Georgetown University has adopted the configuration management principles established in the NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support, and be compliant with, the University information security framework.

The principle of least functionality requires that information systems be configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services, that are not integral to the operation of that information system.

Least Functionality Requirements

  1. Configure information systems to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, and/or services that are not required for the business function of the information system.

  2. Limit component functionality to a single function per device (e.g. database server, web server, etc.), where feasible.

  3. Disable any functions, ports, protocols, and services within an information system that are deemed to be unnecessary and/or non-secure.

  4. Specifically prohibit or restrict the use of functions, ports, protocols, and/or services, at a minimum in accordance with the Restricted List of Ports, Protocols, and/or Services.

  5. Identify and remove/disable unauthorized and/or non-secure functions, ports, protocols, services, and applications.

  6. Prevent program execution in accordance with the list of authorized software programs, the restrictions on software program usage, and/or the rules authorizing the terms and conditions of software program usage.
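Requirements 1, 3, 4 and 5 amount to one recurring check: compare what a host actually exposes (listening sockets, enabled services) against an allowlist for its single business function and against the Restricted List. The script below is an added example of that check, not part of the University policy or any Georgetown tooling. The allowlist and restricted list contents, the service names, and the `ss`/`systemctl` parsing in the `live_*` helpers are assumptions chosen for a hypothetical single-function web server; the sample inventory it audits by default is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Least-functionality audit (added example). Items are "key description" lines:
#   key for sockets  = proto/port   (e.g. tcp/443 nginx)
#   key for services = unit name    (e.g. nginx.service)
# A key on the restricted list is always a finding; a key not on the
# allowlist is a finding. Findings go to stderr, the finding count to stdout.

# Assumed allowlist for a single-function HTTPS server (policy item 2):
# management SSH plus the service port, nothing else.
ALLOWED_PORTS="tcp/22 tcp/443"
ALLOWED_SERVICES="sshd.service nginx.service"

# Assumed Restricted List entries (cleartext remote access, file sharing,
# TFTP, unauthenticated SNMP); the real list is the University's own.
RESTRICTED_PORTS="tcp/21 tcp/23 udp/69 tcp/445 tcp/3389 udp/161"
RESTRICTED_SERVICES="telnet.socket vsftpd.service smbd.service"

# audit ALLOWED RESTRICTED  (reads "key description" lines on stdin)
audit() {
  allowed=" $1 "
  restricted=" $2 "
  n=0
  while read -r key desc; do
    [ -z "$key" ] && continue
    case "$restricted" in
      *" $key "*) echo "RESTRICTED   $key $desc" >&2; n=$((n + 1)); continue ;;
    esac
    case "$allowed" in
      *" $key "*) ;;                                   # authorized, no finding
      *) echo "UNAUTHORIZED $key $desc" >&2; n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Live collectors for a real host (assumption: iproute2 `ss` and systemd).
# Output is normalized to the "key description" form audit() expects.
live_ports() {
  # -l listening, -t/-u tcp+udp, -n numeric, -p owning process, -H no header
  ss -ltnupH 2>/dev/null | awk '{
    n = split($5, a, ":");                # local address, port is the last field
    proc = ($7 != "") ? $7 : "-";
    print $1 "/" a[n], proc }'
}
live_services() {
  systemctl list-unit-files --state=enabled --no-legend 2>/dev/null | awk '{ print $1 }'
}

# Constructed sample inventory standing in for live output; two findings expected:
# telnetd on tcp/23 (restricted) and snmpd on udp/161 (restricted).
SAMPLE_PORTS='tcp/22 sshd
tcp/443 nginx
tcp/23 telnetd
udp/161 snmpd'
SAMPLE_SERVICES='sshd.service
nginx.service
cups.service'

if [ "$1" = "--live" ]; then
  p=$(live_ports | audit "$ALLOWED_PORTS" "$RESTRICTED_PORTS")
  s=$(live_services | audit "$ALLOWED_SERVICES" "$RESTRICTED_SERVICES")
else
  p=$(printf '%s\n' "$SAMPLE_PORTS" | audit "$ALLOWED_PORTS" "$RESTRICTED_PORTS")
  s=$(printf '%s\n' "$SAMPLE_SERVICES" | audit "$ALLOWED_SERVICES" "$RESTRICTED_SERVICES")
fi
echo "port findings: $p, service findings: $s"
```

Run it without arguments to see the audit on the constructed sample (three findings: two restricted ports and the unlisted cups.service); run it with `--live` on a host to audit the real socket and unit inventory. Anything it reports is a candidate for item 5 (remove or disable) and, for restricted entries, a policy violation regardless of business justification.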