This implementation guide explains how to satisfy Compliance Framework control CM.L2-3.4.6 (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2) by removing or disabling unnecessary features, ports, protocols, and services on Windows and Linux servers — with practical commands, automation tips, documentation requirements, and small‑business scenarios you can apply immediately.
Understanding CM.L2-3.4.6 and the goal
The core objective of CM.L2-3.4.6 is the principle of least functionality: configure systems to provide only the capabilities necessary to perform authorized functions. For compliance this means you must identify and remove or disable unneeded services, packages, listening ports, drivers, GUI components, server roles, and legacy protocols so that systems expose a minimal, documented attack surface. Evidence must show the baseline, decisions, changes, and verification steps.
Practical implementation: discovery and baseline
Start with discovery: build an inventory of running services, installed packages, and listening ports for each server and capture it as the baseline. On Windows, use PowerShell and built-in tools: Get-Service | Where-Object {$_.Status -eq 'Running'} lists running services, netstat -ano | findstr LISTEN lists listening ports with their owning process IDs, DISM /online /Get-Features lists optional features, and Get-WindowsFeature | Where-Object {$_.Installed -eq $true} lists installed server roles and features (Windows Server only). On Linux, use ss -tulpen to list TCP/UDP listeners with their owning processes, systemctl list-unit-files --state=enabled to list enabled services, and package manager queries (dpkg -l, rpm -qa, or yum list installed) for installed packages. Record the outputs in your configuration management database (CMDB) and tag each item as Required, Optional, or Unapproved with an owner and a justification.
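As an added example (not the guide's own code), the following POSIX shell script normalises ss -tulpen output into proto/port/process triples and flags every listener that is missing from an approved per-role baseline, which is the Unapproved tag in practice. The sample ss output, the baseline contents, and the "proto port process" baseline format are constructed assumptions.

```shell
#!/bin/sh
# Added example (not the guide's own code): turn `ss -tulpen` output into
# "proto port process" lines and flag listeners missing from an approved
# baseline. The baseline format is a constructed assumption for this example.

# Constructed sample of `ss -tulpen` output for a Linux web node (not a real capture).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*   users:(("avahi-daemon",pid=612,fd=12)) uid:107 ino:1 sk:1
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=801,fd=3)) ino:2 sk:2
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*   users:(("nginx",pid=950,fd=6)) ino:3 sk:3
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*   users:(("cupsd",pid=700,fd=5)) ino:4 sk:4'

# Approved baseline for the web-node role (assumed): only sshd and nginx may listen.
LISTENER_BASELINE='tcp 22 sshd
tcp 80 nginx'

# Normalise ss output to "proto port process", skipping the header line.
listeners_from_ss() {
  awk 'NR > 1 {
    n = split($5, a, ":"); port = a[n]            # port follows the last ":"
    proc = "unknown"
    if (match($0, /users:\(\("[^"]+"/))           # name inside users:(("name",...
      proc = substr($0, RSTART + 9, RLENGTH - 10)
    print $1, port, proc
  }'
}

# Print "Unapproved proto port process" for each listener not in the baseline.
# Returns 0 when everything matches the baseline, 1 when drift is found.
report_unapproved() {
  baseline="$1"; found=0
  while read -r proto port proc; do
    if ! printf '%s\n' "$baseline" | grep -qxF "$proto $port $proc"; then
      printf 'Unapproved %s %s %s\n' "$proto" "$port" "$proc"
      found=1
    fi
  done
  return $found
}

# Run the check on the constructed sample (on a real host: ss -tulpen | listeners_from_ss | ...).
check_sample() {
  printf '%s\n' "$SAMPLE_SS" | listeners_from_ss | report_unapproved "$LISTENER_BASELINE"
}
```

A non-zero exit from report_unapproved is what you wire into the weekly scan job so that a re-enabled service opens a ticket, and the pre/post output lines are the netstat/ss evidence the documentation section asks for.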
Practical implementation: removal and disabling
Apply removal steps in a controlled, test-first manner: change one server role in a test or staging environment, confirm the applications it hosts still work, then roll the change out. Windows examples: to stop and disable Print Spooler on servers that do not require printing, run Stop-Service -Name Spooler -Force followed by Set-Service -Name Spooler -StartupType Disabled. To remove optional Windows features use DISM, for example DISM /online /Disable-Feature /FeatureName:TelnetClient /Remove, or use Uninstall-WindowsFeature for server roles. On Linux, disable and stop services with systemctl disable --now avahi-daemon, and use systemctl mask bluetooth.service to prevent any startup (mask by itself does not stop a unit that is already running, so stop it or use disable --now first). Remove unneeded packages with apt remove --purge
Automation, enforcement, and continuous monitoring
Small businesses should automate enforcement to scale and reduce drift. Use Ansible, SaltStack, Chef, or PowerShell DSC to declare a baseline state; for example, an Ansible task that stops and disables a service consists of a task line, - name: disable telnetd service, and a module line, service: name=telnetd state=stopped enabled=no. For Windows, deploy Group Policy or Microsoft Endpoint Configuration Manager to enforce service startup types and remove roles, and use Desired State Configuration (DSC) for continuous remediation. Integrate configuration scans into CI: run CIS Benchmark checks, OpenSCAP or Lynis, or commercial scanners (Tenable, Qualys) weekly and feed the results to your ticketing system for remediation tracking.
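As an added example (not the guide's or any project's code) covering the removal steps and the enforcement step of the two sections above, this POSIX shell script applies a per-role service baseline with the same idempotent semantics as the Ansible task, refuses to touch units you mark as protected, and prints the systemctl commands instead of running them when DRY_RUN=1. The baseline format ("unit disabled|masked"), the unit names, and the protected-unit list are assumptions.

```shell
#!/bin/sh
# Added example (not the guide's own code): enforce a per-role service
# baseline in plain POSIX sh. Baseline lines are "<unit> <disabled|masked>"
# (constructed format). DRY_RUN=1 prints the systemctl commands instead of
# running them, giving a reviewable change plan for the change ticket.

WEB_NODE_BASELINE='avahi-daemon disabled
cups masked
bluetooth masked
telnet.socket disabled'

# Units this script must never disable, whatever the baseline says (assumed list).
PROTECTED='sshd systemd-journald'

run() {                                  # execute, or print under DRY_RUN=1
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

is_protected() {
  for p in $PROTECTED; do [ "$1" = "$p" ] && return 0; done
  return 1
}

# Bring one unit to the wanted state. Idempotent, so it is safe to re-run on
# every configuration cycle. Returns 2 on a bad state word, 3 on a protected unit.
enforce_unit() {
  unit="$1"; want="$2"
  if is_protected "$unit"; then
    printf 'refusing to touch protected unit %s\n' "$unit" >&2; return 3
  fi
  case "$want" in
    disabled) run systemctl disable --now "$unit" ;;
    masked)   run systemctl disable --now "$unit"   # stop it first, ...
              run systemctl mask "$unit" ;;         # ... then block any startup
    *)        printf 'unknown state %s for %s\n' "$want" "$unit" >&2; return 2 ;;
  esac
}

# Apply every line of a baseline; returns the last non-zero status, if any.
enforce_baseline() {
  rc=0
  while read -r unit want; do
    [ -n "$unit" ] || continue           # skip blank lines
    enforce_unit "$unit" "$want" || rc=$?
  done <<EOF
$1
EOF
  return $rc
}
```

Run it with DRY_RUN=1 first and attach the printed command list to the change ticket, then run it as root on the target host and capture systemctl list-unit-files --state=enabled before and after as evidence.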
Small‑business real-world scenarios
Example 1: A small web-hosting firm runs two Windows servers (AD + file server) and three Linux web servers. The firm removed GUI/desktop features from all servers (Server Core for Windows, no X11 on Linux), disabled Telnet, FTP, and legacy SMB v1 on the Windows file server (Disable-WindowsOptionalFeature and set SMBv1 registry keys), and removed CUPS and avahi from Linux web nodes. Example 2: A small engineering firm with an R&D app restricted RDP only to an administrative jump host and removed remote desktop service on all application servers; they documented the change in a single ticket and captured pre/post netstat and firewall rules as evidence.
Compliance tips, documentation and evidence
To demonstrate compliance, keep a clear paper trail: (1) an approved baseline document per server role referencing the Compliance Framework practice, (2) change control tickets authorizing removals, (3) scripts/playbooks used to implement changes, (4) pre/post discovery outputs (Get-Service, ss, netstat, package lists), (5) scanner reports showing removed services, and (6) monitoring alerts for service re‑enablement. Include exception records for any retained services (owner, risk acceptance, compensating controls such as firewall rules or IPS signatures).
Risk if you do not implement CM.L2-3.4.6
Failing to remove unnecessary features increases attack surface: extra listening ports and services create more exploit paths, outdated packages may harbor unpatched vulnerabilities, and legacy protocols like Telnet/SMBv1 enable credential theft and lateral movement. For small businesses this often leads to ransomware, data exfiltration, and failed audits—resulting in incident response costs, lost customer trust, and potential contract/supply‑chain consequences under federal compliance requirements.
Summary
Meeting CM.L2-3.4.6 is a practical combination of discovery, controlled removal, automation, and documentation: inventory every server, decide required capabilities, remove or disable what’s not needed, enforce the state with automation, and keep auditable evidence. Use the provided commands and examples to create test cases and playbooks for Windows and Linux servers, integrate scanning into routine operations, and maintain a simple exception and change control workflow so your small business can reduce risk and demonstrate NIST SP 800‑171 / CMMC 2.0 Level 2 compliance.