PCI Requirement 2.2.1 – Implement Only One Primary Function Per Server

by Randy Bartels / June 30th, 2017

Finding Cross-Over Between Servers

PCI Requirement 2.2.1 is another requirement focusing on hardening standards. PCI Requirement 2.2.1 states, “Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. Where virtualization technologies are in use, implement only one primary function per virtual system component.”

Assessors need to make sure that your systems only have one primary function per server. So, what does it even mean to implement only one primary function per server? To comply with PCI Requirement 2.2.1, assessors look to ensure that if, for example, your organization has a server within the presentation tier, that it is not also sitting in the data or application tier. What would happen if one security tier became compromised? Everything else within that tier would become vulnerable. Assessors must make sure that one tier doesn’t pose a risk to another. The PCI DSS states, “If server functions that need different security levels are located on the same server, the security level of the functions with higher security needs would be reduced due to the presence of the lower-security functions. Additionally, the server functions with a lower security level may introduce security weaknesses to other functions on the same server. By considering the security needs of different server functions as part of the system configuration standards and related processes, organizations can ensure that functions requiring different security levels don’t co-exist on the same server.” To comply with PCI Requirement 2.2.1, security tiers must be separated.

To verify that your organization’s hardening standards are implemented and functioning properly, your organization should examine a sample of system components and check to see that only one primary function is implemented per server. The same applies to virtualization technologies; verify that the sample taken meets PCI Requirement 2.2.1.

During the assessment process, your organization’s assessor should pull all of the running services, installed software, and configurations to examine what functions each of your servers have. If they find cross-over between servers, they will find an answer as to why that is. To comply with PCI Requirement 2.2.1, assessors must ensure that your systems implement only one primary function per server.

Continuing on with the hardening standards, we want to make sure that your systems only have one primary function per server. Specific to Requirement 2.2.1, the PCI DSS says that you may only have one primary function per server, so I want to take a little bit of time to describe what that means. What we’re talking about is cross-pollinating the security domains. If you have a server that sits within the presentation tier, we want to make sure that it’s not also standing in the data tier or in the application tier. The reason for that is that if one of these security tiers should somehow become compromised, we want to make sure that it doesn’t pose a risk to one of the other security tiers.

A lot of the time, what we see is that an organization might have a web server that’s producing and publishing web pages, but secondary to that, what we also see that they have a database server sitting on that same application server, and that would violate this particular requirement. So, assessors want to make sure that where you have different security tiers, those are separated. However, it wouldn’t be necessary, if you have something that’s sitting in an application tier, to give an example from Microsoft, you would have an authentication server as your active directory, that particular server could also serve your DNS, your DHCP, because those are all sitting in that same security domain. But what we would not expect to see is your application server is also your active directory server; that would be another situation that is not allowed.

So the assessor will pull all the running services, all the installed software, and all the configs and look at these to see what’s running, see what’s been installed and where there are questions on crossing those lines, they will ask questions as to why that is.