What are the recommended hardened services settings for Windows for PCI DSS, NERC-CIP, NIST 800-53 / 800-171 or other compliance standards?

Security best practice calls for minimizing your IT systems' attack surface. CIS Benchmark secure configuration guidance can be used to harden systems against attack: applying an expert-derived configuration policy removes known vulnerabilities and strengthens defenses.


Hardened Windows Service Configurations

PCI DSS V3.2: Requirement 2.2d 'Enabling only necessary services'

  • "Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server
  • Enabling only necessary services, protocols, daemons, etc., as required for the function of the system"


NIST SP 800-53 Rev 4: CM-7 LEAST FUNCTIONALITY

"The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]"


NERC-CIP: CIP-007-5 Cyber Security – Systems Security Management

"Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. Requirement R1 exists to reduce the attack surface of Cyber Assets by requiring entities to disable known unnecessary ports. The SDT intends for the entity to know what network accessible ("listening") ports and associated services are accessible on their assets and systems, whether they are needed for that Cyber Asset's function, and disable or restrict access to all other ports. 1.1. This requirement is most often accomplished by disabling the corresponding service or program that is listening on the port or configuration settings within the Cyber Asset"


The Center for Internet Security also recommends hardening services configurations, cutting back functionality to reduce further the opportunities to compromise a system. However, the demands of each organization, their IT services and their environment are all different, making it impossible to accurately prescribe a hardened services policy for every situation.

To help you get started with deriving your own hardened services policies, NNT in conjunction with Microsoft have provided the following Hardened Services checklists. You can manually audit your server for compliance using the checklists provided below, changing service mode and state using the Windows Services Console (search or run -> services.msc). As ever, it pays to test application and service delivery as you apply hardening measures to ensure required functionality is preserved while security is improved.
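
One way to script the manual checklist audit described above, as an added example that is not NNT's or Microsoft's own code. The baseline entries are constructed sample values rather than the published checklists, and the function name Test-ServiceBaseline is hypothetical.

```powershell
# Constructed sample baseline (NOT the NNT/Microsoft checklist): replace with your own policy.
# Name = service short name; StartMode = Auto | Manual | Disabled; State = Running | Stopped.
$baseline = @(
    [pscustomobject]@{ Name = 'Spooler';        StartMode = 'Disabled'; State = 'Stopped' }
    [pscustomobject]@{ Name = 'RemoteRegistry'; StartMode = 'Disabled'; State = 'Stopped' }
    [pscustomobject]@{ Name = 'EventLog';       StartMode = 'Auto';     State = 'Running' }
)

# Hypothetical helper: compares each baseline entry with the service's actual mode and state.
function Test-ServiceBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        # Defaults to the live service list; pass saved objects to audit offline.
        [object[]] $Services = (Get-CimInstance -ClassName Win32_Service)
    )
    $byName = @{}   # PowerShell hashtable literals are case-insensitive on keys
    foreach ($svc in $Services) { $byName[$svc.Name] = $svc }

    foreach ($want in $Baseline) {
        $have = $byName[$want.Name]
        if ($null -eq $have) {
            # A service that is not installed satisfies a "Disabled" policy,
            # but fails a policy that requires it to be present and running.
            [pscustomobject]@{
                Name = $want.Name; ExpectedMode = $want.StartMode; ActualMode = 'NotInstalled'
                ExpectedState = $want.State; ActualState = 'NotInstalled'
                Compliant = ($want.StartMode -eq 'Disabled')
            }
            continue
        }
        [pscustomobject]@{
            Name = $want.Name; ExpectedMode = $want.StartMode; ActualMode = $have.StartMode
            ExpectedState = $want.State; ActualState = $have.State
            Compliant = ($have.StartMode -eq $want.StartMode -and $have.State -eq $want.State)
        }
    }
}

$results = Test-ServiceBaseline -Baseline $baseline
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) service(s) deviate from the baseline." }
```

Deviations can then be corrected with Set-Service -StartupType and Stop-Service instead of the Services Console, retesting the applications the server hosts after each change.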


Copyright 2024, New Net Technologies LLC. All rights reserved. 