Compensating Controls - Requirement 2.2.1
npuetz
03-27-2007, 07:48 AM
All,
I am curious if anyone has any compensating control ideas for merchant companies that are using servers to perform multiple functions (requirement 2.2.1). I realize that separating server functions guarantees a layered security approach; however, I do believe that it is possible for multiple systems to securely coexist on a single server in a non-VM environment. Admins just need to make sure that secure configurations are implemented. Furthermore, this can turn into a financial burden for some businesses if new equipment needs to be purchased. Again, I am looking for any compensating control ideas here. I am specifically dealing with a Solaris 9 box. Thanks!
jbhall56
03-28-2007, 02:47 PM
First, as an assessor, you need to bring some reality to 2.2.1, as there are numerous applications that just do not install in such a manner without the Enterprise version or other large-scale implementation. A prime example is Microsoft SharePoint, which requires SQL Server, IIS and other services installed on the same server unless you are implementing it in a clustered environment. So, such situations are not necessarily going to be exceptions. And what about mainframe systems, where everything can possibly run on a single system?
That said, there is also need for compensating controls to be put into place for these sorts of implementations.
In your case, the Sun system can have its memory fenced off between the various services on the system so that if one service is compromised, it's tougher to compromise other services. You can implement a host IDS solution to monitor critical files that should not change as a result of execution. Automated log monitoring can also be used to ensure that the system does not get compromised. Minimize the number of people with administrator access.
I'm sure there are a number of other controls that can be implemented. My idea here was to give you an idea of where to start.
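The host-IDS control mentioned above (watching critical files that should not change at run time) boils down to a baseline-and-verify check. The following POSIX sh script is an added example, not code from this thread or from any product; it assumes file paths contain no whitespace and uses the POSIX cksum CRC, which a real deployment would replace with a cryptographic hash and a baseline stored read-only or off-host.

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline/verify pair in POSIX sh.
# Assumptions: paths contain no whitespace; cksum (CRC-32) is used only because
# it is POSIX; a production control would use a cryptographic hash and keep the
# baseline somewhere an intruder on the host cannot rewrite it.

# fim_baseline DIR BASELINE_FILE
# Record "checksum size path" for every regular file under DIR.
fim_baseline() {
    dir=$1; out=$2
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        cksum "$f"
    done > "$out"
}

# fim_verify DIR BASELINE_FILE
# Print one report line per MODIFIED, ADDED or REMOVED file.
# Returns 0 when the tree still matches the baseline, 1 when anything differs,
# 2 when a scratch file could not be created.
fim_verify() {
    dir=$1; base=$2
    tmp=$(mktemp) || return 2
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        cksum "$f"
    done > "$tmp"
    # Compare the two listings keyed on path. FILENAME==ARGV[1] (rather than
    # NR==FNR) keeps the comparison correct even when the baseline is empty.
    report=$(awk '
        FILENAME == ARGV[1] { base[$3] = $1 " " $2; next }
                            { cur[$3]  = $1 " " $2 }
        END {
            for (p in base) if (!(p in cur)) print "REMOVED " p
            for (p in cur)  if (!(p in base)) print "ADDED " p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
        }' "$base" "$tmp")
    rm -f "$tmp"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Typical use is `fim_baseline /etc /secure/etc.base` once after hardening, then `fim_verify /etc /secure/etc.base` from cron, forwarding any non-empty report to the log-monitoring pipeline.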
lyalc
03-28-2007, 03:51 PM
One key point is to take a reasonable definition of 'function'.
Active Directory installs time servers, LDAP, Kerberos, etc., as well as domain controller functionality.
Enabling NTP on Windows XP workstations makes them act, by default, as an NTP time source. And the list goes on.
Too loose, and anything goes (not the PCI intent), too narrow a view, and the hardware count expands to hundreds of servers, not in the interests of cost of securely manageable infrastructure.
Sometimes, separate JVM instances can provide appropriate logical separation, along with integrity and audit controls.
More interesting is: can you group PCI-scoped functionality onto common systems (with the strongest logical segregation you can implement), and place non-PCI functionality on machines wholly outside of the cardholder environment?
Lyal