Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
Do more with less. That’s the core idea behind CIS Safeguard 4.8, which advises organizations to uninstall or disable unnecessary services on enterprise assets and software. Why? Because every extra service is a potential doorway for attackers.
To illustrate this, let’s look at a survival lesson from The Walking Dead.
The Walking Dead and the Dangers of Unsecured Doors
In The Walking Dead, survivors often find themselves in abandoned buildings. One of their first tasks? Secure the perimeter. That means checking every door, window, and crawlspace because any unguarded entry point could let in walkers.
Now imagine your enterprise network is that building. Every unnecessary service running on a server or endpoint is like an unlocked door. It might seem harmless—until something slips through.
What Does This Safeguard Involve?
CIS Safeguard 4.8 focuses on minimizing the attack surface by:
- Identifying and cataloging all services running on enterprise assets.
- Determining which services are not required for business operations.
- Uninstalling or disabling those services.
- Ensuring new systems are deployed with only essential services enabled.
Why It Matters
Unnecessary services can:
- Introduce vulnerabilities that attackers can exploit.
- Consume resources and slow down systems.
- Complicate incident response by increasing the number of potential attack vectors.
For example, leaving remote desktop services enabled on machines that don’t need them has led to countless ransomware attacks.
How to Implement CIS Safeguard 4.8
- Conduct a service audit across all enterprise assets.
- Create a list of approved services for each asset type.
- Use configuration management tools to enforce service policies.
- Regularly review and update the list of necessary services.
- Train IT staff to recognize and remove unnecessary components.
Final Thought
Just like in The Walking Dead, survival depends on vigilance. Don’t leave digital doors open for attackers. By uninstalling or disabling unnecessary services, you reduce risk, improve performance, and strengthen your overall security posture.
Resources
Here’s a link to the Secure Configuration Management for CIS Control 4, 9, and 12 provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 4 – Secure Configuration of Enterprise Assets and Software
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
CIS Safeguard 4.8: - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.