A systems administrator is hardening a newly deployed Windows Server that will function exclusively as an internal file server. The initial OS installation used the company's standard image, which includes several common roles and features. To reduce the server's attack surface in alignment with the principle of least functionality, which of the following is the MOST appropriate action for the administrator to take?
Enter the UEFI/BIOS setup and disable all unused physical USB and COM ports.
Disable the 'Server' (LanmanServer) service.
Remove the Web Server (IIS) and FTP Server roles.
Configure the host-based firewall to allow only inbound traffic on TCP port 445.
The correct action is to remove the Web Server (IIS) and FTP Server roles. According to the principle of least functionality, a server should only have the services, roles, and features necessary for its designated purpose. A dedicated internal file server's primary function is to share files using the SMB protocol and does not require web or FTP services. Removing these unneeded roles is a critical application hardening step that significantly reduces the server's potential attack surface.
The 'Server' service, also known as 'LanmanServer', is essential for providing SMB file and print sharing capabilities; disabling it would render the file server non-functional. Configuring firewall rules and disabling unused physical ports are valid and important server hardening tasks, but they fall under OS hardening and hardware hardening, respectively, not application hardening through the removal of roles or features.
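As an added illustration (not part of the original question or its answer key), the following PowerShell shows how an administrator would carry out the chosen action: inventory the roles the standard image installed, confirm the file-server role and its LanmanServer dependency stay in place, and then remove only the IIS and FTP roles. It assumes Windows Server 2012 R2 or later with the ServerManager module and an elevated session; the feature names Web-Server, Web-Ftp-Server and FS-FileServer are the standard Server Manager identifiers for those roles.

```powershell
# Added example, not code from the original page. Assumes an elevated
# PowerShell session on Windows Server with the ServerManager module.
Import-Module ServerManager

# Step 1: see what the standard image actually installed before changing anything.
Get-WindowsFeature | Where-Object { $_.Installed } |
    Select-Object Name, DisplayName |
    Format-Table -AutoSize

# Step 2: confirm the role this server exists for is present, and that the
# Server (LanmanServer) service it depends on is running. Do not disable it.
Get-WindowsFeature -Name FS-FileServer
Get-Service -Name LanmanServer

# Step 3: remove only the roles a dedicated file server does not need.
# -Remove also strips the payload from the component store, so the role
# cannot be silently re-enabled without the installation media.
$unneeded = @('Web-Server', 'Web-Ftp-Server') |
    Where-Object { (Get-WindowsFeature -Name $_).Installed }

if ($unneeded) {
    Uninstall-WindowsFeature -Name $unneeded -Remove -Restart:$false
}

# Step 4: verify that neither role is still reported as installed.
Get-WindowsFeature -Name Web-Server, Web-Ftp-Server |
    Select-Object Name, Installed
```

Running the inventory first matters because a golden image may carry more than IIS and FTP; the same pattern (list what is installed, keep what the server's purpose requires, uninstall the rest) applies to any other role that turns up. Host firewall rules and disabling unused hardware ports are separate OS and hardware hardening steps that complement, rather than replace, removing the roles.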