CM-7 Least Functionality
Description
Information systems can provide a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations (e.g., key missions and functions). It is also sometimes convenient to provide multiple services from a single information system component, but doing so increases risk compared with limiting the services provided by any one component.
Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing).
Organizations consider disabling unused or unnecessary physical and logical ports and protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hypertext Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling.
Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
Applicability
The intended audience includes information resource owners and custodians. This control pertains to information resources categorized as moderate or high impact.
Implementation
TAMU-CC shall:
- Configure the information system to provide only essential capabilities. Primary Custodians shall configure information resources according to the principle of least functionality; and
- Prohibit or restrict the use of the following functions, ports, protocols, and/or services:
  - File Transfer Protocol (FTP) – TCP (Port 21)
  - Telnet – TCP (Port 23)
  - Simple Mail Transfer Protocol (SMTP) – TCP (Port 25)
  - Domain Name System (DNS) – TCP & UDP (Port 53)
  - Trivial File Transfer Protocol (TFTP) – UDP (Port 69)
  - Post Office Protocol (POP) – TCP (Port 110)
  - Network Time Protocol (NTP) – UDP (Port 123)
  - MS RPC – TCP & UDP (Port 135)
  - NetBIOS/IP – TCP & UDP (Ports 137-139)
  - SMB/IP – TCP (Port 445)
  - Syslog – UDP (Port 514)
  - Simple Network Management Protocol (SNMP) – UDP (Ports 161-162)
  - Internet Relay Chat (IRC) – TCP (Ports 6660-6669)
  - Protocols that use non-secure methods (e.g., those that use plaintext authentication)
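The Description section notes that network scanning tools and host-based controls can be used to identify prohibited ports, protocols, and services. The following is an added example of such a check, written for this page; it is not TAMU-CC's own tooling. It parses the output of `ss -tulpnH` on a Linux host (the column layout "Netid State Recv-Q Send-Q Local:Port Peer:Port Process" is assumed) and reports every listening socket bound to a port on the list above. The sample `ss` output embedded in the script is constructed for the example, not captured from a real system.

```python
"""Audit a host's listening sockets against the CM-7 prohibited-port list.

Added example for this page, not TAMU-CC's own tooling. The `ss -tulpnH`
column layout is assumed; SAMPLE_SS below is constructed, not captured.
"""
import re
import subprocess
from dataclasses import dataclass

# Ports and transports from the policy list above; ranges are expanded.
PROHIBITED: dict[tuple[str, int], str] = {
    ("tcp", 21): "FTP",
    ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("udp", 69): "TFTP",
    ("tcp", 110): "POP",
    ("udp", 123): "NTP",
    ("tcp", 135): "MS RPC", ("udp", 135): "MS RPC",
    ("tcp", 445): "SMB/IP",
    ("udp", 514): "Syslog",
}
for _p in range(137, 140):
    PROHIBITED[("tcp", _p)] = PROHIBITED[("udp", _p)] = "NetBIOS/IP"
for _p in (161, 162):
    PROHIBITED[("udp", _p)] = "SNMP"
for _p in range(6660, 6670):
    PROHIBITED[("tcp", _p)] = "IRC"


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    addr: str      # local bind address as printed by ss
    port: int
    process: str   # process name from the Process column, or "?"


_PROC_RE = re.compile(r'\("([^"]+)"')  # first name inside users:(("name",pid=..))


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -tulpnH` output into Listener records; malformed lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")  # handles "[::]:21" and "*:6667"
        if not port.isdigit():
            continue
        m = _PROC_RE.search(line)
        listeners.append(Listener(fields[0], addr, int(port), m.group(1) if m else "?"))
    return listeners


def audit(listeners: list[Listener]) -> list[tuple[str, Listener]]:
    """Return (policy service name, listener) for each listener on a prohibited port."""
    return [(PROHIBITED[(l.proto, l.port)], l)
            for l in listeners if (l.proto, l.port) in PROHIBITED]


def run_audit() -> list[tuple[str, Listener]]:
    """Live check against this host (Linux with iproute2; needs root to see process names)."""
    result = subprocess.run(["ss", "-tulpnH"], capture_output=True, text=True, check=True)
    return audit(parse_ss(result.stdout))


# Constructed sample output in the assumed `ss -tulpnH` layout.
SAMPLE_SS = """\
udp   UNCONN 0   0      0.0.0.0:69     0.0.0.0:*  users:(("in.tftpd",pid=812,fd=4))
udp   UNCONN 0   0      0.0.0.0:123    0.0.0.0:*  users:(("chronyd",pid=640,fd=5))
tcp   LISTEN 0   128    0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0   5      [::]:21        [::]:*     users:(("vsftpd",pid=900,fd=3))
tcp   LISTEN 0   511    127.0.0.1:25   0.0.0.0:*  users:(("master",pid=950,fd=13))
tcp   LISTEN 0   4096   *:6667         *:*        users:(("ircd",pid=1100,fd=6))
"""

if __name__ == "__main__":
    for service, l in audit(parse_ss(SAMPLE_SS)):
        print(f"VIOLATION {service:8} {l.proto}/{l.port:<5} {l.addr:12} {l.process}")
```

Running the script on the sample flags TFTP, NTP, FTP, SMTP, and IRC and ignores SSH on port 22. A listener bound only to 127.0.0.1 (the SMTP entry) is still reported, because the policy says "prohibit or restrict"; whether a loopback-only mail submission socket is an acceptable restriction is for the Primary Custodian to decide and document, not for the script to assume. The check covers listening sockets only; it does not detect outbound use of a prohibited protocol, which needs the network-level scanning or IDS/IPS controls the Description mentions.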
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019