STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← CM-7 (1) — Least Functionality

CCI-001762

Definition

Disable or remove organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure.

Parent Control

CM-7 (1)Least FunctionalityConfiguration Management

Linked STIG Checks (101)

V-214266CAT IIThe Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.Apache Server 2.4 UNIX Server Security Technical Implementation Guide V-214390CAT IIThe Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.Apache Server 2.4 Windows Site Security Technical Implementation Guide V-237335CAT IIThe organization must disable organization-defined functions, ports, protocols, and services within the ArcGIS Server deemed to be unnecessary and/or nonsecure.ArcGIS for Server 10.3 Security Technical Implementation Guide V-272638CAT IICylanceON-PREM must disable all functions, ports, protocols and services not required.Arctic Wolf CylanceON-PREM Security Technical Implementation Guide V-251641CAT IIIDMS terminal and lines that are not secure must be disabled.CA IDMS Security Technical Implementation Guide V-233190CAT IIAll non-essential, unnecessary, and unsecure DoD ports, protocols, and services must be disabled in the container platform.Container Platform Security Requirements Guide V-233548CAT IIPostgreSQL must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.Crunchy Data PostgreSQL Security Technical Implementation Guide V-261926CAT IIPostgreSQL must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accordance with the Ports, Protocols, and Services Management (PPSM) guidance.Crunchy Data Postgres 16 Security Technical Implementation Guide V-206599CAT IIThe DBMS must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.Database Security Requirements Guide V-235776CAT IITCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-235837CAT IIDocker Enterprise network ports on all running containers must be limited to what is needed.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-279960CAT IIThe platform on which the name server software is hosted must be configured to respond to DNS traffic only.Domain Name System (DNS) Security Requirements Guide V-271027CAT IIThe Syslog client must use TCP connections.Dragos Platform 2.x Security Technical Implementation Guide V-224203CAT IIThe EDB Postgres Advanced Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide V-213628CAT IIThe EDB Postgres Advanced Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide V-259286CAT IIThe EDB Postgres Advanced Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide V-278389CAT IINGINX must be configured to prohibit or restrict using ports, protocols, and/or services.F5 NGINX Security Technical Implementation Guide V-245538CAT IIUse of the QUIC protocol must be disabled.Google Chrome Current Windows Security Technical Implementation Guide V-213726CAT IIDB2 must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.IBM DB2 V10.5 LUW Security Technical Implementation Guide V-24398CAT IDial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems. IBM Hardware Management Console (HMC) STIG V-25388CAT IProduct engineering access to the Hardware Management Console must be disabled.IBM Hardware Management Console (HMC) STIG V-256870CAT IDial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems.IBM Hardware Management Console (HMC) Security Technical Implementation Guide V-224781CAT IIAll Web applications included with Apache Tomcat that are not required must be removed.ISEC7 Sphere Security Technical Implementation Guide V-224782CAT IILockOutRealm must not be removed from Apache Tomcat.ISEC7 Sphere Security Technical Implementation Guide V-224788CAT IIStack tracing must be disabled in Apache Tomcat.ISEC7 Sphere Security Technical Implementation Guide V-241799CAT IIThe default mysql_secure_installation must be installed.Jamf Pro v10.x EMM Security Technical Implementation Guide V-213875CAT IISQL Server must disable communication protocols not required for operation.MS SQL Server 2014 Instance Security Technical Implementation Guide V-253734CAT IIMariaDB must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.MariaDB Enterprise 10.x Security Technical Implementation Guide V-220384CAT IIMarkLogic Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accordance with Ports, Protocols, and Services Management (PPSM) guidance.MarkLogic Server v9 Security Technical Implementation Guide V-74211CAT IThe Solidcore client Command Line Interface (CLI) must be in lockdown mode.McAfee Application Control 7.x Security Technical Implementation Guide V-255346CAT IIAzure SQL Database must only use approved firewall settings deemed by the organization to be secure, including denying public network access.Microsoft Azure SQL Database Security Technical Implementation Guide V-255347CAT IIAzure SQL Database must only use approved firewall settings deemed by the organization to be secure, including denying azure services access to the server.Microsoft Azure SQL Database Security Technical Implementation Guide V-276246CAT IIThe Azure SQL Managed Instance must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.Microsoft Azure SQL Managed Instance Security Technical Implementation Guide V-225238CAT IIUpdate and configure the .NET Framework to support TLS.Microsoft DotNet Framework 4.0 Security Technical Implementation Guide V-221256CAT IIExchange services must be documented and unnecessary services must be removed or disabled.