Disable Unnecessary Features
Plain English Translation
Organizations must secure their devices by turning off any features, services, and ports that are not actively required for business operations. This includes removing old or unsupported software, which reduces the overall attack surface and limits the ways cybercriminals can breach the system.
Technical Implementation
Required Actions (startup)
- Manually disable default services and features not needed for daily operations.
- Configure host-based firewalls to close unused network ports.
- Uninstall bundled or unused software from workstations and servers.
Required Actions (scaleup)
- Develop a secure baseline configuration standard for servers and endpoints.
- Use vulnerability scanning tools to routinely identify unused network services and daemons.
- Implement a hardening checklist for disabling default services and features in IT deployments.
Required Actions (enterprise)
- Enforce secure configuration management for endpoints and servers using MDM, GPO, or configuration management tools.
- Automate the identification and removal of obsolete software and unsupported applications across the fleet.
- Continuously monitor for and alert on configuration drift from established baselines.
CyberSecure Canada Section 5.4.2.1(b) requires organizations to implement secure configurations by turning off unnecessary features, which includes blocking unused ports, disabling unused services, and removing unused or obsolete software.
Administrators should compare currently running services against documented secure baseline configuration standards for servers and endpoints to identify and turn off anything not explicitly required for business operations.
Organizations use network and vulnerability scanning tools to identify open ports, and then apply strict firewall rules to block unused ports on a firewall or local host.
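One way to run the baseline comparison described above on a Linux host, as an added example that is not part of the original guidance: it parses listening sockets from `ss -H -tuln` output and reports anything outside an approved baseline. The sample output, the `BASELINE` set and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not from a real host).
SAMPLE_SS = """\
tcp  LISTEN 0  128        0.0.0.0:22     0.0.0.0:*
tcp  LISTEN 0  128           [::]:22        [::]:*
tcp  LISTEN 0  511        0.0.0.0:443    0.0.0.0:*
tcp  LISTEN 0  32               *:21           *:*
tcp  LISTEN 0  5        127.0.0.1:631    0.0.0.0:*
udp  UNCONN 0  0    127.0.0.53%lo:53     0.0.0.0:*
udp  UNCONN 0  0          0.0.0.0:5353   0.0.0.0:*
"""

# Hypothetical approved baseline: (protocol, port) pairs the business requires.
BASELINE = {("tcp", 22), ("tcp", 443), ("tcp", 25)}

def parse_listeners(ss_output):
    """Map (proto, port) -> set of bind addresses found in the ss output."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or truncated line
        addr, _, port = fields[4].rpartition(":")  # last ':' separates the port
        if not port.isdigit():
            continue
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
        listeners.setdefault((fields[0], int(port)), set()).add(addr)
    return listeners

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" wildcard or unparsable: treat as network-reachable

def drift_report(ss_output, baseline):
    """Classify listeners that are not in the baseline, plus unused baseline entries."""
    seen = parse_listeners(ss_output)
    report = {"exposed": [], "loopback_only": []}
    for key in sorted(seen):
        if key not in baseline:
            local = all(is_loopback(a) for a in seen[key])
            report["loopback_only" if local else "exposed"].append(key)
    # Baseline entries with no listener: candidates for pruning from the standard.
    report["stale_baseline"] = sorted(baseline - set(seen))
    return report

if __name__ == "__main__":
    print(drift_report(SAMPLE_SS, BASELINE))
```

Entries under `exposed` are the ones to disable or block first; `loopback_only` listeners are not reachable from the network but still belong in the review.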
The best approach is to maintain a hardening checklist for disabling default services and features, or an internal hardening standard, that is reviewed annually and consistently applied to all new deployments.
Configurations should be reviewed periodically, typically at least annually or after major system changes, supported by continuous or monthly vulnerability scanning to catch deviations.
Attack surface reduction in cybersecurity means minimizing the number of possible entry points for an attacker. Disabling unused network services and daemons directly eliminates potential vulnerabilities that could be exploited.
Organizations should test the removal of obsolete software and unsupported applications in an isolated staging environment first to ensure it does not negatively impact dependent critical business processes.
Auditors expect documented internal hardening standards, clean vulnerability scan results showing no unnecessary open ports or end-of-life software, and firewall configurations that demonstrate a default-deny posture.
Organizations can use Group Policy Objects (GPO), Mobile Device Management (MDM) profiles, or Infrastructure as Code to automatically disable unused network services and daemons across all enrolled endpoints and servers.
Regular vulnerability scanning and automated secure configuration management for endpoints and servers can detect unauthorized changes and automatically revert them, preventing configuration drift.
Auditors typically want to see a consistent hardening standard and proof it’s applied. Tools like WatchDog Security's Compliance Center can map your hardening checklist, scan results, and firewall evidence to CSC-05-010 and highlight gaps when artifacts are missing or out of date.
Configuration drift happens when systems deviate from approved baselines over time, reintroducing risky services or ports. Tools like WatchDog Security's Posture Management can help detect misconfigurations aligned to baseline expectations and provide remediation guidance you can track as evidence.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |