Description:
Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from a single system component. However, doing so increases risk compared with limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review the functions and services provided by systems or system components to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can use network scanning tools, intrusion detection and prevention systems, and endpoint protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
Priority: High
Category: Baseline Security Configurations
Services Associated with AWS:
- AWS Identity and Access Management (IAM), AWS Security Groups, AWS Network Firewall
- AWS Security Groups, AWS Network Firewall
- AWS IAM, AWS Config, AWS Systems Manager
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screen shot of configuration settings
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
What needs to be answered:
Is the information system configured to exclude any function not needed in the operational environment?
- Implement Least Functionality Principle
Description: This check ensures that organizational systems are configured to provide only essential capabilities, in line with the principle of least functionality. The principle of least functionality states that systems should have only the minimal functions and services enabled, to reduce the attack surface and potential vulnerabilities. Organizations review the functions and services provided by systems and eliminate or disable any unnecessary or unused functions and services. This helps to minimize the potential risks associated with unused or unnecessary components and functionalities.
- Disable Unused or Unnecessary Ports and Protocols
Description: This check verifies that organizations disable any unused or unnecessary physical and logical ports and protocols on their systems. Disabling such ports and protocols prevents unauthorized connections, information transfer, and tunneling that can pose security risks. Organizations use network scanning tools, intrusion detection and prevention systems, firewalls, and host-based intrusion detection systems to identify and prevent the use of prohibited ports, protocols, and services.
- Regularly Review and Update the Functionality of Systems
Description: This check emphasizes the importance of regularly reviewing and updating the functionality of organizational systems. Organizations should periodically assess the functions and services provided by systems to identify any changes or updates needed. This includes identifying new functions that are necessary for organizational missions, functions, or operations, as well as disabling or removing functions that are no longer required. Regular reviews help ensure that systems retain essential capabilities and avoid unnecessary functions or services that could introduce security risks.
More Details:
Least functionality in place for all users of company systems.