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-228403CAT IIExchange services must be documented and unnecessary services must be removed or disabled.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-259635CAT IIExchange services must be documented, and unnecessary services must be removed or disabled.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259702CAT IIExchange services must be documented, and unnecessary services must be removed or disabled.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-218817CAT IIThe IIS 10.0 web server must not be running on a system providing any other role.Microsoft IIS 10.0 Server Security Technical Implementation Guide V-218818CAT IIThe Internet Printing Protocol (IPP) must be disabled on the IIS 10.0 web server.Microsoft IIS 10.0 Server Security Technical Implementation Guide V-218766CAT IIThe IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines.Microsoft IIS 10.0 Site Security Technical Implementation Guide V-260941CAT IIThe network ports on all running containers must be limited to required ports.Mirantis Kubernetes Engine Security Technical Implementation Guide V-265943CAT IIThe DBMS must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide V-279382CAT IIMongoDB must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide V-270558CAT IIOracle Database must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.Oracle Database 19c Security Technical Implementation Guide V-235167CAT IIThe MySQL Database Server 8.0 must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.Oracle MySQL 8.0 Security Technical Implementation Guide V-214048CAT IIPostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.PostgreSQL 9.x Security Technical Implementation Guide V-254566CAT IIRancher RKE2 runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.Rancher Government Solutions RKE2 Security Technical Implementation Guide V-251215CAT IIRedis Enterprise DBMS must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.Redis Enterprise 6.x Security Technical Implementation Guide V-240997CAT IIFirewall rules must be configured on the Tanium Server for Console-to-Server communications.Tanium 7.0 Security Technical Implementation Guide V-241014CAT IIFirewall rules must be configured on the Tanium Server for Server-to-Database communications.Tanium 7.0 Security Technical Implementation Guide V-241041CAT IIFirewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.Tanium 7.0 Security Technical Implementation Guide V-241042CAT IIFirewall rules must be configured on the Tanium Server for Server-to-Module Server communications.Tanium 7.0 Security Technical Implementation Guide V-241043CAT IIFirewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.Tanium 7.0 Security Technical Implementation Guide V-234057CAT IIFirewall rules must be configured on the Tanium Server for Console-to-Server communications.Tanium 7.3 Security Technical Implementation Guide V-234075CAT IIFirewall rules must be configured on the Tanium Server for Server-to-Database communications.Tanium 7.3 Security Technical Implementation Guide V-234102CAT IIFirewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.Tanium 7.3 Security Technical Implementation Guide V-234103CAT IIFirewall rules must be configured on the Tanium Server for Server-to-Module Server communications.Tanium 7.3 Security Technical Implementation Guide V-234104CAT IIFirewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.Tanium 7.3 Security Technical Implementation Guide V-254942CAT IIFirewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-254943CAT IIFirewall rules must be configured on the Tanium Server for Server-to-Module Server communications.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-254944CAT IIFirewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-253822CAT IIFirewall rules must be configured on the Tanium Server for Console-to-Server communications.Tanium 7.x Security Technical Implementation Guide V-253836CAT IIFirewall rules must be configured on the Tanium Server for server-to-database communications.Tanium 7.x Security Technical Implementation Guide V-253856CAT IIFirewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.Tanium 7.x Security Technical Implementation Guide V-253857CAT IIFirewall rules must be configured on the Tanium Server for Server-to-Module Server communications.Tanium 7.x Security Technical Implementation Guide V-253858CAT IIFirewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.Tanium 7.x Security Technical Implementation Guide