Control CM.L2-3.4.7 in the Compliance Framework requires organizations to disable unnecessary daemons, services, and listening ports to reduce attack surface and protect Controlled Unclassified Information (CUI); this post gives practical, auditable steps for Linux and Windows servers to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 expectations, including commands, automation ideas, and small-business examples.
Implementation Overview
Start with a clear inventory and baseline: identify every server’s purpose, the services required for that purpose, and the expected open ports. For each host create a documented baseline (for example: Web server — httpd/nginx, port 80/443; File server — Samba/SMB, ports 445/139), then map installed daemons/services to that baseline. Use the baseline as the source of truth for change control: if a service must be added later, require a documented exception with risk acceptance and compensating controls (firewall rules, MFA, monitoring).
Linux: discovery and removal/disable steps
On Linux, discovery and remediation are straightforward with systemd, netstat/ss, and package managers. Commands to discover listening services: `ss -tuln` or `netstat -tulpn`. To map sockets to packages/processes: `lsof -i -P -n` and `ps -ef | grep
Windows: discovery and remediation
On Windows, use PowerShell and built-in tools to enumerate and disable services and listening ports. Discover listening ports with `netstat -ano | findstr LISTEN` or PowerShell: `Get-NetTCPConnection -State Listen | Select-Object LocalAddress,LocalPort,OwningProcess`. Map PIDs to services: `Get-Process -Id
Automation, Scanning, and Continuous Monitoring
Manual changes must be codified into automation and regular scans. Implement periodic network scans (Nmap, Nessus, OpenVAS) to detect unexpected open ports and compare results to baselines. On Linux, use configuration management (Ansible, Puppet, Chef) to enforce disabled services: an Ansible task can ensure `state: stopped` and `enabled: no`. On Windows, use Desired State Configuration (DSC) or SCCM to enforce service states. Enable audit logging: auditd rules on Linux to log socket openings or service starts, and Windows Event Logging (enable Service Control Manager auditing and use Sysmon to track process/connection events). Integrate findings with your SIEM to create alerts for deviations from the baseline (e.g., a previously disabled service becomes active). Schedule quarterly penetration tests or vulnerability assessments and remediate findings through ticketing, keeping evidence of each change for compliance auditors.
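The baseline comparison described in the Implementation Overview and the scan-to-baseline drift check described here are the same computation, so the following added example (not code from the original article) does both: it parses captured listener output, diffs the observed (protocol, port) set against a documented per-host baseline, and separates unexpected listeners that are reachable from the network from those bound only to loopback. It goes slightly beyond the text by accepting either Linux `ss -tuln` or Windows `netstat -ano` output. The host names, baseline entries, and both sample outputs are constructed for the example and are not from the article.

```python
"""Baseline drift check for listening ports (CM.L2-3.4.7 evidence).

Parses captured `ss -tuln` (Linux) or `netstat -ano` (Windows) text,
compares the listening (proto, port) set against a documented per-host
baseline, and reports unexpected listeners, missing expected services,
and which unexpected listeners are bound to a non-loopback address.
All host names, baseline values and sample outputs are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str  # "tcp" or "udp"
    addr: str   # bind address exactly as the tool printed it
    port: int


# Assumed documented baseline: host -> set of (proto, port) that must listen.
# web01 is the article's "web server" case; fs01 a Windows file server.
BASELINE = {
    "web01": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "fs01": {("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 3389)},
}

# Addresses that do not expose a service to the network.
LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}

# `ss -tuln` rows: Netid State Recv-Q Send-Q Local:Port Peer:Port
_SS_RE = re.compile(r"^(tcp|udp)\s+(?:LISTEN|UNCONN)\s+\d+\s+\d+\s+(\S+):(\d+)\s")
# `netstat -ano` rows: Proto Local:Port Foreign:Port [State] PID
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_listeners(output: str) -> set[Listener]:
    """Return the listening sockets found in ss or netstat output."""
    found: set[Listener] = set()
    for line in output.splitlines():
        m = _SS_RE.match(line)
        if m:
            found.add(Listener(m.group(1), m.group(2), int(m.group(3))))
            continue
        m = _NETSTAT_RE.match(line)
        if m:
            proto, addr, port, state = m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4)
            # netstat prints every TCP socket; only LISTENING rows are attack surface here.
            if proto == "tcp" and state != "LISTENING":
                continue
            found.add(Listener(proto, addr, port))
    return found


def report(host: str, output: str, baseline=BASELINE) -> dict[str, set]:
    """Diff observed listeners against the host's documented baseline."""
    expected = baseline[host]
    listeners = parse_listeners(output)
    observed = {(l.proto, l.port) for l in listeners}
    unexpected = observed - expected
    return {
        "unexpected": unexpected,                 # new attack surface, needs exception or removal
        "missing": expected - observed,           # required service down or tampered with
        "exposed": {(l.proto, l.addr, l.port) for l in listeners
                    if (l.proto, l.port) in unexpected and l.addr not in LOOPBACK},
    }


# Constructed `ss -tuln` capture from the assumed web host (not real data).
SAMPLE_SS_WEB01 = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511             [::]:443           [::]:*
tcp   LISTEN 0      32           0.0.0.0:21         0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
"""

# Constructed `netstat -ano` capture from the assumed Windows file server.
SAMPLE_NETSTAT_FS01 = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:445         203.0.113.5:51000      ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1284
"""

if __name__ == "__main__":
    for host, capture in (("web01", SAMPLE_SS_WEB01), ("fs01", SAMPLE_NETSTAT_FS01)):
        findings = report(host, capture)
        for kind in ("unexpected", "missing", "exposed"):
            for item in sorted(findings[kind], key=str):
                print(f"{host}\t{kind}\t{item}")
```

In the web host sample the FTP listener on port 21 and the DHCP client on UDP 68 show up as exposed deviations, while the MySQL socket on 127.0.0.1:3306 is reported as unexpected but not exposed; that split is what decides whether a finding is an urgent firewall or removal ticket or a baseline correction. On the file server sample, the established SMB session is ignored, the unexpected HTTP and NTP listeners are flagged, and the absence of the baseline RDP port is reported as missing, which is the availability signal a SIEM alert should also carry.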
Real-World Small-Business Scenarios
Example 1: Small accounting firm runs a file server plus one public web server. The web host should run only nginx (80/443) — disable FTP, Telnet, database instances bound to 0.0.0.0, and any RPC or Samba services not required. Example command sequence: `ss -tuln` -> identify `:21` -> `systemctl disable --now vsftpd` -> `apt-get purge vsftpd` -> `ufw deny 21`. Example 2: A Windows-based project server used for collaboration doesn’t need print services or IIS: run `Get-WmiObject -Class Win32_Service | Where {$_.Name -eq "Spooler" -or $_.Name -eq "W3SVC"}` then stop/disable non-required ones, and deploy a Group Policy to prevent reinstallation. For small businesses without full IT teams, use managed configuration tools, documented checklists, and weekly vulnerability scan reports from a third-party managed service to stay compliant.
Compliance Tips and Best Practices
Document every baseline and exception to satisfy auditability: include the business reason, risk analysis, compensating controls, owner, and expiration for temporary exceptions. Tie service inventories to asset inventory and change control tickets. Adopt CIS Benchmarks or vendor hardening guides as the baseline and maintain versioned baselines in source control. Use role-based access control so only authorized admins can change service states, and require multi-factor authentication for privileged access. Retain logs for the period required by your compliance policy and demonstrate that monitoring alerts are acted on (include timestamps and ticket references) to prove ongoing compliance with CM.L2-3.4.7.
Risks of Not Disabling Unnecessary Services
Failing to disable unnecessary daemons and listening ports increases attack surface — attackers can exploit vulnerable services, gain initial access, move laterally, or exfiltrate CUI. Unnecessary services often run with elevated privileges or have poor patch coverage, creating easy attack vectors (e.g., exposed database ports or legacy SMB/NetBIOS services). From a compliance perspective, failing to document baselines and exceptions, or showing repeat deviations, can result in failed assessments, breach notification obligations, lost contracts, and financial penalties for inadequate CUI protection.
Summary: To meet CM.L2-3.4.7, maintain a documented baseline of required services, use discovery tools (ss/netstat, lsof, Get-NetTCPConnection/netstat) to find listening ports, remove or disable unneeded daemons with systemctl/Set-Service/sc, enforce baselines with configuration management or Group Policy, and continuously scan and log to detect drift; document exceptions and link changes to change control for auditable compliance. These practical steps, when combined with monitoring and automation, will reduce risk and help demonstrate adherence to NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirements.