The organization shall configure the business-critical systems to provide only essential capabilities.
Guidance
Consider applying the principle of least functionality to access systems and assets (see also PR.AC-4).
The organization shall disable defined functions, ports, protocols, and services within its critical systems that it deems unnecessary.
The organization shall implement technical safeguards to enforce a deny-all, permit-by-exception policy that allows only authorized software programs to execute.
Systems here mean servers, workstations, active network devices (firewalls, routers, switches, wireless base stations, etc.) and the like. Hardening, on the other hand, means changing a system's settings in such a way that its attack surface (the set of exposed functions, ports, protocols and services an attacker could exploit) is reduced.
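To make the "disable unnecessary ports, protocols and services" guidance checkable, here is an added example (not part of the original control text) that applies the deny-all, permit-by-exception idea to a host's listening network services. It parses a constructed `ss -tlnp`-style listing and reports every listener whose port/process pair is not on an explicit allowlist. The allowlist, process names and PIDs are hypothetical; a real deployment would derive the allowlist from its own baseline.

```python
"""Least-functionality audit of listening TCP services (added example).

Anything not named in the allowlist is reported as a deviation that should
be disabled or formally justified, which is the deny-all, permit-by-exception
posture the control asks for, applied to network services.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in the shape of `ss -tlnp` output on a Linux host.
# Process names and PIDs are made up for illustration.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=7))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1411,fd=4))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=1500,fd=5))
"""

# Hypothetical permit-by-exception baseline for an internal web server:
# port -> set of process names allowed to bind it. Everything else is denied.
ALLOWED_LISTENERS: Dict[int, Set[str]] = {
    22: {"sshd"},
    443: {"nginx"},
    5432: {"postgres"},
}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


# Matches one LISTEN row: address:port, peer, and the optional process column.
_LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+users:\(\(\"(?P<proc>[^\"]+)\".*)?$"
)


def parse_listeners(ss_output: str) -> List[Listener]:
    """Extract (address, port, process) triples from ss-style output."""
    listeners: List[Listener] = []
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # header row or a non-LISTEN socket
        proc: Optional[str] = m.group("proc")
        listeners.append(Listener(m.group("addr"), int(m.group("port")), proc or "<unknown>"))
    return listeners


def audit_listeners(ss_output: str, allowlist: Dict[int, Set[str]]) -> List[Listener]:
    """Return listeners not explicitly permitted by the allowlist.

    A port that is absent from the allowlist is denied outright; a port that
    is present but bound by a different process than expected is also flagged,
    since that is equally a departure from the approved baseline.
    """
    findings: List[Listener] = []
    for listener in parse_listeners(ss_output):
        allowed_procs = allowlist.get(listener.port)
        if allowed_procs is None or listener.process not in allowed_procs:
            findings.append(listener)
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT, ALLOWED_LISTENERS):
        print(f"unapproved listener: {finding.process} on {finding.address}:{finding.port}")
```

On the constructed sample the audit flags the FTP and telnet daemons (ports 21 and 23), which is exactly the kind of unnecessary service the guidance says to disable; the same function can be run against real `ss -tlnp` output once the allowlist reflects the organization's approved baseline for that system class.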
The organization has defined operating processes through which:
The organization applies the principle of least functionality when deploying and configuring systems. Systems must not be granted rights to anything that is not needed to accomplish their intended purpose.
Our organization has defined policies in place to prevent or at least detect the use of unauthorized programs.