Free DISA STIG and SRG Library | Vaulted

V-8557

The Windows Time Service on the forest root PDC Emulator must be configured to acquire its time from an external time source.

Finding ID
AD.0295
Rule ID
SV-9054r3_rule9054r2_rule
Severity
Cat II
CCE
(None)
Group Title
Time Synchronization-Authoritative Source
CCI
CCI-001891
Target Key
(None)
Documentable
No
Discussion

When the Windows Time service is used to synchronize time on client computers (workstations and servers) throughout an AD forest, the forest root domain PDC Emulator is the normal default to provide the authoritative time source for the entire forest. To obtain an accurate time for itself, the forest root domain PDC Emulator acts as a client to an external time source. If the Windows Time service on the forest root domain PDC Emulator is not configured to acquire the time from a proper source, it may cause time service clients throughout the forest to operate with the inaccurate time setting. When a Windows computer operates with an inaccurate time setting, access to resources on computers with the accurate time might be denied. This is notably true when Kerberos authentication is utilized. Operation with an inaccurate time setting can reduce the value of audit data and invalidate it as a source of forensic evidence in an incident investigation. Further Policy Details: The Windows Time service is the preferred time synchronization tool for Windows domain controllers. This check is Not Applicable for Component locations that do not have the AD forest root domain on site. This check must be performed on the domain controller in the *forest root domain* that holds the PDC Emulator FSMO role.

Fix Text

Configure the Windows Time service on the forest root PDC Emulator to acquire its time from an external time source. The Windows Time Service can be configured by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an authorized time server.

Check Content

This applies to the domain controller with the PDC emulator role in forest root domain; it is NA for other domain controllers in the forest1. DetermineUse theRegistry domainEditor controllerto withnavigate theto PDC Emulator role in the forest root domainfollowing: WindowsHLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient 2008 R2 or later: Open "Windows PowerShell"2. EnterIf "Get-ADDomainthe -Identityvalue [Forestfor Root“Enabled” Domain]is |not FT“1”, PDCEmulator",then wherethis [Forest Root Domain] is thea forest root domain name, such as "examplefinding.mil". (This can also be entered without the -Identity parameter if running within the forest root domain3.) WindowsUse 2008:Registry OpenEditor "Activeto Directorynavigate Users and Computers" from a domain controller in or connected to the forestfollowing: rootHKLM\System\CurrentControlSet\Services\W32Time\Parameters (available from various menus or run "dsa4.msc"). Select "Action" in the menu, then "All Tasks >> Operations Masters". Select the "PDC" tab. On the system with the PDC Emulator role, open "Windows PowerShell" or an elevated "Command Prompt" (run as administrator). Enter "W32tm /query /configuration". Under the "NtpClient" section: If the value for "Type" is not "NTP",”, then this is a finding. Note: If thethese valuechecks forindicate "NtpServer"a finding because the NtpClient is not anenabled, externalask DoDthe timeSA source,to thisdemonstrate isthat a) finding. If an alternate time synchronization tool is usedinstalled and is not enabled orand notthat configuredb) to a synchronizeDoD-authorized with an external DoD time source, this is abeing findingused. The5. USIf Navalthe ObservatoryWindows operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronizationservice willis occurnot throughenabled aor hierarchyno ofalternate timetool serversis downinstalled to the local level. Clients and lower-levelenabled serversin willits synchronizeplace, withthen anthis authorizedis timea server in the hierarchyfinding.

Responsibility

Information Assurance Officer

IA Controls

ECTM-1, ECTM-2