Implement only one application or primary function per network component or server.


CONTROL ID
00879
CONTROL TYPE
Systems Design, Build, and Implementation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Only server-initiated secure renegotiation is used. (Security Control: 1370; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Database servers and web servers are functionally separated, physically or virtually. (Security Control: 1269; Revision: 2, Australian Government Information Security Manual, March 2021)
  • The organization should maintain an effective functional separation between high value servers that connect to a public network infrastructure to allow them to operate independently. (Control: 0385 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should functionally separate servers physically, using single dedicated machines for each function or use virtualization technology to create separate virtual machines for each function in the same security domain. (Control: 0953, Australian Government Information Security Manual: Controls)
  • Virtualization technology should not be used for functional separation between network equipment or servers located in different security domains at the same classification. (Control: 0841, Australian Government Information Security Manual: Controls)
  • Virtualization technology must not be used to functionally separate servers or network equipment of different classifications. (Control: 0842, Australian Government Information Security Manual: Controls)
  • Separate networks should be created for the servers, users, and network Administrators. Routing, firewalls, and intrusion-prevention software should be placed between these networks to prevent sessions from being hijacked by an attacker. (§ 1.8, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • All functions of wired and wireless multifunctional devices should be secured by ensuring the security policy is applied for all functions of the device. (§ 2.2 (2.2.050), The Center for Internet Security Wireless Networking Benchmark, 1)
  • For a sample of system components, verify that only one primary function is implemented per server. (§ 2.2.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the system configuration standards include procedures for implementing only one primary function per server to prevent functions requiring different security levels on the same server. (Testing Procedures § 2.2.d Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Inspect the system configurations of a sample of system components to verify that only one primary function is implemented per server. (Testing Procedures § 2.2.1.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Inspect the system configurations of a sample of system components that use virtualization techniques to verify that only one primary function is implemented per virtual system component or device. (Testing Procedures § 2.2.1.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Each server must only have one primary function. (§ 2.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • For a sample of system components, verify that only one primary function is implemented per server. (§ 2.2.1.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • If virtualization technologies are used, verify that only one primary function is implemented per virtual system component or device. (§ 2.2.1.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Only one primary function per server must be implemented to prevent functions requiring different levels of security from being on the same server. (PCI DSS Requirements § 2.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (2.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) (2.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (2.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (2.2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (2.2.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (2.2.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (2.2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (2.2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (2.2.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (2.2.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (2.2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (2.2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (2.2.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (2.2.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (2.2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (2.2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (2.2.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • If virtualization technologies are used, is only one primary function implemented per virtual system component or device? (2.2.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (2.2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Select a sample of system components and inspect the system configurations to verify that only one primary function is implemented per server. (2.2.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • If virtualization technologies are used, inspect the system configurations to verify that only one primary function is implemented per virtual system component or device. (2.2.1.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Only one primary function exists on a system component, (2.2.3 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Primary functions with differing security levels that exist on the same system component are isolated from each other, (2.2.3 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Functions with differing security needs that exist on the same system component are isolated from each other. (2.2.3.c Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine system configuration standards to verify they include managing primary functions requiring different security levels as specified in this requirement. (2.2.3.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine system configurations to verify that primary functions requiring different security levels are managed per one of the ways specified in this requirement. (2.2.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Functions with differing security needs do not co-exist on the same system component. (2.2.3.c Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Do system configuration standards include implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server? (PCI DSS Question 2.2(d) Bullet 2, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (PCI DSS Question 2.2.1(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Do system configuration standards include implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server? (PCI DSS Question 2.2(d) Bullet 2, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (PCI DSS Question 2.2.1(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Do system configuration standards include implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server? (PCI DSS Question 2.2(d) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (PCI DSS Question 2.2.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do system configuration standards include implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server? (PCI DSS Question 2.2(d) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (PCI DSS Question 2.2.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Only one primary function exists on a system component, (2.2.3 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Primary functions with differing security levels that exist on the same system component are isolated from each other, (2.2.3 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Only one primary function exists on a system component, (2.2.3 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Primary functions with differing security levels that exist on the same system component are isolated from each other, (2.2.3 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Only one primary function exists on a system component, (2.2.3 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Primary functions with differing security levels that exist on the same system component are isolated from each other, (2.2.3 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Only one primary function exists on a system component, (2.2.3 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Primary functions with differing security levels that exist on the same system component are isolated from each other, (2.2.3 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Servers that support critical business applications should be run on one or more dedicated computers (i.e., they do not provide other services such as file and print, database, e-mail, or other business applications). (CF.04.01.06b, The Standard of Good Practice for Information Security)
  • Networks should be designed to isolate particular types of network traffic (e.g., Voice over Internet Protocol data or Storage Area Network storage data) using a dedicated network, to prevent impact on other network traffic. (CF.07.01.06c, The Standard of Good Practice for Information Security)
  • Servers that support critical business applications should be run on one or more dedicated computers (i.e., they do not provide other services such as file and print, database, e-mail, or other business applications). (CF.04.01.06b, The Standard of Good Practice for Information Security, 2013)
  • Networks should be designed to isolate particular types of network traffic (e.g., Voice over Internet Protocol data or Storage Area Network storage data) using a dedicated network, to prevent impact on other network traffic. (CF.07.01.06c, The Standard of Good Practice for Information Security, 2013)
  • Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers. (Control 9.5, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Deploy two separate browser configurations to each system. One configuration should disable the use of all plugins, unnecessary scripting languages, and generally be configured with limited functionality and be used for general web browsing. The other configuration shall allow for more browser funct… (Control 7.5, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should use separate physical host machines to operate critical services, such as mail servers, database servers, file servers, and web servers. (Critical Control 11.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The Information Assurance Officer must ensure any device that accesses the classified network remotely cannot be used to access the unclassified network remotely. These access devices must be mutually exclusive. (§ 3.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Is the e-mail service the only service running on the e-mail server? (IT - General Q 36b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are the network services segregated to ensure data integrity and security? (IT - Networks Q 20, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is there more than one service on a server? (IT - Servers Q 9, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is each service on a separate Network Interface Card, if there is more than one service on the server? (IT - Servers Q 9, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the virus software and update application located on the same server in the Credit Union network? (IT - Virus Protection Q 9, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The smart grid Information System must use processing components that have minimal data storage and functionality. (SG.SC-23 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)