This post explains how to create a practical least-functionality configuration checklist for Windows and Linux hosts to satisfy NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 control CM.L2-3.4.6, and shows how a small business can implement, document, and evidence the configuration changes with low overhead.
Understanding CM.L2-3.4.6 and the Compliance Framework objective
CM.L2-3.4.6 requires configuring systems to provide only essential capabilities, reducing attack surface and limiting opportunities for adversaries — "least functionality." For Compliance Framework mapping, treat this control as a configuration baseline requirement: create a documented baseline, apply it consistently, and retain artifacts showing compliant state (configuration files, GPOs, automation playbooks, output of discovery scans, and exception records).
Step 1 — Discover current state and build an inventory baseline
Start with a discovery phase: enumerate installed packages, enabled services, listening ports, and installed Windows features across endpoints and servers. For small businesses (10–100 endpoints), this can be done with lightweight tools and scripts and then centrally recorded in your Compliance Framework. Evidence items: CSV/XLS inventory, output from network scans, and a justification matrix that ties each installed capability to business need.
Practical discovery commands and actions
- Windows: run a PowerShell inventory - Get-WindowsOptionalFeature -Online; Get-Service | Where-Object {$_.StartType -ne 'Disabled'}; Get-WmiObject -Class Win32_Product (careful: can be slow) - or use the inventory reports from Intune/SCCM.
- Linux: use package queries and systemd - dpkg-query -l or rpm -qa; systemctl list-unit-files --state=enabled; ss -tulnp to list listening sockets.
- Network: run a credentialed Nessus/OpenVAS or Nmap scan to discover open ports and services.
Step 2 — Create the least-functionality checklist (Windows & Linux)
Translate discovery into a checklist of “allowed” capabilities and a separate list of “disallowed/removed/disabled” items. The checklist should include: packages to remove, services to disable, optional OS features to turn off, firewall rules to implement, and application execution controls to enforce. For each item record: rationale, owner, test plan, rollback steps, and evidence artifact name and location in Compliance Framework.
Windows-specific checklist items (examples)
- Remove or disable unused Windows Features (example commands: Get-WindowsOptionalFeature -Online; use Disable-WindowsOptionalFeature -Online -FeatureName <name> or DISM /Online /Disable-Feature /FeatureName:<name>).
- Disable unnecessary services: review the Get-Service output and use Set-Service -Name <svc> -StartupType Disabled; stop the running instance with Stop-Service <svc>.
- Enable application control: implement AppLocker or Windows Defender Application Control (WDAC) with a default-deny policy for unknown binaries.
- Harden remote access: disable Telnet/SMBv1, turn off RDP if not needed, or restrict RDP with NLA and firewall rules; use GPOs to manage settings centrally.
- Use Controlled Folder Access and Defender Exploit Guard, and limit PowerShell usage (Constrained Language Mode where feasible, or at minimum module logging and script block logging enabled).
Linux-specific checklist items (examples)
- Remove unnecessary packages: apt-get purge --auto-remove <pkg> or yum/dnf remove <pkg>; prioritize removing compilers and development tools from production systems.
- Disable unused services: systemctl disable --now <service>; mask units if necessary to prevent re-enablement (systemctl mask <service>).
- Harden SSH: in /etc/ssh/sshd_config set PermitRootLogin no, PasswordAuthentication no, UsePAM yes, and use AllowUsers or Match blocks to restrict logins; restart sshd and test access from a separate session before disconnecting.
- Enable local firewall: ufw default deny incoming; ufw allow from <trusted> to any port 22 proto tcp (or use firewalld/iptables with explicit deny-by-default).
- Enforce Mandatory Access Control: install and enforce SELinux (Enforcing) or AppArmor profiles for key services.
Step 3 — Automate, enforce, and document
For sustainable compliance, automate enforcement with configuration management (Ansible, Puppet, Chef) or endpoint management (Intune/SCCM). Create playbooks that: remove listed packages, disable services, deploy firewall rules, and push application control policies. Store playbooks and GPO backups in your Compliance Framework repository as evidence. For small businesses without a full CM toolchain, use scripted PowerShell remoting or SSH scripts executed from a management host and log output to a centralized SFTP or logging service.
Validation, monitoring, and evidence collection
Validation is critical: schedule periodic scans and compare current state to the baseline checklist. Evidence to collect for auditors and Contracting Officers' Representatives (CORs): baseline configuration documents, output of discovery commands (CSV or JSON), automation playbooks, change-control approvals for exceptions, and periodic scan reports. Implement continuous monitoring: alert when a disabled service is re-enabled, when new listening ports appear, or when new packages are installed.
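As an added example (not code from the original post), the script below runs on the management host and turns the raw output of the Linux discovery commands from Step 1 (systemctl list-unit-files --state=enabled, ss -tulnp, dpkg-query -l) into a drift report against the Step 2 "allowed" baseline, which is the comparison the validation step calls for. The command output and the baseline are constructed samples, and check_host and the other function names are hypothetical.

```python
# Constructed sample command output (not captured from a real host).
SAMPLE_UNITS = """UNIT FILE      STATE   VENDOR PRESET
ssh.service    enabled enabled
cron.service   enabled enabled
telnet.socket  enabled disabled

3 unit files listed.
"""
SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*   users:(("inetd",pid=812,fd=5))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*   users:(("dhclient",pid=500,fd=6))
"""
SAMPLE_DPKG = """||/ Name           Version    Architecture Description
ii  openssh-server 1:8.9p1-3  amd64        secure shell (SSH) server
ii  gcc            4:11.2.0-1 amd64        GNU C compiler
"""
# Hypothetical Step 2 baseline for this host class: the only capabilities the checklist allows.
BASELINE = {"allowed_units": ["ssh.service", "cron.service"],
            "allowed_sockets": [["tcp", 22], ["udp", 68]],
            "allowed_packages": ["openssh-server"]}

def parse_enabled_units(text):
    """Unit names from `systemctl list-unit-files --state=enabled`; header and footer lack 'enabled' in column 2."""
    return {p[0] for p in (l.split() for l in text.splitlines()) if len(p) >= 2 and p[1] == "enabled"}

def parse_listening_sockets(text):
    """(protocol, port) pairs from `ss -tulnp`; the port is split off the right so IPv6 and '*' addresses work."""
    sockets = set()
    for parts in (l.split() for l in text.splitlines()):
        if len(parts) >= 5 and parts[0] != "Netid":
            sockets.add((parts[0], int(parts[4].rsplit(":", 1)[1])))
    return sockets

def parse_installed_packages(text):
    """Names of packages in installed state ('ii') from `dpkg-query -l`."""
    return {l.split()[1] for l in text.splitlines() if l.startswith("ii ")}

def compare_to_baseline(baseline, current):
    """Drift = anything present that the baseline does not allow; each non-empty list needs an exception record."""
    return {"unexpected_units": sorted(current["units"] - set(baseline["allowed_units"])),
            "unexpected_sockets": sorted(current["sockets"] - {tuple(s) for s in baseline["allowed_sockets"]}),
            "unexpected_packages": sorted(current["packages"] - set(baseline["allowed_packages"]))}

def check_host(units_out, ss_out, dpkg_out, baseline=BASELINE):
    """Run all three parsers over raw command output and report drift from the baseline."""
    current = {"units": parse_enabled_units(units_out),
               "sockets": parse_listening_sockets(ss_out),
               "packages": parse_installed_packages(dpkg_out)}
    return compare_to_baseline(baseline, current)
```

Serialising the returned dictionary to JSON and storing it next to the baseline gives the periodic validation artifact the auditors ask for; any non-empty list is either an alert or a documented exception.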
Risks, real-world small-business scenarios, and compliance tips
Risks of not implementing least functionality include a larger attack surface (unneeded services providing remote entry), easier lateral movement, a greater probability of data exfiltration, and failing CMMC/NIST assessments, which can jeopardize DoD contracts. Example: a 25-person contractor left development tools and an SSH server enabled on a production workstation; a compromised user executed a reverse shell using the available tooling. To avoid this, document exceptions (why an item is allowed), require time-boxed approvals, and include compensating controls (network segmentation, jump hosts, MFA) where removal isn't immediately possible.
Compliance tips and best practices: align your checklist to CIS Benchmarks and DISA STIGs where applicable, use templates and profiles to speed implementation, run change control and maintenance windows before applying removals, keep backups and test rollback plans, and assign owners and a review cadence (quarterly). For evidence, use screenshots of GPO settings, output files (systemctl list-unit-files --state=enabled, Get-WindowsOptionalFeature -Online), and Ansible run logs placed in the Compliance Framework repository.
Summary: Build a least-functionality checklist by discovering current state, defining allowed capabilities, automating enforcement, and continuously validating. Map each checklist item to CM.L2-3.4.6 in your Compliance Framework, keep clear evidence and exception records, and prioritize low-cost automation for a small business — this reduces risk, supports audits, and helps maintain eligibility for contracts requiring NIST SP 800-171 / CMMC Level 2 compliance.