Safeguard 4.8 is required for Implementation Groups 2 and 3, but it is a great policy for everyone to deploy, as it calls for uninstalling or disabling any unnecessary services on your company devices or within software applications.

Start with the obvious question: if it's not needed, then why is it there?

Leaving unnecessary services and software (components) on your devices means you have to manage those components, and that includes patching, security concerns, and oftentimes the added costs of the components themselves.

Think of file sharing services, web application modules, service functions, server roles, old Apple QuickTime software (end of life in 2016), Adobe Flash (end of life in 2020), and so many others that were common tools for us as users.

Also think about your administrative habits. How many times have we left LANScanner, PuTTY, or other tools on Windows servers just so they were there when we needed them? When was the last time you updated or reviewed those services?

How many years are you going to maintain that old SQL Server or Exchange Server?

You can see why there is a threat here. Services on systems create potential security risks, so if a service is not needed, uninstall it, disable it, and block it on your firewall.

For compliance here you want to have two things.

First, you want to call out to Safeguards 1.1 and 2.1, which were your computer and software inventories, and have a process that reviews any services which those systems or applications use. Are those services still needed today? Document them!

Second, ensure your Acceptable Use Policy outlines that any installation of services like FTP, HTTP, SFTP, RDP (even on port 3390) and oh so many others must be approved and documented by IT first. This matters especially if you don't have a tool that scans your network and looks for these open ports and services.
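The two compliance steps above come down to comparing what is actually listening against what IT has approved and documented. A minimal sketch of that review follows; it is an added example, not part of the original post, and the host names, dates, register layout and the 365-day review interval are all constructed assumptions.

```python
from datetime import date

# Constructed sample data, not from the original post.
# Listeners found per host, e.g. exported from a network scan.
OBSERVED = [
    ("fs01", 445, "smb"),
    ("fs01", 21, "ftp"),
    ("app02", 3390, "rdp"),  # RDP on a nonstandard port still needs approval
    ("db01", 1433, "mssql"),
]

# Hypothetical approval register kept by IT:
# (host, port, service) -> date the entry was last reviewed.
APPROVED = {
    ("fs01", 445, "smb"): date(2024, 1, 15),
    ("db01", 1433, "mssql"): date(2021, 6, 1),
    ("web01", 80, "http"): date(2024, 2, 1),
}

def audit_services(observed, approved, today, max_age_days=365):
    """Compare observed listeners with the approval register.

    max_age_days is an assumed review interval; set it to your own policy.
    """
    seen = set(observed)
    known = set(approved)
    # Running but never approved and documented: uninstall, disable or get sign-off.
    unapproved = sorted(seen - known)
    # Approved and still running, but not reviewed within the interval.
    overdue = sorted(k for k in seen & known
                     if (today - approved[k]).days > max_age_days)
    # Documented but no longer found: retire the entry or find out why.
    not_observed = sorted(known - seen)
    return {"unapproved": unapproved, "overdue": overdue,
            "not_observed": not_observed}

if __name__ == "__main__":
    report = audit_services(OBSERVED, APPROVED, today=date(2024, 6, 1))
    for finding, entries in report.items():
        for host, port, service in entries:
            print(f"{finding:13} {host:6} {port:>5}/tcp {service}")
```

Matching on the full host, port and service triple means a service moved to a different port shows up as unapproved until the register is updated.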

I want to personally thank you for following along, and if you learned something new or found this content to be valuable, please like and share. Since I have started this journey, I am seeing more education around CIS Security and its framework throughout the industry.

Contact Info

717.884.9030

Scott@ScottRDavis.com