This post explains how to implement NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control CM.L2-3.4.7 — disable nonessential functions — on Windows and Linux systems, with step-by-step commands, group policy and automation examples, and practical advice for small business environments.
Understanding CM.L2-3.4.7 and the Compliance Framework context
CM.L2-3.4.7 requires organizations to limit system functionality to only what is essential for mission and business operations. In practice this means you must inventory system capabilities, identify nonessential services/protocols/features (e.g., Telnet, FTP, unused daemons, legacy APIs), and disable or remove them in a controlled manner. Within the Compliance Framework of NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2, this is a configuration management control intended to reduce attack surface and support the protection of Controlled Unclassified Information (CUI).
Inventory and a risk-based approach (first steps)
Begin with an inventory: list OS versions, installed packages, enabled services, listening ports, and configured features for all endpoints and servers. Use tools such as Microsoft Defender Inventory, SCCM/Intune, or a lightweight Nmap/Netstat sweep and Linux package managers (dpkg/rpm) for small environments. Prioritize by risk and business impact: systems that host CUI, domain controllers, file servers and jump boxes get higher priority. Document allowed services in a baseline configuration profile (gold image) and record exceptions with business justification and expiration.
How to disable nonessential functions on Windows (practical steps)
On Windows, nonessential functions are usually services, Windows features, scheduled tasks, and legacy protocols. A standard hardening sequence is: 1) identify services with Get-Service and listening ports with Get-NetTCPConnection or netstat -ano; 2) test disabling in a staging VM; 3) disable/stop the service and set startup to Disabled; 4) apply via Group Policy / Intune / SCCM for scale. Example interactive commands:
# Stop and disable a service (e.g., Print Spooler)
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
# Disable SMBv1 (if still present)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# View listening ports
Get-NetTCPConnection -State Listen | Format-Table LocalAddress,LocalPort,OwningProcess
Group Policy and automation examples for Windows
Use Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → System Services to set service startup types centrally, or use Group Policy Preferences to run scripts. For modern management, use Intune device configuration profiles or PowerShell DSC / Salt to enforce desired state. Example GPO approach for Print Spooler: configure the service startup as Disabled and apply a Scheduled Task to re-stop the service as a fallback. Keep a change request and rollback plan for any disabling that impacts end users (e.g., printing in a particular office).
How to disable nonessential functions on Linux (practical steps)
On Linux, the equivalent items are systemd services, installed packages, kernel modules, and open ports. Steps: audit with ss -tuln, systemctl list-unit-files --state=enabled, and package lists (apt list --installed or rpm -qa). For a given service:
# Stop + disable + mask a service
sudo systemctl stop telnet.socket
sudo systemctl disable telnet.socket
sudo systemctl mask telnet.socket
# Remove an unneeded package (Debian/Ubuntu)
sudo apt-get remove --purge telnetd -y
sudo apt-get autoremove -y
To prevent kernel modules from loading, add a blacklist file in /etc/modprobe.d/ (for example, create /etc/modprobe.d/blacklist-usb-storage.conf with "blacklist usb-storage") and rebuild initramfs (update-initramfs -u) if required. Carefully test module blacklisting on systems that rely on the hardware.
Automation example with Ansible
For small businesses that want repeatable enforcement, Ansible playbooks are efficient. Example snippet for disabling services and removing packages:
- name: Harden servers - remove telnet and disable print spooler
  hosts: servers
  become: yes
  tasks:
    - name: Remove telnet package
      apt:
        name: telnetd
        state: absent
      when: ansible_facts['os_family'] == 'Debian'
    - name: Disable and mask telnet service
      systemd:
        name: telnet.socket
        enabled: no
        masked: yes
        state: stopped
Use CI/CD or Ansible Tower/AWX to run against inventories and log changes. For Windows, use WinRM-enabled Ansible modules or Group Policy/Intune as the enforcement mechanism.
Operational considerations, monitoring, and verification
Disabling functions is not a one-time task: integrate into change management and patch cycles. Build automated compliance checks: periodic scans with Nessus/OpenVAS, CIS-CAT, or customized scripts that verify service states and listening ports. Keep baselines in version-controlled configuration repositories and enforce via configuration management tools. For exceptions, maintain an approvals log with compensating controls (e.g., firewall rules, host-based IDS) and a re-evaluation date. Finally, collect and centralize logs (Windows Event Forwarding, syslog/rsyslog -> SIEM) so you can detect attempts to re-enable forbidden services or unexpected new listeners.
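The "customized scripts that verify service states and listening ports" mentioned above, applied to the Linux audit commands from the earlier section (ss -tuln, systemctl list-unit-files --state=enabled): the following is an added example, not code from the original post. The allowed-unit and allowed-port baseline and the two sample inputs are constructed values for illustration; run it with --live to audit the current host instead.

```shell
#!/bin/sh
# Added example: check a Linux host against a CM.L2-3.4.7 baseline of
# allowed systemd units and listening sockets. Baseline values are assumptions.
ALLOWED_UNITS="sshd.service
rsyslog.service
cron.service"
ALLOWED_PORTS="tcp/22
udp/68"

# Constructed sample inputs so the script runs offline; the --live branch below
# replaces them with real systemctl and ss output.
SAMPLE_ENABLED="sshd.service
cron.service
telnet.socket"
SAMPLE_SS="Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*"

in_list() { printf '%s\n' "$2" | grep -qxF -- "$1"; }  # exact whole-line match

# check_units "<enabled unit names>": report units enabled but not in the baseline; return 1 on drift
check_units() {
  drift=0
  for u in $1; do
    in_list "$u" "$ALLOWED_UNITS" || { echo "DRIFT unit enabled: $u"; drift=1; }
  done
  return $drift
}

# check_ports "<ss -tuln output>": normalise each listener to proto/port (IPv4 and
# [::] forms collapse to one entry) and report anything not in the baseline
check_ports() {
  drift=0
  for p in $(printf '%s\n' "$1" | awk 'NR>1 { n = split($5, a, ":"); print $1 "/" a[n] }' | sort -u); do
    in_list "$p" "$ALLOWED_PORTS" || { echo "DRIFT listener: $p"; drift=1; }
  done
  return $drift
}

if [ "${1:-}" = "--live" ]; then   # audit this host; exit status feeds a scheduler or SIEM
  rc=0
  check_units "$(systemctl list-unit-files --state=enabled --no-legend | awk '{print $1}')" || rc=1
  check_ports "$(ss -tuln)" || rc=1
  [ $rc -eq 0 ] && echo "OK: host matches baseline"
  exit $rc
else                               # offline demo on the constructed samples
  check_units "$SAMPLE_ENABLED" || true
  check_ports "$SAMPLE_SS" || true
fi
```

Any non-zero exit is drift worth forwarding to the central log pipeline described above, since an enabled unit or listener outside the baseline is exactly the "re-enabled forbidden service or unexpected new listener" condition.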
Risk of not implementing CM.L2-3.4.7
Failing to disable nonessential functions leaves unnecessary attack surfaces that adversaries can exploit — e.g., legacy protocols like Telnet/FTP enable credential capture; unused services give remote code execution paths; exposed management interfaces enable lateral movement. For organizations handling CUI, this increases the risk of data breach, contract loss with DoD or prime contractors, regulatory penalties, and reputational damage. From a cost perspective, incident remediation and forensic response often far exceed the investment required to harden and maintain baselines.
In summary, meeting CM.L2-3.4.7 under the Compliance Framework requires a disciplined, repeatable process: inventory systems, apply a risk-based decision on what is essential, disable or remove nonessential functions with testing and change control, automate enforcement and monitoring, and document exceptions. For small businesses, start by hardening high-value assets (file servers, domain controllers), use Group Policy/Intune or Ansible for consistency, and run periodic verification scans to prove compliance.