PCI DSS question in relation to small merchant businesses

For those that support businesses that have to maintain PCI compliance I noticed a question on one of the SAQ forms about separating application functions across independent servers. Sounds logical and I understand the meaning but how practical? Say if you support a small business 10-15 users that has a local DC, are you really going to break out DNS to its own separate server? Web server " which should be cloud hosted anyways" SQL, I can see if heavily utilized. Maybe there is an app that just needs MySql and it can run locally on the DC? This ends up being a matter of $$ vs " Fully Complaint ". These are self assessments but some of the questions aren’t really practical in reality.

Thoughts?

Thanks,
Wade

One thing to mention is the ability of migration. If you are stacking your services on a single server and if a single service is no longer supported on your OS or for other reasons then you are needing to migrate that service off to a new server anyway. Or if the entire OS is no longer supported then you are in a real pickle separating all the services at once. Not to mention if your single server takes a dump then you are stuck rebuilding that server with all it services on it. That kind of outage would be hard to explain to higher up management if the services weren’t separated.

The other is security and isolation, only allowing the proper traffic to the server.

When it comes to network functions I typically let network device do network functions. DNS, DHCP, and so on are all on the firewall. If it’s an environment with Active Directory then I forward all DNS queries to the firewall and set DHCP options to point the IP’s of the domain controllers.

Personally I don’t think it cost too much more to run services on individual servers. Sometimes it makes more sense to run something like a lamp stack on a single server as long as you don’t need to scale your application. Your web server can be ran on linux which will save you money on windows licenses and the only cost associated with it would be the resource on your hypervisor.

At face value it might not seem practical, but in my opinion the benefits of strategically putting services on individual servers far outweigh putting all your services on one server. You’ll be looking for a hard time later on.

Thank you for the well thought out explanation. I guess I need to expand my thought process a little further than immediate situation. I tend to get more client attuned and wanting to make situations as cost effective for them as possible without looking at the implied cost of the overall implications. Your approach makes a lot of sense that I will now implement on future decisions.

I really appreciate your input.

Thanks,
Wade

In a Microsoft AD system, why break the DNS out to another server? AD really likes to integrate with DNS and DHCP with DNS. I’d like to hear you opinions on why because I’ve only ever run the AD with DNS and DHCP on the same computer, typically around 40 users at any one time, maybe 50 at the highest load. And since these are in a college, often logging in at the same times (roughly). That said, I do have 2 servers to handle this load (now) with everything “load balanced” as well as Server 2022 handles the requests.

DNS is of course then forwarded to the firewall for names that are not known to the local domain. Might be a slight performance hit getting onto the web, but our use case is fine with an extra half second.

I keep DNS on domain controllers but I put DHCP on firewalls. Then from the domain controllers I forward the DNS queries to the firewall. Then configure DHCP to assign the DNS servers (domain controllers) to the clients.

AD heavily relies on DNS so this is why I use this direction. I don’t want windows doing any more network functions than it needs to. Also if you don’t set the domain controllers to upstream to the firewall then you can get caught in a DNS rebind attack for local services with DNS names exposed to the internet.

Another note is I don’t want to mess with DHCP relays either.