3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

Actionable Items: Maintain and keep up-to-date lists of equipment along with their function. Make lists of open ports and other open gateways into and out of your business. De-activate any unused equipment and close open ports and gateways that are unused. Use third party software to monitor these and any other intrusions into your system.