1.1.1.1.1.4 Configure 'Maximum tolerance for computer clock synchronization'

Information

Many security services, especially authentication, rely on an accurate computer clock to perform their jobs. You should ensure computer time is accurate and that all servers in your organization use the same time source. The Windows Server 2003 W32Time service provides time synchronization for Windows Server 2003 and Microsoft Windows XP-based computers that run in an Active Directory domain. The W32Time service synchronizes the clocks of Windows Server 2003-based computers with the domain controllers in a domain. This synchronization is necessary for the Kerberos protocol and other authentication protocols to work properly. To function correctly, a number of Windows Server family components rely on accurate and synchronized time. If the clocks are not synchronized on the clients, the Kerberos authentication protocol might deny access to users. Another important benefit that time synchronization provides is event correlation on all of the clients in your enterprise. Synchronized clocks on the clients in your environment ensure that you can correctly analyze events that take place in uniform sequence on those clients throughout the organization.

The W32Time service uses the Network Time Protocol (NTP) to synchronize clocks on computers that run Windows Server 2003. In a Windows Server 2003 forest, time is synchronized by default in the following manner:

- The primary domain controller (PDC) emulator operations master in the forest root domain is the authoritative time source for the organization.
- All PDC operation masters in other domains in the forest follow the hierarchy of domains when they select a PDC emulator with which to synchronize their time.
- All domain controllers in a domain synchronize their time with the PDC emulator operations master in their domain as their inbound time partner.
- All member servers and client desktop computers use the authenticating domain controller as their inbound time partner.
To ensure that the time is accurate, the PDC emulator in the forest root domain can be synchronized to an authoritative time source, such as a reliable NTP source or a highly accurate clock on your network. Note that NTP synchronization uses UDP port 123 traffic. Before you synchronize with an external server, you should weigh the benefits of opening this port against the potential security risk. Also, if you synchronize with an external server that you do not control, you risk configuring your servers with the incorrect time. The external server could be compromised or spoofed by an attacker to maliciously manipulate the clocks on your computers.

As explained earlier, the Kerberos authentication protocol requires synchronized computer clocks. If they are not synchronized, a denial of service may occur. To prevent 'replay attacks,' the Kerberos authentication protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be closely synchronized. Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum acceptable difference to Kerberos between a client clock and a domain controller clock. If the difference between the client clock and the domain controller clock is less than the maximum time difference specified in this setting, any time stamp that is used in a session between the two computers is considered to be authentic.

Solution

Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\Maximum tolerance for computer clock synchronization

Impact: None. This is the default configuration.
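A check an auditor could run for this item, added here as an example and not code from the CIS benchmark or the Tenable plugin. It assumes an elevated PowerShell session on a domain controller (Kerberos policy is a domain-level Account Policy, so secedit exports it there) and a caller-supplied PDC emulator host name; 'PDC-EMULATOR-PLACEHOLDER' is a placeholder, not a real host.

```powershell
# Added audit helper (assumption: run elevated on a domain controller; the
# PDC emulator name below is a placeholder the caller must replace).
param(
    [string]$PdcEmulator = 'PDC-EMULATOR-PLACEHOLDER',
    [int]$ExpectedSkewMinutes = 5      # Windows default and the value this item expects
)

# 1. Read 'Maximum tolerance for computer clock synchronization' from the effective
#    security policy. secedit writes an INF whose [Kerberos Policy] section holds
#    it as MaxClockSkew, in minutes.
$inf = Join-Path $env:TEMP 'kerberos-policy-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
$hit = Select-String -Path $inf -Pattern '^\s*MaxClockSkew\s*=\s*(\d+)' |
    Select-Object -First 1
$configuredSkew = if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }
Remove-Item $inf -ErrorAction SilentlyContinue

# 2. Measure how far this host's clock is from the PDC emulator. '/dataonly'
#    prints one line per sample such as "10:00:00, +00.0012345s"; an error line
#    (host unreachable, port 123 blocked) matches nothing and yields no sample.
$offsets = @(& w32tm /stripchart /computer:$PdcEmulator /samples:3 /dataonly 2>&1 |
    ForEach-Object { if ($_ -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] } })
$maxOffset = if ($offsets.Count) {
    ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
} else { $null }

# 3. Record the inbound time partner described above: a domain controller should
#    follow its PDC emulator, and the forest-root PDC emulator an authoritative source.
$timeSource = (& w32tm /query /source 2>&1 | Out-String).Trim()

# Within tolerance only if a sample came back and the offset is below the policy
# value (minutes) converted to seconds. No sample is itself a finding to chase.
$withinTolerance = $false
if ($null -ne $maxOffset -and $null -ne $configuredSkew) {
    $withinTolerance = $maxOffset -lt ($configuredSkew * 60)
}

[pscustomobject]@{
    ConfiguredMaxClockSkewMinutes = $configuredSkew
    MatchesExpectedValue          = ($configuredSkew -eq $ExpectedSkewMinutes)
    InboundTimeSource             = $timeSource
    MaxOffsetToPdcSeconds         = $maxOffset
    ClockWithinTolerance          = $withinTolerance
}
```

A null ConfiguredMaxClockSkewMinutes means the export carried no [Kerberos Policy] section, which happens on a member server where the domain policy is not exported locally.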

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-8(1), CCE|CCE-3396-9, CSCv6|6.1

Plugin: Windows

Control ID: 5a4daae901bb398fcd9166c82ecf947097f6c376b6ffd072e13189df37b910e7