1.3.5 Ensure 'Maximum tolerance for computer clock synchronization' is set to '5 or fewer minutes' (STIG DC only)

Information

This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication.

The STIG recommended state for this setting is: 5 or fewer minutes

To prevent replay attacks, the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date. Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two devices is considered to be authentic.

Solution

To establish the recommended configuration via GP, set the following UI path to 5 or fewer minutes :

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policy\Kerberos Policy\Maximum tolerance for computer clock synchronization

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/18857

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-8(1)

Plugin: Windows

Control ID: bd48d9f8ed655cd9e0aeda53e6df49466f9d096052aa87f38696eea10032c4e7