Lesson 5.4 — Unnecessary software, services and system utilities: reducing attack surface

This lesson helps the learner identify, review and remove or disable unnecessary software, applications, system utilities and network services across in-scope devices and systems.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • identify unnecessary applications, system utilities and network services
  • decide whether to keep, remove or disable them
  • collect appropriate evidence
  • record any software or service risks that need to be carried into security update management

Why This Matters

This lesson explains how unnecessary software increases attack surface, update workload and Cyber Essentials Plus failure risk, and gives learners a practical way to create a software and service clean-up record.

The most common problems are:

  • reviewing only visible desktop applications;
  • forgetting services running in the background;
  • forgetting browser extensions;
  • forgetting SaaS integrations and OAuth apps.

The Core Rule

Cyber Essentials expects organisations to regularly remove or disable unnecessary software, including applications, system utilities and network services.

Unnecessary software increases attack surface, creates update work and can introduce avoidable vulnerabilities.

What the CE Assessor Looks For

A strong position shows:

  • software inventory exists for main device groups;
  • standard builds exist for common device types;
  • unnecessary applications are removed;
  • unnecessary system utilities are removed or restricted;
  • unnecessary network services are disabled;
  • old remote access tools are removed.

Common Mistakes

  • reviewing only visible desktop applications;
  • forgetting services running in the background;
  • forgetting browser extensions;
  • forgetting SaaS integrations and OAuth apps;
  • forgetting cloud-hosted servers;
  • removing server services blindly without dependency checks.

Copy This

Keep this rule visible:

If it is not required for the device or system to do its job, remove it or disable it.

Quick Checklist

Before moving on, make sure you can answer these:

  • [ ] What does Cyber Essentials require regarding unnecessary software?
  • [ ] What is attack surface?
  • [ ] Why should unnecessary software be removed?
  • [ ] What is the difference between removing and disabling?
  • [ ] Why should server services not be removed blindly?

Your Action

Do this now — it takes 10–20 minutes.

List unnecessary software, services, or features that are installed but not needed. Plan which to remove. Add to Section SC.
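
One way to draft the clean-up record for this action, as an added example that is not part of the original lesson: compare a device's inventory against its standard build and apply the dependency check from Common Mistakes before anything is disabled. The device, item names, dependencies and the keep/review/disable/remove policy are constructed assumptions.

```python
# Constructed sample data for one hypothetical file server (not from a real device).
STANDARD_BUILD = {"sshd", "smbd", "backup-agent"}   # approved for this device group
INVENTORY = {   # name: (kind, names it depends on)
    "sshd": ("service", []),
    "smbd": ("service", ["nmbd"]),
    "nmbd": ("service", []),
    "backup-agent": ("application", ["rpcbind"]),
    "rpcbind": ("service", []),
    "telnetd": ("service", []),
    "old-remote-tool": ("application", []),
    "pdf-toolbar": ("browser extension", []),
}

def needed_by_approved(inventory, approved):
    """Map each dependency to the approved items that need it, directly or transitively."""
    needed = {}
    for root in approved:
        stack = list(inventory.get(root, ("", []))[1])
        while stack:
            dep = stack.pop()
            if root in needed.setdefault(dep, set()):
                continue  # already recorded; also stops dependency cycles
            needed[dep].add(root)
            stack.extend(inventory.get(dep, ("", []))[1])
    return needed

def cleanup_record(inventory, approved):
    """Return (name, kind, decision, reason) rows for the review record."""
    needed = needed_by_approved(inventory, approved)
    rows = []
    for name, (kind, _deps) in sorted(inventory.items()):
        if name in approved:
            decision, reason = "keep", "in standard build"
        elif name in needed:
            # Not approved itself, but an approved item relies on it: do not disable blindly.
            decision, reason = "review", "required by " + ", ".join(sorted(needed[name]))
        elif kind == "service":
            decision, reason = "disable", "not in standard build, nothing approved depends on it"
        else:
            decision, reason = "remove", "not in standard build"
        rows.append((name, kind, decision, reason))
    return rows

if __name__ == "__main__":
    for row in cleanup_record(INVENTORY, STANDARD_BUILD):
        print("{:16} {:18} {:8} {}".format(*row))
```

Items marked "review" are the ones a blind clean-up would break; either add them to the standard build with a justification or replace the item that depends on them.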

Key Takeaway

If it is not required for the device or system to do its job, remove it or disable it.

Your Workbook Activity

Complete: Unnecessary software and services review record

Next Lesson

In the next lesson: Auto-run and automatic execution: stopping files running without user authorisation