
OS Hardening & Service Disabling

Regulatory Context: IACS UR E27 (Section 4.3.1) mandates the hardening of all OT hosts. This involves the removal of unnecessary software and the deactivation of non-essential services to reduce the “Attack Surface” of critical shipboard systems.

Every active service or open port on an HMI (Human Machine Interface) is a potential vulnerability. “Hardening” is the process of stripping away everything that isn’t required for the vessel’s operation. If an AMS workstation never needs to print a document, the “Print Spooler” service should not only be stopped—it should be disabled at the root.

The Principle: Minimalist Computing

Modern operating systems are built for general-purpose convenience, shipping with hundreds of background processes designed for office environments or home use. In a maritime OT environment, these services represent “technical debt” that increases the risk of exploitation. Hardening transforms a standard Windows or Linux installation into a Single-Purpose Asset. By ensuring the OS only does what is strictly necessary to run the SCADA or Navigation software, we create a predictable environment where any unexpected process becomes immediately obvious during a security audit.

Reducing the Attack Surface

By disabling 10 unnecessary services, you remove 10 potential entry points for malware to gain “System” level privileges on your bridge computer. Fewer services mean fewer patches to manage.

Performance & Stability

On older, legacy hardware found in Engine Control Rooms, OS hardening frees up critical CPU and RAM, making monitoring applications more responsive and reducing the risk of “blue screen” crashes.

Top Services to Disable in Maritime OT

Unless specifically required for the system’s function, the following services should be set to “Disabled” in the Windows Service Manager (services.msc):

| Service Name | Risk Category | Why Disable? |
| --- | --- | --- |
| Print Spooler | Remote Code Execution | Frequent “PrintNightmare” style exploits allow full system takeover via the network. |
| Remote Registry | Unauthorized Config | Allows users (or malware) to modify system registry settings from across the network. |
| Windows Error Reporting | Information Leakage | Attempts to send technical data/crash logs over VSAT, wasting bandwidth and leaking info. |
| Bluetooth Support | Physical Proximity | Prevents unauthorized wireless peripherals from connecting to assets in the ECR. |

Automation: Service Lockdown

Run these PowerShell commands as Administrator to stop and disable the most exploited non-OT services:

# Disable Print Spooler (PrintNightmare protection)
Stop-Service -Name "Spooler" -Force ; Set-Service -Name "Spooler" -StartupType Disabled

# Disable Remote Registry
Stop-Service -Name "RemoteRegistry" ; Set-Service -Name "RemoteRegistry" -StartupType Disabled

# Disable Bluetooth Support
Stop-Service -Name "bthserv" ; Set-Service -Name "bthserv" -StartupType Disabled

Secondary Hardening (Low Risk)

Xbox Live Services: Safe to disable on all OT assets. Removes unnecessary gaming telemetry and background sync.

Geolocation Service: Prevents the OS from tracking vessel position via Wi-Fi/IP (Critical for cyber-privacy).

Retail Demo Service: Removes “Shop Mode” vulnerabilities often left in OEM Windows images from shore-side vendors.
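
To confirm the lockdown took effect and to produce evidence for a hardening audit, the read-only check below reports the start mode and state of every service named on this page. It is an added example, not part of the original playbook: the function name Get-HardeningAudit, the $Baseline list and the CSV path are assumptions, the short names are the standard Windows service names, and it needs PowerShell 3.0 or later.

```powershell
# Added example (not from the playbook): read-only audit of the services listed above.
# Keys are the standard Windows short names; trim the list per asset.
$Baseline = [ordered]@{
    Spooler        = 'Print Spooler'
    RemoteRegistry = 'Remote Registry'
    WerSvc         = 'Windows Error Reporting'
    bthserv        = 'Bluetooth Support'
    lfsvc          = 'Geolocation Service'
    RetailDemo     = 'Retail Demo Service'
    XblAuthManager = 'Xbox Live Auth Manager'
    XblGameSave    = 'Xbox Live Game Save'
    XboxNetApiSvc  = 'Xbox Live Networking'
}

function Get-HardeningAudit {
    param([System.Collections.IDictionary]$Services = $Baseline)

    # Index every installed service by short name with a single CIM query.
    $installed = @{}
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object { $installed[$_.Name] = $_ }

    foreach ($name in $Services.Keys) {
        $svc = $installed[$name]
        if ($null -eq $svc) {
            # Service absent from this image: counts as hardened.
            $mode = 'NotInstalled'; $state = 'NotInstalled'; $ok = $true
        } else {
            $mode  = $svc.StartMode   # Boot | System | Auto | Manual | Disabled
            $state = $svc.State       # Running | Stopped | ...
            # "Stopped" alone is not enough: a Manual service can be started on demand.
            $ok = ($mode -eq 'Disabled') -and ($state -eq 'Stopped')
        }
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            CheckedAt = (Get-Date).ToString('s')
            Service   = $name
            Display   = $Services[$name]
            StartMode = $mode
            State     = $state
            Hardened  = $ok
        }
    }
}

$report = @(Get-HardeningAudit)
$report | Format-Table Service, Display, StartMode, State, Hardened -AutoSize
# Constructed output path; file the CSV with the asset's audit paperwork.
$report | Export-Csv -Path ".\hardening-audit-$($env:COMPUTERNAME).csv" -NoTypeInformation
$failed = @($report | Where-Object { -not $_.Hardened })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) service(s) still enabled or running" }
```

Running it on the clone before and after the lockdown gives a before/after record for the same host.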

ETO Hardening Workflow

Remove Non-Essential Software

Uninstall any bloatware, games, or trial software that came with the PC. If it’s not the AMS application, it shouldn’t be there.

Disable Default Shared Folders

Disable administrative shares (C$, ADMIN$) to prevent lateral movement via SMB exploits.

Host-Based Firewall

Enable the local Windows Firewall and set it to “Block All” incoming traffic except for the specific ports used by the PLC/SCADA software.

Advisor Tip: The “Test-then-Lock” Rule. Hardening can sometimes break old OEM software. Always perform hardening on a backup or a clone of the system first. Verify that all alarms and signals still work before applying the changes to the live production asset.
