the internet. |
443 | HTTPS | Secures HTTP traffic, providing encrypted web access. |
445 | SMB | Used for Windows file sharing and various Windows services. |
3389 | RDP | Remote Desktop Protocol, crucial for remote management and support. |
53 | DNS | Domain Name System, necessary for resolving domain names to IP addresses. |
135 | RPC | Remote Procedure Call, used for various Windows services like Active Directory. |
25 | SMTP | Simple Mail Transfer Protocol, used for sending emails. |
1433 | MSSQL | Microsoft SQL Server, if SQL services are being used. |
50000-50100 | Custom Application Ports | Example range: Used for specific application communication or testing purposes. |
I Promised! – The Essential Ports table is right out of the free Appendix template I’ve created for this practice. The template is available below.
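One way to turn the Appendix into the "deny all, allow by exception" check described above, as an added example that is not part of this post or its template: it reads rows in the Appendix's "Port Number(s) | Service/Protocol | Description" layout as the allowlist (ranges such as 50000-50100 included) and flags every listener in a netstat -ano style host snapshot that the Appendix does not cover. Both the Appendix excerpt and the host snapshot are constructed samples.

```python
import re
# Constructed excerpt of the post's Appendix table (a hyphenated range covers every port in it).
SSP_APPENDIX = """\
80 | HTTP | Web traffic
443 | HTTPS | Encrypted web access
445 | SMB | Windows file sharing
53 | DNS | Name resolution
50000-50100 | Custom Application Ports | Example range
"""

# Constructed 'netstat -ano' style snapshot of one Windows host.
HOST_SNAPSHOT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2048
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       2050
  TCP    [::]:50042             [::]:0                 LISTENING       3100
  TCP    192.168.1.5:445        192.168.1.9:51022      ESTABLISHED     4
  UDP    0.0.0.0:53             *:*                                    900
"""

# Captures proto, local port, optional TCP state and PID; the header line does not match.
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_appendix(text):
    """Map each Appendix row to {(low, high): service}; a single port becomes (p, p)."""
    allowed = {}
    for line in text.strip().splitlines():
        port_field, service, _description = (c.strip() for c in line.split("|", 2))
        low, _, high = port_field.partition("-")
        allowed[(int(low), int(high or low))] = service
    return allowed

def is_essential(port, allowed):
    """Deny all, allow by exception: a port is essential only if the Appendix lists it."""
    return any(low <= port <= high for low, high in allowed)

def nonessential_listeners(snapshot, allowed):
    """(proto, port, pid) for each listening TCP / bound UDP socket the Appendix does not list."""
    findings = []
    for line in snapshot.splitlines():
        m = SOCKET_RE.match(line)
        if m is None:
            continue
        proto, port, state, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if proto == "TCP" and state != "LISTENING":
            continue  # an established connection is a client, not an exposed service
        if not is_essential(port, allowed):
            findings.append((proto, port, pid))
    return findings
```

Each finding (here the FTP and Telnet listeners) is a candidate for the change management process: either disable it or add it to the Appendix with its business justification.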
Bonus:
A pre-built template for your System Security Plan Appendix!
• Includes sections for listing all essential programs, ports, protocols, and services.
• Clearly defines nonessential features and provides guidelines for updates.
Ready to make Practice 3.4.7 a breeze?
Fill out the form to receive the template!