PCI Requirement 2.2.5 – Remove all Unnecessary Functionality
by Randy Bartels / June 30th, 2017
Removing All Unnecessary Functionality
PCI Requirement 2.2.5 states, “Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file system, and unnecessary web servers.” Unnecessary functions are yet another way that hackers could gain access to your system, so if a function is not needed, it needs to be shut off. The PCI DSS says that, “By removing all unnecessary functionality, organizations can focus on securing the functions that are required and reduce the risk that unknown functions will be exploited.” PCI Requirement 2.2.5 is not just focused on servers; it applies to protocols, ports, services, applications, databases, etc.
It is not the assessor’s job to define what is necessary or required for your business. That is the organization’s responsibility. It is the assessor’s job to verify that you are doing the things you say you’re doing to keep your system secure. When an assessor asks you to validate why you need a certain application or port, it’s not to challenge you. It’s to gain an understanding of the level of due diligence that your organization has gone to.
Like other PCI Requirement 2 sub-requirements, the way to test that your organization meets PCI Requirement 2.2.5 is to take a sample of system components and compare it to your configuration and hardening standards. An assessor will inspect the sample to see that all unnecessary functionality has been removed, that there is appropriate documentation that verifies enabled functions, and that only the documented functionality is present on the sample. For example, if an assessor finds unnecessary default services running, this would call into question whether or not you’ve actually hardened your assets.
The purpose of PCI Requirement 2.2.5 is to help protect your organization’s environment from becoming susceptible to malicious individuals. Like many other PCI Requirement 2 sub-requirements, PCI Requirement 2.2.5 hopes to protect your organization from providing opportunities for hackers to invade your environment. Just remember: if it is not needed, it needs to be removed. Once PCI Requirement 2.2.5 is met, your organization can focus on securing the functions that are required for your business.
PCI DSS Requirement 2.2.5
Moving along with the theme of removing things that are unnecessary, we come to the next requirement, PCI DSS Requirement 2.2.5. This requirement specifically states that we have to remove all unnecessary functionality. This would include protocols, ports, services, applications – really anything. Understand that this is not just focused on servers; this is your application layer, this is your database layer. It basically boils down to: if it’s not needed, it needs to be shut off. From an assessment perspective, it’s really not our job as assessors to define what’s required for your business. It’s not our job to state whether or not you truly need something or not.
When we’re asking those questions as assessors, like “Why do you need this?”, it’s not really to challenge you to say you don’t need it. It’s really to get an understanding of the level of due diligence that you’ve done around why this particular situation or why this particular configuration is required. For this assessment, what we’re doing is we’re going back and we’re looking at your configuration standards, looking at your hardening standards, and then we’re looking at what’s actually installed. Often times we find unnecessary default services running and once again, this calls into question whether or not you’ve hardened those assets.
