CIS Safeguard 4.8: Uninstall Unnecessary Services on Assets and Software

CIS Safeguard 4.8: Uninstall Unnecessary Services on Assets and Software

By Steve Gold
Posted in Security
On July 08, 2025

Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation

Do more with less. That’s the core idea behind CIS Safeguard 4.8, which advises organizations to uninstall or disable unnecessary services on enterprise assets and software. Why? Because every extra service is a potential doorway for attackers.

To illustrate this, let’s look at a survival lesson from The Walking Dead.

The Walking Dead and the Dangers of Unsecured Doors

In The Walking Dead, survivors often find themselves in abandoned buildings. One of their first tasks? Secure the perimeter. That means checking every door, window, and crawlspace because any unguarded entry point could let in walkers.

Now imagine your enterprise network is that building. Every unnecessary service running on a server or endpoint is like an unlocked door. It might seem harmless—until something slips through.

What Does This Safeguard Involve?

CIS Safeguard 4.8 focuses on minimizing the attack surface by:

  • Identifying and cataloging all services running on enterprise assets.
  • Determining which services are not required for business operations.
  • Uninstalling or disabling those services.
  • Ensuring new systems are deployed with only essential services enabled.
Why It Matters

Unnecessary services can:

  • Introduce vulnerabilities that attackers can exploit.
  • Consume resources and slow down systems.
  • Complicate incident response by increasing the number of potential attack vectors.

For example, leaving remote desktop services enabled on machines that don’t need them has led to countless ransomware attacks.

How to Implement CIS Safeguard 4.8
  1. Conduct a service audit across all enterprise assets.
  2. Create a list of approved services for each asset type.
  3. Use configuration management tools to enforce service policies.
  4. Regularly review and update the list of necessary services.
  5. Train IT staff to recognize and remove unnecessary components.
Final Thought

Just like in The Walking Dead, survival depends on vigilance. Don’t leave digital doors open for attackers. By uninstalling or disabling unnecessary services, you reduce risk, improve performance, and strengthen your overall security posture.

 

"

Resources

Here’s a link to the Secure Configuration Management for CIS Control 4, 9, and 12 provided free of charge from the fine folks at the Center for Internet Security:

Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.

CIS Control 4 – Secure Configuration of Enterprise Assets and Software

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

CIS Safeguard 4.8: - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.

Steve Gold

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies such as Varonis, VMware, Dell & Wyse Technology

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.