Restricting programs, functions, ports, and protocols on endpoints is a high-impact control for meeting NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (CM.L2-3.4.7) — it reduces attack surface, limits lateral movement, and enforces the "only what is required" principle for systems that process Controlled Unclassified Information (CUI).
Understand the objective and scope
The Compliance Framework requirement CM.L2-3.4.7 expects organizations to allow only the programs, services, ports and protocols necessary for mission-essential functions. Start by defining the scope: which endpoints process or access CUI, which user groups and roles need network access, and which services are required for business workflows. If you manage a mixed environment (Windows, macOS, Linux, mobile), list each OS and group endpoints by role (workstation, build server, file server, admin workstation) so rules are meaningful and testable.
Inventory and create a secure baseline
Practical inventory steps
Before you block anything, build an accurate inventory of installed applications, running services, and open ports. Use tools suited to your environment: Microsoft Intune or SCCM for Windows, osquery or Open-AudIT for mixed environments, and nmap or Nessus for network-level port discovery. Record the executable hashes, versions, and publisher metadata so you can create precise allow/deny rules rather than blunt path-only rules.
Small-business example
Example: a 40-person contracting firm has 35 Windows workstations and 5 Linux servers. Use PDQ Inventory on workstations and a simple Ansible playbook on servers to collect installed packages and running sockets (ss -tuln). Produce a baseline spreadsheet showing which hosts run RDP, SSH, SMTP relays, or proprietary vendor software — that becomes the starting whitelist for endpoints.
Application allowlisting and function restriction
Application allowlisting is the most effective way to enforce "only required programs." On Windows, implement AppLocker or Microsoft Defender Application Control (MDAC) with rules by publisher, file hash, or path and start in Audit mode to gather policy exceptions before enforcement. On Linux, use SELinux, AppArmor, or tools like authselect and systemd service unit restrictions to limit process capabilities. For macOS, consider Jamf and built-in signed-app enforcement. Avoid naive path-based allowlists; prefer publisher-signature or hash-based rules for better security.
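The audit-mode step above produces a stream of AppLocker events that someone has to turn into rules. The following is an added example (not code from the original article) that triages those events into candidate allow rules, preferring publisher rules over hash rules and flagging unsigned binaries or binaries in user-writable paths for review; the event records, hostnames, publisher string and hashes are constructed sample data.

```python
"""Triage AppLocker audit-mode events into candidate allow rules.

Added example, not code from the original article. Assumes the AppLocker
EXE and DLL log has already been exported to dicts with the fields shown;
the records below are constructed sample data, not real telemetry.
"""
AUDIT_WOULD_BLOCK = 8003  # ran, but would have been blocked under enforcement
USER_WRITABLE = ("\\Users\\", "\\Temp\\", "\\AppData\\")  # paths an allowlist should not trust

VENDOR = "O=VENDOR CORP, L=AUSTIN, S=TEXAS, C=US"  # constructed publisher string
SAMPLE_EVENTS = [  # constructed export: event id, host, path, publisher, sha256
    {"id": 8003, "host": "WS01", "path": "C:\\Program Files\\Vendor\\app.exe",
     "publisher": VENDOR, "sha256": "aa11" * 16},
    {"id": 8003, "host": "WS07", "path": "C:\\Program Files\\Vendor\\app.exe",
     "publisher": VENDOR, "sha256": "aa11" * 16},
    {"id": 8003, "host": "WS02", "path": "C:\\Users\\bob\\Downloads\\tool.exe",
     "publisher": None, "sha256": "bb22" * 16},
    {"id": 8002, "host": "WS02", "path": "C:\\Windows\\System32\\notepad.exe",
     "publisher": "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US",
     "sha256": "cc33" * 16},
]


def propose_rules(events):
    """Group 8003 hits by binary and propose one rule each.

    Signed binaries get a publisher rule (it survives vendor updates); unsigned
    ones fall back to a hash rule. Anything unsigned or living in a user-writable
    path is flagged for review, since that is exactly what allowlisting exists to stop.
    Returns {(rule_type, rule_value): {"hosts": set, "paths": set, "review": bool}}.
    """
    proposals = {}
    for ev in events:
        if ev["id"] != AUDIT_WOULD_BLOCK:
            continue  # only audit-mode "would block" events need a new rule
        key = ("publisher", ev["publisher"]) if ev["publisher"] else ("hash", ev["sha256"])
        entry = proposals.setdefault(key, {"hosts": set(), "paths": set(), "review": False})
        entry["hosts"].add(ev["host"])
        entry["paths"].add(ev["path"])
        if not ev["publisher"] or any(seg in ev["path"] for seg in USER_WRITABLE):
            entry["review"] = True
    return proposals


def summarize(events):
    """Render proposals as text rows, review items first."""
    rows = []
    for (kind, value), info in propose_rules(events).items():
        flag = "REVIEW" if info["review"] else "ok"
        rows.append(f"{flag:6} {kind:9} {value[:40]:40} hosts={len(info['hosts'])}")
    return sorted(rows, key=lambda r: not r.startswith("REVIEW"))
```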
Restrict ports and protocols at the host and network level
Windows and host firewall examples
On Windows endpoints, use Windows Defender Firewall with Advanced Security: implement inbound rules that are 'Allow' only for required services and create default-deny for unsolicited inbound connections. For outbound control, configure rules to prevent unauthorized remote connections (e.g., block outbound RDP/Telnet). Example command for a quick block: netsh advfirewall firewall add rule name="Block RDP Out" dir=out action=block protocol=TCP localport=3389. Use Group Policy or Intune to push rules centrally.
Linux and network examples
On Linux servers, enforce restrictions with nftables/iptables or ufw where appropriate. Example: to deny telnet use 'sudo ufw deny 23' or use nftables to permit only required ports (22 for hardened SSH, 443 for web) and reject the rest. At the network edge, ensure perimeter firewalls only allow necessary ports and protocols to and from CUI-related systems; implement internal segmentation (VLANs or micro-segmentation) so that even if a host is compromised, access to other sensitive systems is very limited.
Harden services and disable unused functions
Many endpoints run unnecessary services by default. Use service management to stop and disable nonessential services: on systemd systems use 'systemctl disable --now
Automate, validate, and monitor
Automation and continuous validation make the control sustainable. Bake allowlist and firewall rules into your configuration management (Ansible, Chef, Salt, or Intune policies), and automate periodic validation with vulnerability scans, nmap sweeps, and endpoint audits. Use endpoint logging (Sysmon for Windows, auditd for Linux) with a SIEM or log aggregation (Splunk, Elastic, or a hosted EDR console) to detect deviations, attempted use of blocked protocols, and unauthorized service start attempts. Keep change detection (file integrity monitoring) on critical executables to catch tampering.
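The baseline spreadsheet from the inventory step and the periodic validation described here meet in a deviation check. The following is an added example (not code from the original article) that parses `ss -tuln` output collected per host and reports listeners that fall outside the approved baseline for that host's role; the roles, baseline ports and the ss capture are constructed for illustration.

```python
"""Check a host's listening sockets against its role baseline.

Added example, not code from the original article. Parses `ss -tuln`
output collected per host (for instance by an Ansible playbook) and
reports listeners outside the approved baseline. The baseline and the
ss output below are constructed for illustration.
"""
import re

# Approved (proto, port) pairs per role; constructed, following the
# article's "22 for hardened SSH, 443 for web" example.
BASELINE = {
    "web-server": {("tcp", 22), ("tcp", 443)},
    "file-server": {("tcp", 22), ("tcp", 445)},
}

# Constructed `ss -tuln` capture: a web server with a stray telnet daemon,
# a DHCP client socket, and CUPS bound to loopback only.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    *:443              *:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    [::1]:631          [::]:*
"""

# Netid, State, Recv-Q, Send-Q, then Local Address:Port (IPv6 is bracketed).
_ROW = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_ss(output):
    """Return {(proto, port, local_addr)} for every socket row."""
    listeners = set()
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:  # the header row does not match
            listeners.add((m.group(1), int(m.group(3)), m.group(2)))
    return listeners


def find_deviations(role, listeners, ignore_loopback=True):
    """Return listeners the baseline for `role` does not allow.

    Loopback-only sockets are skipped by default: they are unreachable
    from the network, though they still belong in the host inventory.
    An unknown role has an empty baseline, so everything is reported.
    """
    allowed = BASELINE.get(role, set())
    return {
        (proto, port, addr) for proto, port, addr in listeners
        if not (ignore_loopback and addr.strip("[]") in ("127.0.0.1", "::1"))
        and (proto, port) not in allowed
    }
```

Run against real hosts, the same check fed from a scheduled `ss -tuln` or an nmap sweep gives you the periodic validation evidence an assessor will ask for.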
Exceptions, change control and documentation
Implement a documented exceptions and change-control process: every exception must include business justification, time box, compensating controls (e.g., only allow access from a management subnet), and approval by the system owner. Track exceptions in your configuration management database (CMDB) and include them in the annual assessment for CM.L2-3.4.7. Maintain a rollback plan and test plan so that if a new rule breaks business-critical functionality, you can quickly remediate without risking data access or availability.
Risks of not implementing CM.L2-3.4.7
Failing to restrict programs, functions, ports, and protocols leaves numerous attack vectors open: exposed services can be exploited for remote code execution, legacy protocols enable credential theft, and unnecessary applications increase the likelihood of vulnerable software. From a compliance perspective, non-implementation can result in failed audits, loss of federal contracts that require NIST/CMMC compliance, and increased liability if CUI is compromised. Operationally, it increases detection noise and response complexity.
Summary: To meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 CM.L2-3.4.7, adopt a repeatable lifecycle: inventory and baseline endpoints, apply targeted allowlisting and host firewall rules, disable unused services and legacy protocols, automate policy deployment and validation, and manage exceptions with documented change control. For small businesses, start with a prioritized inventory, test rules in audit mode, and roll changes through your MDM or configuration management tool so that security improvements are enforced consistently without disrupting workflows.