Disabling Unused Services
Disabling unused services on a Cisco device is an important security measure. Many services, such as CDP, Telnet, and HTTP, are enabled by default on Cisco devices. If these services are not needed or used, it is recommended to disable them to reduce the attack surface of the device.
When these services are enabled but unused, attackers can exploit them to gain unauthorized access to the device or launch attacks on other devices on the network.
You can use the show control-plane host open-ports command to list the TCP and UDP ports on which the device is currently listening, and from that list identify which services should be disabled if they are not needed. Consider the following practices when configuring your Cisco device:
- Although the HTTP service provides convenient browser-based access to the device, it is highly recommended to disable it with the no ip http server command in global configuration mode. The HTTPS service, however, should be kept on.
- Although CDP is enabled by default on Cisco devices, it is recommended to keep it active only on selected interfaces where it poses no risk and to disable it everywhere else, in particular on interfaces at the internet edge. Use the no cdp enable command in interface configuration mode to disable CDP on a specific interface, or the no cdp run command in global configuration mode to disable it on all interfaces.
In addition, disabling unused services can also help reduce the device’s resource usage, leading to improved performance and stability.
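The following Python script is an added example, not part of the original article, that turns the practices above into a repeatable check: it parses an IOS-style running configuration (a constructed sample, not taken from a real device) and reports the HTTP, HTTPS, CDP and Telnet settings this article recommends changing. The interface-description keywords used to recognise an internet-edge interface, and the vty transport input check for Telnet, are assumptions made for this example; adjust them to your own naming conventions.

```python
import re

# Constructed sample running-config (not from any real device) with the weak settings.
WEAK_RUNNING_CONFIG = """\
version 15.2
hostname edge-router
!
ip http server
no ip http secure-server
!
interface GigabitEthernet0/0
 description INTERNET-EDGE
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.0.2.1 255.255.255.0
 no cdp enable
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# The same device after applying the hardening from the article (also constructed).
HARDENED_RUNNING_CONFIG = """\
version 15.2
hostname edge-router
!
no ip http server
ip http secure-server
!
interface GigabitEthernet0/0
 description INTERNET-EDGE
 ip address 203.0.113.2 255.255.255.252
 no cdp enable
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

# Assumption for this example: these words in an interface description mark an untrusted edge.
EDGE_KEYWORDS = ("INTERNET", "EDGE", "WAN", "UPLINK")


def parse_config(text):
    """Split an IOS-style config into global commands and {section header: [indented lines]}."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # '!' separators end the current section
            continue
        if not line.startswith(" "):
            current = None
            if line.startswith(("interface ", "line ")):
                current = line      # section header such as 'interface GigabitEthernet0/0'
                blocks[current] = []
            else:
                global_lines.append(line)
        elif current is not None:
            blocks[current].append(line.strip())
    return global_lines, blocks


def audit(text):
    """Return (severity, finding) tuples for the unused-service checks from the article."""
    global_lines, blocks = parse_config(text)
    g = set(global_lines)
    findings = []

    # HTTP should be off ('no ip http server'); HTTPS should stay on.
    if "ip http server" in g:
        findings.append(("high", "HTTP server enabled; apply 'no ip http server'"))
    if "no ip http secure-server" in g:
        findings.append(("medium", "HTTPS server disabled; keep 'ip http secure-server' on"))

    # CDP is on by default, so it is active unless 'no cdp run' is present globally.
    if "no cdp run" not in g:
        for name, lines in blocks.items():
            if not name.startswith("interface "):
                continue
            desc = next((l for l in lines if l.startswith("description ")), "").upper()
            if any(k in desc for k in EDGE_KEYWORDS) and "no cdp enable" not in lines:
                ifname = name.split(" ", 1)[1]
                findings.append(("high", f"CDP active on edge interface {ifname}; apply 'no cdp enable'"))

    # Telnet on vty lines (assumed check): 'transport input' that allows telnet or all.
    for name, lines in blocks.items():
        if name.startswith("line vty"):
            for l in lines:
                words = l.split()
                if l.startswith("transport input") and ("telnet" in words or "all" in words):
                    findings.append(("high", f"Telnet accepted on '{name}'; use 'transport input ssh'"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit(WEAK_RUNNING_CONFIG):
        print(f"[{severity}] {msg}")
```

Run against the weak sample the script reports four findings (HTTP on, HTTPS off, CDP on the edge interface, Telnet on the vty lines); against the hardened sample it reports none. Pipe in the output of show running-config from your own devices to use it as a quick pre-change review.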