Every unnecessary feature on your Windows Server is a potential attack surface. It’s a basic hardening principle, yet I still find environments riddled with dormant services just waiting to be exploited. Think of it as leaving extra doors and windows unlocked just because you don’t use them.
Telnet, TFTP, even IIS if it’s not serving a purpose – these aren’t benign. They are entry points, potential privilege escalation vectors, or data exfiltration routes. Why give an attacker more options than they need? Removing them reduces your attack surface dramatically.
This isn’t rocket science. It’s fundamental hygiene. If you’re not actively using a feature, it needs to go. This simple step blocks a significant number of common attack paths.
Start by auditing what’s enabled.
Get-WindowsOptionalFeature -Online | Where-Object State -eq 'Enabled'
Then, systematically disable and remove what isn’t strictly necessary for your server’s function.
The fix
# PowerShell — list enabled features
Get-WindowsOptionalFeature -Online | Where-Object State -eq 'Enabled'
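For the disable-and-remove step, the following is an added example, not part of the original post. The function name `Remove-UnneededFeature`, its switches, and the candidate feature names are assumptions for illustration; confirm the names against your own audit output before applying.

```powershell
# Added example. Run from an elevated PowerShell session.
# Remove-UnneededFeature is a hypothetical helper, not a built-in cmdlet.
function Remove-UnneededFeature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$FeatureName,   # features this server does not need
        [switch]$Apply,           # without -Apply the function only reports
        [switch]$RemovePayload    # also delete the feature's files from disk
    )

    # Act only on requested features that are actually enabled on this host.
    $enabled = Get-WindowsOptionalFeature -Online |
        Where-Object { $_.State -eq 'Enabled' -and $_.FeatureName -in $FeatureName }

    foreach ($feature in $enabled) {
        $row = [ordered]@{ FeatureName = $feature.FeatureName; Action = 'WouldDisable'; RestartNeeded = $null }
        if ($Apply) {
            $params = @{
                Online      = $true
                FeatureName = $feature.FeatureName
                NoRestart   = $true      # schedule the reboot yourself
                ErrorAction = 'Stop'
            }
            if ($RemovePayload) { $params.Remove = $true }
            try {
                $result = Disable-WindowsOptionalFeature @params
                $row.Action = 'Disabled'
                $row.RestartNeeded = $result.RestartNeeded
            } catch {
                # Keep going so one failure does not hide the rest of the report.
                $row.Action = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }
}

# Candidate names are assumptions; match them to the FeatureName column of the audit.
$candidates = 'TelnetClient', 'TFTP', 'IIS-WebServerRole'

Remove-UnneededFeature -FeatureName $candidates            # report only
# Remove-UnneededFeature -FeatureName $candidates -Apply   # disable, reboot later
```

Re-run the audit command after the reboot to confirm the features no longer report as Enabled.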
Reference: CIS Windows Server Benchmark 2.1