18.9.50.1.2 Ensure 'Configure Windows NTP Client' is set to 'Enabled: NT5DS'

Information

This policy setting specifies a set of parameters for controlling the Windows NTP Client.

The recommended STIG state for this setting is Enabled: NT5DS

Note: Domain-joined systems use NT5DS to synchronize time from other systems in the domain by default.

The following settings are available to configure:

NtpServer : The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of dnsName,flags where flags is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is time.windows.com,0x09

Type : This value controls the authentication that W32time uses. The default value is NT5DS.

CrossSiteSyncFlags : This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value is not set. The default value is 2 decimal (0x02 hexadecimal).

ResolvePeerBackoffMinutes : This value, expressed in minutes, controls how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes.

ResolvePeerBackoffMaxTimes : This value controls how many times W32time attempts to resolve a DNS name before the discovery process is restarted. Each time DNS name resolution fails, the amount of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts.

SpecialPollInterval : This NTP client value, expressed in seconds, controls how often a manually configured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on the

NTPServer

setting, the client uses the value that is set as the SpecialPollInterval instead of a variable interval between MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. SpecialPollInterval must be in the range of [ MinPollInterval MaxPollInterval ], else the nearest value of the range is picked. Default: 1024 seconds.

EventLogFlags : This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it is a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged.

Time synchronization is essential for authentication and auditing purposes.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: NT5DS :

Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client

Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Note #2: Other configurations within this setting might need to be configured for this GPO to be effective.

Impact:

The configuration of a secured authorized time source will need to be in place for all systems.

Note: Domain-joined systems are automatically configured to synchronize with Domain Controllers. If an NTP server is configured, it must synchronize with a secure, authorized time source.

See Also

https://workbench.cisecurity.org/benchmarks/15105

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-7, 800-53|AU-8, CSCv7|6.1

Plugin: Windows

Control ID: e92d4c8c716d9e48244af97a8a3b43ff5778e03c29a7c2f62f6e386405fc4c46