V-213327CAT IThe Solidcore client Command Line Interface (CLI) must be in lockdown mode.Trellix Application Control 8.x Security Technical Implementation Guide V-234526CAT IIThe UEM server must disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.Unified Endpoint Management Server Security Requirements Guide V-240081CAT IIHAProxy psql-local frontend must be bound to port 5433.VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide V-240082CAT IIHAProxy vcac frontend must be bound to ports 80 and 443.VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide V-240083CAT IIHAProxy vro frontend must be bound to the correct port 8283.VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide V-240342CAT IIvRA Postgres must be configured to use the correct port.VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide V-239810CAT IIThe vROps PostgreSQL DB must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.VMW vRealize Operations Manager 6.x PostgreSQL Security Technical Implementation Guide V-240266CAT IILighttpd must not be configured to listen to unnecessary ports.VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide V-240857CAT IItc Server HORIZON must be configured with the appropriate ports.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240858CAT IItc Server VCO must be configured with the appropriate ports.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240859CAT IItc Server VCAC must be configured with the appropriate ports.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-241713CAT IItc Server UI must be configured with the appropriate ports.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241714CAT IItc Server CaSa must be configured with the appropriate ports.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241715CAT IItc Server API must be configured with the appropriate ports.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-256703CAT IIESX Agent Manager must be configured with the appropriate ports.VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide V-256734CAT IILookup Service must be configured with the appropriate ports.VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-256641CAT IIPerformance Charts must be configured with the appropriate ports.VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-256598CAT IIVMware Postgres must be configured to use the correct port.VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide V-256771CAT IIThe Security Token Service must be configured with the appropriate ports.VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide V-256807CAT IIvSphere UI must be configured with the appropriate ports.VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide V-259174CAT IIThe vCenter PostgreSQL service must be configured to use an authorized port.VMware vSphere 8.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide V-206428CAT IIThe web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.Web Server Security Requirements Guide V-224352CAT IVendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.zOS WebSphere Application Server for ACF2 Security Technical Implementation Guide V-224353CAT IIThe WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.zOS WebSphere Application Server for ACF2 Security Technical Implementation Guide V-225621CAT IVendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.zOS WebSphere Application Server for TSS Security Technical Implementation Guide V-225622CAT IIThe WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.zOS WebSphere Application Server for TSS Security Technical Implementation Guide V-224363CAT IIWebSphere MQ dead letter and alias dead letter queues are not properly defined.zOS WebSphere MQ for ACF2 Security Technical Implementation Guide V-224370CAT IIWebSphere MQ RESLEVEL resources in the appropriate ADMIN resource class must be protected in accordance with security requirements.zOS WebSphere MQ for ACF2 Security Technical Implementation Guide V-224560CAT IIWebSphere MQ dead letter and alias dead letter queues are not properly defined.zOS WebSphere MQ for RACF Security Technical Implementation Guide V-224567CAT IIWebSphere MQ RESLEVEL resources in the appropriate ADMIN resource class must be protected in accordance with security requirements.zOS WebSphere MQ for RACF Security Technical Implementation Guide V-225632CAT IIWebSphere MQ dead letter and alias dead letter queues are not properly defined.zOS WebSphere MQ for TSS Security Technical Implementation Guide V-225639CAT IIWebSphere MQ RESLEVEL resources in the appropriate ADMIN resource class must be protected in accordance with security requirements.zOS WebSphere MQ for TSS Security Technical Implementation Guide V-224549CAT IVendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.zOS Websphere Application Server for RACF Security Technical Implementation Guide V-224550CAT IIThe WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.zOS Websphere Application Server for RACF Security Technical Implementation Guide