Active Directory Forest STIG (STIG) Version Comparison

There are 1 differences between versions v2 r7 (Jan. 27, 2017) (the "left" version) and v2 r8 (July 27, 2018) (the "right" version).

Check AD.0295 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

The Windows Time Service on the forest root PDC Emulator must be configured to acquire its time from an external time source.

Check Content

1. This applies to the domain controller with the PDC emulator role in forest root domain; it is NA for other domain controllers in the forest. Determine the domain controller with the PDC Emulator role in the forest root domain: Windows 2008 R2 or later: Open "Windows PowerShell". Enter "Get-ADDomain -Identity [Forest Root Domain] | FT PDCEmulator", where [Forest Root Domain] is the forest root domain name, such as "example.mil". (This can also be entered without the -Identity parameter if running within the forest root domain.) Windows 2008: Open "Active Directory Use Users Registry Editor and Computers" from a domain controller in or connected to navigate to the forest root (available from various menus or run "dsa.msc"). Select "Action" in the menu, the then following: HLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient 2. If "All Tasks >> Operations Masters". Select the "PDC" tab. On the system with the PDC Emulator role, open "Windows PowerShell" or an elevated "Command Prompt" (run as administrator). Enter "W32tm /query /configuration". Under the "NtpClient" section: If the value for “Enabled” "Type" is not "NTP", “1”, then this is a finding. 3. finding. If Use Registry Editor to navigate to the following: HKLM\System\CurrentControlSet\Services\W32Time\Parameters 4. If the value for “Type” "NtpServer" is not “NTP”, then an external DoD time source, this is a finding. If finding. Note: If these checks indicate a finding because the NtpClient is not enabled, ask the SA to demonstrate that a) an alternate time synchronization tool is installed used and is not enabled or not configured to a synchronize with an external DoD time source, this is a finding. The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and that b) a lower-level servers will synchronize with an DoD-authorized authorized external time source is being used. 5. If the Windows Time time service server is not enabled or no alternate tool is installed and enabled in its place, then the hierarchy. this is a finding.

Discussion

When the Windows Time service is used to synchronize time on client computers (workstations and servers) throughout an AD forest, the forest root domain PDC Emulator is the normal default to provide the authoritative time source for the entire forest. To obtain an accurate time for itself, the forest root domain PDC Emulator acts as a client to an external time source. If the Windows Time service on the forest root domain PDC Emulator is not configured to acquire the time from a proper source, it may cause time service clients throughout the forest to operate with the inaccurate time setting. When a Windows computer operates with an inaccurate time setting, access to resources on computers with the accurate time might be denied. This is notably true when Kerberos authentication is utilized. Operation with an inaccurate time setting can reduce the value of audit data and invalidate it as a source of forensic evidence in an incident investigation. Further investigation. Policy Details: The Windows Time service is the preferred time synchronization tool for Windows domain controllers. This check is Not Applicable for Component locations that do not have the AD forest root domain on site. This check must be performed on the domain controller in the *forest root domain* that holds the PDC Emulator FSMO role.

Fix

Configure the Windows Time service on the forest root PDC Emulator to acquire its time from an external time source. source. The Windows Time Service can be configured by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an authorized time server.