Disable Unneeded Accounts, Components, Services and Application Functionality
Unneeded user accounts, components, services and functionality within user applications must be disabled or removed so that nothing extra remains available for an attacker to misuse.
Plain language
Software and systems often ship with far more than your people actually use: spare login accounts, optional add-ons (components), background services, and built-in features inside everyday programs like web browsers, email clients and office software. This control says to switch off or delete anything you do not need. Each of these four areas matters: (1) **user accounts** that are no longer used, such as leftover logins from people who have left or test accounts; (2) **components**, which are optional add-on parts of an application; (3) **services**, which are background processes the software runs; and (4) **functionality of user applications**, meaning specific features inside the programs your staff use day to day. The idea is simple. The fewer accounts, parts and features that exist, the fewer ways there are for an attacker to get in or cause harm. This is often called reducing the "attack surface". A feature that is turned off cannot be exploited, so cleaning out the unused ones makes your systems both tidier and safer.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
June 2026
Control Stack last updated
18 June 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardeningSection
User Application HardeningOfficial control statement
Unneeded user accounts, components, services and functionality of user applications are disabled or removed.
Why it matters
Unused accounts, components, services and app features each give attackers an extra way in. Removing them shrinks the attack surface and lowers the chance of a breach.
Operational notes
Treat this as ongoing, not a one-off. Re-check accounts, components, services and application features after every software update, since upgrades can re-enable items you previously removed.
Implementation tips
- The IT team should build and maintain a list of every user account on each system, then disable or delete any account that no longer belongs to an active, authorised user, including leftover logins from departed staff, test accounts and default vendor accounts.
- System owners should review the optional components and add-ons installed with each user application and remove the ones the business does not use, so that only the parts staff actually rely on remain present.
- IT administrators should examine the background services each application or system runs and stop any that are not needed for the way your organisation uses that software, reducing the number of running processes that could be targeted.
- Whoever configures the standard build for user applications such as web browsers, email clients and office suites should turn off built-in features that are not required, for example unused scripting, automatic content downloads or legacy file formats, and apply that hardened configuration to every machine.
- IT should record this hardened baseline in a documented standard and re-check accounts, components, services and application features whenever software is updated or a new version is rolled out, because updates can quietly re-enable things that were previously switched off.
Audit / evidence tips
- Askhow the organisation identifies and removes unneeded user accountsLook ata current account list with disabled or deleted entries tied to departures, test accounts and default accountsGoodshows accounts are reviewed on a schedule and removed promptly with records kept
- Askwhich optional components of user applications have been removed and whyLook atdocumentation listing the components removed from each applicationGoodexplains that only components the business actually uses remain installed
- Askwhat background services have been disabled and how that decision was madeLook ata list of stopped services with a reason for eachGoodties each disabled service to it not being needed for business use
- Askto see the hardened configuration applied to user applications such as browsers, email clients and office softwareLook ata documented standard that turns off unneeded built-in featuresGoodshows the same hardened settings applied consistently across all machines
- Askhow the four areas are kept clean after software updatesLook atevidence that accounts, components, services and application features are re-checked after upgradesGoodshows updates do not silently re-enable removed items
Cross-framework mappings
How ISM-1470 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
layersPartially meets(2)expand_less | ||
sync_altPartially overlaps(2)expand_less | ||
linkRelated(2)expand_less | ||
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
Related ASD ISM controls in System hardening
See all Guidelines for system hardening controls, or browse the full ASD ISM library.