Disable or Remove Unneeded Server Features
Remove unnecessary accounts and features from servers to enhance security.
Plain language
This control is about making sure you keep only what you really need on your servers. Unnecessary accounts and features are weak spots that attackers can exploit, which could lead to data breaches or service disruptions. It's like using only the doors and windows you need and keeping them securely locked, while sealing off the ones you don't use so burglars can't get in.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Unneeded user accounts, components, services and functionality of server applications are disabled or removed.
Why it matters
Excess server features expand the attack surface; unnecessary services/components can be exploited to gain unauthorised access, leading to compromise or data breach.
Operational notes
Maintain a hardened baseline: regularly review installed server roles/features, disable or remove anything not required, and verify services/accounts are not left enabled by default.
Implementation tips
- System owners should take an inventory of all user accounts on each server to identify which ones are unnecessary. This can be done by reviewing account lists and comparing them against current staff and service needs; any accounts not in use should be flagged for removal.
- The IT team should review all installed server components and services to identify any that are not required for daily operations. This involves checking each server's configuration and disabling or uninstalling anything unnecessary to reduce potential entry points for attackers.
- Managers should ensure that there is a regular schedule for reviewing server configurations to add or remove features as business needs change. This means setting a recurring calendar event every few months to reassess server requirements and adjust configurations accordingly.
- IT teams should establish a protocol for immediately disabling unused accounts and features when employees leave or services are discontinued. This can include checklists for account closure and service deactivation as part of the employee exit or service shutdown process.
- Procurement teams should be tasked with ensuring that new server systems or software purchases include only the features that are necessary. This involves careful review of user needs and liaising with IT specialists to avoid acquiring products with extra, potentially vulnerable, features.
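The operational note and the inventory tips above come down to one recurring check: compare what is actually enabled or present on a host with an approved baseline and flag everything else. As an added example (not from the ISM or this Control Stack page), the POSIX shell script below does that for both services and login accounts; the baseline names and the "captured" host lists are constructed sample data, and the `systemctl`/`/etc/passwd` commands mentioned in the comments are only suggested sources for real input.

```shell
#!/bin/sh
# Baseline-deviation check (added example; constructed sample data, not real host output).
# Reports enabled services and login accounts that an approved baseline does not allow.
# On a real host, feed it `systemctl list-unit-files --state=enabled --no-legend | cut -d' ' -f1`
# and `cut -d: -f1 /etc/passwd` instead of the constructed captures below.

# Approved baseline (assumed names, one per line).
BASELINE_SERVICES='sshd
nginx
chronyd'
BASELINE_ACCOUNTS='root
webadmin
svc-nginx'

# Constructed capture of what is actually enabled / present on the host.
ENABLED_SERVICES='sshd
nginx
chronyd
telnet
cups
avahi-daemon'
LOGIN_ACCOUNTS='root
webadmin
svc-nginx
guest
oldcontractor'

# baseline_deviations APPROVED OBSERVED
# Prints each observed item (deduplicated, sorted) missing from the approved list.
# grep -xF matches whole lines literally, so "ssh" is not accepted for "sshd".
baseline_deviations() {
  printf '%s\n' "$2" | LC_ALL=C sort -u | while IFS= read -r item; do
    [ -n "$item" ] || continue
    if ! printf '%s\n' "$1" | grep -qxF -- "$item"; then
      printf '%s\n' "$item"
    fi
  done
}

# deviation_count APPROVED OBSERVED -> number of items outside the baseline
deviation_count() {
  baseline_deviations "$1" "$2" | wc -l | tr -d ' '
}

# Review report: each item needs a documented justification or should be disabled/removed.
echo "Services enabled outside the baseline:"
baseline_deviations "$BASELINE_SERVICES" "$ENABLED_SERVICES"
echo "Accounts present outside the baseline:"
baseline_deviations "$BASELINE_ACCOUNTS" "$LOGIN_ACCOUNTS"
```

Run on a schedule, the output is the deviation list a configuration review meeting works from, and a non-zero `deviation_count` is a simple trigger for an alert.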
Audit / evidence tips
- Ask: a list of all server user accounts. The list should include the role associated with each account and when it was last used.
  Good: shows regular updates and justification for all active accounts.
- Ask: a record of recent configuration review meetings. These documents should show who attended, what was reviewed, and what changes were agreed upon.
  Good: record shows regular and robust review processes.
- Ask: procedures on disabling accounts and services. This should include checklists or guidelines used when an employee exits or when a service is retired.
- Good: includes evaluation reports and notes on the necessity of each feature purchased.
Cross-framework mappings
How ISM-1247 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | E8-AH-ML3.2 | E8-AH-ML3.2 requires organisations to disable or remove Windows PowerShell 2.0 |
| Partially overlaps | E8-PA-ML1.9 | ISM-1247 requires unneeded user accounts, components, services and functionality of server applications to be disabled or removed |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.